HEA World

Privacy Policy

Last updated: July 2026

This Privacy Policy explains how HEA World collects, uses, and protects personal data in connection with our services, websites, and applications (together the “Service”). It covers processing where HEA World acts as data controller and where we act as data processor on behalf of our customers.

1. Roles and controller identity

The Service is operated by NPE Holding B.V. (trading as “HEA World”), based in the Netherlands. Contact: privacy@hea-world.com.

As controller: HEA World decides how and why personal data is processed for our own purposes — for example when you create an account, subscribe, visit hea-world.com, or contact us.

As processor: When you deploy HEAs on your website, your visitors and end-users interact with the Service through your configuration. For that processing, you act as the data controller (or processor on behalf of your own controller) and HEA World acts as data processor, as further described in our Terms and Data Processing Agreement.

2. Categories of data we process

2.1 As controller — your relationship with HEA World

When you use HEA World as a customer or visit our website, we may process:

2.2 As processor — on your behalf

When you deploy HEAs or enable integrations, we process the following categories on your instructions (see the DPA):

2a. AI Outputs and No Professional Advice

The Service may generate responses using artificial intelligence based on your configuration and the User Content you provide. HEA World does not guarantee the accuracy, completeness, legality, or appropriateness of any HEA Outputs. You remain solely responsible for reviewing HEA Outputs and determining their suitability.

HEA Outputs are not intended to constitute legal, financial, medical, or other professional advice. You agree not to rely on HEA Outputs as a substitute for professional judgment.

2b. AI and model providers

HEA World uses third-party AI model providers (including OpenAI and others listed in our Sub-processors page) to generate responses. Conversation content and resource context needed for inference are sent to those providers for the duration of the request. We do not intentionally opt customer content into provider model training through our API usage; provider retention and safety policies may still apply and are documented per provider. HEA World does not use your HEA Outputs to train models for other customers, except as strictly necessary to deliver the Service or comply with legal obligations.

3. Purposes and Legal Bases

We process data for the following purposes:

4. Processors and Sub-processors

We use trusted third-party providers for authentication, billing, hosting, and analytics, including identity platforms, Stripe for payments, and cloud infrastructure. These providers act as processors and are bound by written data-processing agreements. Our Data Processing Agreement describes how we process personal data on behalf of our customers. A current list of sub-processors is maintained at Sub-processors.

5. Data Storage and Retention

Core customer content and operational logs are stored in Cloudflare R2 (EU — Western Europe). Session and application state may be stored in Upstash (EU — Frankfurt). Operational and usage logs are generally retained for up to 12 months for reliability, diagnostics, and abuse detection unless a longer period is required by law or your configuration.

Conversation, CRM, and connector data processed on your behalf as processor are retained according to your HEA configuration, the DPA, and applicable law. Billing and accounting records may be retained longer where required by law.

6. International Transfers

Where data is transferred outside the European Economic Area, we rely on appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms, as required by law.

7. Your Rights

7.1 If you are a HEA World customer

You may have the right to:

To exercise these rights regarding your account or billing data, contact privacy@hea-world.com. We will respond within applicable GDPR timelines. You may also use our data deletion request form.

7.2 If you interacted with an HEA on someone else’s website

The website owner or organization that deployed the HEA is usually the data controller for visitor data. Please contact them first to access, correct, or delete your data. HEA World will assist the controller as described in our DPA. You may also contact privacy@hea-world.com and we will forward your request to the relevant customer where possible.

8. Cookies and Analytics

We use essential cookies and first-party storage for site functionality. Analytics tags (such as Google Tag Manager) are loaded only where legally permitted, managed through our Cookiebot consent banner. You can manage preferences via the banner or our Cookie Policy. Blocking non-essential cookies may limit some features.

9. Security

We apply technical and organizational measures to protect personal data against unauthorized access, loss, or misuse. No system is perfectly secure, but we implement appropriate safeguards based on the nature of the data and associated risks.

10. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in the Service or in applicable law. If changes are material, we will notify you via email or in-product notice.

11. Contact

If you have any questions about this Privacy Policy or how we process personal data, please contact us at:
privacy@hea-world.com

12. Language Versions

This Privacy Policy may be provided in English, French, and Dutch. If there is any conflict between translations, the English version prevails.

Related documents:
→ Data Processing Agreement
→ Sub-processors

Other languages:
→ Version Française
→ Nederlandse Versie