Privacy Policy
Heartwork B.V.
Effective date: March 2026
1. Who We Are
Heartwork B.V. (“Heartwork”, “we”, “us”, or “our”) is a Dutch company that provides an HR management platform (the “Service”) for small businesses. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our Service.
Heartwork B.V. is registered in The Netherlands (KvK: 99973790) with its address at Everard Meysterweg 29, 3817 HA Amersfoort, The Netherlands. For privacy-related enquiries, you can reach us at privacy@heartwork.co.
2. Roles and Responsibilities Under GDPR
Our Service processes two categories of personal data, and the applicable GDPR role depends on the category:
Account and usage data: Heartwork is the data controller. This includes the data you provide when creating your account and the data we collect about how you use the Service.
Employee and applicant data: You (the Customer) are the data controller, and Heartwork is the data processor. This includes all personal data about your employees and job applicants that you upload to or manage through the Service.
As a data processor, we process employee and applicant data solely on your instructions and for the purpose of providing the Service. The processing of personal data by Heartwork on behalf of the Customer is governed by the Data Processing Addendum (DPA), which forms an integral part of our Terms of Service.
3. What Data We Collect
3.1 Account Data
When you create an account, we collect: first name, last name, work email address, password (stored in hashed form), job title, company name, and optionally, company website.
3.2 Employee and Applicant Data (Customer Data)
Through your use of the Service, you may upload and manage personal data about your employees and job applicants. This may include, depending on how you use the Service:
- Personal details: name, preferred name, pronouns, date of birth, gender identity, nationality, contact information, address, identification number, emergency contact information.
- Employment information: job title, contract details, salary, bank account number, working hours, start and end dates, team assignments, manager relationships.
- Time-off records: leave requests, balances, and types of leave (including sick leave, which may constitute health-related data under GDPR).
- Performance data: review cycles, peer feedback, self-assessments, ratings.
- Survey responses: answers to employee surveys (which may be anonymous).
- Recruitment data: applicant profiles, application materials, pipeline status, interview notes.
- Photos: employee profile photos.
- Documents: employment contracts, certificates, and other files you choose to upload.
- Audit trail: a log of changes made to records within the Service, including what was changed and by whom.
Important: Some of this data — particularly sick leave records and certain personal details — may qualify as special category data under Article 9 of the GDPR. As the data controller, you are responsible for ensuring you have a lawful basis for processing this data and for informing your employees accordingly.
3.3 Usage Data
We collect data about how you use the Service for the purpose of analysing and improving it. We use Plausible Analytics, a cookieless analytics service that does not collect personal data, and we analyse aggregated feature usage within our own systems. We do not use usage data to build individual profiles or for advertising purposes.
3.4 Cookies
We use essential cookies only. These are strictly necessary for the functioning of the Service (such as maintaining your login session and security tokens). We do not use analytics cookies, marketing cookies, or tracking cookies.
Our live chat tool (Crisp) sets its own functional cookies (prefixed crisp-client/) to maintain your chat session across pages. These cookies are not used for tracking and have a maximum lifetime of 6 months. Because all cookies we use are strictly necessary for the Service, no cookie consent banner is required under EU law.
4. How We Use Your Data
We use personal data for the following purposes:
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Providing the Service | Account data, Customer Data | Performance of contract (Art. 6(1)(b)) |
| Billing and invoicing | Account data, usage metrics | Performance of contract (Art. 6(1)(b)) |
| Service improvement and analytics | Usage data (aggregated) | Legitimate interest (Art. 6(1)(f)) |
| Security and fraud prevention | Account data, IP addresses, logs | Legitimate interest (Art. 6(1)(f)) |
| Transactional communications | Email address | Performance of contract (Art. 6(1)(b)) |
| AI Features (when enabled) | Data you choose to process via AI | Consent (Art. 6(1)(a)) |
| Legal compliance | As required | Legal obligation (Art. 6(1)(c)) |
We do not use your data for: training AI models, advertising, profiling, automated decision-making, or selling to third parties.
5. AI Features and AI Services
The Service may include features powered by artificial intelligence. When you choose to use AI Features:
- AI Features are never activated automatically. Each use requires your explicit action.
- Your data may be sent to AI service providers for processing.
- We will clearly identify which features use AI within the Service.
- Our AI service providers have committed to not collecting, reading, or reusing the content of your inputs or outputs.
We select AI providers that offer appropriate data protection guarantees. Details of specific AI providers used will be maintained in our sub-processor list (see Section 6).
6. Data Sharing and Sub-Processors
We do not sell your data to anyone. We share personal data only with the following categories of service providers, who act as sub-processors:
- Hosting and infrastructure: Scaleway SAS (France) for storing and serving the application and your data. All data remains within the EU.
- Payment processing: Mollie B.V. (Netherlands) processes payments on our behalf.
- Email services: Scaleway SAS (France) for sending transactional emails such as invitations, notifications, and password resets.
- AI service providers: Scaleway SAS (France) for AI-powered features, only when you have enabled and consented to AI Features.
- Customer support: Crisp SAS (France) for live chat support. Your name, email address, IP address, and chat messages are processed by Crisp.
All sub-processors are bound by data processing agreements that require them to protect your data in accordance with GDPR. We will maintain an up-to-date list of sub-processors on our website at heartwork.co/sub-processors.
We may also disclose personal data if required by law, regulation, legal process, or governmental request.
7. International Data Transfers
Your data stays within the European Union. Our hosting, email, AI, and primary service providers are all based in the EU. In the unlikely event that a future sub-processor requires data to be transferred outside the EEA, we will ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission or an adequacy decision.
8. Data Retention
We retain personal data only for as long as necessary for the purposes described in this Privacy Policy:
- Account data: retained for the duration of your active account, and deleted within 30 days of account termination.
- Customer Data (employee and applicant data): retained for the duration of your subscription. Upon cancellation, you have 30 days to export your data, after which it will be deleted.
- Usage data: derived from application data and analytics without personal identifiers; it follows the retention periods of account and customer data described above.
- Invoicing and billing records: retained for 7 years as required by Dutch tax law.
When data is deleted, it is permanently removed from our active systems. Backups containing deleted data are overwritten within 7 days.
9. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption of data in transit (TLS) and at rest.
- Two-factor authentication for user accounts.
- Role-based access controls within the application.
- Regular security updates and dependency management.
- Secure password storage using industry-standard hashing.
While we take data security seriously, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, but we are committed to following industry best practices.
10. Your Rights
10.1 If You Are an Account Holder (Customer)
Under the GDPR, you have the following rights with respect to your account data:
- Right of access: request a copy of the personal data we hold about you.
- Right to rectification: request correction of inaccurate data.
- Right to erasure: request deletion of your data (subject to legal retention requirements).
- Right to restriction: request that we restrict processing of your data.
- Right to data portability: receive your data in a structured, machine-readable format.
- Right to object: object to processing based on legitimate interest.
- Right to withdraw consent: where processing is based on consent (such as AI Features), withdraw consent at any time.
To exercise any of these rights, contact us at privacy@heartwork.co. We will respond within 30 days.
10.2 If You Are an Employee or Applicant
If your employer or a company you have applied to uses Heartwork, and you wish to exercise your GDPR rights (access, rectification, erasure, etc.), you should first contact your employer or the relevant company directly, as they are the data controller for your personal data.
If you are unable to resolve your request with the relevant company, you may contact us at privacy@heartwork.co and we will assist where we are able to do so.
11. Data Breach Notification
In the event of a personal data breach, we will:
- Notify the relevant supervisory authority (the Dutch Data Protection Authority, Autoriteit Persoonsgegevens) within 72 hours of becoming aware of the breach, where required by law.
- Notify affected Customers without undue delay so that they can, in turn, inform their employees and applicants if necessary.
- Document the breach, its effects, and the remedial actions taken.
12. Children
The Service is not intended for use by individuals under the age of 18 as account holders. We do not knowingly allow anyone under 18 to create an account. The Service may, however, store personal data about employees under 18 (such as interns or apprentices) as entered by their employer in the normal course of using the Service.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you at least 30 days in advance via email. The date at the top of this document indicates when the Privacy Policy was last updated.
14. Complaints
If you have a concern about how we handle your data, please contact us first at privacy@heartwork.co. We will do our best to resolve your concern.
If you are not satisfied with our response, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl, or with the supervisory authority in your country of residence.
15. Contact
For any questions or requests regarding this Privacy Policy or your personal data:
Heartwork B.V.
Everard Meysterweg 29
3817 HA Amersfoort
The Netherlands
Privacy enquiries: privacy@heartwork.co
General support: support@heartwork.co
Website: www.heartwork.co