Terms of Service

Heartwork B.V.

Effective date: March 2026

1. Introduction

Welcome to Heartwork. These Terms of Service (“Terms”) govern your access to and use of the Heartwork platform (the “Service”), operated by Heartwork B.V., a company registered under Dutch law (KvK: 99973790), with its registered address at Everard Meysterweg 29, 3817 HA Amersfoort, The Netherlands (“Heartwork”, “we”, “us”, or “our”).

By creating an account or using the Service, you agree to be bound by these Terms. If you are accepting these Terms on behalf of a company or other legal entity, you represent that you have the authority to bind that entity. If you do not agree to these Terms, you may not use the Service.

The Service is designed for businesses with up to 50 employees. Heartwork is an HR information system (HRIS) and applicant tracking system (ATS) that enables you to manage employee records, contracts, time-off, performance reviews, employee surveys, recruitment, organisational charts, and related company information.

2. Definitions

“Account” means the user account you create to access the Service.

“Customer” means the legal entity (company or organisation) on whose behalf an Account is created and the Service is used.

“Customer Data” means all data, content, and information uploaded, submitted, or generated by you or your Authorised Users through the Service, including but not limited to employee records, documents, and communications.

“Authorised User” means any individual who is granted access to the Service under your Account, including team members you invite.

“AI Features” means any features of the Service that use artificial intelligence or third-party AI services to process or generate content.

3. Account Registration

To use the Service, you must create an Account by providing your first name, last name, work email address, a password, your job title, company name, and optionally, your company website. You are responsible for maintaining the confidentiality of your login credentials and for all activities that occur under your Account.

You must provide accurate and complete information during registration and keep this information up to date. You must be at least 18 years of age to use the Service. You may invite team members to your Account, and you are responsible for ensuring that all Authorised Users comply with these Terms.

You must notify us immediately at support@heartwork.co if you become aware of any unauthorised use of your Account.

4. Free Trial

New Customers receive a 14-day free trial of the Service with full access to all features. No payment information is required to start a free trial. At the end of the trial period, you must subscribe to a paid plan to continue using the Service, unless you qualify for our non-profit programme (see Section 6).

We reserve the right to modify or discontinue the free trial at any time.

5. Pricing and Payment

5.1 Pricing

The Service is priced as follows:

  • HRIS: €1 per employee per month.
  • Recruitment: €1 per active vacancy per day.

A vacancy is considered active on any calendar day where it exists and is published. Pausing a vacancy stops the day count. Days are counted in the Customer’s local timezone. Partial days count as full days. There are no minimum fees and no annual commitments.

5.2 Billing

Billing is monthly in arrears. Usage is calculated at the end of each calendar month. An invoice is generated on the 1st of the following month. Payment is due within 14 days of the invoice date.

Accepted payment methods include iDEAL, credit card, and SEPA direct debit. Payments are processed by our payment provider, Mollie B.V.

5.3 Late Payment

If payment is not received within 14 days of the invoice date, we may send a payment reminder. If payment remains outstanding for more than 30 days, we may suspend access to the Service until the outstanding amount is settled. We reserve the right to charge statutory interest on overdue amounts in accordance with Dutch law.

5.4 Price Changes

We may adjust our pricing from time to time. We will notify you of any price changes at least 30 days in advance via email. If you do not agree with a price change, you may cancel your subscription before the new pricing takes effect.

6. Mission-Driven Non-Profit Programme

Mission-driven non-profit organisations may use the Service entirely free of charge, with no limitations on features, employees, or vacancies. To qualify, your organisation must exist primarily to serve a charitable, social, educational, humanitarian, or community-benefit purpose - not to serve the commercial or professional interests of its members. You must be registered as an ANBI (Algemeen Nut Beogende Instelling) in The Netherlands, or hold equivalent charitable status in another country within the European Economic Area or the United Kingdom. Trade associations, political parties, professional bodies, and sports clubs do not qualify, even if they hold non-profit legal status.

Eligibility is based on self-declaration with verification. We reserve the right to request proof of non-profit status and to revoke free access if the eligibility criteria are no longer met. We determine eligibility at our sole discretion and may request documentation demonstrating your organisation’s mission and activities.

7. Cancellation and Refunds

You may cancel your subscription at any time. Cancellation takes effect at the end of the current calendar month. You will retain full access to the Service until that date. A final invoice will be generated for your usage up to and including the cancellation date, in accordance with our standard billing cycle (see Section 5).

Refunds and invoice corrections are handled on a case-by-case basis at our discretion. If you believe an invoice is incorrect or wish to discuss a billing matter, please contact us at support@heartwork.co.

Upon cancellation, you may export your data at any time before your access ends (see Section 12).

8. Acceptable Use

You agree to use the Service only for lawful purposes and in accordance with these Terms. You shall not:

  • Use the Service in violation of any applicable law or regulation.
  • Upload, store, or transmit any content that is unlawful, harmful, threatening, abusive, defamatory, or otherwise objectionable.
  • Attempt to gain unauthorised access to the Service, other user accounts, or any related systems or networks.
  • Interfere with or disrupt the integrity or performance of the Service.
  • Reverse engineer, decompile, or disassemble any part of the Service.
  • Use the Service to store or process data that you are not legally authorised to handle.
  • Misrepresent your identity or your organisation’s eligibility for the mission-driven non-profit programme.
  • Resell, sublicense, or make the Service available to third parties without our prior written consent.

We reserve the right to suspend or terminate your Account if we reasonably believe you are in violation of this section.

9. Intellectual Property

9.1 Our Intellectual Property

The Service, including all software, designs, text, graphics, and other materials, is owned by Heartwork B.V. and is protected by intellectual property laws. These Terms do not grant you any rights to our intellectual property except the limited right to use the Service in accordance with these Terms.

9.2 Your Data

You retain all ownership rights to your Customer Data. By using the Service, you grant us a limited, non-exclusive licence to host, store, and process your Customer Data solely for the purpose of providing and maintaining the Service. We will not use your Customer Data for any other purpose, including the training of artificial intelligence models.

10. AI Features

The Service may include features that use artificial intelligence, including third-party AI services. When AI Features are used, some of your data may be sent to third-party AI providers for processing. AI Features are never activated automatically and each use requires your explicit consent.

While we take care to select reputable AI providers, we do not guarantee the accuracy, completeness, or reliability of AI-generated content. You are responsible for reviewing and verifying any output produced by AI Features before acting on it.

We will clearly indicate in the Service when a feature uses AI, and our Privacy Policy provides additional details on how data is handled in connection with AI Features.

11. Data Protection

The nature of the Service means you may process personal data of your employees and job applicants through the platform. In this context:

  • You (the Customer) act as the data controller with respect to the personal data of your employees and applicants.
  • Heartwork acts as a data processor, processing data on your behalf and in accordance with your instructions.

We process personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection legislation. Our Privacy Policy, available at heartwork.co/privacy, describes in detail what data we collect, how we use it, and what rights individuals have.

Given that the Service handles HR data — which may include health-related information (such as sick leave records), salary information, and personal identification details — both you and Heartwork must treat this data with appropriate care. You are responsible for ensuring that you have a lawful basis for processing the personal data you upload to the Service, and for informing your employees about how their data is handled.

The Data Processing Addendum (DPA), which forms an integral part of these Terms, governs the processing of personal data by Heartwork on behalf of the Customer. See the Data Processing Addendum below.

12. Data Export and Portability

You may export your Customer Data at any time in standard formats (CSV and JSON) at no additional cost. There are no export fees, artificial delays, or restrictions on data portability.

Heartwork is intentionally built for small teams. If your organisation grows beyond what Heartwork is designed for, we are happy to help you transition to a more suitable platform and can assist with a smooth migration.

13. Service Availability

We strive to keep the Service available and operational at all times, but we do not guarantee uninterrupted or error-free access. The Service is provided on an “as available” basis. We do not offer formal Service Level Agreements (SLAs) or uptime guarantees.

We may occasionally need to interrupt the Service for maintenance, updates, or security patches. Where reasonably possible, we will provide advance notice of planned downtime.

14. Support

Support is provided via email at support@heartwork.co. We aim to respond to enquiries within 24–48 hours on business days. We do not offer phone support or dedicated account management. Self-service documentation is available within the application and on our website.

15. Limitation of Liability

To the maximum extent permitted by applicable law:

  • The Service is provided “as is” and “as available” without warranties of any kind, whether express or implied, including but not limited to implied warranties of merchantability, fitness for a particular purpose, and non-infringement.
  • Heartwork shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of profits, data, business opportunities, or goodwill.
  • Heartwork’s total aggregate liability arising out of or in connection with these Terms or the Service shall not exceed the total amount paid by you to Heartwork in the 12 months preceding the event giving rise to the claim.
  • Heartwork shall not be liable for any loss or damage resulting from your reliance on AI-generated content.

Nothing in these Terms excludes or limits liability for fraud, wilful misconduct, or any liability that cannot be excluded under applicable law.

16. Indemnification

You agree to indemnify, defend, and hold harmless Heartwork, its directors, employees, and agents from and against any claims, liabilities, damages, losses, and expenses (including reasonable legal fees) arising out of or in any way connected with:

  • Your use of the Service.
  • Your violation of these Terms.
  • Your violation of any applicable law or regulation.
  • Your processing of personal data through the Service.

17. Term and Termination

These Terms remain in effect for as long as you have an active Account. Either party may terminate the agreement:

  • You may terminate by cancelling your subscription and deleting your Account.
  • We may terminate or suspend your Account if you breach these Terms, fail to pay outstanding invoices after reasonable notice, or if we discontinue the Service.

Upon termination, your right to use the Service ceases immediately. You will have 30 days after termination to export your Customer Data, unless your Account was terminated due to a breach of these Terms, in which case we may delete your data immediately. After this period, we will delete your data in accordance with our data retention policies and applicable law.

18. Changes to These Terms

We may update these Terms from time to time. If we make material changes, we will notify you at least 30 days in advance via email or through a prominent notice in the Service. Your continued use of the Service after the effective date of the revised Terms constitutes acceptance of the changes.

If you do not agree with the revised Terms, you must stop using the Service and cancel your subscription before the changes take effect.

19. Governing Law and Disputes

These Terms are governed by and construed in accordance with the laws of The Netherlands.

Any disputes arising out of or in connection with these Terms shall be submitted to the exclusive jurisdiction of the competent courts in Amsterdam, The Netherlands.

Before initiating legal proceedings, both parties agree to attempt to resolve any dispute in good faith through direct communication.

20. Miscellaneous

Entire Agreement. These Terms, together with the Data Processing Addendum and the Privacy Policy, constitute the entire agreement between you and Heartwork with respect to the Service.

Severability. If any provision of these Terms is found to be unenforceable, the remaining provisions shall continue in full force and effect.

Waiver. Our failure to enforce any provision of these Terms shall not constitute a waiver of that provision.

Assignment. You may not assign your rights or obligations under these Terms without our prior written consent. We may assign our rights and obligations to a successor in the event of a merger, acquisition, or sale of all or substantially all of our assets.

Force Majeure. Heartwork shall not be liable for any failure or delay in performing its obligations under these Terms due to circumstances beyond its reasonable control, including but not limited to natural disasters, pandemics, government actions, or internet service disruptions.

21. Contact

If you have any questions about these Terms, please contact us:

Heartwork B.V.
Everard Meysterweg 29
3817 HA Amersfoort
The Netherlands

Email: support@heartwork.co
Website: www.heartwork.co

Data Processing Addendum

This Data Processing Addendum (“DPA”) governs the processing of personal data by Heartwork on behalf of the Customer. This DPA is an integral part of the Terms of Service (“Terms”) and, together with the Terms and the Privacy Policy, forms the complete Agreement between the parties. By using the Service, the Customer accepts this DPA. In the event of a conflict between this DPA and the Terms, this DPA shall prevail with respect to the processing of personal data.

DPA 1. Definitions

Terms used in this DPA that are defined in the Terms of Service have the same meaning here. In addition, terms such as “processing”, “personal data”, “data subject”, “personal data breach”, “controller”, “processor” and “sub-processor” shall have the meaning ascribed to them in the General Data Protection Regulation (Regulation (EU) 2016/679 — “GDPR”).

“Relevant Legislation” means the GDPR and all other applicable data protection laws and regulations, including the Dutch GDPR Implementation Act (Uitvoeringswet AVG, “UAVG”).

DPA 2. Roles of the Parties

In the context of the Service, the Customer acts as the controller and Heartwork acts as the processor within the meaning of the GDPR. Heartwork shall only process personal data on behalf of the Customer and in accordance with the Customer’s documented instructions, as described in this DPA, the Terms, and through the Customer’s configuration and use of the Service.

DPA 3. Scope and Subject Matter

This DPA applies to the processing of personal data by Heartwork on behalf of the Customer in the course of providing the Service. Which personal data is processed depends on which features the Customer uses and how the Customer configures the Service.

DPA 3.1 HRIS

Nature and purpose of processing: Heartwork provides a standardised software platform for managing employee information, contracts, time-off, performance reviews, employee surveys, organisational charts, and related HR data. The Customer determines how the platform is used, which features are enabled, and how settings are configured.

Categories of data subjects:

  • Employees: persons who are employed by or otherwise work for the Customer, in any capacity.
  • Users: persons who have a user account in the Service, typically employees, managers, or administrators of the Customer.

Types of personal data processed: The personal data that may be processed depends on how the Customer uses the Service and may include: name, date of birth, gender identity, nationality, contact information, address, employee photo, job title, team and manager assignments, employment contract details (including salary, working hours, and probation periods), time-off records (including type of leave), performance review data (including self-assessments, peer feedback, and ratings), survey responses, and documents uploaded by the Customer.

DPA 3.2 Recruitment (ATS)

Nature and purpose of processing: Heartwork provides recruitment functionality to manage job vacancies, candidate applications, and the hiring pipeline. The Customer determines which data is collected from applicants and how the recruitment process is configured.

Categories of data subjects:

  • Applicants: persons who apply for a position with the Customer, or persons whom the Customer sources or approaches for employment.
  • Users: persons involved in the recruitment process on behalf of the Customer.

Types of personal data processed: The personal data that may be processed depends on how the Customer configures the application process and may include: name, contact information, CV or resume, cover letter, application answers, interview notes, assessments by the hiring team, pipeline status, and communication between the hiring team and the applicant.

DPA 3.3 Special Categories of Data

The Customer or its users may submit data through the Service that qualifies as special category data under Article 9 of the GDPR, such as health-related information (e.g. sick leave records). It is the exclusive responsibility of the Customer to ensure that the processing of any special category data is compliant with the Relevant Legislation, including having a valid legal basis and providing appropriate safeguards.

DPA 3.4 Duration

This DPA shall remain in effect for as long as Heartwork processes personal data on behalf of the Customer. Upon termination of the Agreement, Heartwork shall handle personal data in accordance with Section DPA 12 of this DPA.

DPA 4. Obligations of the Customer

The Customer warrants that:

  • All instructions given to Heartwork regarding the processing of personal data are and shall remain compliant with the Relevant Legislation.
  • The Customer has a lawful basis for the processing of all personal data uploaded to or managed through the Service.
  • Data subjects (employees, applicants, and others) have been adequately informed about the processing of their personal data, including the involvement of Heartwork as a processor.
  • The Customer shall implement and maintain appropriate data retention practices using the available functionality of the Service, and is solely responsible for deleting personal data that is no longer necessary.

DPA 5. Obligations of Heartwork

Heartwork shall:

  • Process personal data only in accordance with the Customer’s documented instructions as set out in this DPA and the Terms, or as required by applicable law. If Heartwork is required by law to process personal data for another purpose, Heartwork shall inform the Customer of this requirement prior to processing, unless the law prohibits such notification.
  • Not process personal data for any purpose other than providing and maintaining the Service, unless explicitly instructed by the Customer.
  • Not use personal data for the training of artificial intelligence models.
  • Inform the Customer without undue delay if, in Heartwork’s opinion, an instruction from the Customer infringes the GDPR or other applicable data protection law.

DPA 6. Confidentiality

Heartwork shall treat all personal data processed on behalf of the Customer as confidential. Heartwork shall ensure that access to personal data is limited to those persons who require access to it for the purpose of providing the Service, and that all such persons are bound by appropriate confidentiality obligations, whether contractual or statutory.

DPA 7. Security Measures

Heartwork shall implement and maintain appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage, in accordance with Article 32 of the GDPR. These measures include, but are not limited to:

  • Encryption of personal data in transit (TLS) and at rest.
  • Two-factor authentication for user accounts.
  • Role-based access controls within the application.
  • Regular security updates and dependency management.
  • Secure password storage using industry-standard hashing algorithms.
  • Regular testing and evaluation of the effectiveness of these measures.

Heartwork may update its security measures from time to time, provided that the overall level of protection is not materially reduced.

DPA 8. Sub-Processors

The Customer grants Heartwork general written authorisation to engage sub-processors for the processing of personal data, provided that:

  • Heartwork maintains an up-to-date list of sub-processors at heartwork.co/sub-processors.
  • Heartwork notifies the Customer of any intended changes to the list of sub-processors (additions or replacements) at least 14 days before the new sub-processor begins processing personal data, by email to the Customer’s registered contact address.
  • The Customer may object to a new sub-processor within 14 days of receiving such notification. If the Customer objects on reasonable grounds related to data protection, the parties shall discuss the matter in good faith. If no resolution is reached, the Customer may terminate the Agreement.
  • Heartwork imposes on each sub-processor, by way of a written agreement, data protection obligations that are no less protective than those set out in this DPA.
  • Heartwork remains fully liable for the acts and omissions of its sub-processors as if they were its own.

DPA 9. International Data Transfers

Heartwork shall process personal data within the European Economic Area (EEA). If a transfer of personal data to a country outside the EEA is necessary (for example, through a sub-processor or an AI service provider), Heartwork shall ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or an adequacy decision by the European Commission.

DPA 10. Data Subject Rights

Heartwork shall assist the Customer in fulfilling its obligations to respond to requests from data subjects exercising their rights under the GDPR (including the right of access, rectification, erasure, restriction, portability, and objection). If Heartwork receives a request from a data subject directly, Heartwork shall promptly redirect the data subject to the Customer, unless otherwise instructed by the Customer.

To the extent that the Customer cannot address a data subject request independently through the functionality of the Service, Heartwork shall provide reasonable assistance upon the Customer’s request.

DPA 11. Personal Data Breach

Heartwork shall notify the Customer without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting the Customer’s personal data. The notification shall include, to the extent available:

  • A description of the nature of the breach, including the categories and approximate number of data subjects and records affected.
  • The likely consequences of the breach.
  • A description of the measures taken or proposed to be taken to address the breach and mitigate its effects.
  • The contact point at Heartwork for further information.

Heartwork shall cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach. The obligation to report a breach shall not be interpreted as an acknowledgement of liability.

DPA 12. Data Retention and Deletion

Upon termination of the Agreement, the Customer shall have 30 days to export its data through the data export functionality of the Service (see Section 12 of the Terms). After this period, Heartwork shall delete all personal data processed on behalf of the Customer, unless Heartwork is required by applicable law to retain certain data, in which case Heartwork shall inform the Customer of the retention requirement and limit any further processing to what is strictly necessary under the applicable legal obligation.

Backups containing personal data will be overwritten within 7 days.

DPA 13. Audits

Heartwork shall make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and in Article 28 of the GDPR. Heartwork shall allow for and contribute to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer, subject to the following conditions:

  • The Customer shall provide at least 30 days’ written notice of an audit request.
  • Audits shall be conducted during business hours and shall not unreasonably disrupt Heartwork’s operations.
  • The Customer shall bear its own costs for conducting the audit. If the audit requires significant involvement from Heartwork beyond providing standard documentation and access, the parties shall agree in advance on reasonable compensation for Heartwork’s time and resources.
  • Audit findings and any information obtained shall be treated as confidential by the Customer and the auditor.
  • Audits shall be limited to once per calendar year, unless a personal data breach has occurred or a supervisory authority requires additional audits.

DPA 14. Assistance with Compliance

Taking into account the nature of the processing and the information available to Heartwork, Heartwork shall assist the Customer in ensuring compliance with the Customer’s obligations under Articles 32 to 36 of the GDPR, including obligations related to security of processing, notification of personal data breaches, data protection impact assessments, and prior consultation with supervisory authorities.

DPA 15. Liability

The liability provisions set out in Section 15 (Limitation of Liability) of the Terms apply equally to this DPA. Each party shall be liable for damages caused by processing that infringes the GDPR in accordance with Article 82 of the GDPR.