Privacy Policy

Last updated: May 28, 2026

This Privacy Policy applies to individuals using the Heroify platform as Clients (companies purchasing services) and Users (recruiters, managers, account administrators).

If you are a Candidate/Participant taking part in a competency assessment, please refer to the separate Candidate/Participant Privacy Policy available at: https://heroify.co/pl/polityka-prywatnosci-kandydaci/.

1. Personal Data Controller

The controller of your personal data is Heroify sp. z o.o., with its registered office in Warsaw, ul. Padewska 23/7, 00-777 Warsaw, Poland, Tax ID (NIP): 5213930518 (hereinafter: “Heroify”, “we”).

Heroify is a data-driven competency assessment platform that enables organizations (Clients) to create, manage, and analyze assessments of candidates and employees. In relation to Clients, Heroify acts as the controller of the personal data of platform Users.

In relation to candidates of Clients, Heroify acts as a data processor processing data on behalf of the Client. This matter is governed by a separate Data Processing Agreement (DPA) available at https://heroify.co/pl/dpa and by the Candidate/Participant Privacy Policy.

For data protection matters, contact us at: gdpr@heroify.co.
Address: Heroify sp. z o.o., ul. Padewska 23/7, 00-777 Warsaw, Poland.

2. Who Does This Policy Apply To?

This Privacy Policy governs the processing of personal data of:

  • individuals representing Clients (companies and organizations using the Heroify platform),
  • platform Users, i.e., recruiters, managers, and account administrators acting on behalf of the Client,
  • individuals contacting Heroify regarding commercial or support matters,
  • visitors to heroify.co with respect to automatically collected data.

This Policy does not govern the processing of personal data of Candidates/Participants (individuals completing tests on behalf of Clients). The rules for processing Candidates’/Participants’ data are described in a separate Candidate/Participant Privacy Policy.

3. Data Processing Agreement (DPA)

Heroify processes the personal data of Candidates/Participants on behalf of and for the benefit of the Client as a processor within the meaning of Article 28 GDPR. Detailed terms of data processing are set out in the Data Processing Agreement (DPA) available at https://heroify.co/pl/dpa, which forms an integral part of the Heroify Terms and Conditions.

Clients requiring an individually negotiated DPA may contact Heroify at gdpr@heroify.co.

As part of the data processing arrangement, Heroify undertakes, among other things, to:

  • process Candidates’/Participants’ data solely in accordance with the documented instructions of the Client,
  • ensure the confidentiality of data by persons authorized to process it,
  • implement appropriate technical and organizational security measures (Article 32 GDPR),
  • inform the Client about planned changes regarding sub-processors,
  • support the Client in fulfilling the rights of data subjects,
  • provide the Client with information necessary to demonstrate compliance with Article 28 GDPR.

4. What Personal Data Do We Collect?

4.1. Data Provided Directly

  • first and last name,
  • business e-mail address,
  • phone number,
  • job title and organization name,
  • invoicing details (company name, address, tax identification number) to the extent required for contract performance and legal obligations,
  • content of correspondence with us (inquiries, requests, contact forms).

4.2. Data Collected Automatically

  • IP address and connection data,
  • browser type and version, operating system,
  • information about how the platform is used (visited pages, session duration, performed actions),
  • cookies and similar tracking technologies (details in section 10),
  • session or device identifiers used to maintain secure login and session continuity,
  • system and diagnostic logs.

4.3. Data from External Sources

We may receive contact data from publicly available business sources, such as professional profiles on platforms like LinkedIn, solely for the purpose of establishing B2B cooperation. Such data is processed on the basis of Heroify’s legitimate interest (Article 6(1)(f) GDPR), and you may request its deletion at any time.

6. Automated Decision-Making and Profiling

Heroify may carry out automated analysis of platform usage in order to personalize the interface and recommend functionalities.

Heroify does not make any automated decisions producing legal effects concerning Users or similarly significantly affecting them within the meaning of Article 22 GDPR. All decisions regarding commercial relationships are made with human involvement.

7. Who Do We Share Your Data With? Sub-processors

Heroify may disclose personal data to the following categories of recipients:

  • hosting and cloud infrastructure providers (servers located in the EEA),
  • e-mail and communication service providers,
  • analytics tool providers (e.g., Google Analytics – aggregated and pseudonymized data),
  • error monitoring and security tool providers (e.g., Sentry),
  • user behavior analytics providers (e.g., HotJar – aggregated data, text fields and personal data automatically masked),
  • payment and accounting service providers,
  • law firms and advisors – only to the extent necessary,
  • public authorities – only where required by law.

All external service providers act solely as processors and may process data only for purposes specified by us. Data processing is based on data processing agreements or other legally binding mechanisms compliant with Article 28 GDPR.

The current list of sub-processors is available upon request sent to gdpr@heroify.co. Clients are informed about material changes to this list (addition or replacement of a sub-processor) at least 14 days in advance. The Client has the right to object to the planned change within 14 days of receiving the notification.

We do not sell Users’ or Clients’ personal data to third parties.

8. Transfers of Data Outside the EEA

Personal data is stored on servers located within the European Union. Some of our service providers (e.g., Twilio, Sentry, Cloudflare) may process data outside the EEA. In each such case, we apply appropriate safeguards in accordance with Article 46 GDPR, in particular:

  • Standard Contractual Clauses (SCCs) approved by the European Commission,
  • the provider’s registration under the EU-US Data Privacy Framework (DPF),
  • other mechanisms compliant with Article 46 GDPR.

In the case of transfers outside the EEA, we also conduct a Transfer Impact Assessment in accordance with the guidelines of the European Data Protection Board. Upon request, we may provide detailed information about the safeguards applied to specific transfers.

9. How Long Do We Retain Your Data?

Data retention periods depend on the category of data and the purpose of processing:

  • Active account data: for the duration of the platform usage agreement.
  • Inactive account data: we delete inactive accounts after at least one year from the last login.
  • Billing and accounting data: for the period required by tax and accounting regulations (usually 5 years from the end of the tax year).
  • Correspondence and support data: no longer than 3 years from the last contact.
  • Data processed for security purposes: for the period necessary to investigate incidents, no longer than until the limitation period for claims expires.
  • Marketing data: until consent is withdrawn or an objection is effectively submitted.

You may request deletion of your account at any time by contacting gdpr@heroify.co. We will delete the account and related data within a period of up to 3 months unless legal regulations or unresolved claims require longer retention.

10. Cookies and Tracking Technologies

Heroify uses cookies and similar technologies for the following purposes:

  • Essential session cookies: maintaining the logged-in user session and enabling core platform functionalities. These do not require consent.
  • Performance cookies: data collected by analytics tools (e.g., Google Analytics) is aggregated and pseudonymized, preventing identification of a specific user.
  • Security cookies: protection against unauthorized access and attacks.
  • Behavioral analytics cookies: session analysis tools (e.g., HotJar) operate with data anonymization and automatic masking of text fields.

For analytics and marketing cookies, we may request your consent through a consent management mechanism (cookie banner). You may also manage preferences in your browser settings. Rejecting certain cookies may limit the platform’s functionality.

Cookies may also be placed by our technology partners: Sentry, Google, HotJar.

11. Data Security

Heroify has implemented appropriate technical and organizational security measures to protect personal data against accidental loss, destruction, unauthorized access, disclosure, or alteration. These measures include, among other things:

  • encryption of data in transit (TLS/HTTPS) and at rest,
  • role-based access control,
  • pseudonymization of data where possible without compromising functionality,
  • regular data backups and recovery procedures,
  • monitoring and logging access to personal data,
  • regular testing and evaluation of security measures,
  • security incident management procedures,
  • training of employees with access to personal data in the field of data protection.

No security measures can guarantee absolute security of internet transmissions. In the event of a personal data breach, Heroify will take actions required under GDPR and inform you about the incident within the timeframe required by law.

12. Your Rights as a Data Subject

Under GDPR, you have the following rights:

  • Right of access: to obtain confirmation and a copy of processed data (Article 15 GDPR).
  • Right to rectification: to correct inaccurate or complete incomplete data (Article 16 GDPR).
  • Right to erasure: in certain cases (Article 17 GDPR).
  • Right to restriction of processing (Article 18 GDPR).
  • Right to data portability: for data processed on the basis of a contract or consent (Article 20 GDPR).
  • Right to object: to processing based on legitimate interest, including direct marketing and profiling (Article 21 GDPR).
  • Right to withdraw consent: at any time, without affecting the lawfulness of prior processing.
  • Right to review automated decisions (Article 22 GDPR).

To exercise your rights, contact us at: gdpr@heroify.co. We will respond within 30 days (extendable up to 3 months in complex cases – we will inform you accordingly).

You also have the right to lodge a complaint with the supervisory authority, i.e., the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw, Poland, uodo.gov.pl). We encourage you to contact us first.

14. Changes to This Privacy Policy

We may update this Privacy Policy as our services evolve and legal regulations change. We will notify you in advance of material changes, for example via e-mail or a platform notification.

The date of the latest update is always indicated at the beginning of the document. Continued use of the platform after the changes take effect constitutes acceptance of the updated Policy.

15. Contact

If you have questions regarding this Privacy Policy, your personal data, or the exercise of your rights, please contact us:

E-mail: gdpr@heroify.co
Address: Heroify sp. z o.o., ul. Padewska 23/7, 00-777 Warsaw, Poland
Website: https://heroify.co