PRIVACY POLICY
Date of last update: March 5, 2026
This Privacy Policy applies to people using the Heroify platform as Clients (companies purchasing services) and Users (recruiters, managers, account administrators).
If you are a Candidate participating in a competency assessment, please refer to the separate Candidate Privacy Policy available at heroify.co.
1. Personal data controller
Your personal data controller is Heroify sp. z o.o., with its registered office in Warsaw, ul. Padewska 23/7, 00-777 Warsaw, NIP: 5213930518 (hereinafter: Heroify, we).
Heroify is a data-driven competency testing platform that enables organizations (Clients) to create, manage, and analyze competency assessments of candidates and employees. In relation to Clients, Heroify acts as the controller of platform Users' personal data. In relation to Clients' candidates, Heroify acts as a processor on behalf of the Client. This is governed by a separate Data Processing Agreement and the Candidate Privacy Policy.
Contact for data protection matters: gdpr@heroify.co.
Address: Heroify sp. z o.o., ul. Padewska 23/7, 00-777 Warsaw.
2. Who does this Policy apply to?
This Privacy Policy governs the processing of personal data of:
- persons representing Clients (companies and organizations using the Heroify platform),
- platform Users, i.e. recruiters, managers, and account administrators acting on behalf of a Client,
- persons contacting Heroify regarding commercial matters or support,
- visitors to heroify.co with respect to automatically collected data.
This Policy does not govern the processing of Candidates' personal data (people completing tests on Clients' behalf). The rules for processing Candidates' data are described in a separate Candidate Privacy Policy.
3. Data Processing Agreement (DPA)
Heroify processes Candidates' personal data on behalf of and for the Client as a processor within the meaning of Article 28 GDPR. Detailed data processing terms are defined in the Data Processing Agreement (DPA), which forms an integral part of the Heroify Terms or a separate document agreed individually with the Client.
Under this engagement, Heroify undertakes to:
- process Candidates' data only in accordance with the Client's documented instructions,
- ensure that persons authorized to process the data are bound by a confidentiality obligation,
- implement appropriate technical and organizational security measures (Article 32 GDPR),
- inform the Client of planned changes concerning processors (sub-processors),
- support the Client in fulfilling data subject rights,
- make available to the Client the information required to demonstrate compliance with Article 28 GDPR.
Clients requiring an individually signed DPA may contact us at gdpr@heroify.co.
4. What personal data do we collect?
4.1. Data provided directly
- first and last name,
- business email address,
- phone number,
- job title and organization name,
- invoice details (company, address, tax ID) to the extent required for contract performance and legal obligations,
- the content of correspondence with us (inquiries, requests, contact forms).
4.2. Data collected automatically
- IP address and connection data,
- browser type and version, operating system,
- data on how the platform is used (visited pages, session duration, performed actions),
- cookies and similar tracking technologies (details in section 10),
- session or device identifiers used to maintain secure login and session continuity,
- system and diagnostic logs.
4.3. Data from external sources
We may receive contact data from publicly available business sources, such as professional profiles on services like LinkedIn, solely for the purpose of initiating B2B cooperation. We process such data based on Heroify's legitimate interest (Article 6(1)(f) GDPR), and you may request its deletion at any time.
5. Purposes and legal bases of processing
Heroify processes only personal data necessary to achieve specific purposes, applying the data minimization principle in accordance with Article 5(1)(c) GDPR.
5.1. Entering into and performing a contract
Providing platform services, account management, payment handling, and invoicing.
Legal basis: Article 6(1)(b) GDPR.
5.2. Customer support and technical support
Responding to inquiries, resolving technical issues, ensuring service continuity.
Legal basis: Article 6(1)(b) GDPR and Article 6(1)(f) GDPR.
5.3. Compliance with legal obligations
Retention of accounting records and invoices in accordance with tax and accounting laws.
Legal basis: Article 6(1)(c) GDPR.
5.4. Platform security and abuse prevention
Monitoring system security, detecting unauthorized access, protecting Clients' and Candidates' data.
Legal basis: Article 6(1)(f) GDPR.
5.5. Service analysis and improvement
Analyzing platform use, developing new features, improving service quality.
Legal basis: Article 6(1)(f) GDPR.
5.6. Direct marketing
- Newsletter and communication to new contacts: only on the basis of consent (Article 6(1)(a) GDPR). You can withdraw consent at any time by clicking the unsubscribe link or writing to gdpr@heroify.co.
- Information about updates and similar services directed to current Clients: based on Heroify's legitimate interest (Article 6(1)(f) GDPR). You may object at any time.
5.7. Establishing and defending legal claims
Retention of data necessary to pursue or defend against legal claims.
Legal basis: Article 6(1)(f) GDPR.
6. Automated decision-making and profiling
Heroify may carry out automated analysis of how the platform is used in order to personalize the interface and recommend features.
Heroify does not make any automated decisions producing legal effects concerning Users or similarly significantly affecting them within the meaning of Article 22 GDPR. All decisions concerning commercial relationships are made with human involvement.
8. Transfers of data outside the EEA
Personal data is stored on servers located in the European Union. Some of our tool providers (e.g. Google, Sentry) may process data outside the EEA. In each such case, we apply appropriate safeguards in accordance with Article 46 GDPR, in particular Standard Contractual Clauses (SCCs) approved by the European Commission. For transfers outside the EEA, we also perform a Transfer Impact Assessment in line with European Data Protection Board guidelines. Upon request, we can provide detailed information on safeguards used for specific transfers.
9. How long do we retain your data?
Data retention periods depend on the data category and purpose of processing:
- Active account data: for the entire duration of the platform use agreement.
- Inactive account data: we delete inactive accounts after at least one year from the last login.
- Invoicing and settlement data: for the period required by tax and accounting regulations (usually 5 years from the end of the tax year).
- Correspondence and support data: no longer than 3 years from the last contact.
- Data processed for security purposes: for the period necessary to investigate incidents, no longer than until expiry of the limitation period for claims.
- Marketing data: until consent is withdrawn or an objection is effectively submitted.
You may request account deletion at any time by writing to gdpr@heroify.co. We will delete the account and its data within 3 months, unless legal obligations or unresolved claims require longer retention.
11. Data security
Heroify has implemented appropriate technical and organizational security measures to protect personal data against accidental loss, destruction, unauthorized access, disclosure, or alteration. These include, among others:
- encryption of data in transit (TLS/HTTPS),
- role-based access control,
- regular data backups,
- regular infrastructure security testing,
- monitoring of security incidents.
No safeguards guarantee absolute security of internet transmission. In the event of a personal data breach, Heroify will take actions required under GDPR and notify you of the incident within the legally required timeframe.
12. Your rights as a data subject
Under GDPR, you have the following rights:
- Right of access: to obtain confirmation and a copy of processed data (Article 15 GDPR).
- Right to rectification: to correct inaccurate data or complete incomplete data (Article 16 GDPR).
- Right to erasure: in specified cases (Article 17 GDPR).
- Right to restriction of processing (Article 18 GDPR).
- Right to data portability: for data processed on the basis of a contract or consent (Article 20 GDPR).
- Right to object: to processing based on legitimate interests, including direct marketing and profiling (Article 21 GDPR).
- Right to withdraw consent: at any time, without affecting the lawfulness of processing carried out before withdrawal.
- Right to review automated decisions (Article 22 GDPR).
To exercise your rights, contact us at: gdpr@heroify.co. We will respond within 30 days (this may be extended up to 3 months in complex cases — we will inform you accordingly).
You also have the right to lodge a complaint with the supervisory authority, i.e. the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl). We encourage you to contact us first.
13. Links to third-party websites and services
Our website and platform may contain links to third-party websites. Heroify is not responsible for the privacy practices of those websites. We encourage you to review the privacy policy of each external website you visit.
14. Changes to this Privacy Policy
We may update this Privacy Policy as our services evolve and legal requirements change. We will notify you in advance of material changes, for example by email or by notice within the platform.
The date of the last update is always indicated at the beginning of this document. Continued use of the platform after changes take effect means acceptance of the updated Policy.
15. Contact
If you have any questions about this Privacy Policy, your personal data, or the exercise of your rights, please contact us:
Email: gdpr@heroify.co
Address: Heroify sp. z o.o., ul. Padewska 23/7, 00-777 Warsaw
Website: https://heroify.co