Privacy Policy

Last updated: February 23, 2026  ·  Effective: February 23, 2026

At Hero Technologies Ltd (company number 16934431, registered in England and Wales) ("HeroDocs", "we", "us", or "our"), we are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information in accordance with the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 ("PECR"), when you use our workplace policy management platform and related services (collectively, the "Service").

1. Introduction

This Privacy Policy applies to all users of HeroDocs, including HR professionals, compliance officers, legal teams, and employees who access documents shared through our platform. By using the Service, you acknowledge that you have read and understood this policy.

If you are accessing the Service on behalf of an organisation, that organisation may have entered into a separate Data Processing Agreement with us. This policy governs our processing of your personal data as an individual user. Please contact your organisation's administrator if you have questions about how your organisation handles data within the platform.


2. Who We Are

Hero Technologies Ltd (company number 16934431) is the data controller responsible for your personal data. We are registered in England and Wales with ICO registration number ZC077887.

Data Controller

Hero Technologies Ltd

Registered in England and Wales · Company No. 16934431

ICO Registration: ZC077887

Email: [email protected]

If you have any concerns about how we handle your personal data, you also have the right to contact the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.


3. Information We Collect

We collect the following categories of personal data to provide and improve the Service:

Account & Profile Information

  • Full name and email address when you register
  • Job title, department, and organisation name
  • Profile photo (if provided)
  • Authentication credentials (stored in hashed form — we never store your plain-text password)
  • Billing information for paid accounts (processed by our payment provider, Stripe)

Usage & Activity Data

  • Documents and policies you create, edit, or review
  • Comments, annotations, and approval actions
  • Search queries within the platform
  • Feature usage patterns and navigation flows
  • Technical log data: IP address, browser type, operating system, and timestamps

Communications

When you contact us for support or provide feedback, we retain those communications along with any information you voluntarily include. We collect this data directly from you.


4. Lawful Basis for Processing

Under UK GDPR (Article 6), we are required to identify a lawful basis for each type of processing we carry out. We rely on the following bases:

Contract (Article 6(1)(b))

Processing your account information, delivering the Service, and managing your subscription is necessary to perform the contract we have with you as a user.

Legitimate Interests (Article 6(1)(f))

We process usage and technical data to improve the platform, detect fraud, and maintain security. We have assessed that these interests are not overridden by your rights and freedoms.

Legal Obligation (Article 6(1)(c))

We may process data where we are required to do so by law, such as retaining financial records for HMRC compliance purposes.

Consent (Article 6(1)(a))

Where we send marketing emails or set non-essential cookies, we rely on your freely given, specific, and informed consent. You may withdraw your consent at any time.


5. How We Use Your Information

We use the information we collect for the following purposes:

Providing the Service: To create and maintain your account, process your requests, and deliver the core features of the platform including document management, AI assistance, and compliance tracking.
Improving the Platform: To understand how users interact with HeroDocs, diagnose technical issues, and develop new features based on aggregated usage patterns. This is carried out under legitimate interests.
Communications: To send you product updates, security alerts, and billing receipts (under contract). With your consent, we may also send marketing and feature announcement emails. You can unsubscribe at any time by clicking the link in any email or by contacting us.
Security & Fraud Prevention: To verify identity, detect and prevent unauthorised access, and protect the integrity of our systems and your data, under our legitimate interests.
Legal Compliance: To comply with applicable UK laws, regulations, and legal processes, including the Data Protection Act 2018, and to enforce our Terms of Service.

6. Data Sharing

We do not sell your personal data. We may share your information in the following limited circumstances:

Service Providers

We engage trusted third-party processors to help us operate the Service — including cloud hosting providers, payment processors (Stripe), email delivery services, and analytics tools. All processors are bound by Data Processing Agreements and are contractually required to process data only as instructed by us and to maintain appropriate technical and organisational security measures.

Your Organisation

If you access HeroDocs through an employer or organisation account, that organisation's administrators may have access to your account activity, documents you create, and actions you take within the platform. The organisation acts as a data controller for such processing.

Legal Obligations

We may disclose personal data where required by law, court order, or a request from a law enforcement or regulatory authority in the UK, or where we have a good-faith belief that disclosure is necessary to protect the rights, property, or safety of HeroDocs, our users, or others.

Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of our assets, your personal data may be transferred. We will notify you before your information is subject to a different privacy policy and, where required by law, seek your consent.


7. International Transfers

Some of our third-party service providers are based outside the UK or European Economic Area (EEA). Where we transfer personal data internationally, we ensure appropriate safeguards are in place in accordance with UK GDPR Chapter V, including:

  • Transfers to countries with an adequacy decision issued by the UK Secretary of State
  • Use of the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules where applicable

You can request details of the specific safeguards in place for any international transfer by contacting us at [email protected].


8. Data Security

We implement appropriate technical and organisational measures (as required by UK GDPR Article 32) to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit using TLS 1.2+
  • Encryption of data at rest using AES-256
  • Role-based access controls and least-privilege principles
  • Regular security audits and vulnerability assessments
  • Secure software development lifecycle (SDLC) practices
  • Multi-factor authentication options for all accounts

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it, and notify affected individuals without undue delay where required.

If you suspect a security incident involving your account, please contact us immediately at [email protected].


9. Data Retention

We retain your personal data only for as long as necessary for the purposes for which it was collected or as required by law (the "storage limitation" principle under UK GDPR). In practice:

  • Account and profile data is retained for the duration of your account and deleted within 90 days of account closure
  • Financial and billing records are retained for 6 years in accordance with HMRC requirements
  • Support communications are retained for 2 years from the date of resolution
  • Technical logs are retained for up to 12 months for security and diagnostic purposes

Where your organisation has set a longer retention period under a Data Processing Agreement, we will honour that period subject to any overriding legal obligations.


10. Your Rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data. To exercise any of these rights, contact us at [email protected]. We will respond within one calendar month of receiving your request.

Right of Access (Article 15)

Request a copy of the personal data we hold about you (a Subject Access Request).

Right to Rectification (Article 16)

Ask us to correct inaccurate or incomplete personal data without undue delay.

Right to Erasure (Article 17)

Request deletion of your personal data where there is no compelling reason for us to continue processing it.

Right to Portability (Article 20)

Receive your personal data in a structured, commonly used, machine-readable format and transfer it to another controller.

Right to Restriction (Article 18)

Request that we restrict the processing of your data in certain circumstances, e.g. while we verify its accuracy.

Right to Object (Article 21)

Object at any time to processing based on legitimate interests, including profiling and direct marketing.

Withdraw Consent

Where processing is based on consent, you have the right to withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing.

Automated Decision-Making

You have the right not to be subject to solely automated decisions (including profiling) that produce significant legal effects concerning you.

Right to Complain to the ICO

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection. You can contact the ICO at ico.org.uk/make-a-complaint or call 0303 123 1113. We would, however, appreciate the opportunity to address your concerns before you contact the ICO.


11. Cookies & Tracking

We use cookies and similar technologies in accordance with the Privacy and Electronic Communications Regulations 2003 (PECR) and UK GDPR. We will only set non-essential cookies with your prior consent.

Strictly Necessary Cookies: Required for the platform to function — session management, authentication tokens, and CSRF protection. These are exempt from consent requirements under PECR.
Analytics Cookies: We use Vercel Analytics to understand how users navigate the platform. These cookies are only set with your consent. Data collected is used in aggregate form and does not personally identify you.
Preference Cookies: Store your settings such as UI customisations. These are set with your consent and are not shared with third parties.

You can withdraw consent for non-essential cookies at any time by adjusting your browser settings or via our cookie preference centre. Withdrawing consent will not affect the functionality of strictly necessary cookies.


12. AI Data Handling

HeroDocs uses Artificial Intelligence (AI) to assist in drafting and refining workplace policies. We are committed to processing your data responsibly and transparently in this context.

No Training on Customer Data

We explicitly do not use your documents, policy drafts, or specific organisational data to train or fine-tune third-party foundation AI models. Your content remains your proprietary information.

Data Transmission

To provide AI features, we transmit necessary document context to our trusted AI infrastructure providers. This data is processed in secure environments and is not retained by the AI providers for their own independent assessment or model training.

Note: AI-generated content is provided for informational purposes as a drafting aid and does not constitute legal or professional advice. See our Terms of Service for full disclaimers.


13. Contact Us

If you have questions, concerns, or requests relating to this Privacy Policy or our data processing activities, please contact us:

Hero Technologies Ltd — Data Controller

Registered in England and Wales · Company No. 16934431

ICO Registration: ZC077887

Email: [email protected]

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes by email or by a prominent notice in the platform at least 14 days before the change takes effect. The "Last updated" date at the top of this page reflects when the policy was last revised.
