Version: 1.0
Effective Date: November 5, 2023
HeyScore (“we”, “us”, “our”) is committed to protecting personal data and respecting privacy. This Privacy Policy explains how we collect, use, and protect personal information when you visit our website or use our SaaS application (“HeyScore App”) in accordance with the EU General Data Protection Regulation (GDPR).
Controller (Art. 4(7) GDPR):
Philipp Paul, Grimmeisenstraße 27, 81927 Munich, Germany
The contact person for privacy matters is the Controller himself. You may reach us at Contact us.
This Policy applies to the website under the domain heyscore.net (including subdomains) and to registered users of the HeyScore App. Our primary focus is the EU market; registrations from outside the EU may be limited or reviewed.
Hosting: The HeyScore platform is hosted with UpSun (formerly Platform.sh) in the European Union.
Server Logs: When accessing our website or app, our servers may automatically record: IP address, timestamp, request URL, referrer URL, browser, operating system, and similar technical metadata. These data are processed to ensure security and system stability, and for troubleshooting (Art. 6(1)(f) GDPR). Logs are retained according to the hosting provider’s default retention periods.
Email Infrastructure: The HeyScore App sends transactional emails via Amazon Web Services Simple Email Service (AWS SES) within the EU.
During account registration and usage we process: first and last name, company name and address, telephone number, email address, password (encrypted), language, and time zone settings. Processing is necessary to provide and manage your account and to deliver the contracted services (Art. 6(1)(b) GDPR).
HeyScore processes feedback submitted through your campaigns, including Net Promoter Score (NPS) and free-text responses. Optionally, you may transmit metadata such as customer number, order ID, or invoice ID depending on your own configuration and legal basis.
You (as HeyScore Client) determine whether personal data of end customers are included. We recommend transmitting feedback in anonymized or pseudonymized form where possible. Data are stored until deleted by the Client or after a reasonable period following contract termination. Where data are supplied anonymously, individual end-customer rights may only be exercised if identification is technically possible (e.g., via metadata that you have provided).
Transactional emails: sent via AWS SES (EU region).
Support emails / contact: processed via Microsoft 365 (DomainFactory). Data are processed for handling inquiries (Art. 6(1)(b) and/or (f) GDPR).
Payments are processed through PayPal. When completing a payment, your payment data (e.g., email address, transaction details) are transmitted to PayPal to execute the transaction. PayPal acts as an independent controller. For details, please refer to PayPal’s privacy notice.
We use OpenAI via Microsoft Azure in EU regions to analyze feedback (topic and sentiment analysis). We transmit the feedback content and your configured analysis topics to the AI service, solely to produce analysis results for you. Results are stored in HeyScore until deleted by the Client or after contract termination. Processing is based on our contract with you (Art. 6(1)(b) GDPR) and/or our legitimate interests in providing analytics (Art. 6(1)(f) GDPR). Where required, we conclude appropriate data processing terms with our providers.
We use Google Analytics (Google Ireland Limited) to analyze website usage. Cookies may be used to generate information on usage; IP anonymization is activated so IP addresses are shortened within the EU/EEA. Processing only occurs with your prior consent (Art. 6(1)(a) GDPR), which you can withdraw at any time via the cookie settings.
We use jsDelivr (ProspectOne Sp. z o.o., Poland) to deliver static assets (e.g., JavaScript/CSS). This involves technical connections to CDN servers. Processing is based on our legitimate interest in efficient and secure content delivery (Art. 6(1)(f) GDPR).
We retain personal data only as long as necessary to fulfill the purposes described here or as required by law. After termination of the contract, data are deleted within a reasonable period unless legal retention obligations apply. Hosting and log data are kept according to provider defaults.
You have the rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), and objection (Art. 21). To exercise these rights, contact Contact us. You may lodge a complaint with a competent supervisory authority, in particular in your place of residence or where the alleged infringement occurred.
We implement appropriate technical and organizational measures to protect data against unauthorized access, alteration, and loss. Communication with the HeyScore App is encrypted (HTTPS/TLS). No method of transmission or storage is 100% secure, but we continuously improve our controls.
We primarily process data within the EU. Where providers may process data outside the EU (e.g., certain analytics or payment flows), transfers rely on appropriate safeguards such as Standard Contractual Clauses or adequacy decisions, as applicable.
We may update this Policy to reflect legal, technical, or business changes. The updated version will be published here with a new “Effective Date”.
For privacy inquiries or to exercise your rights, please contact:
Contact us
— Philipp Paul, Grimmeisenstraße 27, 81927 Munich, Germany
Last updated: November 5, 2023
Note: Data processing on behalf of Clients (Art. 28 GDPR) is governed by a separate Data Processing Agreement (DPA). Clients are responsible for their own legal basis and notices toward end customers when transmitting personal data to HeyScore.