Privacy Policy

Version: 3.1
Effective Date: January 5, 2026

Provider / Controller: Philipp Paul (trading as “HeyScore”)
Grimmeisenstraße 27, 81927 Munich, Germany
Email:

1. Introduction

HeyScore (“we”, “us”, “our”) is committed to protecting personal data and respecting privacy. This Privacy Policy explains how we collect, use, and protect personal information when you visit our website or use our SaaS application (“HeyScore App”) in accordance with the EU General Data Protection Regulation (GDPR).

2. Controller and Contact

Controller (Art. 4(7) GDPR):
Philipp Paul, Grimmeisenstraße 27, 81927 Munich, Germany

The contact person for privacy matters is the Controller himself. You may reach us at .

3. Scope of Application

This Policy applies to the website under the domain heyscore.net (including subdomains) and to registered users of the HeyScore App. Our primary focus is the EU market; registrations from outside the EU may be limited or reviewed.

4. Hosting, Providers & Server Logs

Hosting: The HeyScore platform is hosted with UpSun (formerly Platform.sh) in the European Union.

Server Logs: When accessing our website or app, our servers may automatically record: IP address, timestamp, request URL, referrer URL, browser, operating system, and similar technical metadata. These data are processed to ensure security and system stability, and for troubleshooting (Art. 6(1)(f) GDPR). Logs are retained according to the hosting provider’s default retention periods.

Email Infrastructure: The HeyScore App sends transactional emails via Amazon Web Services Simple Email Service (AWS SES) within the EU. Support emails are processed via All-Inkl.com (Germany).

5. Registration & Account Data

During account registration and usage we process: first and last name, company name and address, telephone number, email address, password (encrypted), language, and time zone settings. Processing is necessary to provide and manage your account and to deliver the contracted services (Art. 6(1)(b) GDPR).

6. Processing of Customer Feedback

HeyScore processes feedback submitted through your feedback campaigns, including Net Promoter Score (NPS) and free-text responses. Optionally, you may transmit metadata such as customer number, order ID, or invoice ID depending on your own configuration and legal basis.

You (as HeyScore Client) determine whether personal data of end customers are included. We recommend transmitting feedback in anonymized or pseudonymized form where possible. Data are stored until deleted by the Client or after a reasonable period following contract termination. Where data are supplied anonymously, individual end-customer rights may only be exercised if identification is technically possible (e.g., via metadata that you have provided).

7. Email Communication

Transactional emails: sent via AWS SES (EU region).

Support emails / contact: processed via All-Inkl.com (Germany). Data are processed for handling inquiries (Art. 6(1)(b) and/or (f) GDPR).

8. Payments

Payments are processed through PayPal. When completing a payment, your payment data (e.g., email address, transaction details) are transmitted to PayPal to execute the transaction. PayPal acts as an independent controller. For details, please refer to PayPal’s privacy notice.

9. AI-based Processing

We use Mistral in EU regions to analyze feedback (topic and sentiment analysis). HeyScore acts as a processor within the meaning of Art. 28 GDPR. The Client remains the controller for the feedback data submitted. We transmit the feedback content and your configured analysis topics to the AI service, solely to produce analysis results for you. Results are stored in HeyScore until deleted by the Client or after contract termination. Processing is based on our contract with you (Art. 6(1)(b) GDPR) and/or our legitimate interests in providing analytics (Art. 6(1)(f) GDPR). Where required, we conclude appropriate data processing terms with our providers.

10. Cookies & Local Storage

We use cookies and local storage for:

  • Essential: login sessions, language and UI preferences (Art. 6(1)(f) GDPR).
  • Analytics (consent-based): measuring website/app usage (Art. 6(1)(a) GDPR).
  • Marketing (consent-based): measuring the effectiveness of advertising and optimizing campaigns (Art. 6(1)(a) GDPR).

You can manage or withdraw consent at any time via the cookie banner or your browser settings. The App remains usable with essential cookies only, but certain features may be limited.

11. Web Analytics (Google Analytics)

We use Google Analytics (Google Ireland Limited) to analyze website usage. Cookies may be used to generate information on usage, and IP addresses are processed by Google to provide the analytics service. We use privacy-focused configuration settings and consent-based activation. Processing only occurs with your prior consent (Art. 6(1)(a) GDPR), which you can withdraw at any time via the cookie settings.

11a. Advertising & Conversion Tracking (Google Ads)

We use Google Ads (Google Ireland Limited) to promote HeyScore and to measure the effectiveness of our advertising campaigns.

Purposes of processing:

  • Conversion tracking: measuring whether users perform certain actions after clicking an ad (e.g., registration or upgrade to a paid plan).
  • Campaign optimization: improving the relevance and performance of ads (e.g., keyword/campaign effectiveness, bidding optimization).
  • Remarketing (if enabled): showing ads to users who previously visited our website/app.

Data categories that may be processed:

  • Online identifiers (e.g., cookie IDs, pseudonymous identifiers),
  • event and interaction data (e.g., page views, conversion events),
  • technical information (e.g., browser, device, approximate location),
  • ad and campaign information (e.g., ad click data, referrer/UTM parameters).

Legal basis: Processing for Google Ads purposes occurs only based on your consent (Art. 6(1)(a) GDPR). You can withdraw your consent at any time via our cookie settings. The lawfulness of processing prior to withdrawal remains unaffected.

Consent Mode: We use Google Consent Mode (v2, advanced mode). If you do not provide consent, no advertising cookies are set. In this case, Google may receive only aggregated or cookieless signals to measure and model campaign performance without identifying you as an individual.

Recipients / roles: Google acts as a separate controller or as a processor depending on the specific service configuration. For more information, please refer to Google’s privacy information.

International transfers: Data may be transferred to Google servers outside the EU/EEA (e.g., the United States). Transfers are based on appropriate safeguards (e.g., adequacy decisions and/or contractual safeguards), as applicable.

Opt-out / withdrawal: You can change or withdraw your consent at any time using the cookie banner/settings. You can also restrict cookies in your browser settings.

12. Content Delivery (jsDelivr)

We use jsDelivr (ProspectOne Sp. z o.o., Poland) to deliver static assets (e.g., JavaScript/CSS). This involves technical connections to CDN servers. Processing is based on our legitimate interest in efficient and secure content delivery (Art. 6(1)(f) GDPR).

13. Data Retention & Deletion

We retain personal data only as long as necessary to fulfill the purposes described here or as required by law. After termination of the contract, data are deleted within a reasonable period unless legal retention obligations apply. Hosting and log data are kept according to provider defaults.

14. Your Rights under GDPR

You have the rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), and objection (Art. 21). To exercise these rights, contact . You may lodge a complaint with a competent supervisory authority, in particular in your place of residence or where the alleged infringement occurred.

15. Data Security

We implement appropriate technical and organizational measures to protect data against unauthorized access, alteration, and loss. Communication with the HeyScore App is encrypted (HTTPS/TLS). No method of transmission or storage is 100% secure, but we continuously improve our controls.

16. International Transfers

We primarily process data within the EU. Where providers may process data outside the EU (e.g., certain analytics or payment flows), transfers rely on appropriate safeguards such as Standard Contractual Clauses or adequacy decisions, as applicable.

17. Changes to this Policy

We may update this Policy to reflect legal, technical, or business changes. The updated version will be published here with a new “Effective Date”.

18. Contact

For privacy inquiries or to exercise your rights, please contact:
— Philipp Paul, Grimmeisenstraße 27, 81927 Munich, Germany

Last updated: January 1, 2026


Note: Processing on behalf of Clients (Art. 28 GDPR) is governed by a separate Data Processing Agreement (DPA). Clients are responsible for their own legal basis and notices toward end customers when transmitting personal data to HeyScore.