Privacy Policy

    Heartspace PR Sverige AB (“HEARTSPACE”)

    Garagevägen 32
    121 32 Enskededalen
    SWEDEN

    Table of contents

    1. Introduction
    2. What is personal data, and what does the processing of personal data mean?
    3. For whom is this policy applicable?
    4. For what areas is this policy applicable?
    5. What does it mean to be a Data Controller?
    6. HEARTSPACE as a Data Controller
    7. Why are we allowed to process personal data?
    8. What personal data do we process and why?
    9. How long do we generally store personal data?
    10. Our actions to protect personal data
    11. When do we share personal data
    12. Your rights
    13. Cookies
    14. Changes to this policy
    15. Contact

    1. Introduction

    Thank you for choosing us, and a special thanks for taking the time to read through this Privacy Policy thoroughly. We would like to begin with a summary explaining why we have created this policy. Our fundamental objectives are to

    • Give a brief introduction to personal data and HEARTSPACE and its users’ responsibilities to create a well-functioning and safe platform.
    • Explain why we handle certain kinds of personal information
    • Ensure that you understand what information we gather and what we do with this information
    • Show you how we work to protect your rights and your integrity.

    Our goal with this policy is that you, after having read it, will feel secure that your integrity is respected and that your data is treated correctly. Therefore we also work continuously to ensure that our treatment of personal data complies in its entirety with current legislation, especially the General Data Protection Regulation (GDPR).

    Unless otherwise defined herein, all terms beginning with a capital letter that are defined in the Terms of Use shall have the same meanings herein as therein unless expressly stated otherwise.

    2. What is personal data, and what does the processing of personal data mean?

    2.1 Personal data consists of all information that, directly or indirectly, together with other information, can be connected to a living (physical) person. A non-exhaustive list with examples of personal data consists of, among others:

    • Name
    • Personal ID number
    • Email address
    • IP address
    • Phone number

    2.2 The processing of personal data includes every action connected to the use of personal data, regardless of whether such an action is performed automatically or not. This means that the following actions, among others, are included:

    • Collection
    • Registration
    • Use
    • Alteration
    • Storage
    • Disclosure by transmission
    • Deletion

    Heartspace takes appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the Data. The Data processing is carried out using computers and/or IT-enabled tools, following organizational procedures and modes strictly related to the purposes indicated in our Privacy Policy and Terms of Use.

    The Data concerning the User is collected to allow Heartspace to provide its Services, comply with its legal obligations, respond to enforcement requests, protect its rights and interests (or those of its Users or third parties), detect any malicious or fraudulent activity, as well as the following: Registration and authentication, Hosting and backend infrastructure, Managing data collection and online surveys, Infrastructure monitoring, User database management, Handling payments, Managing contacts and sending messages, Traffic optimization and distribution, Tag Management, Analytics and Displaying content from external platforms.

    3. For whom is this policy applicable?

    This Privacy Policy shall in the first instance apply to individuals who are users of our Platform and from whom we collect and process personal data (“Data Subjects”). Different parts of this Privacy Policy may also be relevant to you depending on your relationship with HEARTSPACE. All in all, this policy is relevant for persons who

    • are users of our Platform
    • visit our website or our social media channels
    • otherwise communicate with us, for example through our customer service

    4. For what areas is this policy applicable?

    This Privacy Policy regulates how we may collect and process personal data to be able to continue delivering and developing our services.

    5. What does it mean to be a Data Controller?

    A Data Controller is a legal person or other entity that determines the purpose and means for the processing of personal data. A corporation is a Data Controller regarding personal data it has for its benefit concerning its employees, customers, partners, users, and others.

    6. HEARTSPACE as a Data Controller

    We, HEARTSPACE PR Sverige AB (company reg. no. 556882-2042), are the Data Controller and therefore accountable, in accordance with applicable legislation, for the processing that occurs with your data within the scope of our services.

    7. Why are we allowed to process personal data?

    7.1 For it to be permissible for us to process personal data there must always be support for said treatment within the GDPR, a so-called lawful basis. Such lawful basis may include:

    • Consent from the Data Subject
    • That the processing of personal data is necessary to fulfill the terms of an agreement with the Data Subject, for example about the use of the Platform (i.e., Terms of Use).
    • Fulfilling a legal obligation, for example storing certain information due to legislation regarding certain accounting standards and practices. This could also be the case when handling opt-out settings requests concerning your rights as a Data Subject under the GDPR.
    • A weighing of interests when we have a legitimate interest in using your data, for example for statistical purposes and to market our services and prevent fraud.

    7.2 The same personal data may be processed both when giving you support (fulfilling the terms of an agreement) as well as based on your consent or when fulfilling another legal obligation. This means, for example, that even though you may revoke your consent and the processing based on said consent ceases, that specific personal data may remain with us for separate reasons. All in all, as long as HEARTSPACE has a lawful basis for its processing of your data, HEARTSPACE reserves the right to proceed with said processing.

    8. What personal data do we process, and why?

    In this section, we explain how your data is used for us to be able to provide you with relevant experiences, services, and offers.

    8.1 When you sign up for an account at [email protected]

    When you register as a User at heartspace.ai we handle the following personal data which you provide to us:

    • Your name and your contact information (phone number, email)
    • Data connected to your User Account, for example, username and password
    • The information which you choose to save in your profile.

    8.1.1 We handle your data to:

    • identify you as a user
    • discover, and prevent, fraud in conjunction with rewards and payments
    • provide our services per our Terms of Use
    • notify you (through email or similar) regarding information connected to your usage of our services
    • market our services, for example by email
    • produce statistics regarding purchases and usage, to improve our platform

    8.1.2 Legal grounds for the processing

    We process your data based on:

    • fulfilling the terms of our agreement when we provide our services per our Terms of Use;
    • a weighing of interests when we have a legitimate interest in using your data for statistical purposes and to market our services, as well as to prevent fraud
    • a legal obligation for handling opt-out requests concerning your rights under the GDPR

    8.1.3 Period of storage

    We save data about you for up to 12 months after the termination of your User Account, among other reasons to provide information regarding any complaints.

    8.1.4 Third-Party Platforms

    When you access or use the Platform, we may make available services from one or more third parties (“Third-Party Platforms”). The Platform makes use of Third-Party Platforms and technologies, including Google, Outlook, Google Fonts, HubSpot Chat, HubSpot CRM, Cloudflare Bot Management, Cloudflare, Typeform (for our application form) and Squarespace (for our blog on blog.heartspace.ai). We also use services like Resend, Reply.io and Nylas to handle different aspects of transactional email and email functionality within the app. We also use services like Discord, Slack, Teamtailor and Kitchen to handle our community and career features. We encrypt API keys and sensitive information in our database and only share information that is crucial for the core functionality of our app. We primarily use Google and Outlook to make it easier for you to sign in or create your User Account and to connect your email to our distribution system. Any use of Third-Party Platforms to create and access your User Account is subject to the terms and conditions and privacy policies of such third parties (“Third-Party Terms”). Please note that when using our Platform, you should not submit any sensitive or confidential information with the use of applications utilizing generative artificial intelligence (generative AI). As HEARTSPACE may utilize platforms such as those available through OpenAI, certain data may be submitted through servers based outside of the EU. The texts you write in our platform (after permission has been given) or that are enhanced by our human experts may be used to train and improve our AI models. This will always take place in a way that masks personal information from the training data.

    8.2 When you use the Platform

    When you are a user of our services, in addition to the provisions described in section 8.1, we also process:

    • data about your User Account, for example, user number, membership level, ranking, and security code
    • data about your usage of our services

    8.2.1 The personal data is processed to:

    • administer your User Account, for example, username and password
    • inform you of personal and tailor-made offers, campaigns, and benefits from us and our partners, for example by email
    • provide, maintain, test, improve and develop the digital services and the technical platform used to provide our services
    • ensure the security of our services, and discover or prevent various types of unlawful use, or use which otherwise contravenes the Terms of Use of our services

    8.2.2 Legal grounds for the processing:

    We process your data based on

    • fulfilling the terms of our agreement when we fulfill our obligations towards you as a user (for example administering your User Account and providing relevant offers) and
    • a weighing of interests when we have a legitimate interest in using data about your usage of the Platform and your purchasing history to produce statistics needed to develop, improve, and ensure the functionality and security of our services.

    8.2.3 Period of storage:

    We save your personal data when you have an active User Account at heartspace.ai and for up to 12 months after the account is terminated. To ensure traceability, we save data regarding our communications with you for 12 months.

    8.3 When you communicate with us

    You can choose to communicate with us in many different ways, for example via social media and emails with our customer service. When you communicate with us, we process the data that you provide to us, for example:

    • name and contact information
    • information regarding your views, questions, or matters

    8.3.1 We process your data to:

    • answer questions and handle your concerns, for example addressing defects, handling complaints, and questions about the Platform
    • improve our services and the information we provide and publish on our website
    • analytical purposes, such as utilizing tools such as MixPanel, Google Analytics, or Firebase Analytics (please visit their respective websites for further information on each respective tool or contact us for further information)
    • Displaying content from external platforms
    • Handling payments/subscriptions
    • Maintaining hosting and backend infrastructure and monitoring our infrastructure
    • Managing contacts and sending messages
    • Managing data collection
    • Registration and authentication of users
    • Traffic optimization, distribution, and tag management
    • Database management

    8.3.2 Legal grounds for the processing:

    We process your data for our, and your, legitimate interest in administering your customer service request (weighing of interests).

    8.3.3 Period of storage:

    We save your data for up to 12 months after the matter is closed to ensure traceability in your communications with us.

    9. How long do we generally store personal data?

    Your data is stored only during the period for which there is a need to store the information to be able to fulfill the terms of our agreement. We may store your data longer if this is necessary from a legal standpoint or to safeguard our legal interests, for example within the scope of legal proceedings that we are involved in.

    10. Our actions to protect personal data

    10.1 We have ensured that we have taken all necessary and appropriate technical and organizational measures to safeguard your data against loss, misuse, or unauthorized access.

    10.2 To technically ensure that personal data is processed safely and confidentially we use digital networks that are breach protected through for example encryption, firewalls, and password protection. In any instance where a breach may occur, we have created routines to identify, assess and minimize any damage that may occur as well as report said damage to all affected parties.

    10.3 To ensure an adequate knowledge level regarding the processing of personal data we will arrange ongoing educational efforts regarding GDPR, both for our employees as well as the consultants that may from time to time be contracted to do work for us.

    11. When do we share personal data?

    11.1 We will not sell, make available or spread personal data to third parties except what is stated throughout this Privacy Policy. Within the scope of the Platform, personal data may be shared with subcontractors or partners, if this is necessary for the fulfillment and performance of our services, for example, to process your Rewards. In any instance where we choose to share personal data, we will enter into a Data Processing Agreement to ensure that the recipient of the personal data processes said information in accordance with applicable legislation as well as to ensure that the recipient has taken the necessary technical and organizational actions to, in a satisfactory fashion, be able to protect the rights and freedoms of you as a Data Subject.

    11.2 Furthermore, we may share personal data if we are required to do so by law or court order, or if withholding such personal data would hinder any ongoing legal investigation.

    12. Your rights

    12.1 We are responsible for your data being processed in accordance with applicable legislation.

    12.2 Upon your request, or at our initiative, we will correct, de-identify, delete, or complete any information that is wrongful, incomplete, or misleading.

    12.3 You have the right to demand access to your data. This means that you have the right to demand transcripts regarding the processing that we have maintained over your data. You also have the right to receive a copy of the personal data that are being processed. You have the right to, once a year and through written application, without cost receive a transcript regarding what personal data is stored regarding you, the purpose of the storage and processing as well as to whom said information has been made accessible. You also have, within the transcripts, the right to be informed of the period in which the personal data will be stored and what criteria we have used to determine the said period.

    12.4 You have the right to correction of your data. We will, upon your request and as quickly as possible correct the incorrect or incomplete personal data we process concerning you.

    12.5 You have the right to demand the deletion of your data. This means that you have the right to demand that your data be removed if it is no longer necessary for the objectives for which it was gathered. There may exist legal requirements stating that we may not immediately delete personal data (for example in terms of auditing and taxation-related legislation). We will in any such case cease the processing being done for any other reasons than to adhere to the legislation of GDPR.

    12.6 You have the right to object to any processing of personal data that is carried out on a lawful basis of weighing interests. If you object to such processing, we will only continue the processing if there are legitimate reasons for the processing that outweigh your interests.

    12.7 If you do not want us to process your data for direct marketing, you always have the right to object to such processing. This is done either by unregistering in each specific email or by sending us an email at [email protected]. When we have received your objection, we will cease the processing of personal data for any such marketing. You also have the right to report our processing of your data to any public authority responsible for monitoring the application of the GDPR, for example, the “Swedish Authority for Privacy Protection” in Sweden. However, we do recommend that you contact us first so that we can try solving the matter in a more efficient and timely manner.

    13. Cookies

    When you use our Platform, we may also collect information and data about you by using what is referred to as cookies. For more information about how we use cookies, please see heartspace.ai/cookiepolicy

    14. Changes to this policy

    We reserve the right to make amendments to this Privacy Policy from time to time. The date for the latest amendment is stated at the end of this Privacy Policy. If we make any amendments to the Privacy Policy, we will publish these amendments on our website. You are therefore recommended to read this Privacy Policy regularly to view any potential amendments.

    15. Contact

    HEARTSPACE PR Sverige AB (company reg. no. 556882-2042) is the Data Controller for processing your personal data. If you would like to have additional information on how your data is handled, please contact us through a written and personally signed request sent to:

    Heartspace PR Sverige AB
    Garagevägen 32
    121 32
    Sweden

    Please include your name, address, email, telephone number, and personal ID number in the letter. Please also enclose a copy of your ID. A reply will be sent to your address as stated in the National Population Register.