GDPR & Data Processing

How HeroLink.ai handles your data in compliance with GDPR and UK data protection laws.

Roles (Controller/Processor)

You are the Data Controller: You determine the purposes and means of processing personal data of your customers who contact you through HeroLink.

HeroLink is the Data Processor: We process personal data on your behalf according to your instructions and our Data Processing Agreement.

For our own business operations (your account, billing, support), HeroLink acts as a Data Controller.

Lawful Basis

Customer Data Processing: Legitimate interests (providing appointment booking services) and contract performance (fulfilling service requests).

Account Data: Contract performance (providing HeroLink services) and legitimate interests (business operations, fraud prevention).

Marketing: Consent (where required) and legitimate interests (existing customer communications).

Data Categories

Customer Data (You Control)

  • Contact details (name, phone, address)
  • Communication content (messages, photos)
  • Appointment details (date, time, service type)
  • Location data (postcode, service area)

Account Data (We Control)

  • Business contact information
  • Billing and payment data
  • Usage analytics and logs
  • Support communications

Retention

Customer Data: Retained as long as you maintain your HeroLink account, plus 30 days for account recovery. You can delete specific conversations anytime.

Account Data: Retained for 7 years after account closure for legal and tax obligations.

Analytics Data: Aggregated, anonymized data may be retained indefinitely for service improvement.

Sub-processors

We use the following sub-processors to provide HeroLink services:

  • AWS (Ireland): Cloud hosting and database services
  • Meta Platforms: WhatsApp Business API
  • Stripe (Ireland): Payment processing
  • Postmark: Transactional emails

Data Location & Backups

Primary Location: All data is stored in AWS Ireland (EU-West-1) data centers.

Backups: Encrypted backups are stored in AWS Ireland with 30-day retention.

No US Transfers: Customer data never leaves the EU/UK without explicit consent.

Data Subject Rights

Your Customers Can:

  • Request access to their data
  • Request data correction
  • Request data deletion
  • Object to processing
  • Request data portability

How to Handle Requests:

  • Forward requests to support@herolink.ai
  • We'll assist with technical fulfillment
  • You remain responsible for the response
  • 30-day response time requirement

Contact

Data Protection Officer: dpo@herolink.ai

General Inquiries: privacy@herolink.ai

Postal Address:
HeroLink.ai Ltd
Data Protection Team
London, United Kingdom