
    Privacy Policy

    This Privacy Policy explains how HeyEd collects, uses, shares, and protects personal data.

    Document Version: v1.1
    Effective Date: 14 April 2025
    Last Updated: 11 February 2026

    v1.1 (latest) - 11 February 2026
    v1.0 - 14 July 2025

    This Privacy Policy explains how Hey Tech Labs Ltd, company number 15972086, trading as "HeyEd" ("HeyEd", "we", "us", "our") collects, uses, shares, and protects personal data when you visit our website, contact us, use the HeyEd platform, or otherwise interact with us.

    This policy should be read alongside our Cookies Policy, Terms of Service, and, where we process personal data on behalf of a customer, our Data Processing Agreement ("DPA").

    1. Who We Are

    Hey Tech Labs Ltd is registered in England and Wales.

    Registered office:

    Hey Tech Labs Ltd

    128 City Road, London, EC1V 2NX

    Data protection contact:

    legal@heyed.co.uk

    ICO registration reference: ZB774385

    2. When We Are Controller and When We Are Processor

    For our own business activities, HeyEd acts as a controller. This includes:

    • website enquiries and sales communications;
    • customer account administration;
    • billing and subscription administration;
    • support communications;
    • security administration;
    • legal, regulatory, accounting, and internal business records;
    • marketing communications where applicable.

    For personal data that customers upload, enter, generate, or manage in the HeyEd platform for staff onboarding, compliance, documents, forms, references, tasks, and related operational workflows, the customer is usually the controller and HeyEd is the processor. That processing is governed by the customer agreement and our DPA.

    If you are a staff member, contractor, referee, emergency contact, or other data subject whose information is held in a customer HeyEd account, the relevant customer normally controls that data. You should contact that customer first for data protection requests. We will assist the customer as required under our DPA.

    3. Personal Data We Collect

    The personal data we collect depends on how you interact with us.

    3.1 Website Visitors and Enquirers

    We may collect:

    • name, work email address, phone number, organisation name, role, and enquiry details;
    • information you choose to provide in forms, emails, calls, demos, or meetings;
    • device, browser, IP address, cookie, analytics, and usage information where cookies or similar technologies are used;
    • marketing communication preferences.

    3.2 Customer Users and Platform Accounts

    We may collect:

    • user names, work email addresses, phone numbers, roles, permissions, company and venue association, account status, and preferences;
    • authentication, session, security, verification, password reset, and audit metadata;
    • platform usage, feature interaction, diagnostic, error, and support context;
    • correspondence with our support, onboarding, or account teams.

    3.3 Billing and Commercial Contacts

    We may collect:

    • company details, billing contact details, VAT or tax details, subscription plan, invoice status, payment status, and payment-provider metadata;
    • commercial correspondence, order records, renewal information, and contract records.

    We do not intentionally store raw card numbers. Card payments are handled by our payment provider.

    3.4 Support, Onboarding, and Migration Data

    Where you ask us to help with onboarding, support, troubleshooting, data import, or migration, we may process information you provide to us, including:

    • support messages, emails, attachments, screenshots, call notes, and meeting notes;
    • customer-provided spreadsheets, exports, documents, or sample records for migration or troubleshooting;
    • limited task context needed to provide support, investigate an issue, or complete an approved migration.

    Where this information contains customer-controlled platform data, we process it under the DPA unless we need to retain limited records for our own legal, security, or business administration purposes.

    3.5 Special Category and Criminal Offence-Related Data

    We do not ask website visitors or commercial contacts to provide special category data or criminal offence-related data.

    The HeyEd platform is used by customers in regulated education and care settings. Customer-controlled platform data may include staff health information, safeguarding-related information, DBS information, right-to-work records, references, qualifications, certificates, and other compliance records. For that data, the customer is normally the controller and HeyEd acts as processor under the DPA.

    You should not send special category data, criminal offence-related data, or highly confidential documents to HeyEd outside approved platform, support, or migration channels unless we have asked for them or agreed an appropriate method.

    4. How We Collect Personal Data

    We collect personal data:

    • directly from you when you complete forms, create an account, contact us, use the platform, join a demo, or correspond with us;
    • from our customers, where they create user accounts or provide information for onboarding, support, or platform use;
    • automatically through platform logs, security systems, cookies, analytics, diagnostics, and similar technologies;
    • from service providers such as payment, email, support, monitoring, analytics, and infrastructure providers;
    • from public sources such as company websites, Companies House, professional profiles, or other business directories where relevant to sales or account administration.

    5. How and Why We Use Personal Data

    Purpose | Examples | Lawful Basis
    Responding to enquiries and arranging demos | Contact forms, emails, calls, demo booking, follow-up questions | Legitimate interests, consent where required, or steps before entering a contract
    Providing and administering the HeyEd platform | User accounts, access, venue/company association, service notifications, support, onboarding | Performance of a contract and legitimate interests
    Processing customer-controlled platform data | Staff onboarding, compliance records, document storage, forms, references, tasks, notifications | Processed as processor on the customer's instructions under the DPA
    Billing and subscription administration | Invoices, payment status, renewals, tax/VAT records, payment-provider webhooks | Performance of a contract, legitimate interests, and legal obligations
    Support, troubleshooting, migration, and import assistance | Support requests, issue diagnosis, customer-approved migration work, data parsing or cleansing | Performance of a contract, legitimate interests, and, for customer-controlled data, processing under the DPA
    Security and fraud prevention | Login security, audit logs, abuse prevention, account protection, monitoring suspicious activity | Legitimate interests and legal obligations
    Service reliability and diagnostics | Error monitoring, performance diagnostics, crash reports, scheduled job monitoring | Legitimate interests
    Product improvement and analytics | Understanding feature use, improving workflows, optional website or platform analytics, session replay where enabled | Consent where required, otherwise legitimate interests where lawful and proportionate
    Transactional communications | Account emails, password resets, verification emails, service updates, support replies | Performance of a contract and legitimate interests
    Marketing communications | News, product updates, events, or offers where relevant | Consent or legitimate interests, depending on the communication and recipient
    Legal and compliance | Record keeping, dispute handling, regulatory requests, enforcing terms, complying with law | Legal obligations and legitimate interests

    6. AI-Assisted Support and Migration

    Where approved for a specific task, we may use AI-assisted tools to help with data migration, parsing, cleansing, normalisation, import preparation, migration script development, or operational support.

    Where AI-assisted tools process customer-controlled personal data, we use approved providers with appropriate safeguards.

    We restrict AI-assisted processing of personal data to approved providers, approved use cases, and task-specific data needed for the relevant support or migration work.

    7. Cookies and Similar Technologies

    We use cookies and similar technologies for:

    • strictly necessary functions, such as login, session management, security, and platform navigation;
    • preferences and functionality;
    • analytics, performance measurement, diagnostics, and product improvement;
    • optional session replay or UX analytics where enabled.

    Non-essential cookies and similar technologies should be used only where we have a lawful basis and, where required, consent. You can find more detail in our Cookies Policy.

    Disabling strictly necessary cookies may prevent the website or platform from working correctly. You can manage cookies through your browser settings and, where available, our cookie preference controls.

    8. Who We Share Personal Data With

    We may share personal data with:

    • cloud hosting, storage, database, backup, and infrastructure providers;
    • email delivery providers;
    • payment and billing providers;
    • support, productivity, document, and internal business systems;
    • error monitoring, diagnostics, logging, and security providers;
    • website analytics, product analytics, and session replay providers where enabled;
    • approved AI providers where used for support or migration under appropriate safeguards;
    • professional advisers, insurers, auditors, accountants, legal advisers, and banks;
    • regulators, public authorities, courts, law enforcement, or other third parties where required by law or necessary to protect rights, safety, or security;
    • prospective buyers, investors, or successor organisations if we restructure, sell, transfer, or merge part of our business, subject to appropriate confidentiality and data protection safeguards.

    Our current customer-data sub-processors are listed in our DPA. For our own controller activities, key providers may include Amazon Web Services, Resend, Stripe, Google Workspace, Sentry, Hotjar / Contentsquare where enabled, Google Analytics where enabled, OpenAI where used, and Anthropic where used.

    We require service providers to protect personal data and use it only for the purposes we authorise, unless they act as independent controllers for specific activities such as certain payment, legal, tax, or regulatory obligations.

    9. International Transfers

    Some of our providers may process personal data outside the United Kingdom or the European Economic Area.

    Where personal data is transferred to a country that is not subject to an adequacy decision or adequacy regulation, we use appropriate safeguards where required. These may include the UK International Data Transfer Agreement, the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, EU Standard Contractual Clauses, the UK Extension to the EU-US Data Privacy Framework, or another lawful transfer mechanism.

    You can contact us for further information about transfer safeguards.

    10. How Long We Keep Personal Data

    We keep personal data only for as long as needed for the purposes described in this policy, unless a longer retention period is required or permitted by law.

    Typical retention periods or criteria include:

    Data Type | Retention Approach
    Website enquiries and demo requests | Usually up to 6 months after the last meaningful contact, unless the enquiry becomes a customer relationship or we need to retain it for legal or business reasons
    Customer account and contract records | For the customer relationship and then as needed for legal, accounting, tax, audit, dispute, or business records
    Billing, invoice, and accounting records | Usually 6 years after the relevant financial year or transaction, where required for tax and accounting purposes
    Customer-controlled platform data | For the duration of the customer relationship and then as described in the DPA or customer instructions
    Deleted or terminated customer platform data | Default target deletion from active production systems within 90 days after termination or a verified deletion request, unless otherwise agreed or legally required
    Backups and provider logs | Retained until overwritten or deleted under applicable backup or log retention cycles, with access restricted and not used for ordinary business purposes
    Support correspondence | For as long as needed to provide support, maintain service records, evidence decisions, resolve disputes, and improve service quality
    Security, audit, diagnostic, and error logs | For the period needed for security, reliability, investigation, compliance, and operational purposes
    Marketing records | Until you unsubscribe, object, or we decide the information is no longer relevant; suppression records may be kept to respect opt-outs
    Cookie and analytics data | As described in our Cookies Policy and the relevant provider settings

    11. Security

    We use technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

    These measures include, where appropriate:

    • encryption in transit using HTTPS/TLS;
    • production storage encryption through cloud-provider controls where configured;
    • role-based access controls and permission checks;
    • company, workspace, and venue scoping controls;
    • secure session management;
    • password policy enforcement, email verification, and account recovery controls;
    • rate limiting on sensitive routes;
    • monitoring, logging, diagnostics, and incident response processes;
    • confidentiality obligations for personnel;
    • access limited to business need.

    No internet-based service can be guaranteed to be completely secure. If you believe your account or personal data may be at risk, contact us promptly at legal@heyed.co.uk.

    12. Your Rights

    Depending on the circumstances and lawful basis for processing, you may have the right to:

    • be informed about how your personal data is used;
    • request access to your personal data;
    • request correction of inaccurate or incomplete personal data;
    • request erasure of your personal data;
    • request restriction of processing;
    • object to processing, including processing based on legitimate interests and direct marketing;
    • request data portability;
    • withdraw consent where processing is based on consent.

    You have an absolute right to object to direct marketing at any time.

    To exercise your rights, contact legal@heyed.co.uk.

    If your request relates to personal data controlled by one of our customers in the HeyEd platform, we may direct you to that customer or assist the customer in responding to your request.

    13. Automated Decision-Making and Profiling

    We do not use personal data for solely automated decisions that produce legal or similarly significant effects about individuals.

    We may use limited analytics, diagnostics, security rules, and workflow automation to operate and improve the Services, protect accounts, generate notifications, calculate platform status, or support customer workflows.

    14. Children's Personal Data

    Our website and platform are not directed at children.

    The HeyEd platform is designed for staff onboarding and compliance management, not for managing children's records. Customers should not upload children's personal data unless it is necessary for an agreed use of the Services and they have an appropriate lawful basis and privacy notice.

    15. Marketing

    We may send business-to-business marketing communications where permitted by law. You can opt out of marketing emails by using the unsubscribe link in the email or by contacting us.

    We will still send service, security, account, legal, and transactional communications where needed to provide the Services or manage our relationship.

    16. Links to Other Websites

    Our website or platform may contain links to third-party websites, services, or documents. We are not responsible for the privacy practices of those third parties. You should read their privacy notices before providing personal data to them.

    17. Complaints

    Please contact us first if you have concerns about how we handle personal data:

    legal@heyed.co.uk

    You also have the right to complain to the Information Commissioner's Office ("ICO"), the UK supervisory authority for data protection:

    https://ico.org.uk

    ICO helpline: 0303 123 1113

    18. Changes to This Policy

    We may update this Privacy Policy from time to time. The latest version will be published on our website with the "Last updated" date above.

    If we make material changes, we will take reasonable steps to bring them to the attention of affected users or customers where required.

    19. Contact

    For questions about this Privacy Policy or how we handle personal data, contact:

    Hey Tech Labs Ltd

    legal@heyed.co.uk

    128 City Road, London, EC1V 2NX


    © 2026 HeyEd. All rights reserved.