Privacy Policy

Introduction

Heads is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, share, and protect personal data in connection with our services, including our internal staff-facing applications, point-of-sale systems, and public-facing website. It also outlines your rights and how to exercise them.

This policy is intended to comply with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable data protection laws in the jurisdictions where Heads operates, including the Nordic countries.

Scope

This Privacy Policy applies to personal data processed by Heads in its role as a data controller. It covers processing through:

  • Our website (e.g. contact forms, cookies, analytics)

  • Our applications (apps) such as the POS, ERP or Backoffice system delivered to our enterprise customers and used by their authorized staff, made available through the internet or via the Apple App Store and Google Play

  • Internal communications and administrative processes

This policy does not apply to data processed by Heads solely in its role as a data processor on behalf of customers. It also does not apply to customer-facing mobile applications, as Heads’ apps are designed solely for internal staff use.

Our applications and services are intended solely for adult use by authorized staff members and are not intended for children under the age of 16.

Legal Basis for Processing

Heads processes personal data based on the following legal grounds:

  • Performance of a contract

  • Compliance with a legal obligation

  • Legitimate interests of Heads or its customers

  • Consent (when required by law)

Types of Data Collected

Depending on your relationship with Heads and how you interact with us, we may process the following types of personal data:

From staff and internal users of the Heads applications:

  • Full name, email address, and contact details

  • Employment information (e.g. title, store location, role)

  • Login credentials (e.g. username, password)

  • Location data (if enabled on company devices)

  • App Permissions on iOS Devices

    • Bluetooth Access: The application requests Bluetooth access as needed to enable connection with external hardware such as barcode scanners or printers.

    • Location Access: The application requests location access (if the function is enabled) to verify store assignments and prevent fraud. Location access can be managed or disabled through device settings.

  • App usage data, interaction logs, and activity history

  • Device information (e.g. device ID, OS version)

From visitors to our website or individuals contacting us:

  • Name and contact details submitted via forms or emails

  • IP address and browser/device data

  • Cookie and usage data (see “Cookies and Tracking” below)

Collection of Data

We collect personal data:

  • Directly from staff as part of employment or onboarding

  • When using our apps or internal tools

  • From website form submissions and cookie-based tracking

  • From customer representatives during business interactions

Use of Personal Data

We use personal data for the following purposes:

  • To provide and maintain our services and internal systems

  • To authenticate and manage staff access to our apps

  • To support internal business operations and communications

  • To ensure system security and detect unauthorized access

  • To improve app functionality and user experience

  • To comply with legal obligations, such as tax or employment law

  • To manage recruitment processes (when applicable)

Use of Customer Data Within our Apps

Our applications allow authorized staff to view and manage customer-related information stored in our systems. This customer data is processed solely in accordance with the overarching Heads customer agreements and privacy standards.

Please note that customers do not have direct access to the app. Customers wishing to exercise their rights under applicable data protection laws (e.g. access, correction, deletion of their data) should contact Heads via the details provided at the end of this policy.

Payment Data

Heads does not store or process payment card data directly. All transactions are handled by third-party payment service providers that are compliant with the PCI DSS security standard. Heads only stores relevant transaction metadata necessary for business records and customer service.

Cookies and Tracking Technologies

Heads uses cookies and similar technologies on its public-facing websites. These cookies help improve the user experience and collect analytics about website performance and behavior.

Consent for non-essential cookies is collected in compliance with GDPR using Consent Mode v2. Users can accept, decline, or customize their preferences via our cookie banner.

We use the following types of cookies:

  • Necessary cookies (essential for website functionality)

  • Functional cookies (enhance features and personalization)

  • Analytics cookies (track website usage, e.g. Google Analytics 4)

  • Marketing cookies (used for advertising and remarketing, e.g. Google Ads, LinkedIn)

App Tracking Transparency

Heads software applications do not track users across third-party apps or websites, nor do they collect device IDs for advertising or tracking beyond their direct business operations.

Location Data

If location tracking is enabled within our applications (on company-managed devices), location data may be used to verify store assignments, enhance fraud detection, or generate usage analytics. Location data is collected only with appropriate permissions and can be disabled on the device.

Third-Party Services and Tools

Heads uses trusted service providers for analytics, hosting, advertising, and security. These include:

  • Google Analytics 4

  • Google Ads

  • LinkedIn Insights

  • LeadInfo

  • Apple iCloud

All subprocessors are subject to data processing agreements and, where applicable, Standard Contractual Clauses (SCCs) for international transfers.

Data Transfers Outside the EEA

Personal data may be processed outside of the EEA when using third-party services. Heads ensures such transfers comply with GDPR through approved legal mechanisms, including SCCs or adequacy decisions.

Data Security

Heads applies a combination of organizational, technical, and physical safeguards to protect personal data. These include:

  • Access control and role-based permissions

  • Anonymization where applicable

  • Regular staff training

  • Incident detection and response procedures

  • Internal audits and risk assessments

Data accessed or stored via our apps is encrypted in transit using secure protocols such as TLS, and encrypted at rest where applicable.

Access to app data is restricted to authorized personnel only.

Access to internal systems and the application is restricted to authorized personnel.

Data Retention

Personal data is retained only for as long as needed to fulfill its intended purpose, or to meet legal obligations. Specific retention periods include:

  • Staff and internal user data: Retained during employment and for up to 12 months after departure.

  • Financial and transactional records: Retained for 7 years for compliance with tax and accounting laws.

  • Job applicant data: Retained for 6 months unless consent is provided for longer storage.

  • Website analytics and cookie data: Retained between 14 and 26 months depending on the service provider.

Data Subject Rights

In accordance with GDPR and other applicable privacy laws, you have the right to:

  • Access your personal data

  • Correct inaccurate or outdated data

  • Request deletion of your personal data

  • Request restriction of processing

  • Object to data processing based on legitimate interest

  • Withdraw consent (where processing is based on consent)

  • Request data portability (when applicable)

To exercise your rights, please contact our Data Protection Officer (DPO) using the details below. For security, we may ask for verification before processing your request.

In-App Account and Data Deletion

The Heads applications do not support individual account creation, as accounts and access credentials are provisioned directly by enterprise administrators in accordance with business agreements.

Due to legal and compliance obligations associated with transactional data handled by our systems, individual users are not permitted to directly delete their accounts or associated data from within the app.

To request account deletion or inquire about personal data removal, users must contact their organization’s designated system administrator or the Heads Data Protection Officer (DPO) as listed below. All deletion requests are subject to review and approval in line with applicable employment, contractual, and regulatory obligations.

Contact Information

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact:

Data Protection Officer

Email: dpo@heads.com

You also have the right to file a complaint with your local supervisory authority if you believe your data has been processed unlawfully.

Updates to This Policy

This Privacy Policy may be updated to reflect changes in legal requirements, technology, or company operations. The latest version will always be available on our website and within the app, where applicable.

This Privacy Policy was last updated on April 18, 2025.
