Introduction
Heads Svenska AB, a Swedish company ("Heads," "we," "our," or "us") is committed to protecting and respecting your privacy.
This document constitutes our baseline Privacy Policy. Individual customer contracts may specify more extensive privacy protections, stricter data handling requirements, or additional security measures beyond what is described here. Where customer-specific agreements exist, they take precedence over this baseline policy.
This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and the choices you have. It represents our minimum privacy commitments to all users and is structured so that each product environment (Website vs. Heads Applications) is addressed separately, in line with the disclosure requirements of:
EU General Data Protection Regulation (GDPR) and corresponding national implementations.
Apple App Store Review Guidelines §5.1 and App Privacy Details.
Google Play Developer Policy (User Data policy & Data Safety section).
ePrivacy Regulation requirements for cookies and electronic communications.
Our software and services are intended only for adults acting in an occupational context. We do not knowingly market to—or knowingly collect data from—children.
In short, we only collect the work-related data needed to run the Heads staff tools, keep them secure, and meet legal duties. We never sell your data or use ads in our applications.
If you do not agree with this Privacy Policy, please refrain from using our services.
1. Who is the data controller?
Website: Heads Svenska AB, company no. 556639-3871, Linnégatan 87F, 115 23 Stockholm, Sweden acts as data controller.
Heads Applications (iOS, iPadOS, Android, Web and desktop applications): Heads Svenska AB acts as a data processor on behalf of your employer (the Heads customer that has licensed our software). Your employer is the data controller.
Data Processing Responsibilities:
Heads Svenska AB (Processor): Responsible for app security, technical infrastructure, processing data according to the Data Processing Agreement (Article 28 GDPR), and responding to data subject requests about technical functionality
Your Employer (Controller): Responsible for determining processing purposes, user account management, access permissions, and employment-related data decisions under the Data Processing Agreement
For data requests: While we encourage you to contact your employer first for account-related matters, Heads will always handle data subject requests sent directly to us and coordinate with your employer as needed
Our Data Protection Officer (DPO) can be reached at dpo@heads.com.
2. Scope
This Policy applies to personal data that Heads processes:
As a controller: The Website (contact forms, cookies, analytics, remarketing).
As a processor: Heads Applications, including POS, ERP and back‑office modules delivered via the internet, the Apple App Store or Google Play.
Internal administrative and communication processes related to the above.
It does not cover data that Heads processes solely as a processor on behalf of enterprise customers for other purposes, nor does it govern consumer‑facing mobile apps (Heads' software is intended for internal staff use only).
2.1 Children's Privacy
Our services are not directed to children. We do not knowingly collect data from anyone under 13 (US COPPA) or under 16 (EU GDPR). If we become aware that we have collected personal data from a child under 16, we will take steps to delete such information promptly. If you believe we have collected data from a child, please contact dpo@heads.com immediately.
3. What data we process and why
3.1 Website visitors:
When you browse the Website we process the contact details you choose to enter in forms (such as your name, business email and company), basic technical data supplied by your browser (for example your IP address and device type), and—if you consent—cookie identifiers and usage events that help us understand how the site performs and to run remarketing campaigns.
3.2 Heads Applications users:
When you use our iOS, Android or web back‑office apps we process your name, corporate email address, role and store identifier so we can recognise you when you sign in; credentials, device identifiers and crash logs so we can secure and improve the service; and usage logs that help us detect fraud and provide support.
As a processor, we process this data according to the instructions in our Data Processing Agreement with your employer.
3.3 Legal basis for processing
Processing Activity | Where | Personal Data | Legal Basis | Purpose |
|---|---|---|---|---|
Website Contact Forms | Website | Name, email, company | Contract (Art. 6(1)(b)) | Respond to inquiries |
Website Analytics | Website | IP address, cookies | Consent (Art. 6(1)(a)) | Improve website performance |
Newsletter | Website | Email address | Consent (Art. 6(1)(a)) | Send marketing communications |
Heads Apps Authentication | Heads Applications | Name, email, employee ID | Processing on behalf of controller (Art. 28) | Provide access to work tools |
Transaction Logs | Heads Applications | User ID, actions, timestamps | Legal Obligation (Art. 6(1)(c)) | Comply with accounting laws |
Crash Diagnostics | Heads Applications | Device info, stack traces | Legitimate Interest (Art. 6(1)(f))* | Improve service quality |
Bluetooth Scanning | Heads Applications | Device proximity data | Legitimate Interest (Art. 6(1)(f))* | Enable printer/scanner connectivity |
*Legitimate Interest Assessment summaries are available on request at dpo@heads.com
4. Website Privacy Notice
4.1 Data we collect automatically
Device & log data (IP address, browser type, referrer URL, pages visited, time spent).
Cookies (see section 4.4 and separate Cookie Policy).
Legal basis: legitimate interest (IT security and fraud prevention).*
*Legitimate Interest Assessment available on request
4.2 Data you provide
Contact forms (name, e‑mail, company, message).
Newsletter opt‑in (e‑mail address).
4.3 How we use website data
Deliver content and respond to enquiries.
Prevent misuse (rate-limiting, abuse detection)*
Analyse site traffic using Google Analytics 4.
Run remarketing campaigns in Google Ads & LinkedIn.
Marketing cookies and remarketing pixels are disabled until you grant consent via our consent banner using Google Consent Mode v2.
*Legitimate Interest Assessment available on request
4.4 Website Cookies and tracking technologies
We use:
(a) Necessary cookies (site functionality),
(b) Functional cookies (preferences),
(c) Analytics cookies (Google Analytics 4),
(d) Marketing cookies (Google Ads, LinkedIn).
Consent for non‑essential cookies is obtained via our banner using Google Consent Mode v2. You can withdraw consent at any time by:
Using the cookie banner when it appears
Visiting heads.com and navigating to cookie settings to access consent settings
Clearing your browser cookies
Cookie Category | Lifespan | Notes / Examples |
|---|---|---|
Necessary cookies | Session-based | Essential site functionality |
Functional cookies | 30 days | Saves user preferences |
Analytics cookies | 2 years (e.g., Google Analytics _ga cookie) | Site usage statistics |
Marketing cookies | 90 days | Advertising & remarketing |
See our full Cookie Policy at heads.com/cookie-policy for complete details.
4.5 Legal bases
Consent (for marketing & analytics cookies); Legitimate interest (site security, basic analytics)*; Contract (responding to a request you initiated).
Heads Applications do not engage in cross-app tracking on iOS and therefore do not request ATT consent. Google Ads & LinkedIn remarketing are limited to website visitors only.
*Legitimate Interest Assessment available on request
5. Heads Applications privacy details
5.1 What we collect in the apps
Contact information – your name and work email address.
Identifiers – a unique login ID that ties your account to your employer, plus the device identifier supplied by the operating system.
Payment information – masked payment card numbers (last 4 digits), transaction IDs, and payment method types (e.g., card, mobile payment). We process this data on behalf of retailers but never store full card numbers or sensitive authentication data.
Purchase history – transaction records, receipts, order data, and product information that flows through the POS system during shopper transactions.
Customer registration data (if collected in-app) – shopper names, email addresses, physical addresses, and phone numbers when customers register or provide this information during checkout.
App activity – events such as signing in, opening a screen or performing a refund, recorded to help with fraud prevention and troubleshooting. Specific examples include:
Login/logout timestamps
Screen navigation events
Transaction initiation and completion
Error events and failed operations
Feature usage statistics (anonymized)
Session duration and frequency
Operational metadata (cashier IDs, device info, timestamps)
Diagnostics – crash reports and performance metrics that tell us when something goes wrong. This specifically includes:
App version and build number
Device model and OS version
Crash stack traces (anonymized)
App response times and error rates
Network connection type (WiFi/cellular)
No personal content or sensitive data is included in diagnostic reports.
Retention: crash data are stored for 24 months and then deleted or aggregated.
All native Expo modules bundled with Heads Applications already include Apple PrivacyInfo.xcprivacy manifests; no additional third-party SDKs are embedded.
5.2 Data we do not collect
We do not collect full payment card numbers (PANs), CVV codes, PIN numbers, advertising identifiers for cross-app tracking or any information from other apps on your device.We do not use the Apple Identifier for Advertisers (IDFA) or any tracking technologies that follow users across apps or websites owned by other companies.
5.3 Why we ask for certain permissions
Bluetooth is required to pair with barcode scanners and receipt printers.*
iOS: Reason shown to users "'This app uses Bluetooth to connect to barcode scanners and other devices to enable fast and accurate checkout at the point of sale.'
Android: uses android.permission.BLUETOOTH_CONNECT
These permissions are optional unless they are essential for a feature you or your employer chooses to use. Each request is accompanied by a plain‑language explanation inside the operating‑system prompt.
*Legitimate Interest Assessment available on request
5.4 Account and data deletion
Accounts are provisioned by your employer.
You can initiate deletion of your Heads account from Main menu › My Settings › Delete Account in the application, or via https://heads.com/contact
When you submit a deletion request, it is forwarded to your organisation's administrator, who must complete or refuse it within 30 days. Requests may be refused only where the employer or Heads has a legal obligation to retain specific records (e.g., bookkeeping, labour-law). Data approved for deletion is removed from live systems within 90 days unless a longer legal retention applies.
Backup Retention and Deletion:
Encrypted backups are retained for 30 days for disaster recovery
After deletion from production systems, data may persist in encrypted backups for up to 90 days
Backup data access is strictly limited to authorized personnel
Upon expiration, backup data is securely overwritten and verified as unrecoverable
Total deletion timeline: up to 120 days from approval (90 days production + 30 days encrypted backup retention)
5.5 Data Retention
Data category | Where collected | Retention period | Reason |
|---|---|---|---|
Staff & internal user records | Heads Applications | Employment period + 12 months | HR administration |
Sign‑in & activity logs | Heads Applications | 12 months | Fraud prevention; accounting compliance |
Crash logs & diagnostics | Heads Applications | 24 months | Service quality & debugging |
Transactional metadata* | Heads Applications | 7 years | Legal obligation (Swedish Bokföringslagen) |
Contact‑form submissions | Website | 24 months | Customer‑relation management |
Job‑applicant data | Website | 6 months (longer with consent) | Recruitment administration |
Website analytics & cookies | Website | 14–26 months | Consent / analytics |
*Transactional metadata includes: receipt ID, transaction amount, store ID, timestamp, payment method type (not card details), cashier ID, and product categories
5.6 Data Transfers Outside the EEA
Personal data may be processed outside of the EEA when using cloud infrastructure providers or third-party services.
International Transfer Safeguards: All transfers from the EU/EEA to third countries are protected by:
Standard Contractual Clauses (SCCs) as approved by the European Commission
Transfer Impact Assessments (TIAs) conducted to evaluate third-country risks
Supplementary measures implemented where TIAs identify risks, including enhanced encryption and access controls
UK IDTA or UK Addendum to SCCs for UK transfers
Third-Party Services with International Transfers:
Google Analytics 4: Global processing, protected by SCCs and supplementary measures
Google Ads: Global processing, protected by SCCs and supplementary measures
LinkedIn Insights: Global processing, protected by SCCs and supplementary measures
Cloud Infrastructure Providers: Depending on your organization's deployment, data may be processed by:
Amazon Web Services (AWS) - EU regions (Frankfurt, Ireland, Stockholm)
Microsoft Azure - EU regions (Netherlands, France)
Google Cloud Platform - EU regions (Belgium, Frankfurt)
Hetzner - (Finland or Germany)
All providers are subject to:
Data Processing Agreements (DPAs) compliant with Article 28 GDPR
Standard Contractual Clauses (SCCs) where applicable
Commitment to EU data residency unless otherwise agreed
SOC 2 Type II or equivalent certifications
6. Security measures
TLS 1.3 for data in transit; AES‑256 at rest.
Role‑based access control & MFA for staff.
Anonymisation or pseudonymisation of data where appropriate.
Regular security‑awareness training for all staff members.
Internal audits and risk‑assessments performed at least annually.
Annual penetration tests; ISO‑27001‑aligned policies.
Continuous monitoring & incident response plan.
6.1 Data Breach Notification
In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will:
Notify the Swedish Authority for Privacy Protection (IMY) within 72 hours
Notify affected individuals without undue delay if the breach is likely to result in high risk
Document all breaches and actions taken
Cooperate with authorities to minimize impact
7. Payment Data
Heads does not store or process payment card data directly. All transactions are handled by third-party payment service providers that are compliant with the PCI DSS security standard. Heads only stores relevant transaction metadata necessary for business records and customer service.
8. Third-Party Services and Tools
Service | Used where | Purpose | Region | Privacy Policy |
|---|---|---|---|---|
Google Analytics 4 | Website | Website analytics | Global | |
Google Ads | Website | Marketing & remarketing | Global | |
LinkedIn Insights | Website | B2B marketing | Global | |
LeadInfo | Website | B2B visitor analytics | EU-based | |
Cloud infrastructure* | Heads Applications | Hosting, backup and data processing | EU-based or Global | Details available in your organization's Data Processing Agreement |
*Note: In addition to the above website services, Heads Applications utilize enterprise cloud infrastructure providers (which may include AWS, Microsoft Azure, Google Cloud Platform, or others depending on your organization's deployment). All cloud providers are subject to data processing agreements and appropriate transfer mechanisms. EEA data residency is the default for all customers; other regions are available only when contractually agreed.
All subprocessors are subject to data processing agreements and, where applicable, Standard Contractual Clauses (SCCs) for international transfers with Transfer Impact Assessments and supplementary measures as required.
8.1 SDK and Third-Party Libraries
Our Heads Applications utilize the following third-party SDKs and libraries that may process data:
Expo SDK: Core framework for cross-platform development (privacy-compliant, no tracking)
React Native: UI framework (no data collection)
Native device APIs: For Bluetooth
All third-party code is regularly reviewed for:
Compliance with our privacy commitments
Security vulnerabilities
Data collection practices
Updates to privacy policies
We do not include any advertising SDKs, analytics trackers, or cross-app tracking libraries in our Heads Applications.
9. Your rights
Under GDPR (Articles 15–22) and similar laws you may:
Access your personal data.
Request rectification or erasure.
Restrict or object to processing.
Port your data.
Withdraw consent at any time.
Not be subject to automated decision-making.
Exercising Your Rights: While we encourage you to contact your employer first for account-related matters, Heads will always handle data subject requests sent directly to us at dpo@heads.com. We will coordinate with your employer as needed to fulfill your request.
Requests are free of charge unless manifestly unfounded or excessive. We will respond within 30 days (extendable by 30 days for complex requests). You may also lodge a complaint with the Swedish Authority for Privacy Protection (IMY), Box 8114, 104 20 Stockholm, https://www.imy.se.
Heads does not use automated decision-making, including profiling, that produces legal effects or similarly significantly affects you. All significant decisions involving personal data include human review.
9.1 Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format. To request data portability:
Submit a request to dpo@heads.com
Specify the data you want to receive
We will provide the data in JSON or CSV format within 30 days
Where technically feasible, we can transfer data directly to another controller
9.2 Withdrawing Consent
To withdraw consent:
For cookies: Use the cookie banner when it appears or visit heads.com and navigate to the cookie settings in the website footer to access consent management platform settings
For marketing emails: Click unsubscribe in any email
For app permissions: Use your device settings
9.3 Consent Management
We document and manage consent through:
Timestamp recording: When consent was given or withdrawn
Version tracking: Which privacy policy version was in effect
Granular controls: Separate consent for different processing activities
Easy withdrawal: Simple mechanisms to revoke consent
Audit trail: Complete history of consent changes
No pre-ticked boxes: All consent is explicit and freely given
10. App Store Privacy Compliance
10.1 Apple App Store Privacy Details
In accordance with Apple's App Privacy requirements, we declare the following data collection practices:
Data Linked to You:
Contact Info: Name and email address (used for account creation)
Identifiers: User ID (used for app functionality)
Usage Data: App interactions (used for analytics and fraud prevention)
Payment Info: Masked PANs, transaction IDs, payment methods (processed on behalf of retailers)
Purchase History: Transaction records, receipts, order data (processed on behalf of retailers)
Customer Data (if collected): Shopper names, emails, addresses, phone numbers (processed on behalf of retailers)
Data Not Linked to You:
Diagnostics: Crash data and performance metrics (used for app improvement, collected via Expo/Sentry frameworks)
Data Not Collected:
Full payment card numbers or sensitive authentication data
Health & Fitness
Contacts
User Content
Browsing History
Search History
Sensitive Info
Tracking: Our Heads Applications do not track users across apps or websites owned by other companies. We do not use the Apple Identifier for Advertisers (IDFA) or implement App Tracking Transparency (ATT) as we do not engage in cross-app tracking.
10.2 Google Play Data Safety
For Google Play Store compliance, we disclose identical categories in the Data Safety form:
Data Collected:
Personal info: Name, email address
Payment info: Masked payment details, transaction IDs
Purchase history: Transaction records, receipts
Customer info (if collected): Shopper contact details
App activity: In-app actions
App info and performance: Crash logs, diagnostics (via Expo/Sentry)
Device or other IDs: Device identifiers
Data Usage:
App functionality
Analytics
Fraud prevention and security
Compliance with legal obligations
Data Sharing:
No data is shared with third parties for advertising
Data may be transferred to service providers under contract
Data is encrypted in transit
Users can request data deletion
Data collection is required for app functionality
11. Contact Information
Data Protection Officer
Heads Svenska AB
Linnégatan 87 F, 115 23 Stockholm, Sweden
Email: dpo@heads.com
12. Data Minimization and Privacy by Design
We implement privacy by design principles:
Data Minimization:
We only collect data necessary for specific, legitimate purposes
Data collection is limited to what is adequate and relevant
We regularly review data collection practices to ensure minimization
Unnecessary data is promptly deleted or anonymized
Privacy by Design:
Privacy considerations are embedded in system design
Default settings are privacy-protective
Full functionality is ensured while protecting privacy
End-to-end security protects data throughout its lifecycle
Transparency is maintained through clear documentation
User privacy is respected with granular controls
Privacy measures are regularly audited and improved
13. Annexes and Additional Information
Available on Request:
Full Cookie Policy: heads.com/cookies
Legitimate Interest Assessment (LIA) summaries: dpo@heads.com
Data Protection Impact Assessment (DPIA) summaries: dpo@heads.com
Complete sub-processor list specific for your organization: dpo@heads.com
Data Processing Agreement templates: Contact your account manager
14. Amendments
This Privacy Policy may be updated to reflect changes in legal requirements, technology, or company operations.
We will notify customers of material changes through appropriate channels at least 30 days before they take effect.
The latest version will always be available on our website at https://heads.com/privacy-policy, accessible without login, and within our application under Main Menu › My Settings › Privacy Policy.
Note: Your organization may have additional privacy protections specified in their service agreement with Heads. This policy represents our baseline privacy commitments to all customers.
