Integritetspolicy

Integritetspolicy

Integritetspolicy

Integritetspolicy

Integritetspolicy

Introduction

Heads Svenska AB, a Swedish company ("Heads," "we," "our," or "us") is committed to protecting and respecting your privacy.

This document constitutes our baseline Privacy Policy. Individual customer contracts may specify more extensive privacy protections, stricter data handling requirements, or additional security measures beyond what is described here. Where customer-specific agreements exist, they take precedence over this baseline policy.

This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and the choices you have. It represents our minimum privacy commitments to all users and is structured so that each product environment (Website vs. Heads Applications) is addressed separately, in line with the disclosure requirements of:


  • EU General Data Protection Regulation (GDPR) and corresponding national implementations.

  • Apple App Store Review Guidelines §5.1 and App Privacy Details.

  • Google Play Developer Policy (User Data policy & Data Safety section).

  • ePrivacy Regulation requirements for cookies and electronic communications.


Our software and services are intended only for adults acting in an occupational context. We do not knowingly market to—or knowingly collect data from—children.

In short, we only collect the work-related data needed to run the Heads staff tools, keep them secure, and meet legal duties. We never sell your data or use ads in our applications.

If you do not agree with this Privacy Policy, please refrain from using our services.

1. Who is the data controller?

Website: Heads Svenska AB, company no. 556639-3871, Linnégatan 87F, 115 23 Stockholm, Sweden acts as data controller.

Heads Applications (iOS, iPadOS, Android, Web and desktop applications): Heads Svenska AB acts as a data processor on behalf of your employer (the Heads customer that has licensed our software). Your employer is the data controller.

Data Processing Responsibilities:

  • Heads Svenska AB (Processor): Responsible for app security, technical infrastructure, processing data according to the Data Processing Agreement (Article 28 GDPR), and responding to data subject requests about technical functionality

  • Your Employer (Controller): Responsible for determining processing purposes, user account management, access permissions, and employment-related data decisions under the Data Processing Agreement

  • For data requests: While we encourage you to contact your employer first for account-related matters, Heads will always handle data subject requests sent directly to us and coordinate with your employer as needed

Our Data Protection Officer (DPO) can be reached at dpo@heads.com.

2. Scope

This Policy applies to personal data that Heads processes:

  1. As a controller: The Website (contact forms, cookies, analytics, remarketing).

  2. As a processor: Heads Applications, including POS, ERP and back‑office modules delivered via the internet, the Apple App Store or Google Play.

  3. Internal administrative and communication processes related to the above.

It does not cover data that Heads processes solely as a processor on behalf of enterprise customers for other purposes, nor does it govern consumer‑facing mobile apps (Heads' software is intended for internal staff use only).

2.1 Children's Privacy

Our services are not directed to children. We do not knowingly collect data from anyone under 13 (US COPPA) or under 16 (EU GDPR). If we become aware that we have collected personal data from a child under 16, we will take steps to delete such information promptly. If you believe we have collected data from a child, please contact dpo@heads.com immediately.

3. What data we process and why

3.1 Website visitors:

When you browse the Website we process the contact details you choose to enter in forms (such as your name, business email and company), basic technical data supplied by your browser (for example your IP address and device type), and—if you consent—cookie identifiers and usage events that help us understand how the site performs and to run remarketing campaigns.

3.2 Heads Applications users:

When you use our iOS, Android or web back‑office apps we process your name, corporate email address, role and store identifier so we can recognise you when you sign in; credentials, device identifiers and crash logs so we can secure and improve the service; and usage logs that help us detect fraud and provide support.

As a processor, we process this data according to the instructions in our Data Processing Agreement with your employer.

3.3 Legal basis for processing

Processing Activity

Where

Personal Data

Legal Basis

Purpose

Website Contact Forms

Website

Name, email, company

Contract (Art. 6(1)(b))

Respond to inquiries

Website Analytics

Website

IP address, cookies

Consent (Art. 6(1)(a))

Improve website performance

Newsletter

Website

Email address

Consent (Art. 6(1)(a))

Send marketing communications

Heads Apps Authentication

Heads Applications

Name, email, employee ID

Processing on behalf of controller (Art. 28)

Provide access to work tools

Transaction Logs

Heads Applications

User ID, actions, timestamps

Legal Obligation (Art. 6(1)(c))

Comply with accounting laws

Crash Diagnostics

Heads Applications

Device info, stack traces

Legitimate Interest (Art. 6(1)(f))*

Improve service quality

Bluetooth Scanning

Heads Applications

Device proximity data

Legitimate Interest (Art. 6(1)(f))*

Enable printer/scanner connectivity

*Legitimate Interest Assessment summaries are available on request at dpo@heads.com

4. Website Privacy Notice

4.1 Data we collect automatically
  • Device & log data (IP address, browser type, referrer URL, pages visited, time spent).

  • Cookies (see section 4.4 and separate Cookie Policy).

  • Legal basis: legitimate interest (IT security and fraud prevention).*

*Legitimate Interest Assessment available on request

4.2 Data you provide
  • Contact forms (name, e‑mail, company, message).

  • Newsletter opt‑in (e‑mail address).

4.3 How we use website data
  • Deliver content and respond to enquiries.

  • Prevent misuse (rate-limiting, abuse detection)*

  • Analyse site traffic using Google Analytics 4.

  • Run remarketing campaigns in Google Ads & LinkedIn.

Marketing cookies and remarketing pixels are disabled until you grant consent via our consent banner using Google Consent Mode v2.

*Legitimate Interest Assessment available on request

4.4 Website Cookies and tracking technologies

We use:
(a) Necessary cookies (site functionality),
(b) Functional cookies (preferences),
(c) Analytics cookies (Google Analytics 4),
(d) Marketing cookies (Google Ads, LinkedIn).

Consent for non‑essential cookies is obtained via our banner using Google Consent Mode v2. You can withdraw consent at any time by:

  • Using the cookie banner when it appears

  • Visiting heads.com and navigating to cookie settings to access consent settings

  • Clearing your browser cookies

Cookie Category

Lifespan

Notes / Examples

Necessary cookies

Session-based

Essential site functionality

Functional cookies

30 days

Saves user preferences

Analytics cookies

2 years (e.g., Google Analytics _ga cookie)

Site usage statistics

Marketing cookies

90 days

Advertising & remarketing

See our full Cookie Policy at heads.com/cookie-policy for complete details.

4.5 Legal bases

Consent (for marketing & analytics cookies); Legitimate interest (site security, basic analytics)*; Contract (responding to a request you initiated).

Heads Applications do not engage in cross-app tracking on iOS and therefore do not request ATT consent. Google Ads & LinkedIn remarketing are limited to website visitors only.

*Legitimate Interest Assessment available on request

5. Heads Applications privacy details

5.1 What we collect in the apps
  • Contact information – your name and work email address.

  • Identifiers – a unique login ID that ties your account to your employer, plus the device identifier supplied by the operating system.

  • Payment information – masked payment card numbers (last 4 digits), transaction IDs, and payment method types (e.g., card, mobile payment). We process this data on behalf of retailers but never store full card numbers or sensitive authentication data.

  • Purchase history – transaction records, receipts, order data, and product information that flows through the POS system during shopper transactions.

  • Customer registration data (if collected in-app) – shopper names, email addresses, physical addresses, and phone numbers when customers register or provide this information during checkout.

  • App activity – events such as signing in, opening a screen or performing a refund, recorded to help with fraud prevention and troubleshooting. Specific examples include:

    • Login/logout timestamps

    • Screen navigation events

    • Transaction initiation and completion

    • Error events and failed operations

    • Feature usage statistics (anonymized)

    • Session duration and frequency

    • Operational metadata (cashier IDs, device info, timestamps)

  • Diagnostics – crash reports and performance metrics that tell us when something goes wrong. This specifically includes:

    • App version and build number

    • Device model and OS version

    • Crash stack traces (anonymized)

    • App response times and error rates

    • Network connection type (WiFi/cellular)

    • No personal content or sensitive data is included in diagnostic reports.

    • Retention: crash data are stored for 24 months and then deleted or aggregated.

All native Expo modules bundled with Heads Applications already include Apple PrivacyInfo.xcprivacy manifests; no additional third-party SDKs are embedded.

5.2 Data we do not collect

We do not collect full payment card numbers (PANs), CVV codes, PIN numbers, advertising identifiers for cross-app tracking or any information from other apps on your device.We do not use the Apple Identifier for Advertisers (IDFA) or any tracking technologies that follow users across apps or websites owned by other companies.

5.3 Why we ask for certain permissions
  • Bluetooth is required to pair with barcode scanners and receipt printers.*

    • iOS: Reason shown to users "'This app uses Bluetooth to connect to barcode scanners and other devices to enable fast and accurate checkout at the point of sale.'

    • Android: uses android.permission.BLUETOOTH_CONNECT

These permissions are optional unless they are essential for a feature you or your employer chooses to use. Each request is accompanied by a plain‑language explanation inside the operating‑system prompt.

*Legitimate Interest Assessment available on request

5.4 Account and data deletion

Accounts are provisioned by your employer.
You can initiate deletion of your Heads account from Main menu › My Settings › Delete Account in the application, or via https://heads.com/contact

When you submit a deletion request, it is forwarded to your organisation's administrator, who must complete or refuse it within 30 days. Requests may be refused only where the employer or Heads has a legal obligation to retain specific records (e.g., bookkeeping, labour-law). Data approved for deletion is removed from live systems within 90 days unless a longer legal retention applies.

Backup Retention and Deletion:

  • Encrypted backups are retained for 30 days for disaster recovery

  • After deletion from production systems, data may persist in encrypted backups for up to 90 days

  • Backup data access is strictly limited to authorized personnel

  • Upon expiration, backup data is securely overwritten and verified as unrecoverable

  • Total deletion timeline: up to 120 days from approval (90 days production + 30 days encrypted backup retention)

5.5 Data Retention

Data category

Where collected

Retention period

Reason

Staff & internal user records

Heads Applications

Employment period + 12 months

HR administration

Sign‑in & activity logs

Heads Applications

12 months

Fraud prevention; accounting compliance

Crash logs & diagnostics

Heads Applications

24 months

Service quality & debugging

Transactional metadata*

Heads Applications

7 years

Legal obligation (Swedish Bokföringslagen)

Contact‑form submissions

Website

24 months

Customer‑relation management

Job‑applicant data

Website

6 months (longer with consent)

Recruitment administration

Website analytics & cookies

Website

14–26 months

Consent / analytics

*Transactional metadata includes: receipt ID, transaction amount, store ID, timestamp, payment method type (not card details), cashier ID, and product categories

5.6 Data Transfers Outside the EEA

Personal data may be processed outside of the EEA when using cloud infrastructure providers or third-party services.

International Transfer Safeguards: All transfers from the EU/EEA to third countries are protected by:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission

  • Transfer Impact Assessments (TIAs) conducted to evaluate third-country risks

  • Supplementary measures implemented where TIAs identify risks, including enhanced encryption and access controls

  • UK IDTA or UK Addendum to SCCs for UK transfers

Third-Party Services with International Transfers:

  • Google Analytics 4: Global processing, protected by SCCs and supplementary measures

  • Google Ads: Global processing, protected by SCCs and supplementary measures

  • LinkedIn Insights: Global processing, protected by SCCs and supplementary measures

Cloud Infrastructure Providers: Depending on your organization's deployment, data may be processed by:

  • Amazon Web Services (AWS) - EU regions (Frankfurt, Ireland, Stockholm)

  • Microsoft Azure - EU regions (Netherlands, France)

  • Google Cloud Platform - EU regions (Belgium, Frankfurt)

  • Hetzner - (Finland or Germany)

All providers are subject to:

  • Data Processing Agreements (DPAs) compliant with Article 28 GDPR

  • Standard Contractual Clauses (SCCs) where applicable

  • Commitment to EU data residency unless otherwise agreed

  • SOC 2 Type II or equivalent certifications

6. Security measures

  • TLS 1.3 for data in transit; AES‑256 at rest.

  • Role‑based access control & MFA for staff.

  • Anonymisation or pseudonymisation of data where appropriate.

  • Regular security‑awareness training for all staff members.

  • Internal audits and risk‑assessments performed at least annually.

  • Annual penetration tests; ISO‑27001‑aligned policies.

  • Continuous monitoring & incident response plan.

6.1 Data Breach Notification

In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will:

  • Notify the Swedish Authority for Privacy Protection (IMY) within 72 hours

  • Notify affected individuals without undue delay if the breach is likely to result in high risk

  • Document all breaches and actions taken

  • Cooperate with authorities to minimize impact

7. Payment Data

Heads does not store or process payment card data directly. All transactions are handled by third-party payment service providers that are compliant with the PCI DSS security standard. Heads only stores relevant transaction metadata necessary for business records and customer service.

8. Third-Party Services and Tools

Service

Used where

Purpose

Region

Privacy Policy

Google Analytics 4

Website

Website analytics

Global

https://policies.google.com/privacy

Google Ads

Website

Marketing & remarketing

Global

https://policies.google.com/privacy

LinkedIn Insights

Website

B2B marketing

Global

https://www.linkedin.com/legal/privacy-policy

LeadInfo

Website

B2B visitor analytics

EU-based

https://www.leadinfo.com/en/privacy/

Cloud infrastructure*

Heads Applications

Hosting, backup and data processing

EU-based or Global

Details available in your organization's Data Processing Agreement

*Note: In addition to the above website services, Heads Applications utilize enterprise cloud infrastructure providers (which may include AWS, Microsoft Azure, Google Cloud Platform, or others depending on your organization's deployment). All cloud providers are subject to data processing agreements and appropriate transfer mechanisms. EEA data residency is the default for all customers; other regions are available only when contractually agreed.

All subprocessors are subject to data processing agreements and, where applicable, Standard Contractual Clauses (SCCs) for international transfers with Transfer Impact Assessments and supplementary measures as required.

8.1 SDK and Third-Party Libraries

Our Heads Applications utilize the following third-party SDKs and libraries that may process data:

  • Expo SDK: Core framework for cross-platform development (privacy-compliant, no tracking)

  • React Native: UI framework (no data collection)

  • Native device APIs: For Bluetooth

All third-party code is regularly reviewed for:

  • Compliance with our privacy commitments

  • Security vulnerabilities

  • Data collection practices

  • Updates to privacy policies

We do not include any advertising SDKs, analytics trackers, or cross-app tracking libraries in our Heads Applications.

9. Your rights

Under GDPR (Articles 15–22) and similar laws you may:

  1. Access your personal data.

  2. Request rectification or erasure.

  3. Restrict or object to processing.

  4. Port your data.

  5. Withdraw consent at any time.

  6. Not be subject to automated decision-making.

Exercising Your Rights: While we encourage you to contact your employer first for account-related matters, Heads will always handle data subject requests sent directly to us at dpo@heads.com. We will coordinate with your employer as needed to fulfill your request.

Requests are free of charge unless manifestly unfounded or excessive. We will respond within 30 days (extendable by 30 days for complex requests). You may also lodge a complaint with the Swedish Authority for Privacy Protection (IMY), Box 8114, 104 20 Stockholm, https://www.imy.se.

Heads does not use automated decision-making, including profiling, that produces legal effects or similarly significantly affects you. All significant decisions involving personal data include human review.

9.1 Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format. To request data portability:

  1. Submit a request to dpo@heads.com

  2. Specify the data you want to receive

  3. We will provide the data in JSON or CSV format within 30 days

  4. Where technically feasible, we can transfer data directly to another controller

9.2 Withdrawing Consent

To withdraw consent:

  • For cookies: Use the cookie banner when it appears or visit heads.com and navigate to the cookie settings in the website footer to access consent management platform settings

  • For marketing emails: Click unsubscribe in any email

  • For app permissions: Use your device settings

9.3 Consent Management

We document and manage consent through:

  • Timestamp recording: When consent was given or withdrawn

  • Version tracking: Which privacy policy version was in effect

  • Granular controls: Separate consent for different processing activities

  • Easy withdrawal: Simple mechanisms to revoke consent

  • Audit trail: Complete history of consent changes

  • No pre-ticked boxes: All consent is explicit and freely given

10. App Store Privacy Compliance

10.1 Apple App Store Privacy Details

In accordance with Apple's App Privacy requirements, we declare the following data collection practices:

Data Linked to You:

  • Contact Info: Name and email address (used for account creation)

  • Identifiers: User ID (used for app functionality)

  • Usage Data: App interactions (used for analytics and fraud prevention)

  • Payment Info: Masked PANs, transaction IDs, payment methods (processed on behalf of retailers)

  • Purchase History: Transaction records, receipts, order data (processed on behalf of retailers)

  • Customer Data (if collected): Shopper names, emails, addresses, phone numbers (processed on behalf of retailers)

Data Not Linked to You:

  • Diagnostics: Crash data and performance metrics (used for app improvement, collected via Expo/Sentry frameworks)

Data Not Collected:

  • Full payment card numbers or sensitive authentication data

  • Health & Fitness

  • Contacts

  • User Content

  • Browsing History

  • Search History

  • Sensitive Info

Tracking: Our Heads Applications do not track users across apps or websites owned by other companies. We do not use the Apple Identifier for Advertisers (IDFA) or implement App Tracking Transparency (ATT) as we do not engage in cross-app tracking.

10.2 Google Play Data Safety

For Google Play Store compliance, we disclose identical categories in the Data Safety form:

Data Collected:

  • Personal info: Name, email address

  • Payment info: Masked payment details, transaction IDs

  • Purchase history: Transaction records, receipts

  • Customer info (if collected): Shopper contact details

  • App activity: In-app actions

  • App info and performance: Crash logs, diagnostics (via Expo/Sentry)

  • Device or other IDs: Device identifiers

Data Usage:

  • App functionality

  • Analytics

  • Fraud prevention and security

  • Compliance with legal obligations

Data Sharing:

  • No data is shared with third parties for advertising

  • Data may be transferred to service providers under contract

  • Data is encrypted in transit

  • Users can request data deletion

  • Data collection is required for app functionality

11. Contact Information

Data Protection Officer
Heads Svenska AB
Linnégatan 87 F, 115 23 Stockholm, Sweden
Email: dpo@heads.com

12. Data Minimization and Privacy by Design

We implement privacy by design principles:

Data Minimization:

  • We only collect data necessary for specific, legitimate purposes

  • Data collection is limited to what is adequate and relevant

  • We regularly review data collection practices to ensure minimization

  • Unnecessary data is promptly deleted or anonymized

Privacy by Design:

  • Privacy considerations are embedded in system design

  • Default settings are privacy-protective

  • Full functionality is ensured while protecting privacy

  • End-to-end security protects data throughout its lifecycle

  • Transparency is maintained through clear documentation

  • User privacy is respected with granular controls

  • Privacy measures are regularly audited and improved

13. Annexes and Additional Information

Available on Request:

  • Full Cookie Policy: heads.com/cookies

  • Legitimate Interest Assessment (LIA) summaries: dpo@heads.com

  • Data Protection Impact Assessment (DPIA) summaries: dpo@heads.com

  • Complete sub-processor list specific for your organization: dpo@heads.com

  • Data Processing Agreement templates: Contact your account manager

14. Amendments

This Privacy Policy may be updated to reflect changes in legal requirements, technology, or company operations.

We will notify customers of material changes through appropriate channels at least 30 days before they take effect.

The latest version will always be available on our website at https://heads.com/privacy-policy, accessible without login, and within our application under Main Menu › My Settings › Privacy Policy.

Note: Your organization may have additional privacy protections specified in their service agreement with Heads. This policy represents our baseline privacy commitments to all customers.

Kontakta oss

Om du har frågor, eller bara vill säga hej, skicka ett meddelande här!

Kontakta oss

Om du har frågor, eller bara vill säga hej, skicka ett meddelande här!

Kontakta oss

Om du har frågor, eller bara vill säga hej, skicka ett meddelande här!