PRIVACY POLICY

Regarding our duty to provide information when collecting personal data under Article 13 GDPR

1. Introduction

In accordance with Article 13 GDPR, we hereby inform you about the processing of your personal data (“personal data” or “data”) collected by us, as well as your related rights. Exactly which data we process depends on the specific services you request or agree to.

2. Details about the Controller

The controller responsible for processing your data is Heronhel LLC, 30 N Gould St Suite R, Sheridan, WY 82801, USA. You can reach us by email at office@heronhel.com

3. Data Protection Officer

We are not required to appoint a data protection officer and have not done so. For any data protection concerns, please contact the controller.

4. Principles when collecting data

4.1 Data Collection

Supplying data is generally voluntary. However, for certain processing, data from you are required because otherwise we cannot process your concerns or requests—for example, forming a contractual relationship.

If providing data is mandatory (e.g. for contract or order handling, or to provide certain website or shop functions), no right to object can be exercised in such cases.

Where possible — for example in contact or contract forms — we use optional and required fields. Required fields are marked. Data from required fields includes information we must have to process your request.

4.2 No Profiling

Profiling (Article 4 Paragraph 4 GDPR) refers to automated processing of data to evaluate or analyze or predict personal aspects of individuals (e.g., work performance, economic situation, health, personal preferences). We do not use automated decision-making or profiling.

5. Processing

We process personal data in compliance with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). The legal bases for processing differ depending on the purpose. The processing we carry out is described in the following sub-sections.

In all cases, the following general provisions apply in addition to the specific rules:

  • We only share your data internally with divisions and persons who need the data to fulfill contractual or legal obligations or to implement our legitimate interests.

  • Data is only passed outside the company if we are legally or judicially obligated to do so, or with your consent, or on the basis of a legitimate interest (especially with our service providers).

  • We delete data when it is no longer needed for its purpose. Data may be stored longer if required by contract, law, or judicial decision.

  • Deletion also occurs if you withdraw consent or other legal permissions cease. If data is still needed to assert or defend legal claims, we retain it until that is no longer necessary. If needed for statutory retention periods, data is kept until those expire.

  • We review retention periods generally at the end of each year.

5.1 Processing: Website

5.1.1 Details of processing

Our website is based on WordPress, which uses your browser's local storage to store files (e.g. cookies, images, texts) necessary for the technically flawless operation of the website. These are technically necessary under §25 (2) sentence 2 TTDSG.

Except for explicit communication with you upon your request, no data is processed or stored for identifying individuals. We do not create personal user profiles. Visits to our website are analyzed statistically, but only in aggregated, anonymized form.

To protect transmission and confidential content (e.g. orders or inquiries you send to us), our website uses SSL / TLS encryption. Thus, data you transmit to us cannot be read by third parties.

5.1.2 Categories of data subjects

All visitors of our website(s).

5.1.3 Categories of personal data processed

We store:

  • Telemetry and statistics data: this includes things like IP address, browser type/version, operating system, date/time and time zone, language, domain and path of visited page(s), consents, user ID, location info, user-agent, screen resolution, referrer URL, information about downloaded files, clicked links, search terms used in search engines.

5.1.4 Recipients of data

  • The processor responsible for hosting the website under Article 28 (1) GDPR.

5.1.5 Legal basis and purpose

The legal basis is Article 6 (1)(f) GDPR – our legitimate interest in technically and aesthetically proper delivery of our website and anonymous statistical analysis. We store data on your device as per §25 (2) sentence 2 TTDSG. These data are not used for other purposes.

5.1.6 Duration of storage

The storage duration for telemetry data, cookies, and locally stored data is usually up to one year, or until you request deletion or delete the data in your browser.

5.2 Processing: Forms

5.2.1 Details of processing

We offer various forms (newsletter signup, seminar registration, contact form, etc.). For these we require your personal data to process the requests.

5.2.2 Data subjects

Website visitors, interested parties, suppliers, customers, employees.

5.2.3 Categories of personal data processed

Contact information: name, postal/invoice address, phone, fax, email, optionally description of request or message.

5.2.4 Recipients of data

  • For the newsletter: we use the service Mailerlite, San Francisco, USA. We have concluded a data processing agreement with them.

5.2.5 Legal basis and purpose

The legal basis is Article 6 (1)(a) GDPR — your consent. This consent can be withdrawn at any time, with effect for the future.

5.2.6 Duration of storage

Form data are stored until the purpose is fulfilled, or until you ask us to delete it.

5.3 Processing: Contractual Relationship

5.3.1 Details of processing

We process data related to contract initiation or pre-contractual measures: registrations, execution of training or sessions, purchase of products, or for the newsletter. The data includes your personal/company details (name, address, contact info etc.) and any additional data you provide in connection with establishing the contract.

5.3.2 Data subjects

Website visitors, interested persons, suppliers, customers.

5.3.3 Categories of data processed

Contact info such as name, mailing address, phone, email; details about purchases or training; any concerns or special requests.

5.3.4 Recipients of data

Internal parties only.

5.3.5 Legal basis and purpose

Legal basis is Article 6 (1)(b) GDPR (contract performance) and Article 6 (1)(a) GDPR (consent). Your consent may be withdrawn for future processing.

5.3.6 Duration of storage

Contractual data are kept as long as needed for the purpose, or until you request deletion.

5.4 Use of Third-Party Services

To run efficiently, we use third-party processors in some places, to whom we send data. These include:

5.4.1 Google Analytics

  • For statistical analysis, we use Google Analytics (Google Ireland Ltd or Google Inc., USA). It helps us analyze user behaviour and fix errors. It is turned off by default when you visit our website. Your behaviour is captured in pseudonymised form only if you consent. Google Analytics uses cookies stored on your computer.

  • Your IP address is anonymized so that we cannot identify a user.

  • Categories affected: all website visitors.

  • Types of data: telemetry/statistics (IP, browser info, OS, language, etc.).

  • Legal basis & purpose: Article 6 (1)(a) GDPR — your consent. The data are not used to identify you, only to measure website reach and enable debugging.

  • Duration of storage: Google cookies are stored up to 13 months after session ends or until you delete them yourself. Analyses and statistics derived from them remain, but they do not allow personal identification.

5.4.2 Pinterest

  • We use services from Pinterest Europe Ltd., Ireland to embed images we have provided on Pinterest. To enable this embedding, your IP address and other telemetry/statistics data are transmitted. This happens only if you have agreed via our website’s consent system; otherwise no data are transferred and images are not embedded.

  • Categories of data: same kind of telemetry/statistics data.

  • Recipients: Pinterest Europe Ltd.

  • Legal basis: Article 6 (1)(a) GDPR — your consent.

  • Storage duration: As specified by Pinterest and subject to consent.

5.4.3 Processing: Use of Vimeo

5.4.3.1 Nature of the Processing

To play videos on our website, we use the Vimeo service provided by Vimeo LLC, NY, USA. Information about data processing by Vimeo can be found here: https://vimeo.com/privacy

5.4.3.2 Categories of Data Subjects

The following groups of persons are affected by this processing:

  • All visitors to the website(s)

5.4.3.3 Categories of Personal Data Processed

The following data may be stored:

  • Telemetry and statistical data: including IP address, browser type/version, operating system, date, time and time zone, cookie version and cookie duration, language, domain and path of the visited website, consents, UID, location information, user agent, screen resolution, referrer URL, information about downloaded files, clicked links, search terms from used search engines.

5.4.3.4 Recipients of the Data

The following parties are recipients of the processed data:

5.4.3.5 Legal Basis and Purpose

The legal basis is Article 6 (1)(f) GDPR — our legitimate interest in providing a simple and functionally appropriate way to display videos.

5.4.3.6 Duration of Storage

Detailed information on how long Vimeo stores your data can be found here: https://vimeo.com/privacy

6. Links to Social Media Channels

We have links to our profiles on social media (Instagram, Facebook, etc.). Use of those services by you is voluntary. We do not use data collected there, and we cannot influence their data processing.

7. Transfer of Data to Third Countries or an International Organization

We aim to conduct processing in the EU or in countries with an adequacy decision by the European Commission (per Art. 45 GDPR). However, data may be transmitted to service providers in third countries (i.e. outside the EEA) under certain conditions — for example when using external providers.

We will only do so if the requirements of Articles 44 ff. GDPR are met — meaning that those service providers are bound to the same level of data protection as we are (e.g. via contractual guarantees, binding internal privacy rules, special guarantees, or your consent).

Currently, none of our processing requires data transfer to a third country outside the EEA.

8. Technical and Organizational Measures

We have implemented technical and organizational measures to ensure the security of data processing. These in particular include:

  • SSL / TLS encryption: this website uses SSL/TLS so data you send to us cannot be read by third parties.

  • Use of processors within the EU: hosting of the website and other service providers are located exclusively within the European Union.


9. Rights of the Data Subject and Right to Lodge a Complaint

As a person whose data is processed, you have the following rights under Articles 7 and 15-22 GDPR:

  • Under Art. 7 GDPR: the right to withdraw consent where processing is based on your consent. Withdrawal is free and may be done in any form (preferably via email). Note that withdrawal only affects future processing; processing done before withdrawal is unaffected. Also note there may be legal retention periods we must observe.

  • Under Art. 15 GDPR: right of access to your processed data.

  • Under Art. 16 GDPR: right to correction of incorrect data.

  • Under Art. 17 GDPR: right to deletion (“right to be forgotten”), unless exceptions apply (such as legal retention or statute of limitations).

  • Under Art. 18 GDPR: right to restriction of processing.

  • Under Art. 19 GDPR: right to notification of any correction, deletion or restriction of processing of your data. We will inform you if you request this.

  • Under Art. 20 GDPR: right to data portability (if technically feasible).

  • Under Art. 21 GDPR: right to object to processing based on public or legitimate interest (i.e. processing under Art. 6 (1)(e) or (f) GDPR). If you do so, we will stop processing unless we have compelling legitimate grounds which override your interests. For direct marketing or profiling, no reason is needed to object.

  • Under Art. 77 GDPR: right to lodge a complaint with a supervisory authority if you believe your data is being processed improperly. For our company, the competent authority is the Comissão Nacional de Proteção de Dados (CNPD) in Lisbon. Address: Av. D. Carlos I, 134 – 1.º, 1200-651 Lisboa, Portugal. Phone +351 21 392 8400, email geral@cnpd.pt.

Status: September 2025