Privacy Policy

Heila processes your personal data in compliance with the EU General Data Protection Regulation (Regulation EU 2016/679, "GDPR"). This document explains what we collect, why, how we protect it and what rights you have.

Version 1.0
Last updated: 19 May 2026

Contents
  1. Who we are
  2. What data we collect
  3. AI-based enrichment
  4. Mandatory vs optional
  5. Recipients & sub-processors
  6. International transfers
  7. Disclosure to third parties
  8. Data retention
  9. Your rights
  10. Security & data breach
  11. Cookies
  12. Minors
  13. Changes

1. Who we are (Data Controllers)

Pursuant to Article 13 of Regulation (EU) 2016/679 ("GDPR"), the Data Controllers of the personal data collected through the website heila.me and the related software-as-a-service platform (hereinafter, the "Service" or "Heila") are jointly the team running the "Heila" project (hereinafter also referred to as the "Controllers", "we" or "Heila").

The Heila project is currently in an idea-validation phase: at present no legal entity is dedicated to operating the Service, which is delivered directly by the project founders acting in their personal capacity as natural persons. Should a company be incorporated in the future to operate the Service, the controllership of the processing will be transferred to that entity (hereinafter, the "Company") and this notice will be updated accordingly. Registered users will be informed of such transfer by email at the address on file.

Single contact channel for any privacy-related request: info@heila.me.

Data Protection Officer (DPO): Not appointed. Pursuant to Article 37 GDPR, the appointment of a DPO is not mandatory for Heila at this stage, as (i) it is not a public authority or body, (ii) its core activities do not consist of processing operations requiring large-scale, regular and systematic monitoring of data subjects, and (iii) no special categories of data or data relating to criminal convictions are processed on a large scale.


2. What data we collect and why

Heila processes three categories of personal data. For each one we indicate the type, purposes, legal basis and retention period.

2.1 Browsing data

What we collect: IP address, browser type and version, operating system, pages visited, date and time of access, anonymous interaction events (e.g. clicks), any UTM parameters from acquisition campaigns.

Purpose: ensure the proper functioning and security of the Service, prevent abuse, collect aggregated usage statistics to improve the product.

Legal basis: legitimate interest of the Controller in ensuring the proper functioning and security of the Service (Article 6(1)(f) GDPR). For analytics and marketing tools subject to consent, the legal basis is the data subject's consent (Article 6(1)(a) GDPR), provided through the cookie banner.

Retention: security logs up to 12 months; aggregated and anonymised analytics data with no time limit.

2.2 Account and contact data

What we collect: first name, last name, email address, password (stored in hashed form), phone number if provided, interface language, notification preferences.

Purpose: create and manage the user account, authenticate access, send service communications (e.g. notifications of new relevant opportunities, security alerts, contractual communications) and, subject to consent, commercial communications (e.g. newsletters, product updates).

Legal basis: performance of the contract to which the data subject is a party, namely the provision of the Service (Article 6(1)(b) GDPR); for commercial communications not strictly necessary to perform the contract, the data subject's consent (Article 6(1)(a) GDPR), revocable at any time.

Retention: for the duration of the contractual relationship and for 24 months thereafter, subject to longer retention required by law. Marketing mailing list: until consent is withdrawn.

2.3 Business profile data

What we collect: VAT number, company name, ATECO classification code, locations, company size, website, services offered, industries of interest, and any other information provided by the user or derived from automated enrichment (see Section 3), useful to profile relevant opportunities for the user's business.

While most of this information relates to legal entities and does not, in itself, qualify as personal data, some of it (e.g. the name of the legal representative, the corporate email firstname.lastname@) may qualify as personal data and is treated as such.

Purpose: feed the matching algorithm between business profile and opportunities (public tenders, grants, events, funding), deliver the core functionality of the Service.

Legal basis: performance of the contract (Article 6(1)(b) GDPR). For the AI-based enrichments described in Section 3, also the legitimate interest of the Controller in improving the quality of the matching (Article 6(1)(f) GDPR), balanced by the absence of individual profiling and by the user's ability to modify or delete at any time any pre-filled field.

Retention: for the duration of the contractual relationship and for 24 months thereafter, subject to legal obligations.


3. AI-based enrichment of the business profile

During onboarding (step 2), Heila pre-fills a "Research profile" combining (i) public data associated with the VAT number provided by the user, (ii) information available on the company website, if indicated, (iii) processing by third-party artificial intelligence models to summarise activity, sector and size.

This does not constitute automated decision-making within the meaning of Article 22 GDPR: the output is a draft editable by the user, who remains free to accept, correct, supplement or delete each field before confirming the profile. No decision producing legal effects or significantly affecting the user is taken automatically on the basis of this data.

The third-party AI services used for this processing are listed in Section 5 (Recipients and sub-processors).


4. Mandatory vs optional data

The provision of account data (Section 2.2) and of the VAT number (Section 2.3) is mandatory for using the Service: without it the account cannot be created and the Service cannot be delivered.

The provision of the company website during onboarding is optional: its absence reduces the quality of profile pre-filling but does not prevent use of the Service.

The provision of marketing data (consent to commercial communications) is optional and independent from the activation of the Service.


5. Recipients of data and sub-processors (external data processors)

To deliver the Service we rely on external providers that process data on our behalf as data processors under Article 28 GDPR. Given the validation phase of the project, we list below the categories of providers used, and we will provide the up-to-date list of named providers upon request (see the end of this section):

  • Cloud hosting and database providers, for storing application data and technical logs;
  • Authentication providers, for managing credentials and user sessions;
  • Transactional email providers, for sending service emails (account verification, opportunity notifications, contractual communications);
  • Marketing email providers (if active, subject to consent), for sending newsletters and product updates;
  • Business data lookup providers, for verifying VAT numbers and enriching business data from official public sources;
  • Artificial intelligence model providers, for the automated processing of the Research profile (see Section 3);
  • Product analytics providers, for aggregated and — where not aggregated — pseudonymised analysis of usage.

We have signed, or will sign before live use, a Data Processing Agreement under Article 28 GDPR with each such provider.

The up-to-date list of named sub-processors is available free of charge upon request, by writing to info@heila.me. We will communicate any material changes to the list with reasonable notice to registered users.


6. International data transfers (outside the European Union)

Some of the providers listed in Section 5 (particularly AI model providers and, potentially, some analytics and operational tools) are based in the United States or in other third countries.

Where such transfers occur, they take place exclusively to providers that (i) adhere to the EU-US Data Privacy Framework, where applicable, and/or (ii) ensure adequate safeguards through the Standard Contractual Clauses approved by the European Commission under Decision 2021/914/EU, supplemented where necessary by additional technical and organisational measures.

Data subjects can request a copy of the standard clauses or information on the measures adopted by writing to info@heila.me.


7. Disclosure to third parties other than sub-processors

Heila does not sell or otherwise transfer users' personal data to third parties for their own marketing purposes.

Data may be disclosed to:

  • public authorities, exclusively in compliance with legal obligations or upon a legitimate request;
  • professional advisors (legal, tax, accounting) bound by confidentiality obligations, exclusively where necessary to manage specific compliance matters;
  • prospective acquirers, in the event of a business transfer (sale of business branch, merger, acquisition), with prior notice to the data subjects.

8. Retention period (summary)

Type of data                                Duration
Account data                                Duration of the relationship + 24 months
Business profile data                       Duration of the relationship + 24 months
Technical security logs                     12 months
Aggregated and anonymised analytics         No time limit
Commercial communications (mailing list)    Until consent is withdrawn
Accounting and tax records                  10 years (legal obligation)

Once these terms have elapsed, data is irreversibly deleted or anonymised.


9. Your rights as a data subject

At any time and free of charge, pursuant to Articles 15-22 GDPR, the user has the right to:

  • access their personal data and information on the processing;
  • obtain rectification of inaccurate data or completion of incomplete data;
  • obtain erasure ("right to be forgotten"), in the cases provided for by the regulation;
  • obtain restriction of processing, in the cases provided for by Article 18 GDPR;
  • data portability, i.e. to receive their data in a structured, commonly used and machine-readable format, and to transmit it to another controller;
  • object to processing based on legitimate interest or for direct marketing purposes;
  • withdraw consent at any time, without prejudice to the lawfulness of processing based on consent given prior to withdrawal;
  • lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali, website: garanteprivacy.it) or with another competent supervisory authority.

To exercise these rights, simply write to info@heila.me. We will respond within 30 days, subject to justified extensions provided for by law.


10. Processing methods and security

Processing is carried out electronically, applying technical and organisational measures appropriate to the risk, including: encryption in transit (TLS), at-rest encryption of databases, password hashing, role-based access control, regular backups, logging of administrative activities, incident management processes.

In the event of a personal data breach posing a risk to the rights and freedoms of data subjects, we will notify the Italian Data Protection Authority within 72 hours and, where the risk is high, inform the data subjects without undue delay, pursuant to Articles 33 and 34 GDPR.


11. Cookies

The use of cookies and similar technologies is governed by our Cookie Policy, available at https://heila.me/en/cookie-policy and managed via the consent banner shown on first access to the website.


12. Minors

The Service is exclusively intended for adults acting in the course of their professional, business or commercial activity (B2B). We do not knowingly collect data relating to minors. Should we become aware of having collected data relating to a minor without valid consent, we will delete such data immediately.


13. Changes to this notice

We reserve the right to amend this notice at any time to reflect regulatory changes, evolution of the Service or new providers. The updated version will be published on this page with indication of the date of last update. In case of material changes, registered users will be informed by email at the address associated with their account.

Have privacy questions?

Write to info@heila.me. We respond within 30 days as required by GDPR.