GDPR Compliance Statement

Last updated: 8/21/2025

1. Our Commitment to GDPR

Headge is committed to protecting the personal data of all European Union (EU) residents in accordance with the General Data Protection Regulation (GDPR). This compliance statement outlines how we collect, process, store, and protect your personal data in compliance with GDPR requirements.

2. Legal Basis for Processing

We process personal data under the following legal bases:

  • Consent: You have given clear consent for us to process your personal data for specific purposes
  • Contract: Processing is necessary for the performance of our services to you
  • Legal obligations: Processing is necessary to comply with the law
  • Legitimate interests: Processing is necessary for our legitimate interests or those of a third party

3. Your Rights Under GDPR

As an EU resident, you have the following rights regarding your personal data:

Right to Access (Article 15)

You have the right to request copies of your personal data. We may charge a small fee for this service.

Right to Rectification (Article 16)

You have the right to request that we correct any information you believe is inaccurate, or complete any information you believe is incomplete.

Right to Erasure (Article 17)

You have the right to request that we erase your personal data, under certain conditions. This is also known as the "right to be forgotten."

Right to Restrict Processing (Article 18)

You have the right to request that we restrict the processing of your personal data, under certain conditions.

Right to Data Portability (Article 20)

You have the right to request that we transfer the data we have collected to another organization, or directly to you, under certain conditions.

Right to Object (Article 21)

You have the right to object to our processing of your personal data, under certain conditions.

Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

4. Data We Collect

We collect and process the following categories of personal data:

  • Identity data (name, username)
  • Contact data (email address)
  • Technical data (IP address, browser type, device information)
  • Profile data (preferences, feedback, survey responses)
  • Usage data (information about how you use our app and services)
  • Marketing and communications data (your preferences in receiving marketing from us)

5. How We Use Your Data

We use your personal data for the following purposes:

  • To provide and maintain our meditation and mindfulness services
  • To manage your account and subscription
  • To personalize your experience
  • To communicate with you about updates and offers
  • To improve our services through analytics
  • To comply with legal obligations
  • To protect against fraud and ensure security

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements. The retention period depends on:

  • The purpose for which we collected the data
  • Legal obligations requiring us to keep the data
  • Whether retention is necessary for our legitimate interests

When you request deletion of your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain certain information for legal purposes.

7. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA). When we transfer your data outside the EEA, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions by the European Commission
  • Your explicit consent to the proposed transfer

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data against:

  • Unauthorized or unlawful processing
  • Accidental loss, destruction, or damage
  • Unauthorized disclosure or access

These measures include encryption, access controls, regular security assessments, and staff training on data protection.

9. Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, in accordance with Article 34 of the GDPR. We will also notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33.

10. Third-Party Processors

We work with the following categories of third-party processors who may handle your data:

  • Cloud hosting providers (Supabase, Vercel)
  • Payment processors (Stripe, RevenueCat)
  • Analytics providers (anonymized data only)
  • Email service providers
  • Customer support tools

All third-party processors are required to process your data in accordance with GDPR requirements and our data processing agreements.

11. Children's Privacy

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal data from children under 18. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that information as soon as possible.

12. Cookies and Tracking

We use essential cookies necessary for the operation of our website. We also use analytics cookies to understand how visitors use our site. You can control cookie preferences through your browser settings. For more information, please see our Privacy Policy.

13. How to Exercise Your Rights

To exercise any of your rights under GDPR, please contact our Data Protection Officer at:

Email: dpo@headge.com
Alternative: team@headge.com

Please include:

  • Your full name and email address
  • The specific right you wish to exercise
  • Any relevant details to help us process your request

We will respond to your request within one month, as required by GDPR.

14. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates the GDPR. You may lodge a complaint with the supervisory authority in your EU member state of residence, place of work, or place of the alleged infringement.

15. Updates to This Statement

We may update this GDPR Compliance Statement from time to time. We will notify you of any material changes by posting the new statement on this page and updating the "Last updated" date. We encourage you to review this statement periodically.

16. Contact Information

For any questions about this GDPR Compliance Statement or our data protection practices:

Headge
Website: https://www.headge.com
Email: team@headge.com

Data Protection Officer:
Email: dpo@headge.com