Who we are
Heimdell Verified Consent is operated by Heimdell Tech Ai Ltd (“Heimdell”, “we”, “us”), a company registered in England & Wales (Company No. 16478408), registered with the Information Commissioner’s Office (ICO Reg: ZC079121). You can contact us about privacy at andrew@heimdell-tech-ai.co.uk.
The two kinds of people this policy covers
Heimdell sits between sales companies (our clients) and their customers. Depending on who you are, we handle your data differently:
- If you visit our website, apply to sign up, or use our dashboard — we are the controller of your data and this policy explains what we do with it directly.
- If you are a customer of one of our clients (someone who received a verification link or phone call about a sale) — our client is the controller of your data, and we act as their processor, handling it only on their instructions. This policy still explains what we do with it and how to exercise your rights, but you should also check the sales company’s own privacy policy.
What we collect, and why
Website visitors and applicants. If you fill in our contact form or apply to sign up your company, we collect your name, email, company name, and message or application details (including, for signup applications, your Companies House number, ICO registration number, business address, and contact phone number). We use this to reply to you and, for signups, to manually review whether to approve your company for access. Legal basis: taking steps at your request before entering a contract, and our legitimate interest in responding to enquiries.
Dashboard users (client staff and sellers). We hold your name, email address, and role. We use this to authenticate you, control what you can see, and keep a record of who did what for audit purposes. Legal basis: performance of our contract with the client company you work for.
Customers being verified. When a client submits a sale, we hold the customer’s name, phone number, email, address, the product and price agreed, and — where a Direct Debit is involved — bank name, sort code, and account number (the full account number is encrypted; only the last 4 digits are ever shown to anyone, including our own staff). When the customer confirms a verification, we also record the time, a masked version of their IP address, a short summary of their device (e.g. “Chrome on Windows”), and their confirmation or decline. Legal basis: this is processed by us on behalf of, and under the instructions of, the client company (see the Data Processing Agreement below) — the client’s own legal basis for collecting it is between them and their customer.
How long we keep data
Verification records and certificates are kept for as long as the client company’s account is active, because their entire purpose is to serve as evidence if a sale is later disputed. If a client account is closed, we retain records for a reasonable period to meet legal and regulatory obligations before deletion. Website enquiry and signup application data not resulting in an account is kept for up to 24 months.
Who we share data with
We use a small number of trusted service providers (“sub-processors”) to run Heimdell. Full details are in our Data Processing Agreement, but in summary: Supabase (database hosting, EU), Stripe (payment processing), Twilio (phone calls and SMS), and Resend (email delivery). We do not sell personal data to anyone, ever.
Security
Bank account numbers are encrypted at rest (AES-256-GCM). Passwords and API keys are hashed, never stored in plain text. All traffic to our platform is encrypted in transit (HTTPS). Access to customer data in the dashboard is restricted by role, so staff only see what’s relevant to their job. Every certificate is fingerprinted with a cryptographic hash so tampering after the fact is detectable.
Your rights
Under UK GDPR, you have the right to:
- Ask what personal data we hold about you and get a copy of it
- Ask us to correct inaccurate data
- Ask us to delete your data, where we’re not required to keep it
- Object to or restrict certain processing
- Ask for your data in a portable format
To exercise any of these, email andrew@heimdell-tech-ai.co.uk. If you were verified by one of our clients and want to exercise your rights over that data, we recommend contacting them directly too, since they control why the data was collected in the first place. You also have the right to complain to the Information Commissioner’s Office if you’re unhappy with how we’ve handled your data.
Cookies
See our Cookies Policy for details on the (very few) cookies we use.
Children
Heimdell is a business-to-business service and is not directed at children.
Changes to this policy
We’ll update this page if how we handle data changes, and update the date at the top.