Hero Privacy Policy

Last updated: 5 June 2026   Effective date: 5 June 2026

This Privacy Policy explains how Shape Technical Consulting LTD trading as Hero ("Hero", "we", "us", "our") collects, uses, stores, and shares personal data when you use Hero services, websites, and applications (the "Services").

1. Controller Details

Data controller: Shape Technical Consulting LTD trading as Hero
Registered address: 133 New Bridge Street, Newcastle Upon Tyne, England, NE1 2SW
Privacy contact: contact@shape.tech

If appointed:

Data Protection Officer (DPO): N/A
DPO contact: N/A

2. Personal Data We Collect

Depending on how you use Hero, we may collect account data, profile and workspace data, operational data, support data, technical data, and billing data. We do not store full payment card details where payment processing is handled by third-party providers.

3. How We Use Personal Data

We use personal data to provide and maintain the Services, generate and manage invoices and workflow outputs at your direction, authenticate users, secure accounts, process subscriptions, respond to support requests, improve performance and usability, communicate service notices, and meet legal obligations.

4. Lawful Bases (UK GDPR)

• Contract: to deliver the Services under your subscription or agreement.
• Legitimate interests: to improve Services, prevent fraud, and secure systems.
• Legal obligation: to comply with legal or regulatory requirements.
• Consent: where required, for example optional marketing communications.

5. Payments and Invoice Responsibility

Hero provides software tools to help users prepare and issue invoices. Hero is not a payment processor and does not receive, hold, or transfer customer funds between you and your clients.

You are responsible for verifying invoice accuracy before issuing and managing any corrections, disputes, refunds, and communications with your clients.

6. Sharing Personal Data

We may share personal data with trusted processors and infrastructure providers, professional advisers, authorities or regulators where required by law, and successors in a merger, acquisition, or asset sale, subject to confidentiality protections.

Our subprocessor list is maintained internally and may be provided on request.

7. International Transfers

Where personal data is transferred outside the UK, we use lawful safeguards such as UK IDTA or addendum, standard contractual clauses, and transfers to jurisdictions with recognised adequacy status. The transfer mechanism used depends on the processor and destination and is selected to meet applicable UK data protection requirements.

8. Data Retention

We retain personal data only as long as needed for the purposes in this policy, including legal, accounting, and security requirements. Retention periods depend on data category and account status.

• Account and profile data: retained as long as reasonably necessary to operate services, maintain security, and support account lifecycle needs.
• Operational and workspace data: retained as long as reasonably necessary for service delivery, backups, continuity, dispute handling, and product improvement.
• Billing and financial records: retained for legal, tax, and accounting compliance periods.
• Support and communications data: retained as reasonably necessary to provide support, resolve disputes, and maintain service quality.
• Technical logs and telemetry: retained according to operational and security needs, then deleted or anonymised where reasonably practicable.
• Backups: retained for resilience and disaster recovery, then cycled out in accordance with backup and legal requirements.

9. Security

We apply technical and organisational safeguards appropriate to the risks, including access controls, encryption in transit, logging, and monitoring. No system is fully risk-free, but security controls are continuously improved.

10. Your Rights

Subject to applicable law, you may have rights to access, correct, request deletion, restrict or object to certain processing, request portability, and withdraw consent where processing relies on consent.

To exercise rights, contact: contact@shape.tech

You also have the right to complain to the UK Information Commissioner's Office (ICO): https://ico.org.uk

11. Cookies and Similar Technologies

We may use cookies and similar technologies for authentication, analytics, and service performance.

Details are provided in our Cookie Notice: N/A

12. Children's Data

Hero is not intended for children and we do not knowingly collect personal data from children under 13.

13. Changes to This Privacy Policy

We may update this policy from time to time. Material changes will be communicated through the Services or by email where appropriate.

14. Contact

For privacy questions or requests:

Email: contact@shape.tech
Postal: 133 New Bridge Street, Newcastle Upon Tyne, England, NE1 2SW

Drafting note: This policy is a UK-focused draft template and should be reviewed by qualified legal counsel before publication.