Privacy Policy

Last updated: 2026-06-16

Overview

HeedLab is a customer-feedback platform operated by SDX Studio (“we”, “us”), the data controller for the personal data described here. We are based in the EU. This policy explains what we collect, why, how we protect it, and the rights you have under the GDPR and similar laws.

Controller and Processor Roles

For your account and the way you operate your workspace, SDX Studio is the data controller. For the feedback your end-users submit to your boards, you are the controller and HeedLab acts as a processor on your behalf, in line with our Terms of Service.

Information We Collect

  • Account information: name, email address, and a password hash (we never store plaintext passwords).
  • Workspace data: organisation name, subdomain, branding, and team membership.
  • Feedback content: posts, comments, votes, and board configurations created by you and your end-users.
  • Usage data: pages visited, features used, and actions taken within the product.
  • Billing data: handled by our payment provider (Merchant of Record); we store only subscription status, plan, and identifiers - never card details.
  • Technical data: IP address, browser and device type, and cookies used for sessions and security.

How We Use Your Information

  • To provide, operate, and secure the HeedLab service.
  • To run optional AI triage (categorisation, duplicate detection, and spam moderation) on feedback content where enabled.
  • To send transactional emails such as invitations, password resets, login alerts, and subscription receipts.
  • To monitor service health, prevent abuse, and fix bugs.
  • To enforce our Terms of Service and Fair Use Policy and to comply with legal obligations.

Legal Bases for Processing

We process personal data under the following GDPR legal bases: performance of our contract with you (to provide the service), our legitimate interests (to secure, improve, and operate the service and prevent abuse), your consent (for non-essential cookies and optional features), and compliance with legal obligations.

Cookies

We use strictly necessary cookies for authentication sessions and security. Where used, optional analytics cookies are only set with your consent and help us understand how HeedLab is used. You can manage non-essential cookies through your browser settings.

Subprocessors

HeedLab uses a small set of vetted subprocessors - covering cloud hosting, managed database, object storage, email delivery, billing, error monitoring, and an LLM provider for optional AI features - each under a data-processing agreement. A current list is available on request; a published trust centre is forthcoming.

International Transfers

We use reputable cloud infrastructure and apply appropriate safeguards (such as Standard Contractual Clauses) for any transfers of personal data outside the EEA. Optional AI features may involve processing outside the EEA; these can be disabled and have non-AI fallbacks.

Data Retention

We retain personal data for as long as your account is active. After account deletion, personal data is purged within 30 days, except where longer retention is required by law (for example, billing records).

Your Rights

Under the GDPR you have the right to access, rectify, erase, restrict, and port your personal data, and to object to certain processing. You can export your personal data and delete your account and personal data at any time from Settings; deletion anonymises your posts and comments and removes your votes. For any other request, contact us at sdx-support@protonmail.com. You also have the right to lodge a complaint with your local data-protection authority.

Changes to This Policy

We may update this policy as our service and infrastructure evolve. Material changes will be communicated by email or in-app notice. The current version is always available on this page.

Contact

SDX Studio - sdx-support@protonmail.com. We aim to respond to privacy requests within 30 days.