Privacy Policy

Headway Solutions Sp. z o.o.
ul. Woronicza 31 lok. 250, budynek D, 02-640 Warszawa.

This privacy policy explains how we (the Company) collect, use, disclose, and protect personal data for users of our procurement SaaS platform (including early-access participants). It is designed to comply with the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) and the EU General Data Protection Regulation (GDPR).

Effective date: February 17, 2026

1. Controller / Contact

The Company is the data controller for personal data processed for platform operations and product development. For privacy requests or questions, contact: [email protected].

2. Categories of Personal Data We Collect

We collect categories of information necessary for providing and improving the Service, onboarding and supporting early access users, billing, and legal compliance. Categories include:

  • Identifiers: name, email, phone, company name, job title.
  • Contact & account data: billing address, billing records, payment token (processed by payment processors).
  • Professional & business info: employer, role, procurement workflows, supplied documents.
  • Usage & telemetry: IP address, device/browser metadata, logs, feature usage, timestamps.
  • Feedback & content: early access feedback, feature requests, uploaded files and attachments.
  • Sensitive personal information (where provided): government IDs, financial account details, precise geolocation — handled with higher protections under CPRA/GDPR.
  • Aggregated/anonymized data derived from the above.

(Under CCPA/CPRA we map these to the required categories and business purposes in our internal inventory.)

3. Purposes & Legal Bases

We process personal data only as necessary for the purposes below.

Primary purposes:

  • Provide, operate, maintain and improve the Service (contract performance / legitimate interests).
  • Manage early access participation and product research (consent where required; legitimate interests for product improvement).
  • Billing, fraud prevention, and collections (contract / legal obligation).
  • Security, abuse prevention, and legal compliance (legal obligation / legitimate interests).
  • Communicating product updates, transactional messages, and (with consent) marketing.

GDPR lawful bases: contract performance, legal obligation, consent (where applicable), and legitimate interests (balanced with user rights). For sensitive categories we rely on explicit consent or other lawful grounds and honor CPRA “limit use” requests.

4. How We Share Personal Data

We do not sell personal data. We disclose personal data only for business purposes:

  • Service providers (hosting, analytics, email, payment processors).
  • Professional advisors and legal authorities where required.
  • During corporate transactions (M&A) under confidentiality and data transfer protections.
  • Aggregated/anonymized data to partners or publicly.

Where a disclosure could be considered a “sale” or “sharing” under California law, we will provide opt-out options as required and describe such categories in our California privacy disclosures. You can exercise opt-out choices via our Do Not Sell/Share link (prominently on our site) or by contacting [email protected].

5. CPRA: Sensitive Personal Information & Right to Limit

CPRA adds protections for “sensitive personal information” and gives consumers the right to request limits on its use and disclosure. We treat precise geolocation, government IDs, financial account credentials, and similar SPI as restricted—we process them only where strictly necessary, with additional safeguards and the option for California consumers to limit such processing. See CPRA definitions and regulatory guidance for specifics.

6. Your Rights and How to Exercise Them

For EU residents (GDPR)

  • Access your personal data.
  • Rectify inaccurate data.
  • Erase (right to be forgotten) where applicable.
  • Restrict or object to processing, including profiling.
  • Data portability.
  • Withdraw consent at any time.
  • Lodge a complaint with a supervisory authority.

We respond to data subject requests within 1 month (which can be extended by up to two additional months for complex requests), as required by GDPR.

For California residents (CCPA/CPRA)

  • Right to know: categories and specific pieces of personal information collected, sources, business purpose, and third-party recipients.
  • Right to delete personal information (with exceptions).
  • Right to correct inaccurate personal information.
  • Right to opt-out of sale or sharing of personal information.
  • Right to limit use and disclosure of sensitive personal information.
  • Right to non-discrimination for exercising privacy rights.

We will acknowledge receipt of a verifiable request and respond within 45 days (with a possible single extension of up to 45 additional days if reasonably necessary). We publish a clear process to submit requests and verification requirements.

How to submit requests

Email: [email protected] (include enough detail to identify you and the request).

Authorized agent: California residents may designate an authorized agent; we require written authorization and verification.

We apply reasonable verification steps before fulfilling requests to protect privacy and security.

7. Data Retention

We retain personal data only as long as necessary for the purposes described (contract, legal obligations, legitimate interests). For early access feedback we retain product research data for development purposes but will de-identify where feasible. We maintain documented retention schedules and delete or anonymize data when no longer needed.

8. International Transfers & Safeguards

Personal data transferred outside the EU/EEA will be protected by appropriate safeguards such as Standard Contractual Clauses (SCCs), Binding Corporate Rules where used, or other lawful transfer mechanisms.

9. Security

We implement administrative, technical, and physical safeguards including encryption in transit, access controls, and vendor security reviews. We conduct regular security assessments and incident response planning. Despite protections, no system is 100% secure; in the event of a breach we follow applicable notification laws.

10. Cookies & Tracking

We use cookies, analytics, and similar technologies to operate the Service, improve user experience, and measure performance. For EU visitors, we obtain consent where required and provide cookie controls. California residents can opt out of certain tracking through the Do Not Sell/Share link and cookie controls.

11. Minors

Our Service is not intended for children under 16 (or higher age under local law). We do not knowingly collect data from those minors; if we learn we have, we will delete it.

12. Third-Party Integrations & Processors

We use reputable processors (cloud hosting, payment processors, analytics). Contracts with processors include data protection terms and audit rights. A current list of categories of third parties to whom we disclose personal information is available on request.

13. Changes to This Policy

We will update this policy to reflect legal, product, or operational changes. Material changes will be posted with an updated effective date.

14. Contact & Enforcement

To exercise rights, raise concerns, or request records, contact: [email protected]. California residents may also contact the California Privacy Protection Agency; EU data subjects may lodge complaints with their supervisory authority.