Privacy Policy

Last updated: May 6, 2026 · v1.0.0

1. Identity of the Data Controller

The data controller responsible for the processing of personal data collected through the HeyJeff platform is HeyJeff, Lda. ("HeyJeff", "we", "us"), a company incorporated under Portuguese law, with registered offices in Lisbon, Portugal. For the purposes of Regulation (EU) 2016/679 (GDPR), HeyJeff acts as the data controller in relation to platform user data, and as a data processor in relation to data entered by business customers in the course of using the Service. To contact the data controller: privacy@heyjeff.com. [LEGAL REVIEW REQUIRED]

2. Data Protection Officer (DPO)

HeyJeff has appointed a Data Protection Officer (DPO) responsible for overseeing compliance with the GDPR and other applicable data protection legislation. The DPO can be contacted at dpo@heyjeff.com or by post to HeyJeff's registered office, marked "For the attention of the Data Protection Officer". The DPO is available to answer questions relating to the processing of personal data, the exercise of data subject rights, and compliance with applicable legislation. [LEGAL REVIEW REQUIRED]

3. Purposes of Processing

HeyJeff processes personal data for the following purposes: (a) Service Provision: account creation and management, authentication, technical support, and billing; (b) Service Improvement: usage analytics, error detection, development of new features, and experience personalisation; (c) Communications: sending information about the Service, important updates, and, with consent, marketing communications; (d) Security: detection and prevention of fraud, unauthorised use, and security threats; (e) Compliance with legal obligations: retention of tax documents and responses to competent authorities. [LEGAL REVIEW REQUIRED]

5. Categories of Data Collected

HeyJeff may collect the following categories of data: (a) Identification data: name, email address, telephone number, job title; (b) Business data: trading name, tax identification number, address, industry sector; (c) Authentication data: access credentials (passwords are stored in irreversible encrypted format); (d) Usage data: access logs, features used, platform preferences; (e) Technical data: IP address, browser type and version, operating system, device identifiers; (f) Payment data: billing information (card data is processed exclusively by the payment service provider and is not stored by HeyJeff); (g) Operational data: inventory, recipes, production and waste records entered by the customer. [LEGAL REVIEW REQUIRED]

6. Recipients and Sub-processors

HeyJeff may share personal data with the following recipients, bound by appropriate confidentiality and data protection agreements: (a) Vercel, Inc.: web application hosting and delivery (USA, covered by Standard Contractual Clauses); (b) Railway Corp.: API infrastructure and database hosting (USA, covered by Standard Contractual Clauses); (c) Neon, Inc.: managed PostgreSQL database service (USA, covered by Standard Contractual Clauses); (d) Sentry, Inc.: application error monitoring and performance (USA, covered by Standard Contractual Clauses); (e) Payment service provider: transaction processing (as indicated on the checkout page); (f) Public authorities: when required by law or court order. Data is not sold or shared with third parties for advertising purposes. [LEGAL REVIEW REQUIRED]

7. International Transfers

Some of HeyJeff's sub-processors are established outside the European Economic Area (EEA), particularly in the United States of America. In such cases, data transfers are safeguarded through appropriate legal mechanisms, specifically the Standard Contractual Clauses approved by the European Commission (Art. 46(2)(c) GDPR). The Customer may request a copy of the specific safeguards applicable to international transfers by contacting privacy@heyjeff.com. HeyJeff continuously monitors legislative and case-law developments relating to international data transfers to ensure ongoing compliance. [LEGAL REVIEW REQUIRED]

8. Retention Periods

Personal data is retained for the period strictly necessary for the purposes for which it was collected: (a) Account and operational data: for the duration of the contract and for an additional period of 5 years following termination, to meet legal obligations and resolve disputes; (b) Billing and transaction data: 10 years, as required by Portuguese tax legislation; (c) Access logs and technical data: 12 months; (d) Support communications: 3 years after the ticket is closed; (e) Marketing data (with consent): until consent is withdrawn or the contract ends, whichever occurs first. After the applicable retention periods, data is securely deleted or anonymised. [LEGAL REVIEW REQUIRED]

9. Data Subject Rights

Under the GDPR, data subjects have the following rights, which may be exercised at any time by contacting privacy@heyjeff.com: (a) Right of access: to obtain confirmation and a copy of the data being processed; (b) Right to rectification: to correct inaccurate or incomplete data; (c) Right to erasure ("right to be forgotten"): to request deletion of data in certain circumstances; (d) Right to restriction of processing: to restrict processing in specific circumstances; (e) Right to data portability: to receive data in a structured, commonly used format; (f) Right to object: to object to processing based on legitimate interests; (g) Right not to be subject to automated decision-making: not to be subject to decisions based solely on automated processing. HeyJeff will respond to requests within 30 days, extendable by a further 60 days in complex cases, with notification to the data subject within the initial period. [LEGAL REVIEW REQUIRED]

10. Right to Lodge a Complaint (CNPD)

Without prejudice to any other administrative or judicial remedy, data subjects have the right to lodge a complaint with the Comissão Nacional de Proteção de Dados (CNPD), the Portuguese supervisory authority, if they consider that the processing of their personal data infringes the GDPR or applicable legislation. CNPD — Comissão Nacional de Proteção de Dados: Rua de São Bento, no. 148 — 3rd floor, 1200-821 Lisbon, Portugal | geral@cnpd.pt | www.cnpd.pt. HeyJeff encourages data subjects to contact it directly in the first instance to seek an amicable resolution of any matter. [LEGAL REVIEW REQUIRED]

11. Cookies and Tracking

The HeyJeff platform uses cookies and similar technologies for Service operation, session authentication, and usage analytics. Types of cookies used: (a) Essential cookies: necessary for the platform to function (authentication, CSRF security, session preferences) — cannot be disabled; (b) Analytics cookies: collection of aggregated usage data to improve the Service, subject to consent; (c) Performance cookies: error and latency monitoring (Sentry), subject to consent. No advertising or third-party behavioural tracking cookies are used. Users may manage their cookie preferences through browser settings; however, disabling essential cookies may affect the functioning of the platform. [LEGAL REVIEW REQUIRED]

12. Automated Decision-Making

HeyJeff does not make decisions that produce legal effects or that significantly affect data subjects based solely on automated processing, including profiling, without human intervention. The analytics and recommendation features available on the platform (such as inventory alerts or cost suggestions) are tools to support human decision-making and do not constitute automated decision-making for the purposes of Art. 22 GDPR. Should this policy change in the future, users will be duly informed and explicit consent will be sought. [LEGAL REVIEW REQUIRED]

13. Data Security

HeyJeff implements appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction, including: (a) Encryption in transit: all communications are conducted via HTTPS/TLS 1.2+; (b) Encryption at rest: sensitive data stored in encrypted format; (c) Access control: multi-factor authentication available, strict RBAC, and multi-tenant isolation by businessId; (d) Audit trails: all access and changes to sensitive data are logged; (e) Security testing: periodic vulnerability assessments and penetration testing; (f) Incident response plan: documented procedures for notifying data breaches within legal timeframes. In the event of a data breach that poses a risk to the rights of data subjects, HeyJeff will notify the CNPD within 72 hours and affected data subjects without undue delay. [LEGAL REVIEW REQUIRED]

14. Minors

The HeyJeff Service is intended exclusively for users aged 18 or over, or for legal representatives of legal entities. HeyJeff does not knowingly collect personal data from individuals under the age of 18. Should HeyJeff become aware that it has inadvertently collected data from a minor, it will proceed to delete such data immediately. If you become aware that a minor has provided personal data to the platform, please contact privacy@heyjeff.com immediately. [LEGAL REVIEW REQUIRED]

15. Changes to this Policy

HeyJeff may update this Privacy Policy periodically to reflect changes in data processing practices, applicable legislation, or Service features. Material changes will be communicated by email at least 30 days in advance. The "last updated" date at the beginning of this document indicates when the Policy was last reviewed. We recommend reviewing this Policy regularly. Continued use of the Service following the entry into force of any changes constitutes acceptance of the revised Policy. For changes required by law with immediate effect, HeyJeff will publish the updated Policy and notify users as soon as possible. [LEGAL REVIEW REQUIRED]

16. Contact

To exercise your rights, clarify any queries, or lodge complaints relating to the processing of personal data by HeyJeff, you may contact us through the following means: General privacy email: privacy@heyjeff.com | DPO: dpo@heyjeff.com. HeyJeff commits to responding to all requests within a maximum of 30 days from receipt. In complex situations, this period may be extended by a further two months, with notification to the data subject within the initial 30-day period. [LEGAL REVIEW REQUIRED]