
Privacy Policy

1.    Introduction and Scope

1.1.    Heartbot AI Incorporation (hereinafter referred to as “we”, “us”, or “our”) is committed to protecting your personal data and privacy. This Privacy Policy explains how we collect, process, store, use and protect your personal data when you use our website and its associated features and services. It also outlines how we safeguard your data and, where necessary, share it with third parties.


1.2.    To ensure a high standard of privacy protection for all users, this website adheres to the principles and requirements of the EU General Data Protection Regulation (GDPR) and the ePrivacy Directive, including in its personal data processing and cookie management practices. Although certain jurisdictions (such as Taiwan or Hong Kong) may not require such measures under local laws, we have voluntarily adopted this uniform standard globally to ensure that all user data is processed securely and in alignment with fundamental rights to privacy.


1.3.    This Policy applies to the processing of personal data that occurs when you visit our website, use online features, subscribe to newsletters, contact our support team, or otherwise interact with our services.


2.    Categories of Personal Data Collected

2.1.    When you use our website, we may collect the following categories of personal data:


2.1.1.    Device and browser information
Including cookie identifiers, IP address, browser type and operating system details (User-Agent), language preferences, and screen resolution.


2.1.2.    Usage data
Including pages visited, clicks or interactions and session duration. This data helps us analyze traffic patterns and improve the quality and performance of our services.


2.1.3.    Contact information
When you contact us through our online form, we may collect your name, email address, and any additional information you voluntarily provide.


2.1.4.    Preferences and user settings
Including language selection, login status, and content preferences, which are used to tailor your experience on our website.


2.1.5.    Third-party services data
If you consent to the use of third-party cookies, we may receive anonymized usage data from tools such as Google Analytics or advertising platforms, which is used for performance analysis and advertising.

2.2.    We collect only the personal data necessary for the operation and improvement of this website, and we process such data on one or more lawful bases under the GDPR. Please refer to the “Legal Basis for Data Processing” section below.


3.    Purpose of Data Collection


3.1.    We collect and use your personal data for the following purposes:

3.1.1.    Website functionality and operation: This includes user login authentication, language preferences settings, core feature delivery, and maintaining the security and stability of our systems.

3.1.2.    Improving user experience: We analyze usage patterns and user behavior to optimize website content, interface design, and user flow.

3.1.3.    Customer support: Responding to user inquiries, processing feedback, and resolving technical support requests.

3.1.4.    Marketing and remarketing: With your consent to relevant cookies, we may provide personalized content or advertisements based on your usage preferences or browsing behavior.

3.1.5.    Legal compliance: Fulfilling legal requirements, including data disclosures or retention obligations mandated by competent authorities, courts, or applicable regulations.

3.2.    We only process your data to the extent necessary to achieve the above specific purposes.


4.    Legal Basis for Processing Personal Data


4.1.    We process your personal data based on one or more of the following lawful grounds under the GDPR:


4.1.1.    Consent
For example, when you agree to the use of cookies, fill out our online contact form, or subscribe to a newsletter, we process your data based on your informed consent.

4.1.2.    Performance of a contract
When the processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into such a contract.

4.1.3.    Compliance with a legal obligation
When processing is necessary for compliance with a legal obligation to which we are subject.

4.1.4.    Legitimate interests
When processing is necessary for the purposes of the legitimate interests pursued by us or a third party. These may include website security, fraud prevention, traffic analytics, or direct marketing, provided that such interests are not overridden by your fundamental rights and freedoms.

4.2.    If we process your personal data based on your consent, you have the right to withdraw that consent at any time. Such withdrawal will not affect the lawfulness of processing carried out prior to its withdrawal. Please refer to the “Your Rights” section for more details on how to exercise your data subject rights.


5.    Use of Cookies and Similar Technologies


5.1.    This website uses Cookies and similar technologies, such as local storage, to improve website functionality, enhance user experience, analyze traffic, and provide personalized content or advertising based on your preferences.

5.2.    In compliance with the EU ePrivacy Directive and GDPR, we will only set and process non-essential cookies after obtaining your explicit consent. You can adjust or withdraw your consent at any time by using the “Cookie Settings” tool available at the bottom of the website.

5.3.    Categories of Cookies We Use:

5.3.1.    Strictly Necessary Cookies
These cookies are essential for the basic functioning of the website. They include, for example, authentication tokens and language preference settings. These cookies do not require your consent.

5.3.2.    Functional and Personalization Cookies
These cookies are used to remember your settings and preferences, such as language selection or theme mode. They also help adapt the website’s content and layout based on your previous interactions. These cookies require your prior consent.

5.3.3.    Analytics Cookies
These cookies collect aggregated and anonymized usage data, for example through Google Analytics, to help us understand how visitors interact with our website and to improve its performance. These cookies require your prior consent.

5.3.4.    Marketing and Advertising Cookies
These cookies are used to deliver personalized advertising based on your browsing behavior, for example through tools such as Google Ads or Meta Pixel. These cookies will only be set with your explicit consent.

5.4.    Managing Your Cookie Preferences:
·    You can adjust your cookie preferences at any time using the “Cookie Settings” tool available at the bottom of our website.
·    You may also delete or block cookies directly through your browser’s settings.

5.5.    Non-essential cookies will only be set if you provide explicit consent. Refusing consent will not impair access to the essential functions of the website.


6.    Information Sharing and Third Parties


6.1.    We may share your personal data with trusted third parties in specific circumstances to support the operation of our website, the delivery of services, usage analytics, or lawful marketing activities. These third parties may act as data processors or independent data controllers.

6.2.    The types of third-party recipients include:
·    Analytics service providers: Such as Google Analytics and PostHog, who help us understand how users interact with our website and assess site performance.
·    Marketing and remarketing partners: Such as Google Ads and Meta Pixel, who assist with ad delivery, audience targeting, and campaign performance tracking.
·    Cloud and infrastructure service providers: Such as Cloudflare, Vercel, and Amazon Web Services (AWS), who provide hosting, content delivery, and website security services.
·    Government and legal authorities: To whom we may disclose personal data when required by applicable law or binding legal order. Where permitted, we will make reasonable efforts to notify you of such requests.

6.3.    All third-party recipients must enter into legally binding Data Processing Agreements (DPAs) or implement equivalent safeguards and must comply with applicable data protection laws. Some of these recipients may be based outside the European Economic Area (EEA). For more information on how we protect such cross-border transfers, please refer to the “International Data Transfers” section.


7.    Children's Privacy


7.1.    Our website and services are not designed for or directed at children under the age of 13, and we do not knowingly collect personal data from such users. 

7.2.    For users in the European Union, Article 8 of the GDPR requires that minors below the age of digital consent (typically between 13 and 16, depending on the member state) obtain verifiable parental or guardian consent before using our services.

7.3.    If we become aware that a child has submitted personal data without the required consent, we will promptly take appropriate measures, including deletion or cessation of processing, as necessary. 

7.4.    If you are a parent or legal guardian and believe that your child has submitted personal data to us, please contact us using the information provided in the 'Contact Us' section of this Policy. We will assist you in deleting or restricting the processing of such data.


8.    International Data Transfers


8.1.    Some of our service providers and business partners are located outside the European Economic Area (EEA), including in jurisdictions such as the United States and Taiwan. 

8.2.    When we transfer personal data to such jurisdictions, we implement appropriate legal and technical safeguards to ensure that your data continues to receive an adequate level of protection in accordance with the General Data Protection Regulation (GDPR).

8.3.    The safeguards may include:
·    Standard Contractual Clauses (SCCs), issued by the European Commission, which establish legally binding obligations for international data transfer;
·    Data Processing Agreements (DPAs), specifying the recipient’s obligations to process personal data in accordance with applicable laws and our instructions;
·    Technical and organizational measures, such as encryption, access restrictions, data minimization, anonymization, data segregation, and disaster recovery mechanisms to minimize risks of unauthorized access or data breaches.

8.4.    We evaluate each international transfer individually and continuously monitor developments in global data protections to ensure ongoing compliance with the GDPR and other applicable laws and update our Policy and internal procedures accordingly.


9.    Data Retention


9.1.    We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, in accordance with the data minimization and storage limitation principle under Article 5 of the General Data Protection Regulation (GDPR). Our retention periods are determined based on the following criteria:
·    The type and purpose of the data.
·    Applicable legal obligations, such as accounting, tax, or contractual requirements.
·    Reasonable user expectations.
·    Recommendations or default settings by third-party services.

9.2.    Examples of data retention periods:

9.2.1.    Cookies and tracking technologies: Retention varies by cookie type and provider, but does not exceed 13 months. Please refer to our Cookie Notice for more details.

9.2.2.    Contact form data: Retained for up to 12 months after resolution of the request, for audit and service quality purposes.

9.2.3.    Analytics data: Retained in anonymized form for up to 26 months, for performance analysis, statistical reporting, and website optimization.

9.2.4.    Marketing data (e.g., mailing lists, remarketing data): Deleted if consent is withdrawn or after 24 months of user inactivity.

9.2.5.    Contract and transaction records: Retained for 5 to 10 years, as required under applicable tax and commercial regulations.

9.3.    Where permitted by applicable law, we may, for the purposes of resolving disputes, fulfilling contractual obligations, or complying with legal requirements, extend the retention period. Once the relevant retention period expires or the data is no longer necessary, we will securely delete or anonymize it in line with our internal policies.


10.    Data Security Measures


10.1.    To protect your personal data, we implement appropriate technical and organizational safeguards to prevent unauthorized access, disclosure, alteration, or loss. These measures include but are not limited to:

10.1.1.    Technical safeguards:
·    TLS/SSL encryption for secure data transmission.
·    Multi-layer access controls and role-based permissions.
·    Firewalls, antivirus tools, and intrusion detection systems.
·    Regular vulnerability scans and security patching.
·    Logging and anomaly monitoring systems to detect irregular activity.

10.1.2.    Organizational controls:
·    Access restricted to authorized personnel on a need-to-know basis. 
·    Ongoing employee training on data protection and information security. 
·    Internal audit policies and vendor contract controls to ensure third-party compliance with security standards.

10.1.3.    Risk assessment and continuous improvement:
·    We evaluate security measures based on data sensitivity, volume, and associated risks, and continuously enhance them over time. 
·    Periodic assessments and recovery testing are conducted to maintain resilience.

10.1.4.    Breach response procedures:
·    In the event of a personal data breach, we activate our incident response plan immediately to mitigate potential harm. 
·    Where required by law, we will notify the appropriate data protection authorities and affected individuals without undue delay.

10.2.    While we take reasonable steps to secure your data, no method of transmission or storage over the Internet can be completely secure. 

10.3.    If you have concerns about our security practices, please contact us using the information provided in the 'Contact Us' section of this Policy.


11.    Your Rights


11.1.    Under the General Data Protection Regulation (GDPR), you have the following rights as a data subject. 

11.2.    To exercise these rights, please contact us using the information provided in the 'Contact Us' section of this Policy. 

11.3.    We will respond to your request, subject to any necessary identity verification, within thirty (30) calendar days of receipt. Where a request is complex, or where requests are unusually numerous, we may extend our response time by up to 60 days, and we will inform you of the reason for the extension before the original deadline.

11.4.    While using the Platform, you may exercise the following rights pursuant to applicable data protection laws, including:

11.4.1.    Right of Access: You have the right to obtain confirmation as to whether your personal data is being processed and, if so, access to that data, along with relevant information.

11.4.2.    Right to Rectification: You have the right to request the correction or completion of inaccurate or incomplete personal data concerning you.

11.4.3.    Right to Erasure (“Right to be Forgotten”): You have the right to request the erasure of your personal data, particularly when it is no longer necessary, you withdraw consent, or processing is unlawful.

11.4.4.    Right to Restriction of Processing: You may request restriction of processing in specific circumstances, such as when the accuracy of the data is contested.

11.4.5.    Right to Object: You may object to the processing of your data based on our legitimate interests or for direct marketing. If you object, we will cease processing unless we demonstrate compelling legitimate grounds that override your rights.

11.4.6.    Right to Data Portability: You may request to receive your personal data in a structured, commonly used, and machine-readable format, or to have it transferred directly to another controller, where technically feasible.

11.4.7.    Right to Withdraw Consent: If the processing of your personal data is based on your consent, you have the right to withdraw it at any time. Such withdrawal does not affect the legality of processing carried out before withdrawal.

11.4.8.    Right not to be subject to automated decision-making: You have the right not to be subject to a decision based solely on automated processing, including profiling, particularly when such decisions produce legal or similarly significant effects concerning you.

11.5.    If you believe your personal data has not been handled properly, you have the right to file a complaint with the data protection authority in your jurisdiction.


12.    Use of AI Technologies and Automated Decision-Making


12.1.    Our platform integrates with third-party generative AI models to enable functionalities including text generation, translation, summarization, and image creation. These features may generate automated output based on user inputs, previous interactions, and configured preferences.

12.2.    However, we do not make any decisions that have legal or similarly significant effects on users solely based on automated processing (e.g., application rejections, credit scoring, or hiring decisions). All AI-generated content is provided solely for informational or assistive purposes, and any decision or reliance on such content remains entirely at the user's discretion. 

12.3.    If we implement systems in the future that involve automated decision-making with legal or similarly significant effects, we will provide safeguards in accordance with Article 22 of the GDPR and the EU Artificial Intelligence Act (AIA). These safeguards will include:
·    Providing clear information about the purpose, operation, legal basis, and potential impact of such automated systems.
·    Ensuring the right to opt-out or request meaningful human intervention.
·    Providing explanations of the decision-making process and enabling users to request a review or lodge a complaint.

12.4.    For more information about how AI technologies are used on our platform, please refer to our product documentation or contact us using the details provided in the “Contact Us” section.


13.    Updates to Privacy Policy


13.1.    We may update this Privacy Policy from time to time to reflect changes in applicable laws, technological developments, or modifications to our services. If we make any material changes, we will notify you through a notice on our website or via your registered contact details (such as your email address).

13.2.    We encourage you to review this Privacy Policy periodically to stay informed about how we collect, use, and protect your personal data. The effective date of the most recent version of this Privacy Policy is indicated at the top of this document.

13.3.    Please note that changes to this Privacy Policy will not apply retroactively; they will only apply to data processing activities that occur or continue after the policy’s effective date.


14.    Contact Us


14.1.    If you have any questions regarding this Privacy Policy or would like to exercise your data protection rights (e.g., access, rectification, erasure, objection to processing, withdrawal of consent), please contact us using the contact details below:
·    Email: customer_support@heartbot.com

14.2.    We will respond to your request within 30 days of receipt. If the request is particularly complex, this period may be extended by an additional 60 days. In such cases, we will inform you of the extension and the reasons for it.

14.3.    To protect your personal data, we may request proof of identity before processing your request to ensure that your data is not disclosed to an unauthorized third party.

Last Updated: 2025/09/24
