Privacy Policy

Last updated: 31 March 2026

1. Introduction

Heading ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our AI search visibility platform ("Service").

This policy applies to all users of the Service, including visitors to our website, registered users, and team members within organisations.

Heading is the data controller for the personal data we process. We are registered in England and Wales and comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data We Collect

We collect the following categories of personal data:

Account data

Name, email address, and password when you register. If you sign in via a third-party provider (e.g., Google), we receive the profile information you authorise.

Team and organisation data

Organisation name, team member roles, and billing contact details.

Usage data

Pages visited, features used, search queries entered, and interactions with the dashboard. This helps us improve the Service.

Technical data

IP address, browser type, device information, operating system, and referral URLs. Collected automatically through server logs and analytics.

Billing data

Payment method details are processed by our payment provider (Stripe). We store only the last four digits of your card and billing address for invoice purposes.

Property and tracking data

Brand names, domains, keywords, and prompts you configure for AI visibility monitoring. This data is used solely to deliver the Service.

3. How We Use Your Data

We process your personal data for the following purposes:

  • Providing and operating the Service, including AI visibility monitoring and reporting
  • Managing your account and team memberships
  • Processing payments and managing subscriptions
  • Sending service-related communications (account alerts, billing notices, feature updates)
  • Improving the Service through aggregated, anonymised usage analysis
  • Detecting and preventing fraud, abuse, and security incidents
  • Complying with legal obligations

Our lawful bases for processing are: performance of a contract (delivering the Service), legitimate interests (improving and securing the Service), and compliance with legal obligations.

4. Data Sharing

We do not sell your personal data. We share data only in the following circumstances:

  • Service providers — third parties that help us operate the Service (hosting, payment processing, email delivery, analytics). These providers process data on our behalf under data processing agreements.
  • Legal requirements — when required by law, regulation, legal process, or government request.
  • Business transfers — in connection with a merger, acquisition, or sale of assets, with notice to affected users.
  • With your consent — for any purpose you explicitly agree to.

Our key service providers include: Vercel (hosting), Neon (database), Stripe (payments), and Inngest (background processing). All providers are bound by data processing agreements and process data in accordance with GDPR requirements.

5. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy:

  • Account data — retained while your account is active and for 30 days after deletion
  • Usage and technical data — retained for 24 months, then anonymised
  • Billing data — retained for 7 years to comply with financial record-keeping requirements
  • AI visibility data (prompts, responses, analysis) — retained while your account is active and deleted within 30 days of account closure

6. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption in transit (TLS) and at rest
  • Access controls and authentication for all systems
  • Regular security assessments and monitoring
  • Data processing agreements with all third-party providers
  • Incident response procedures for data breaches

While we take reasonable steps to protect your data, no system is completely secure. We encourage you to use strong passwords and keep your account credentials confidential.

7. Your Rights

Under the UK GDPR, you have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate or incomplete data
  • Erasure — request deletion of your personal data (subject to legal retention requirements)
  • Restriction — request that we limit processing of your data in certain circumstances
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at privacy@useheading.com. We will respond within one month. If we cannot fulfil your request, we will explain why.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data protection rights have been violated.

8. Cookies

We use cookies and similar technologies for:

  • Essential cookies — required for authentication and core functionality
  • Analytics cookies — to understand how visitors use our website (anonymised)

We do not use advertising or tracking cookies. You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent the Service from functioning correctly.

9. International Data Transfers

Your data may be processed in countries outside the United Kingdom, including the United States (where some of our service providers operate). Where we transfer data internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the ICO.

10. Children

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 30 days before they take effect. The date at the top of this page indicates when the policy was last updated.

12. Contact and DPO

If you have questions about this Privacy Policy or how we handle your data, contact our Data Protection Officer:

  • Email: privacy@useheading.com
  • Post: Heading, [Registered Address], England

We aim to respond to all privacy enquiries within 5 working days.

Questions about your data?

Our Data Protection Officer is available to answer any questions about how we handle your data.
