Privacy Policy

How we handle your data

Version: 1.1 | Effective date: December 28, 2025

This privacy policy explains how we collect, use, and protect your personal information. We are committed to transparency and to protecting your data.

Last updated: December 28, 2025

The entity responsible for processing your personal data is:

Heimlane SAS, a simplified joint stock company registered with the Paris Trade and Companies Register under number 994 567 683

1 rue de Stockholm, 75008 Paris, France

Email: privacy@heimlane.com

We do not have a Data Protection Officer (DPO) as it is not required given the nature and scale of our data processing activities.

Age Restriction

Our products and services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us so we can delete it.

We collect the following information you provide

  • Contact information: Such as name, email address, phone number when you contact us
  • Account information: When you create an account for our services, your account may contain your personal contact details
  • Correspondence: Communications you have with us, such as data you share via email or social media

We may also collect certain information automatically

  • Usage data: About how you interact with our website
  • Technical information: Such as browser type, IP address, operating system

About Cookies

We use Matomo Analytics in cookieless mode for website analytics. No tracking cookies are set on your device. Matomo is self-hosted in Europe/France on our own infrastructure; your data never leaves the EU or reaches third parties.

  • Provide and improve our services
  • Communicate with you about our products
  • Comply with legal obligations
  • Guard against fraudulent or abusive use

Each Heimlane product may have specific processing or privacy considerations. Click on the corresponding product below for details.

Zero-Knowledge Architecture

Heimlane Vault uses end-to-end encryption with AES-256. Your data is encrypted on your device before being sent to our servers. We cannot access your passwords, notes, or stored data; only you hold the decryption key.

Data We Collect

  • Email address: Used for account identification only
  • Master password hash: Encrypted locally, never transmitted in plain text
  • Encrypted vault data: Stored on your device and our servers (encrypted with AES-256)
  • Billing information: For paid subscriptions (processed by our payment provider)

Data We DO NOT Collect

  • We cannot see your passwords or any data stored in your Vault (zero-knowledge encryption)
  • We do not track your browsing history
  • We do not sell your data to third parties
  • We do not use your data for advertising

How We Use Your Data

  • Authentication: To verify your identity when you log in
  • Sync: To synchronize your encrypted vault across devices
  • Security: To protect your account from unauthorized access

Account Deletion

You can delete your Vault account and all associated data at any time directly from within the product. Upon deletion, all your encrypted vault data is permanently removed from our servers. Any other data is retained in accordance with our retention period.

Mobile App Permissions

Our mobile apps may request certain permissions:

  • Camera: To scan QR codes for two-factor authentication setup
  • Biometrics: To enable fingerprint or face unlock for quick access

Processing details for Heimlane Prism will be added as this product becomes available.

Processing details for Heimlane Realm will be added as this product becomes available.

Processing details for Heimlane Scout will be added as this product becomes available.

We do not sell your personal data. We may share your information with:

  • Service providers: Who help us operate our business (hosting, payment processing)
  • Legal authorities: When required by law
  • Business partners: Only with your explicit consent

Where Your Data Is Stored

Heimlane strives to store and process all personal data within the European Union and requires its hosting providers to host personal data on EU territory.

However, we cannot guarantee that personal data will never be transferred outside the European Union, particularly for:

  • Maintenance and support operations
  • Third-party services you consent to (e.g., when using third-party integrations)
  • Sub-processors with operations outside the EU

Safeguards We Implement

When transfers outside the EU are necessary, we ensure appropriate protection through:

  • Adequacy decisions: Transfers to countries recognized by the European Commission as providing adequate protection
  • Standard Contractual Clauses: EU-approved contractual clauses ensuring sufficient privacy and fundamental rights protection
  • Confidentiality obligations: All service providers are bound by strict confidentiality and data protection requirements

Sub-Processors

We use carefully selected third-party service providers to help operate our services. These sub-processors only access data necessary for their specific function and are contractually bound to protect your data:

Service | Purpose | Data Location
HubSpot | CRM and customer communication management | EU (Ireland)
Mailjet | Transactional email delivery | France
Stripe | Payment processing | EU (Ireland)
Qonto | Invoicing | France

We make our best efforts to ensure a level of personal data protection that is sufficient and compliant with applicable regulations.

  • Account data: Duration of account + 3 years
  • Contact form submissions: 3 years from last contact
  • Technical logs: 12 months
  • Legal/billing documents: As required by law (up to 10 years)

We implement appropriate technical and organizational measures to protect your personal data:

Encryption

AES-256 encryption for data at rest, TLS 1.3 for data in transit

Access Control

Strict access controls, principle of least privilege

Secure Hosting

EU-based data centers with ISO 27001 certification

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on you.

Under the General Data Protection Regulation, you have the following rights:

Right of Access

Obtain confirmation and a copy of your personal data

Right to Rectification

Correct inaccurate or incomplete data

Right to Erasure

Request deletion of your data (right to be forgotten)

Right to Restriction

Limit how we process your data

Right to Portability

Receive your data in a structured, machine-readable format

Right to Object

Object to processing based on legitimate interests

Right to Withdraw Consent

Withdraw your consent at any time

To exercise these rights, contact us at: privacy@heimlane.com

Or by post at: Heimlane SAS, 1 rue de Stockholm, 75008 Paris, France

We will respond to your request within one month of receipt, as required by GDPR. This period may be extended by two additional months for complex requests, in which case we will inform you.

We may ask you to verify your identity before processing your request to protect your data.

Supervisory Authority

If you have concerns about our processing of your personal data, you have the right to lodge a complaint with:

CNIL (Commission Nationale de l'Informatique et des Libertés)

3 Place de Fontenoy
TSA 80715
75334 Paris Cedex 07
France

Phone: +33 1 53 73 22 22

www.cnil.fr

Our website may contain links to third-party websites. We are not responsible for their privacy practices. Please review their privacy policies before providing any personal information.

We may update this privacy policy periodically. Changes will be posted on this page with an updated "last updated" date.

Contact Us

For any questions about this privacy policy or our data practices:

privacy@heimlane.com

Heimlane SAS, 1 rue de Stockholm, 75008 Paris, France

For Further Information

Read our Terms of Service to understand the conditions for using Heimlane products.
