Privacy Policy

Last updated: 17 May 2026

This notice covers the heimdallhr.com marketing website. The HeimdallHR application itself (where customers store HR data) is governed by a separate in-app privacy notice and data processing agreement, presented to you at sign-up. This page is about the marketing site only.

Who we are

HeimdallHR is operated by WSH Software Solutions Ltd, a company registered in England & Wales (company number 17186192). Our registered office is 73a High Street, Little Lever, Bolton, England, BL3 1NA. WSH Software Solutions Ltd is the data controller for the marketing website. Contact us at [email protected].

What data we collect on this website

The marketing website is intentionally minimal. We collect only:

  • Server access logs — IP address, request URL, user-agent string, timestamp. Recorded by our web server for security and diagnostic purposes.
  • Information you send us by email — if you contact [email protected], we hold your message, email address, and anything you choose to share.
  • First-party preferences stored locally in your browser via localStorage (theme preference, billing toggle). These never leave your browser and are not used for tracking.

The marketing site does not use cookies, third-party analytics, advertising trackers, or fingerprinting. See our Cookie Policy.

Product data is separate

If you become a HeimdallHR customer, the personal data your business stores in the product (employee records, leave history, performance reviews, etc.) is processed under a separate Data Processing Agreement. In that context, your business is the data controller and WSH Software Solutions Ltd is the data processor. Details are provided at sign-up and in the in-app privacy notice.

Why we use it and our legal basis

  • Access logs — running a secure website. Legal basis: legitimate interests.
  • Email enquiries — to reply to you and progress sales conversations. Legal basis: legitimate interests, or performance of a contract for active customers.
  • Browser preferences — to remember your settings between visits. No legal basis required (first-party, no personal data leaves your device).

How long we keep it

  • Server access logs are kept for up to 30 days, then deleted.
  • Email correspondence is kept for as long as is reasonably necessary to maintain the relationship or meet legal record-keeping obligations (typically up to 6 years for tax records under UK law).

Who we share it with

We use a small number of third-party processors to operate the website and respond to enquiries:

  • Our VPS hosting provider (web server infrastructure).
  • Our email provider (sending and receiving messages).

We do not sell, rent, or share your personal data with anyone for marketing purposes.

International transfers

Our marketing-site infrastructure is hosted within the UK or the European Economic Area wherever possible. Where data must be transferred outside the UK/EEA, we rely on adequacy decisions or standard contractual clauses as required by UK GDPR.

Your rights

Under UK GDPR you have the right to:

  • access the personal data we hold about you;
  • ask us to correct inaccurate data;
  • ask us to delete your data ("right to erasure");
  • ask us to restrict how we use your data;
  • object to processing based on legitimate interests;
  • request a copy of your data in a portable format.

To exercise any of these rights, email [email protected]. We'll respond within one month.

Complaints

If you're unhappy with how we've handled your data, please tell us first so we can put it right. You also have the right to complain to the UK's Information Commissioner's Office (ICO) at ico.org.uk.

Changes to this policy

We may update this notice from time to time. The "last updated" date at the top of this page shows when it was last revised.