Privacy Policy
Last updated: March 2026
Who we are
Heist AS ("Heist", "we", "us") provides an autonomous penetration testing platform that enables customers to run continuous application security tests (the "Service"). This Privacy Policy explains how we collect, use, and protect personal data in connection with the Service and our business activities.
Heist AS is the data controller for the processing described in this policy. For questions about your personal data, contact us at privacy@heisthq.com.
Heist AS
Org. nr. 935 833 973
Sandbrekkevegen 100
5225 Nesttun
Norway
What this policy covers
This policy covers personal data we process in our role as data controller, meaning data we collect and use for our own purposes.
Heist also acts as a data processor on behalf of customers. That processing is governed by our Data Processing Agreement, not this policy. If your personal data is processed as part of a customer's use of the Service, please contact that customer. See "Heist as a data processor" below for more detail.
The information we collect
Account and contact information
When you sign up for or use the Service, we process your name, work email address, role, company name, and any other contact details you provide.
Service usage
We process information about how you use the Service, including account activity, support enquiries, communications with us, and configuration settings.
Technical information
We process IP addresses, device and browser information, and log data for system administration, reliability, and security.
Website visitors
For information about cookies and tracking on our website, see our cookie policy at heisthq.com/cookie-policy.
Product analytics
We use product analytics within the Service to understand how features are used, identify issues, and improve the product. This data is processed under our contract with you and is not used for advertising or shared with third parties.
People who contact us
If you reach out to us, book a meeting, or interact with us at an event, we process your name, work email, job title, and company. If you sign up for our newsletter, we process the information you provide at sign-up.
Why we process your data and on what legal basis
To deliver the Service (legal basis: performance of contract)
Creating and maintaining your account, granting access, delivering the Service, responding to support enquiries, notifying you of changes to the Service or these terms, and analysing product usage to maintain and improve the Service.
To improve and secure the Service (legal basis: legitimate interest)
Improving the Service, its content, and user experience. Maintaining, monitoring, and strengthening security, preventing fraud and abuse. We consider that these interests do not override your privacy interests, given that we process only business contact information and service usage data.
To communicate with existing customers (legal basis: legitimate interest)
Informing existing customers about product updates, new features, and relevant changes to the Service. We consider that our interest in keeping customers informed does not override your privacy interests, given the existing relationship and the ease of opting out.
To send newsletters and other marketing (legal basis: consent)
If you sign up for our newsletter or other marketing communications, we process your contact information to send you the content you requested. You can withdraw your consent and unsubscribe at any time.
To respond to enquiries and manage business relationships (legal basis: legitimate interest)
Processing contact data of people who reach out to us, book meetings, or interact with us at events. We consider that our interest in managing these relationships does not override your privacy interests, given that contact is initiated by you.
To comply with legal obligations (legal basis: legal obligation)
Retaining records required by accounting legislation or other statutory requirements.
Who we share data with
We use service providers who perform services on our behalf. We have data processing agreements in place with each provider. These providers only process personal data according to our instructions and for the purposes described in this policy.
Our current providers include:
| Provider | Purpose |
|---|---|
| Supabase | Authentication and database hosting |
| Stripe | Payment processing |
| Attio | Customer relationship management |
| Loops | Newsletter and product communications |
| PostHog | Product analytics |
| Cal.com | Scheduling |
A full list of sub-processors that process Customer Data on behalf of our customers is available at heisthq.com/sub-processors. That list covers Heist's role as a data processor and is separate from the providers listed above.
International transfers
Some of the providers listed above are based in the United States. Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses and, where applicable, certification under the EU-US Data Privacy Framework.
Security
We take appropriate technical and organisational measures to protect personal data against unauthorised access, loss, and misuse. For details on how we secure the Service, see our security page at heisthq.com/trust.
Obligation to provide data
To create an account and use the Service, you must provide your name and work email address. Without this information, we cannot deliver the Service. All other data you provide is voluntary.
How long we keep your data
We retain personal data for as long as necessary to fulfil the purposes described in this policy.
Account data is retained and deleted in accordance with our Terms of Service. Log and technical data is retained for up to 90 days. Purchase and payment documentation is retained for five years in accordance with Norwegian accounting legislation. Marketing preferences are retained until you unsubscribe.
Your rights
Under the General Data Protection Regulation, you have the right to access the personal data we hold about you, to have inaccurate data corrected, to request deletion of your data, to restrict or object to processing, and to receive your data in a portable format.
To exercise any of these rights, contact us at privacy@heisthq.com. We may need to verify your identity before processing your request.
If your request relates to Customer Data processed on behalf of a customer, please contact that customer directly. We will assist customers in responding to such requests as required.
Complaints
You have the right to lodge a complaint with a supervisory authority. In Norway, the supervisory authority is Datatilsynet (datatilsynet.no). You may also complain to the supervisory authority in the EU/EEA country where you live or work.
Automated decision-making
We do not use automated decision-making or profiling that produces legal or similarly significant effects.
Heist as a data processor
Heist tests customer applications using dedicated test accounts provisioned by the customer. During testing, our agents may incidentally encounter personal data that exists in the target application. Heist does not intentionally collect end-user personal data and takes measures to anonymise any personal data encountered before storing findings.
Customers are the data controllers for Customer Data. Heist processes this data strictly according to customer instructions and our Data Processing Agreement, available at heisthq.com/dpa. A list of sub-processors involved in this processing is maintained at heisthq.com/sub-processors.
If you believe your personal data has been processed as part of a customer's use of the Service, please contact that customer.
Changes to this policy
We may update this Privacy Policy from time to time. The current version is always available at heisthq.com/privacy-policy. We will notify users of material changes that affect how we process their personal data.
Contact
Heist AS
Org. nr. 935 833 973
Sandbrekkevegen 100
5225 Nesttun
Norway
privacy@heisthq.com