Privacy Policy
HEROSA delivers expert information security, data privacy and AI strategy and compliance consulting services. Our aim is to support you in protecting and accelerating your business by becoming compliant with industry standards and regulatory requirements including ISO 27001, SOC 2, ISO 22301, EU GDPR, NIS2, DORA. This Privacy Policy applies to all of the HEROSA websites, platforms and all features or services that link to it ("HEROSA Services").
Topics that will be discussed in this Privacy Policy are listed below:
How We Collect Information About You
Information We Gain from Our Customers
Personal Information That We Share
Keeping Your Data Safe
Your Rights Towards Your Data
Data Retention
Cookies and Analytics
Privacy Policy for Children
Changes to this Privacy Policy
How to Contact Us
How We Collect Information About You - HEROSA as Data Controller
When we collect some personal data from you directly, we are acting as a Data Controller. Here you can see how, for what purposes and what personal data we collect from you: when you schedule a call, fill out our contact forms, register to our newsletter, contact us directly or request an invite. In the section that considers Keeping Your Data Safe you can find out where we store and how we protect your data. For any of these situations we are highly determined to guarantee security and appropriate use of your data.
Contact Us / Schedule a call / Request a meeting
When you fill out our Contact Us, Schedule a call or Request a meeting forms on any HEROSA website, either to ask us something about our products or to request a recall or offer, you are providing us with your personal data like: e-mail address, first name, last name, etc. We will use this data only to provide you with appropriate answers and to give you adequate updates regarding our products. Depending on the subject of your request, we might ask you to fill out some additional fields, like company name, to assure that you are a legitimate potential customer.
Direct contact
When you ask for assistance from our team of consultants, or make any kind of direct contact with us, we may collect and store contact information you provide (generally your name and e-mail address), as well as information about your usage of HEROSA services so that we can appropriately respond to inquiries. We will also store the correspondence and any related information.
Job Applications and HR
Every time you apply for a position in HEROSA, we collect, process and store your personal data, including your e-mail address, name, surname and information in your CV, during the selection process period. Personal data you send us, either using our application form or by sending your application to our job application e-mail address, will be used only for potential employment purposes. After the selection process is finished, we will store your data for a six-month period in case there is another suitable position for you. After that period your personal data will be erased from our systems. We also collect and store personal data of our employees, both on our servers and in hard copy, due to legal obligations.
Information We Gain from Our Customers - HEROSA as Data Processor
In accordance with our Consultancy Agreement and Non-Disclosure Agreement, we process personal data obtained from our customers only to provide requested service and appropriate support. In these cases, we act as Data Processor. Our customers are Data Controllers and they have provided us with personal data they collected lawfully.
To provide the requested services, including consultancy, documentation preparation, risk assessment and internal audit, we process our customers’ personal data, including their employees’, vendors’ and customers’ names, surnames, phone numbers, social media links, etc., depending on what information is relevant to the scope of the service. We do this processing at our customer’s request, on their premises and in their or our cloud environment. Data might be accessed remotely or stored both locally and in a remote cloud location.
An appropriate consent process is implemented in order to make sure all data is collected and used in line with data protection laws and regulations. Customers are fully liable for any use of personal data collected and shared using our services and the obligation of the user is to collect and process data lawfully using data protection measures implemented on our platforms and services.
How We Share Information
In some cases, we might share personal data and information we collected or we gained from our customers, as described in previous sections of this Policy. In this section we provide you with information in which cases and to whom we provide personal data and what we do in order to maintain privacy of shared data.
Our third-party contractors
There are cases where we use services of third-party companies that are somehow involved in processing of personal data. These companies process only personal data we collected and they do not process any personal data of our customers. If you provide us with your personal data, we might use some software or service of third-party contractors and in these cases, we are Data Controllers (cases described in previous section) and third-party contractors are acting as Data Processors. HEROSA performs due diligence on the information security practices and data protection compliance of all third-party contractors and requires each to commit to written obligations (Data Processing Agreement) regarding their security controls and applicable regulations for the protection of personal data. List of third-party contractors and their role in service provisioning and data storing and processing is given below:
Company name: | Company website: | Service is used for: |
Google Workspace | https://workspace.google.com | E-mail and Cloud Hosting |
Namecheap | https://www.namecheap.com | Domain and website hosting |
Legal Requests and Safety
We may transfer and disclose information, including personal information and usage information and your device identifier (including IP address), to third parties to comply with a legal obligation: when we believe in good faith that the law requires them; at the request of governmental authorities conducting an investigation; to verify or enforce our Consultancy Services or other applicable policies; to respond to an emergency; or otherwise to protect the rights, property, safety, or security of third parties, users of the HEROSA services or the public. We may also use device identifiers to identify users, and may do so in cooperation with copyright owners, Internet service providers, wireless service providers or law enforcement agencies, at our discretion. Such disclosures may be carried out without notice to you.
Change of Ownership or Control
HEROSA reserves the right to disclose and transfer user information, including personal information, in connection with a corporate merger, consolidation, restructuring, the sale of certain stock and/or assets, or other corporate change including, without limitation, during the course of any due diligence process.
Security of Your Data
We take precautions to protect your information. When you submit personal information via the website, your information is protected both online and offline. While we use encryption to protect sensitive information transmitted online, we also protect your information offline. Only employees who need the information to perform a specific job (for example, invoicing or customer support) are granted access to personally identifiable information. The computers/servers in which we store personally identifiable information are kept in a secured environment.
We implemented technical and organizational security measures for the protection of personal data before processing of any personal data and additional security measures as mutually agreed with our customers. HEROSA has been adopting security measures including encryption, pseudonymization, resilience of processing systems and backing up personal data in order to be able to reinstate the system.
Security and privacy of our information, including personal data as an important information asset, is built on best practices and follows a holistic approach towards information security and data protection. All of our organizational and technical measures are applied taking into account high-level information security standards (e.g. ISO 27001) and GDPR requirements.
Access to Your Information, Correction and Right to Be Forgotten
You have the right to request a copy of the information that we hold about you. If you would like a copy of personal data we have on you, where we store it and how we use it, please send us your request. We want to make sure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate or use your “right to be forgotten” with consideration of lawful interception bounds. You can also unsubscribe from the specified channel or delete your account using unsubscribe/delete options on our website and/or services and mobile applications. Delete or change requests of any data we gained from our customers have to come from that customer as described in our NDA. For any additional request or question you can contact our DPO by sending an e-mail to the address presented below.
Retention Period
The duration of the processing of data we gained from our customers or received from data subjects directly is limited to the duration needed to perform our obligations considering requested service unless a legal obligation applies. Our obligation with regard to the data processing shall in any case continue until the data has been properly deleted or has been returned at the request of our customer. For the purposes of fulfilment of our legal obligation, we will store financial, billing and payment data for the period of time required by law. HEROSA job post applications data will be stored for six months as already defined in this Policy and HEROSA employee’s data is stored for the period of time required by law.
Cookies and Analytics
Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. This information is used to track visitor use of the website and to compile statistical reports on website activity. You can set your browser not to accept cookies if you are not comfortable with them.
Our Policy Towards Children
The Services are not directed to individuals under 16. We do not knowingly collect personal information from children under 16. If we become aware that a child under 16 has provided us with personal information, we will take steps to delete such information. If you become aware that a child has provided us with personal information, please contact our support services.
Changes to Our Privacy Policy
HEROSA may update this policy from time to time and any changes will be effective upon posting. We will notify you about significant changes in the way we treat personal information by sending a notice to the primary email address specified in your HEROSA account or by placing a prominent notice on our site. However, we will use your personal information in a manner consistent with the Privacy Policy in effect at the time you submitted the information, unless you consent to the new or revised policy.
How to Contact Us
Please contact us with any questions or comments about this Policy, your personal data or your consent choices. If you have any concerns to address, any questions or complaints about this Policy or your personal data, you may contact HEROSA’s Data Protection Officer by sending an email to nemanja@herosa.consulting.
Last update: September 1st, 2025.