PRIVACY POLICY
This Privacy Policy explains what personal information we collect from Users and how it is processed.
In processing Users' personal data, HEED implements technical and organizational security measures appropriate to the requirements of current data protection legislation.
Who are we?
GOAL ORIENTED SOLUTIONS, LDA., hereinafter referred to as "HEED", is the entity responsible for processing personal data collected through the website https://myheed.app/ and other associated channels.
Users can contact HEED through:
- Postal address: Rua João António Fernandes, n.º 64 J, 4810-491 Guimarães, Portugal
- Email: hello@myheed.app
Users
A "User" is considered to be any person who browses the website, on any of its pages or sections. From the moment they access the website, the User establishes a relationship with HEED in which they accept the Terms and Conditions, as well as the policies set out here.
Users under 18 years of age must obtain consent from parents or legal representatives for their personal data to be processed. HEED does not have the means to absolutely verify the actual age of Users, and therefore cannot be held responsible if a minor provides personal data without the consent of their legal representatives, in violation of what is provided here.
What we do not do:
In processing personal data, HEED commits, in particular, to:
- Not request personal information that is not strictly necessary to provide services, make content available, or send commercial communications requested by the User or appropriate to their relationship with HEED.
- Not share Users' personal data with third parties, except when necessary to comply with legal obligations, execute a contract, ensure the technical functioning of services, or when there is express consent from the User.
- Not use personal data for purposes different from those indicated in this Privacy Policy or in the specific information provided at the time of collection.
Applicable law
This website and the processing of personal data carried out by HEED are adapted to comply with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation – GDPR), as well as Law No. 58/2019 of 8 August, which ensures the implementation of the GDPR in the internal legal order, and Law No. 41/2004 of 18 August, in its current wording, relating to the processing of personal data and the protection of privacy in the electronic communications sector.
Principles applicable to personal data processing
In processing Users' personal data, HEED applies, among others, the following principles:
- Principle of lawfulness, fairness and transparency: Personal data is processed lawfully, fairly and transparently. In each case, the User is informed of the specific purposes of processing, the legal basis and the recipients of the data.
- Data minimization principle: Only data strictly necessary in relation to the purposes for which they are processed will be requested.
- Storage limitation principle: Personal data will be retained only for the period necessary to pursue the respective purposes or for the period required by law. In the case of subscription lists, databases will be periodically reviewed to remove inactive or obsolete records.
- Integrity and confidentiality principle: Personal data will be processed in a way that ensures its security and confidentiality, with HEED adopting appropriate measures to prevent unauthorized access, loss, destruction or misuse by third parties.
What are your rights?
Users may, at any time, exercise the following rights regarding their personal data:
- Right of access: obtain confirmation as to whether or not your data is being processed and, if so, access the respective information.
- Right to rectification: request the correction of inaccurate data or the completion of incomplete data.
- Right to erasure ("right to be forgotten"): request the deletion of your personal data when, among other reasons, they are no longer necessary for the purpose that motivated their collection, without prejudice to legal retention obligations.
- Right to restriction of processing: in certain circumstances, request that data processing be restricted, keeping only data strictly necessary for administrative, legal, security purposes or for the exercise or defense of claims.
- Right to object: in specific situations and for reasons related to their particular situation, Users may object to the processing of their data. In such cases, HEED will cease processing the data, unless there are compelling legitimate reasons that prevail or if the data is necessary for the establishment, exercise or defense of a right in legal proceedings.
- Right to data portability: Users have the right to receive the personal data they have provided to HEED, in a structured, commonly used and machine-readable format, and to transmit it to another controller, whenever: (i) processing is based on consent or contract performance; and (ii) processing is carried out by automated means. Whenever technically possible, Users may request that transmission be made directly between controllers.
To exercise any of these rights, Users may contact HEED through: hello@myheed.app
Users also have the right to effective judicial protection and may resort to the courts whenever they consider their rights have been violated, as well as file a complaint with the National Data Protection Commission (CNPD) if they believe that the processing of their personal data violates the GDPR or applicable national legislation.
How do we collect your data?
When Users access the website, send an email, subscribe to content, enter into a contract or fill out a form, personal data for which HEED is responsible may be collected. This data may include, among others, name, physical address, email address, phone number, billing data, IP address and other elements necessary depending on the purpose in question.
The website has different personal data collection systems, each with specific purposes:
Contact form:
Through the contact form, data such as name, email address and phone number may be requested, for the purpose of responding to information requests, questions, comments or issues related to the website, services provided, personal data processing or potential contractual relationships.
Failure to provide the minimum necessary personal data prevents HEED from adequately responding to the request. This processing is considered legitimate as it involves pre-contractual diligence.
The data provided will be stored on the server where the website is hosted and in the communication systems used by HEED.
Subscription form:
Through the subscription form, data such as name and email address are collected, for the purpose of managing the subscription list, sending newsletters, informative content, promotions and special offers, from HEED or third parties.
Before completing the subscription, HEED will request the User's express and prior consent for sending commercial communications related to products and services offered on the website.
Newsletters are managed by an email marketing service provider that will act as a subcontractor, properly identified in the section relating to subcontractors. Data processing in this section is based on the data subject's consent.
Contract form:
This form may request, among others, name, tax identification number (NIF), email address, phone contact and address, for the purpose of managing product and/or service contracting requests, processing orders, issuing the respective billing and monitoring the commercial relationship with the User.
In this context, the legal basis for data processing rests, on the one hand, on the performance of the contract entered into or to be entered into between the User and HEED (since this data is indispensable to provide the service or deliver the product) and, on the other hand, on compliance with legal and tax obligations applicable to HEED's activity, particularly in accounting and billing matters.
Data will be stored on the servers where the website is hosted and, whenever applicable, in the billing systems and payment platforms used by HEED, exclusively for the purposes indicated above and for the legally required periods or strictly necessary to pursue those purposes.
Affiliate registration form:
To join affiliate programs, Users must register through the appropriate form, subject to the program's specific contractual conditions. Data such as name, email address and website may be collected.
Data will be stored on the servers where the website is hosted and, depending on the tools used, may be shared with third-party service providers strictly necessary for the operation of the affiliate program, including, when applicable, specialized affiliate management platforms.
In such cases, HEED and the affiliate platform generally act as independent controllers, each in relation to the operations it performs on their respective platforms and in accordance with their privacy policies.
The legal basis for processing is contract performance.
In addition to the purposes indicated above, HEED may process personal data to:
- Ensure compliance with the Terms of Use and applicable legislation;
- Support, maintain and improve the services and features offered through the website;
- Prevent abuse, fraud or illegal activities related to the use of the website.
In the context of the platform's use by the psychologist, HEED processes, on their behalf, the data they enter about their patients, which may include health-related data and other sensitive clinical information. The specific content of these records is determined exclusively by the psychologist, as the data controller, with HEED playing the role of subcontractor providing hosting, management and information security services.
Data retention and deletion periods
HEED retains personal data only for the period necessary for the purposes for which they were collected or to comply with applicable legal obligations. In particular:
- Customer identification and billing data are retained during the contractual relationship and, after its termination, for the legally required period to comply with tax and accounting obligations.
- Data entered by Users about their patients is retained while the account remains active and the Customer uses the service. After subscription cancellation or contract termination, this data will be retained only for a limited period of 60 days, intended to allow export by the User, after which it will be deleted or anonymized, unless the law requires a longer period.
- In the case of accounts created under a trial period that are not converted to paid plans, HEED may deactivate the account and delete or anonymize data 30 days after the end of the trial period, keeping only information strictly necessary for proof of technical operations or compliance with legal obligations.
- In case of non-payment, HEED may suspend normal access to the application. Whenever technically possible, Users will be provided, for a limited period, with a means to export stored data; after this period, data will be deleted or anonymized.
The indicated periods may be adjusted whenever there are specific legal obligations that impose different retention periods, in which case HEED will retain data for the time strictly necessary to comply with those obligations.
Record of acceptance of Terms and Privacy Policy
When Users create an account with HEED, the system technically records the moment they indicate acceptance of the Terms and Conditions and Privacy Policy, including the date and time, account identifier and, when applicable, technical elements such as IP address and browser type used. HEED also maintains an internal record of the different versions of the Terms and Conditions and Privacy Policy in force, so as to be able to demonstrate, if necessary, which conditions were accepted at each moment.
Social Networks
The website may integrate buttons, widgets or sections linked to social networks, as well as official HEED profiles on different platforms. In such cases, the processing of personal data of Users who interact with these pages or profiles is governed simultaneously by this Privacy Policy and by the terms of use, privacy policies and other rules of each social network, previously accepted by Users when they registered on these platforms. HEED will process Users' personal data for the purpose of properly managing its presence on social networks, promoting activities, products and services, and interacting with Users through comments, messages or mentions, and may also carry out marketing actions, always within the limits and functionalities provided by each platform.
Remarketing
Remarketing allows HEED to re-contact Users who have already visited the website, associating them with certain target audiences and showing them specific messages or advertisements on subsequent visits or on other platforms.
The website may use remarketing cookies, for example, through tools such as Facebook Ads, Google Ads or similar, whenever Users have authorized the use of marketing cookies in the banner/configuration panel.
Data collected for remarketing is obtained mainly through third-party cookies (e.g., Meta/Facebook or Google). Users can obtain more information about these processing activities in the respective services' privacy policies.
Remarketing is only carried out when Users provide their free, specific, informed and explicit consent for the use of these cookies.
Affiliate program
The website may integrate an affiliate program, through which certain links or content may be associated with affiliate partners.
To allow correct attribution of clicks, leads or sales to the respective affiliates, cookies or similar identifiers provided by a third-party affiliate platform (e.g., Awin) or by other providers with equivalent functions may be used.
These cookies will only be used with the User's prior consent, in accordance with the options set in the cookie banner or configuration panel. Users can obtain more information about these cookies and how to change or revoke their consent in the website's Cookie Policy and in the privacy policies of the providers involved.
Opinions and testimonials
HEED may select and publish statements, reviews or comments from customers and Users about its services or products, which may contain personal data (e.g., first name and city).
The publication of identified testimonials will always be based on the User's prior consent. Once published, this content may be visible to other Users of the website.
If Users wish to delete or change their testimonial, they may contact HEED through the contact form or by sending an email to hello@myheed.app. However, HEED cannot control or be held responsible for any prior sharing by third parties.
Recipients: to whom may your data be disclosed?
Many tools we use to manage user data are contracted to third parties; these are called "subcontractors" in the GDPR.
To provide certain services and ensure the technical functioning of the website, HEED uses external service providers that process personal data on its behalf, as subcontractors, under contracts that ensure GDPR compliance. Currently, Users' personal data may be processed, in particular, by the following subcontractors:
Crisp
Provider of the online chat service used on the Website for real-time communication with Users. Crisp declares GDPR compliance and provides detailed information about cookie usage and personal data processing in its Privacy Policy and security documentation, available at: https://crisp.chat/en/privacy/ and https://help.crisp.chat/en/article/whats-crisp-eu-gdpr-compliance-status-nhv54c/
Loops
Provider of transactional and marketing email sending service, used for sending account confirmation emails, password recovery and informative communications related to platform use. Loops declares GDPR compliance and provides detailed information about personal data processing and its privacy practices in its Privacy Policy, available at: https://loops.so/privacy
Google Analytics
Statistical analysis service provided by Google, used to obtain aggregated data about Website traffic and usage (e.g., most visited pages, devices used, general navigation trends). Google acts as a subcontractor under the GDPR and provides specific documentation on privacy and data protection at: https://support.google.com/analytics/answer/6004245 and https://developers.google.com/tag-platform/security/concepts/privacy
Google Calendar API
Service provided by Google that allows integration of calendar features (such as scheduling sessions or events) with HEED accounts. Data processed through the Google Calendar API is subject to Google's privacy and security policies, accessible at: https://policies.google.com/privacy
Google Meet
Video conferencing service provided by Google, used for conducting online meetings with Users or clients. Data processing carried out through Google Meet is regulated by Google's privacy policies and data protection commitments, available at: https://policies.google.com/privacy
Google Workspace
Set of productivity and collaboration tools provided by Google, used for communication and internal management (e.g. email, file storage and sharing, creation of documents, spreadsheets and presentations). Google may have access to personal data processed in the context of the use of these services, acting as a subcontractor under the GDPR. Google provides specific documentation on privacy, security and data protection, including information on GDPR compliance, at: https://workspace.google.com/intl/en/terms/user_features/
Sanity CMS
Content management platform (headless CMS) used by HEED to structure and publish Website content. Sanity declares compliance with GDPR and other data protection standards, as well as specific security measures, according to its Privacy Policy, available at: https://www.sanity.io/legal/privacy
Stripe, Inc.
Provider of debit and credit card payment processing services on the Website. Stripe uses standard data protection clauses adopted by the European Commission, which can be consulted at: https://stripe.com/dpa/legal. For more information about personal data processing by Stripe, Users can consult its Privacy Policy at: https://stripe.com/us/privacy.
Supabase
Database and backend service provider used by HEED to store and manage information associated with the Website and User accounts. Supabase provides a Data Processing Addendum (DPA) and data protection policies in compliance with GDPR, which can be consulted at: https://supabase.com/legal/dpa and https://supabase.com/privacy
Vercel
Provider of Website hosting, infrastructure and deployment services. Vercel acts as a subcontractor in processing technical data associated with the site's operation and provides a Data Processing Agreement, as well as a Privacy Policy and security documentation, which can be consulted at: https://vercel.com/legal/dpa and https://vercel.com/legal/privacy-policy
The list of subcontractors may be updated whenever HEED contracts new providers or replaces existing ones, maintaining, in any case, adequate guarantees for personal data protection.
Data security and confidentiality
HEED commits to using and processing Users' personal data respecting their confidentiality and in accordance with the purposes indicated in this Policy, as well as to comply with the duty of care and adoption of necessary measures to prevent alteration, loss, processing or unauthorized access, in accordance with applicable legislation.
The website uses an SSL certificate, which means that data transmission between HEED's server and the User's browser is encrypted.
Despite the measures applied, HEED cannot guarantee the total invulnerability of the Internet, nor completely eliminate the possibility of illegitimate access to data by third parties.
HEED ensures that any person authorized by it to process personal data (including employees, service providers and partners) is subject to adequate confidentiality duties.
In the event of a personal data breach that may pose a risk to Users' rights and freedoms, HEED commits to notify the competent supervisory authority, in accordance with applicable law, to inform affected Users whenever required by the GDPR and to provide, to the extent reasonably possible, relevant information about the security incident.
Access to personal data is limited to persons duly authorized by HEED, exclusively to the extent necessary for maintenance, technical support, security and system administration purposes. These accesses are restricted by internal permission profiles and are subject to confidentiality duties, and may be recorded in audit logs whenever technically appropriate.
Accuracy and truthfulness of data
Users are solely responsible for the accuracy, truthfulness, completeness and updating of data they provide through the website, exempting HEED from any responsibility in this regard.
Users commit to providing complete and correct information and to keeping their data properly updated, communicating any relevant changes to HEED.
Privacy policy changes
This Privacy Policy may be updated due to legislative changes, case law decisions, supervisory authority guidance or changes in HEED's practices.
HEED reserves the right to modify this Policy to adapt it to new legal requirements or its internal practices. Whenever this happens, changes will be published on this page, with indication of the date of the last update, and Users are recommended to consult it periodically.
This document was last updated on January 13, 2026.
LEGAL NOTICE
IDENTIFICATION DATA
In compliance with current legislation, we inform you that the ownership and responsibility of the domain https://myheed.app/, as well as the respective pages and official profiles on social networks (hereinafter, the "Website"), belong to Goal Oriented Solutions, Lda., corporate entity no. 517425483, with headquarters at Rua João António Fernandes, n.º 64 J, 4810-491 Guimarães, Portugal, hereinafter referred to as "HEED".
For any contact related to the Website, you can use the following email address: hello@myheed.app