Privacy Policy
Hepta Data — heptadata.com
Version 2.0 | Effective Date: 1 March 2026 | Last Updated: March 2026
Controller: Polygon Digital Ltd., Dublin, Ireland
Contact: info@heptadata.com | +353 89 981 5670
Scope: heptadata.com — Practice management & workflow automation platform
Applicable Law: EU GDPR (2016/679), Irish Data Protection Act 2018, ePrivacy Directive
1. About This Policy
This Privacy Policy explains how Polygon Digital Ltd. (‘we’, ‘us’, ‘our’), operating the Hepta Data platform at heptadata.com, collects, uses, stores, and protects personal data when you use our practice management and workflow automation services.
Hepta Data is a non-clinical, non-medical-grade software tool designed to help practices automate administrative workflows including scheduling, form collection, document management, and communication. It is not a medical device and does not provide clinical diagnoses or medical advice.
2. Who We Are
Polygon Digital Ltd. is an Irish-registered company providing healthcare administration software. We act as a Data Controller in respect of the personal data you provide when registering and using our platform, and as a Data Processor in respect of end-user/client data that our customers (practices) input into the system.
For GDPR purposes, our representative and primary contact is:
Polygon Digital Ltd.
3 The Grove, Donabate, Co. Dublin, K36 KD27, Ireland
Email: info@heptadata.com | Phone: +353 89 981 5670
3. What Data We Collect
3.1 Account & Registration Data
- Name, email address, phone number
- Practice or organisation name
- Billing address and payment information (processed by a third-party payment provider)
- Login credentials (passwords are hashed and never stored in plain text)
3.2 Usage & Platform Data
- Log data: IP address, browser type, pages visited, timestamps
- Device and session information
- Feature usage patterns (to improve the platform)
3.3 Customer-Submitted Data
When you use Hepta Data to manage your practice, you may upload or input data about your own clients. This data is processed by us strictly as a Data Processor under your instructions. We do not use this data for any purpose other than providing the platform service to you.
3.4 Google Account Data (OAuth Integration)
If you choose to connect your Google account, we access only the specific scopes you authorise. See Section 6 for full details of our Google integration and data handling.
4. How We Use Your Data
4.1 To Provide the Platform
- Creating and managing your account
- Processing form submissions and workflow automation
- Scheduling and calendar management
- Sending notifications and appointment reminders
- Generating reports and analytics for your practice
4.2 For Communications
- Transactional emails (account confirmation, password reset, receipts)
- Service notifications (downtime alerts, feature updates)
- Marketing communications — only with your explicit consent, and you may unsubscribe at any time
4.3 For Security & Compliance
- Fraud prevention and abuse detection
- Audit logging (who accessed what, when)
- Compliance with our legal obligations under Irish and EU law
4.4 Legal Bases for Processing (GDPR Article 6)
| Legal Basis | Processing Activity |
|---|---|
| Contract (Art. 6(1)(b)) | Account management, platform features, billing |
| Legitimate Interest (Art. 6(1)(f)) | Security, fraud prevention, audit logging, service improvement |
| Legal Obligation (Art. 6(1)(c)) | Tax records, compliance requirements |
| Consent (Art. 6(1)(a)) | Marketing emails, Google OAuth connection, optional analytics |
5. Data Retention
We retain personal data only for as long as necessary for the purposes set out in this Policy, or as required by law:
| Data Type | Retention Period |
|---|---|
| Account data | Duration of subscription + 12 months |
| Billing records | 7 years (Irish tax law requirement) |
| Audit logs | 3 years |
| Google OAuth tokens | Until revoked or account deletion |
| Marketing consent records | Until consent withdrawn + 3 years |
| Support communications | 2 years from last interaction |
6. Google API Integration — Gmail & Calendar
When you choose to connect your Google account to Hepta Data, we request access to specific Google services. We strictly comply with Google's API Services User Data Policy, including the Limited Use requirements.
6.1 Scopes Requested
Gmail (gmail.send)
We request the gmail.send scope — this is the most restricted Gmail permission available. It allows Hepta Data to send emails on your behalf (e.g., appointment reminders, workflow notifications, automated correspondence). We do NOT request permission to read, modify, or delete your emails. We cannot and do not access your inbox or any received messages.
Google Calendar (calendar.events)
We request access to create, read, and update calendar events. This allows Hepta Data to schedule appointments on your behalf, send calendar invites to clients, and keep your practice calendar synchronised with platform bookings. We do not access personal calendar events unrelated to your Hepta Data workflow.
6.2 Google API Limited Use Policy Compliance
Our use of data obtained through Google APIs strictly complies with the Google API Services User Data Policy:
- We only use Google data to provide and improve the Hepta Data features you explicitly request
- We do NOT use Gmail or Calendar data to serve advertisements
- We do NOT allow humans to read your Gmail or Calendar data, except where required by law or with your explicit permission for support purposes
- We do NOT sell, transfer, or use Google user data for any purpose other than providing the requested Hepta Data features
- We do NOT use Google data to train AI or machine learning models
- Data accessed via Google APIs is stored securely and retained only as long as needed to provide the service
6.3 Revoking Google Access
You can revoke Hepta Data's access to your Google account at any time by visiting your Google Account settings at myaccount.google.com/permissions. You can also disconnect the Google integration from within your Hepta Data account settings. Revoking access will disable Google-connected features but will not affect your core Hepta Data account.
7. How We Share Your Data
We do not sell your personal data. We only share data with third parties in the following circumstances:
7.1 Service Providers (Data Processors)
We engage trusted service providers who process data strictly on our behalf and under our instructions, bound by Data Processing Agreements:
- Cloud hosting and infrastructure (EU-based servers)
- Payment processing (PCI-DSS compliant provider)
- Email delivery service (for platform notifications)
- Security and monitoring services
- Analytics (aggregated, anonymised where possible)
7.2 Legal Requirements
We may disclose personal data if required by law, court order, or regulatory authority, or to protect the rights, property, or safety of our users or the public.
7.3 Business Transfers
If Polygon Digital Ltd. is involved in a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity. We will notify you before your data is subject to a different privacy policy.
8. International Data Transfers
Our primary data storage is within the European Economic Area (EEA). If any of our service providers process data outside the EEA, we ensure adequate safeguards are in place, including:
- EU Standard Contractual Clauses (SCCs) under Commission Implementing Decision 2021/914
- Adequacy decisions issued by the European Commission
- Binding Corporate Rules where applicable
A list of our sub-processors and their locations is available on request at info@heptadata.com.
9. Your Rights Under GDPR
If you are located in the EEA, you have the following rights regarding your personal data:
| Right | What It Means |
|---|---|
| Access (Art. 15) | Request a copy of the personal data we hold about you |
| Rectification (Art. 16) | Request correction of inaccurate or incomplete data |
| Erasure (Art. 17) | Request deletion of your data (‘right to be forgotten’) |
| Restriction (Art. 18) | Request that we limit how we process your data |
| Portability (Art. 20) | Receive your data in a structured, machine-readable format |
| Objection (Art. 21) | Object to processing based on legitimate interest |
| Withdraw Consent | Withdraw any consent you have given at any time |
| Lodge a Complaint | Complain to the Irish Data Protection Commission (dataprotection.ie) |
To exercise any of these rights, contact us at info@heptadata.com. We will respond within 30 days. We may require identity verification before processing certain requests.
10. Cookies
We use essential cookies required for the platform to function (authentication, session management). We do not use advertising or tracking cookies. If we add analytics cookies in the future, we will seek your explicit consent first through a cookie banner compliant with the ePrivacy Directive.
11. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- TLS/SSL encryption for all data in transit
- AES-256 encryption for data at rest
- Role-based access controls (RBAC) limiting staff access to data
- Regular security audits and penetration testing
- Multi-factor authentication for staff accessing production systems
- Incident response plan with 72-hour breach notification to the Data Protection Commission as required by GDPR Art. 33
12. Children's Privacy
Hepta Data is intended for use by adults operating professional practices. We do not knowingly collect personal data from individuals under 18 years of age. If you become aware that a minor has provided us with personal data, please contact us immediately at info@heptadata.com.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to registered users by email and by a prominent notice on our website at least 30 days before the changes take effect. Continued use of the platform after the effective date constitutes acceptance of the updated Policy.
14. Contact Us
For any questions, concerns, or requests relating to this Privacy Policy or your personal data:
Email: info@heptadata.com
Phone: +353 89 981 5670
Website: heptadata.com
Polygon Digital Ltd., 3 The Grove, Donabate, Co. Dublin, K36 KD27, Ireland
Supervisory Authority: Data Protection Commission, Ireland | www.dataprotection.ie