Privacy Policy

Effective date: 4/9/2025

Company Details

Legal entity: Product Heads Limited

Trading name: Sensaro / Sensaro NPS

Registered address: 14 High Street, Saffron Walden, Essex, United Kingdom, CB10 1AY

Company number: 13175509

Contact: privacy@sensaro.ai

Data Protection Officer (DPO): dpo@sensaro.ai

Representative (if applicable for EU): Tim Wilkinson (tim@sensaro.ai)

Domains covered: www.sensaro.ai

This Privacy Policy explains how Product Heads Limited ("Company", "we", "us", "our") collects, uses, and shares information when you use Sensaro NPS (the "Service"). It also describes your rights and choices. If you are a Customer (an organization with a Sensaro account), we process certain data as your processor; for our own account administration, marketing, and site analytics we are a controller.

1) Scope & Roles

  • Customers are organizations that subscribe to Sensaro.
  • End Users/Respondents are individuals who submit NPS scores or feedback via links or widgets provided by Customers.
  • Visitors are users of our marketing website.

Role: For Customer Data (NPS scores, comments, end‑user identifiers provided by the Customer), we are a processor and the Customer is the controller. For Account, Billing & Marketing Data, we are a controller.

2) Information We Collect

A) Customer Data (processor role)

  • NPS scores and free‑text comments
  • Respondent identifiers supplied by the Customer (e.g., email, internal user ID, cohort, plan)
  • Metadata the Customer chooses to send (e.g., device, app version, locale)

B) Account, Billing & Support (controller role)

  • Account details (name, business email, organization, role)
  • Authentication data (hashed passwords, OAuth tokens)
  • Billing and subscription details (plan and invoices; all payment information is stored by our payment provider, Stripe, and we do not store card numbers)
  • Support communications and attachments

C) Usage & Device Data (controller role)

  • Log files (IP address, timestamps, referrer/UTM, user agent)
  • App telemetry and events (feature usage, performance metrics)
  • Cookies and similar technologies

D) Website & Marketing (controller role)

  • Analytics and A/B testing data
  • Marketing preferences and campaign performance

Special categories: We do not intend to collect special category or sensitive data. Customers must not submit such data in free‑text fields.

3) How We Use Information & Legal Bases

  • Provide and improve the Service (Art. 6(1)(b) contract; Art. 6(1)(f) legitimate interests for diagnostics and security)
  • Account administration, billing, collections (Art. 6(1)(b))
  • Security, fraud prevention, abuse detection (Art. 6(1)(f))
  • Marketing to business contacts (Art. 6(1)(a) consent where required; otherwise Art. 6(1)(f))
  • Legal compliance, tax and accounting (Art. 6(1)(c))

Processor role: We process Customer Data only on the Customer’s documented instructions under the DPA.

4) Sharing & Disclosure

  • Service providers/sub‑processors (e.g., hosting, email delivery, analytics, payments).
  • Payment processor for subscription billing (e.g., Stripe).
  • Professional advisors (legal, accounting, auditors).
  • Corporate transactions (merger, acquisition, asset sale) with appropriate safeguards.
  • Legal requests where required by law.

We do not sell personal information.

5) International Transfers

We may transfer data outside the UK/EU. Where we do so, we rely on appropriate safeguards such as the UK Addendum to the EU Standard Contractual Clauses (SCCs), the EU SCCs, and/or Data Privacy Framework participation of eligible providers. Details are in our DPA and Sub‑processor List.

6) Security

  • Encryption in transit (TLS) and at rest
  • Role‑based access controls, least privilege
  • Audit logging and monitoring
  • Regular backups and disaster recovery procedures
  • Vulnerability management and vendor due diligence

No method of transmission or storage is 100% secure.

7) Data Retention

  • Customer Data: retained for the subscription term and deleted or returned within 30–90 days after termination, unless law requires longer retention.
  • Account & billing records: retained as required for tax/accounting and legitimate interests.
  • Support tickets and logs: retained for operational needs, typically 12–24 months.

8) Your Rights

Depending on your location (e.g., UK/EU/EEA and certain US states), your rights may include access, rectification, deletion, restriction, portability, objection, and withdrawal of consent. Requests may be directed to the Customer (controller) for Customer Data, or to us for controller data at privacy@sensaro.ai. You may lodge a complaint with a supervisory authority (e.g., ICO in the UK).

9) Cookies & Similar Technologies

We use cookies for authentication, preferences, and analytics. You can manage preferences via your browser settings.

10) Children

The Service is not directed to children under 16. We do not knowingly collect data from children. If you believe a child has provided personal data, contact us to delete it.

11) Changes to this Policy

We may update this Policy. We will notify you of material changes via the app or email, and the "Effective date" will be updated.

12) Contact

Product Heads Limited — Privacy Team
Email: privacy@sensaro.ai
Address: 14 High Street, Saffron Walden, Essex, United Kingdom, CB10 1AY