Privacy Policy
This Privacy Policy explains how Herarx collects, uses, stores, and shares your personal data when you use our service at herarx.com. Please read it carefully. By accessing or using Herarx — including simply browsing the site — you agree to this policy and to our use of cookies as described below. By creating an account you additionally agree to our Terms of Use.
1. Who is responsible for your data
The data controller is:
- Name: Giorgos Nikolaou, operating as Herarx
- Country: Cyprus (European Union)
- Contact: info@regalholdings.org
As a data controller established in Cyprus, Herarx is subject to the EU General Data Protection Regulation (GDPR) and the applicable Cyprus data protection legislation.
2. Data we collect about you
2.1 Account data
When you register, we collect the following:
- Email address (required)
- Username, first name, last name, middle name
- Password (stored as a one-way bcrypt hash — we never see your plain password)
- Date of birth, gender, nationality (optional profile fields)
- Full address (optional)
- Mobile number, alternate email address (optional)
- Profile picture and bio (optional)
2.2 Security and authentication data
- Two-factor authentication (2FA) secret key
- Security questions and answers (answers stored as bcrypt hashes)
- Password reset tokens (time-limited, stored encrypted)
2.3 Technical and usage data
Collected automatically when you use Herarx:
- IP address at login and during active sessions
- Device type, operating system, browser name and version
- Approximate geolocation derived from IP (country and city)
- Login timestamps and total login count
- Audit log records of actions you take within the platform (create, edit, delete)
2.4 Subscription and billing data
If you subscribe to a paid plan, billing is processed by Stripe. We store a Stripe customer ID and subscription status against your account. We do not store card numbers or full payment details — these are held by Stripe under their own data processing terms.
2.5 Contact data you store (data you enter about third parties)
Herarx allows you to store profiles of your own contacts (clients, colleagues, etc.). This data belongs to you and is processed by Herarx as a data processor on your behalf. See Section 9 for more detail.
2.6 Files and case content
Files you upload are stored encrypted. Case data (title, notes, attachments) is stored on our servers and, where S3 storage is enabled, on Amazon Web Services (AWS) infrastructure in encrypted form.
3. Why we collect your data and the legal basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing the service (account, cases, files, contacts) | Contract performance (Art. 6(1)(b)) |
| Processing subscription payments via Stripe | Contract performance (Art. 6(1)(b)) |
| Security, fraud prevention, audit logging | Legitimate interests (Art. 6(1)(f)) |
| Sending transactional emails (verification, password reset, notifications) | Contract performance / Legitimate interests (Art. 6(1)(b) and Art. 6(1)(f)) |
| Analytics and advertising cookies (Google Ads) | Legitimate interests (Art. 6(1)(f)) — use of the site constitutes acceptance |
4. Cookies
Strictly necessary cookies
- session — keeps you signed in during a visit (HttpOnly, Secure)
- remember_token — persists your login when you choose "Remember this device" (HttpOnly, Secure)
- csrf_token — protects forms against cross-site request forgery
These cookies are essential for the service to function and do not require consent.
Analytics and advertising cookies
We load Google Ads (gtag.js) which sets cookies including _gcl_* and _ga. Google reCAPTCHA is loaded on the login and registration pages and may set its own cookies as part of Google's fraud detection service.
By using this site you agree to the use of these cookies. A notice is shown on your first visit. If you do not wish to accept cookies, please do not use the site. You can remove stored cookies at any time by clearing your browser's local storage and cookies for herarx.com.
5. Third-party services and data sharing
We share personal data with the following third parties, solely to provide the service:
Google Ads & reCAPTCHA (Google LLC)
We use Google Ads (account ID: AW-18188631881) for conversion tracking and advertising. Google reCAPTCHA is used to protect login and registration forms from automated abuse. These services are provided by Google LLC (USA). Data is transferred under Google's Standard Contractual Clauses.
Stripe (Stripe, Inc.)
Subscription billing is handled by Stripe. When you subscribe, your billing information is processed by Stripe under their own Privacy Policy. We receive a customer token and subscription status only.
Amazon Web Services (AWS)
Encrypted file data may be stored on AWS S3 (EU region). Files are encrypted before upload; AWS does not have access to plaintext file content.
Email delivery provider
Transactional emails (account verification, password reset, notifications) are sent via our configured SMTP provider. Your email address is shared with this provider for delivery purposes only.
OpenAI (if AI file analysis is enabled)
If the AI-assisted file keyword extraction feature is enabled on your account, excerpts of text extracted from your uploaded files (up to 12,000 characters) are sent to OpenAI's API to generate search keywords. No file is uploaded to OpenAI in its entirety. If this feature is not enabled, no file content leaves our infrastructure.
We do not sell your personal data to any third party.
6. International data transfers
Herarx is based in Cyprus (EU). Some of our service providers (Google, Stripe, AWS, OpenAI) are based in the United States. Data transfers to these providers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent transfer mechanisms.
7. Data retention
- Active accounts: personal data is retained for as long as your account is active.
- Account deletion: upon a valid deletion request, all personal data is deleted immediately. If technical issues prevent immediate deletion, we will complete it manually within 1 month.
- After subscription ends: your content (cases, files, contacts) is retained for 6 months. During the first month after expiry you retain full read access. After that, content exceeding your free-tier limits is locked. After 6 months, locked content may be permanently deleted.
- Audit logs: retained for up to 2 years for security and legal compliance purposes, even after account deletion.
- Billing records: retained as required by applicable tax and accounting law (typically 7 years).
8. Your rights under GDPR
As a data subject under EU GDPR, you have the following rights:
- Access: request a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate or incomplete data.
- Erasure ("right to be forgotten"): request deletion of your data. To request account deletion, email us at info@regalholdings.org.
- Restriction: request that we limit processing of your data in certain circumstances.
- Data portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interests or for direct marketing.
- Objection to analytics cookies: you may opt out of Google Analytics at any time via Google's opt-out tool or by clearing your browser cookies and local storage for herarx.com and discontinuing use of the site.
To exercise any of these rights, contact us at info@regalholdings.org. We will respond within 30 days.
You also have the right to lodge a complaint with the Cyprus Commissioner for Personal Data Protection (dataprotection.gov.cy) or the supervisory authority in your EU member state of habitual residence.
9. Herarx as a data processor for contact data
When you store contact profiles of third-party individuals within Herarx (e.g. clients, case subjects), you are the data controller for that personal data and Herarx acts as your data processor. You are responsible for ensuring you have a lawful basis to store that data and that your use of Herarx complies with your own data protection obligations. Herarx processes that data solely on your instructions and in accordance with this policy.
10. Security
We implement appropriate technical and organisational measures to protect your data, including:
- All connections encrypted via TLS (HTTPS enforced)
- Passwords hashed with bcrypt (never stored in plaintext)
- Files stored encrypted (AES-256)
- Two-factor authentication available (TOTP and hardware security keys)
- Full audit trail of all data access and modifications
- Role-based access controls
11. Children
Herarx is not intended for use by persons under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will notify you by email or by a notice within the application.
13. Contact us
For any privacy-related questions, data subject requests, or concerns:
- Email: info@regalholdings.org
- Controller: Giorgos Nikolaou, operating as Herarx, Cyprus