Privacy Policy
This Privacy Policy explains how Herarx collects, uses, stores, and shares your personal data when you use our service at herarx.com. Please read it carefully. By accessing or using Herarx — including simply browsing the site — you agree to this policy and to our use of cookies as described below. By creating an account you additionally agree to our Terms of Use.
1. Who is responsible for your data
The data controller is:
- Name: Giorgos Nikolaou, operating as Herarx
- Country: Cyprus (European Union)
- Contact: info@regalholdings.org
As a data controller established in Cyprus, Herarx is subject to the EU General Data Protection Regulation (GDPR) and the applicable Cyprus data protection legislation.
2. Data we collect about you
2.1 Account data
When you register, we collect the following:
- Email address (required)
- Username, first name, last name, middle name
- Password (stored as a one-way bcrypt hash — we never see your plain password)
- Date of birth, gender, nationality (optional profile fields)
- Full address (optional)
- Mobile number, alternate email address (optional)
- Profile picture and bio (optional)
2.2 Security and authentication data
- Two-factor authentication (2FA) secret key
- Security questions and answers (answers stored as bcrypt hashes)
- Password reset tokens (time-limited, stored encrypted)
2.3 Technical and usage data
Collected automatically when you use Herarx:
- IP address at login and during active sessions
- Device type, operating system, browser name and version
- Approximate geolocation derived from IP (country and city)
- Login timestamps and total login count
- Audit log records of actions you take within the platform (create, edit, delete)
2.4 Subscription and billing data
If you subscribe to a paid plan, billing is processed by Stripe. We store a Stripe customer ID and subscription status against your account. We do not store card numbers or full payment details — these are held by Stripe under their own data processing terms.
2.5 Contact data you store (data you enter about third parties)
Herarx allows you to store profiles of your own contacts (clients, colleagues, case subjects, etc.). This data belongs to you and is processed by Herarx as a data processor on your behalf. See Section 9 for more detail.
2.6 Files, cases, and documents
Files you upload are stored encrypted (AES-256). Case data (title, notes, custom fields, attachments) is stored on our servers. Where S3 storage is configured, files are stored on Amazon Web Services (AWS) infrastructure in encrypted form. Documents generated using the document creation feature, including those processed through the electronic signature feature, are also stored encrypted.
2.7 Connected email accounts
If you use the Mail feature and connect a personal or shared email account (via IMAP/SMTP), we collect and store the following, all encrypted at rest using AES-256-GCM under a per-user encryption key:
- Your email account address and display name
- IMAP login credentials or app passwords (encrypted; used only to fetch and send mail on your behalf)
- Email folder structure (folder names and paths)
- Message metadata and content: sender address, recipient addresses (To/CC), subject line, and a message snippet for each email synced from your account
- Attachments you open or download within Herarx (processed transiently; not stored separately unless you explicitly save them to your Files)
This data is visible only to you (and, in an organisation context, to the designated mailbox owner or an admin with mailbox management permissions). Herarx staff do not access the content of your email messages. You can disconnect a mailbox at any time from your account settings, which stops further sync and removes stored credentials.
If the AI-assisted email monitoring feature is enabled for a specific case, incoming emails may be scored for relevance by sending the sender address, subject, and a short excerpt of the message body to an AI language model endpoint. This feature must be explicitly configured per case and is off by default.
2.8 Workspace and messaging data
If your account belongs to an organisation that uses the Workspace feature, we store the content of messages you send in organisation channels and direct messages (including group direct messages). Workspace message data belongs to the organisation. Organisation administrators may access, manage, or delete workspace messages as part of managing the organisation.
2.9 Client portal and automated contact interactions
When you share a case with a contact via the secure client portal, the contact's email address is used to deliver a portal invitation. Portal access events are logged for audit purposes. When you configure automated email notifications, date-approaching alerts, or work dispatch messages to be sent to your contacts, we process those contacts' email addresses to deliver those messages on your behalf.
3. Why we collect your data and the legal basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing the service (account, cases, files, contacts, mail, workspace) | Contract performance (Art. 6(1)(b)) |
| Processing subscription payments via Stripe | Contract performance (Art. 6(1)(b)) |
| Security, fraud prevention, audit logging | Legitimate interests (Art. 6(1)(f)) |
| Sending transactional emails (verification, password reset, notifications, portal invitations) | Contract performance / Legitimate interests (Art. 6(1)(b)(f)) |
| Sending automated emails to your contacts on your behalf (record notifications, date alerts, dispatch, portal invitations) | Your instruction as data controller (Art. 6(1)(b)); you are responsible for the legal basis for contacting your recipients |
| Analytics and advertising cookies (Google Ads) | Legitimate interests (Art. 6(1)(f)) — use of the site constitutes acceptance |
4. Cookies
Strictly necessary cookies
- session — keeps you signed in during a visit (HttpOnly, Secure)
- remember_token — persists your login when you choose "Remember this device" (HttpOnly, Secure)
- csrf_token — protects forms against cross-site request forgery
These cookies are essential for the service to function and do not require consent.
Analytics and advertising cookies
We load Google Ads (gtag.js) which sets cookies including _gcl_* and _ga. Google reCAPTCHA is loaded on the login and registration pages and may set its own cookies as part of Google's fraud detection service.
By using this site you agree to the use of these cookies. A notice is shown on your first visit. If you do not wish to accept cookies, please do not use the site. You can remove stored cookies at any time by clearing your browser's local storage and cookies for herarx.com.
5. Third-party services and data sharing
We share personal data with the following third parties, solely to provide the service:
Google Ads & reCAPTCHA (Google LLC)
We use Google Ads (account ID: AW-18221685684) for conversion tracking and advertising. Google reCAPTCHA is used to protect login and registration forms from automated abuse. These services are provided by Google LLC (USA). Data is transferred under Google's Standard Contractual Clauses.
We use Google's Customer Match feature to create advertising audiences from our registered user data. Specifically:
- Customer data (including email addresses) collected via our conversion tags and Google's API is shared with Google in compliance with Google's Customer Match policies.
- The data shared with Google will only be used to match your account to Google's systems and to ensure that our Customer Match campaigns comply with Google's policies. It is not used for any other purpose.
- To comply with the General Data Protection Regulation (GDPR), Google Ads Data Processing Terms apply to Customer Match and are incorporated into the Google Ads terms of service. Under these terms, Google acts as a data processor of the personal data we share with them for Customer Match.
Stripe (Stripe, Inc.)
Subscription billing is handled by Stripe. When you subscribe, your billing information is processed by Stripe under their own Privacy Policy. We receive a customer token and subscription status only.
Amazon Web Services (AWS)
Encrypted file data and encrypted data exports may be stored on AWS S3 (EU region). All content is encrypted before upload; AWS does not have access to plaintext content.
Email delivery provider
Transactional and automated emails (account verification, password reset, notifications, portal invitations, date-approaching alerts, and other messages you configure) are sent via our configured SMTP provider. Email addresses involved in delivery are shared with this provider for that purpose only.
Your email provider (when Mail is connected)
When you connect a mailbox, Herarx communicates with your email provider (e.g. any IMAP/SMTP server) to sync messages and send outgoing mail on your behalf. Your email provider's own privacy policy governs how they handle your data independently of Herarx.
AI language model provider (if AI email monitoring is enabled)
If you explicitly enable AI-assisted email monitoring for a case, short excerpts of incoming emails (sender address, subject, and a brief body snippet) are sent to a configured AI language model endpoint to assess relevance. This feature is off by default and must be configured deliberately. If not enabled, no email content is sent to any AI provider for this purpose.
OpenAI (if AI file analysis is enabled)
If the AI-assisted file keyword extraction feature is enabled, excerpts of text from your uploaded files (up to 12,000 characters) are sent to OpenAI's API to generate search keywords. No full file is sent. If this feature is not enabled, no file content leaves our infrastructure for this purpose.
We do not sell your personal data to any third party.
6. International data transfers
Herarx is based in Cyprus (EU). Some of our service providers (Google, Stripe, AWS, OpenAI) are based in the United States. Data transfers to these providers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent transfer mechanisms.
7. Data retention
- Active accounts: personal data is retained for as long as your account is active.
- Account deletion: upon a valid deletion request, all personal data is deleted immediately. If technical issues prevent immediate deletion, we will complete it manually within 1 month.
- Connected mailboxes: when you disconnect a mailbox, stored credentials are deleted and mail sync stops. Emails already synced and linked to cases are retained as part of those case records until the case or account is deleted.
- After subscription ends: your content (cases, files, contacts, mail data, workspace messages) is retained for 6 months. During the first month after expiry you retain full read access. After that, content exceeding your free-tier limits is locked. After 6 months, locked content may be permanently deleted.
- Audit logs: retained for up to 2 years for security and legal compliance purposes, even after account deletion.
- Billing records: retained as required by applicable tax and accounting law (typically 7 years).
8. Your rights under GDPR
As a data subject under EU GDPR, you have the following rights:
- Access: request a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate or incomplete data.
- Erasure ("right to be forgotten"): request deletion of your data. To request account deletion, email us at info@regalholdings.org.
- Restriction: request that we limit processing of your data in certain circumstances.
- Data portability: receive your data in a structured, machine-readable format. Herarx supports data exports from within the application.
- Objection: object to processing based on legitimate interests or for direct marketing.
- Objection to analytics cookies: you may opt out of Google Analytics at any time via Google's opt-out tool or by clearing your browser cookies and local storage for herarx.com and discontinuing use of the site.
To exercise any of these rights, contact us at info@regalholdings.org. We will respond within 30 days.
You also have the right to lodge a complaint with the Cyprus Commissioner for Personal Data Protection (dataprotection.gov.cy) or the supervisory authority in your EU member state of habitual residence.
9. Herarx as a data processor
9.1 Contact records and case data
When you store contact profiles of third-party individuals within Herarx (e.g. clients, case subjects), you are the data controller for that personal data and Herarx acts as your data processor. You are responsible for ensuring you have a lawful basis to store that data and that your use of Herarx complies with your own data protection obligations. Herarx processes that data solely on your instructions and in accordance with this policy.
9.2 Organisation workspace messages
Messages sent in organisation workspace channels and direct messages are stored as organisation data. The organisation (and its owner) is the data controller for workspace content. Herarx processes that content as data processor. Organisation members with appropriate permissions may access or manage workspace messages.
9.3 Portal access and automated contact communications
When you invite a contact to the client portal, or when you configure the platform to automatically send emails to your contacts (notifications, date alerts, dispatch requests), you are the data controller for those contacts' personal data. You are responsible for having a lawful basis to contact them. Herarx sends those communications only on your explicit instruction, acting solely as data processor.
10. Security
We implement appropriate technical and organisational measures to protect your data, including:
- All connections encrypted via TLS (HTTPS enforced)
- Passwords hashed with bcrypt (never stored in plaintext)
- Files and data exports stored encrypted (AES-256)
- Email account credentials, addresses, and message content stored encrypted at rest (AES-256-GCM, per-user encryption key)
- Searchable encrypted fields use blind indexes — plaintext is not stored in indexed columns
- Two-factor authentication available (TOTP and hardware security keys)
- Full audit trail of all data access and modifications
- Role-based access controls within organisations
11. Children
Herarx is not intended for use by persons under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will notify you by email or by a notice within the application.
13. Contact us
For any privacy-related questions, data subject requests, or concerns:
- Email: info@regalholdings.org
- Controller: Giorgos Nikolaou, operating as Herarx, Cyprus