Privacy Policy
Last updated: 2026-03-03
Who we are
Heist AS ("Heist", "we", "us") provides an autonomous penetration testing platform that enables customers to run continuous application security tests (the "Service"). This Privacy Policy explains how we collect, use, and protect personal data in connection with the Service and our business activities.
Heist AS is the data controller for the processing described in this policy. For questions about your personal data, contact us at privacy@heisthq.com.
Heist AS
Org. nr. 935 833 973
Sandbrekkevegen 100
5225 Nesttun
Norway
What this policy covers
This policy covers personal data we process in our role as data controller, meaning data we collect and use for our own purposes.
Heist also acts as a data processor on behalf of customers. That processing is governed by our Data Processing Agreement, not this policy. If your personal data is processed as part of a customer's use of the Service, please contact that customer. See Section 12 below for more detail.
The information we collect
Account and contact information
When you sign up for or use the Service, we process your name, work email address, role, company name, and any other contact details you provide.
Service usage
We process information about how you use the Service, including account activity, support enquiries, communications with us, and configuration settings.
Technical information
We process IP addresses, device and browser information, and log data for system administration, reliability, and security.
Website visitors
Our website (heisthq.com) is built on Framer and uses minimal analytics. We use PostHog for product analytics within the Service. You can manage cookie preferences in your browser settings.
Business contacts and prospecting
We collect contact information about potential customers from publicly available sources and third-party data providers in order to market our services. This includes name, work email, job title, company, and professional background. If you have not interacted with us directly but have received communication from us, your information was likely obtained from a publicly available source or a data enrichment provider. You can request deletion of this information at any time (see Section 10).
Event and newsletter subscribers
If you sign up for our newsletter or attend our events, we process your name, email address, job title, and company.
Why we process your data and on what legal basis
To deliver the Service (legal basis: performance of contract)
Creating and maintaining your account, granting access, delivering the Service, responding to support enquiries, and notifying you of changes to the Service or these terms.
To improve and secure the Service (legal basis: legitimate interest)
Improving the Service, its content, and user experience. Maintaining, monitoring, and strengthening security, preventing fraud and abuse. We consider that these interests do not override your privacy interests, given that we process only business contact information and service usage data.
To market our services (legal basis: legitimate interest)
Communicating with existing and prospective business customers about the Service. We use Loops for marketing emails. You can unsubscribe from marketing emails at any time. We consider that our interest in reaching relevant business contacts does not override your privacy interests, given the professional context and the ease of opting out.
To comply with legal obligations (legal basis: legal obligation)
Retaining records required by accounting legislation or other statutory requirements.
Who we share data with
We use service providers who perform services on our behalf. We have data processing agreements in place with each provider. These providers only process personal data according to our instructions and for the purposes described in this policy.
Our current providers include:
| Provider | Purpose |
|---|---|
| Stripe | Payment processing |
| Google Workspace | Internal communication and productivity |
| Attio | Customer relationship management |
| Loops | Marketing email |
| PostHog | Product analytics |
| Cal.com | Scheduling |
| Framer | Website hosting |
| Slack | Internal communication |
| Notion | Internal documentation |
| Anthropic (Claude) | AI-assisted work |
| Granola | Meeting notes |
| Wisprflow | Meeting transcription |
| Kaspr | Sales prospecting |
| Lusha | Sales prospecting |
| LinkedIn Sales Navigator | Sales prospecting |
A full list of sub-processors that process Customer Data on behalf of our customers is available at heisthq.com/sub-processors. That list covers Heist's role as a data processor and is separate from the providers listed above.
International transfers
Several of our service providers are based in the United States. Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses and, where applicable, certification under the EU-US Data Privacy Framework.
We do not sell, rent, or exchange your personal data with third parties for their own purposes.
Security
We take appropriate technical and organisational measures to protect personal data against unauthorised access, loss, and misuse. For details on how we secure the Service, see our security page at heisthq.com/trust.
Obligation to provide data
To create an account and use the Service, you must provide your name and work email address. Without this information, we cannot deliver the Service. All other data you provide is voluntary.
How long we keep your data
We retain personal data for as long as necessary to fulfil the purposes described in this policy.
Account data is deleted when you cancel your account or at your request, unless legal obligations require continued storage. Purchase and payment documentation is retained for five years in accordance with Norwegian accounting legislation. Prospecting data is deleted when you request it or when we determine it is no longer relevant. Marketing preferences are retained until you unsubscribe.
Your rights
Under the General Data Protection Regulation, you have the right to access the personal data we hold about you, to have inaccurate data corrected, to request deletion of your data, to restrict or object to processing, and to receive your data in a portable format.
To exercise any of these rights, contact us at privacy@heisthq.com. We may need to verify your identity before processing your request.
If your request relates to Customer Data processed on behalf of a customer, please contact that customer directly. We will assist customers in responding to such requests as required.
Complaints
You have the right to lodge a complaint with a supervisory authority. In Norway, the supervisory authority is Datatilsynet (datatilsynet.no). You may also complain to the supervisory authority in the EU/EEA country where you live or work.
Heist as a data processor
Heist tests customer applications using dedicated test accounts provisioned by the customer. During testing, our agents may incidentally encounter personal data that exists in the target application. Heist does not intentionally collect end-user personal data. Where personal data is clearly identifiable in findings, it is anonymised before storage.
Customers are the data controllers for Customer Data. Heist processes this data strictly according to customer instructions and our Data Processing Agreement, available at heisthq.com/dpa. A list of sub-processors involved in this processing is maintained at heisthq.com/sub-processors.
If you believe your personal data has been processed as part of a customer's use of the Service, please contact that customer.
Changes to this policy
We may update this Privacy Policy from time to time. The current version is always available at heisthq.com/privacy-policy. We will notify users of material changes that affect how we process their personal data.
Contact
Heist AS
Org. nr. 935 833 973
Sandbrekkevegen 100
5225 Nesttun
Norway
privacy@heisthq.com