hey squad
on s'installe ?

legal · privacy

Privacy
policy.

Your data is your business. Here's what we collect, why, how we protect it, and the rights you have over all of it.

Last updated · April 24, 2026

01

Who is responsible for your data

The data controller is HeySquad sous la gestion d'Elan Invest, company number BE 0839.904.588, registered office at Rue des Nouvelles Technologies 10, 4821 Thimister-Clermont, Belgium.

For any question about your data: hello@heysquad.be. You can also write to us by post at the address above.

02

Why we collect this data

We collect data for a very limited set of reasons:

  • Reply when you write to us. An email to hello@heysquad.be, a contact form — we need your name + email to reply.
  • Understand what works on the site. Measure the most-read pages, time spent, traffic sources — to adjust what we publish and drop what doesn't serve.
  • Improve your journey. Remember your preferences (language, cookie choices) so the site stays consistent on your next visit.
  • Distribute our content. When you consent, we may reach you on LinkedIn, Meta or Google with relevant content — never more often than necessary.
  • Meet our legal obligations. Invoicing, accounting, retention of commercial emails — obligations under the Belgian Code of Economic Law.
03

On what legal basis

The GDPR requires a legal basis for each processing activity. Here are ours:

  • Consent (GDPR art. 6.1.a) — for measurement, marketing, and preference cookies. You give consent via the cookie banner and can withdraw it anytime.
  • Legitimate interest (GDPR art. 6.1.f) — to respond to your messages and ensure site security (anti-fraud, anti-spam, error logs).
  • Contract execution (GDPR art. 6.1.b) — if you become a client, to run our collaboration (invoices, deliverables, project exchanges).
  • Legal obligation (GDPR art. 6.1.c) — accounting, invoicing, retention of pre-contractual exchanges when required by law.
04

What data exactly

  • Identification & contact — last name, first name, email, company, phone. Collected only if you provide them.
  • Navigation — pages visited, duration, traffic source, device type, browser, country. Only if you accept analytics cookies.
  • Technical — IP address (anonymized for analytics), session identifiers. Required for the site to function.
  • Content of your messages — when you write to us, the email content is kept for the time strictly necessary to follow up on the conversation.

We collect no sensitive data (health, orientation, origin, political opinions, religion) — our work doesn't require it.

05

Cookies & trackers

A cookie is a small text file placed on your browser. We use four categories. By default everything is refused except strictly necessary cookies — we wait for your explicit consent to activate the rest.

Nécessaires · toujours actifs

Indispensables au fonctionnement du site (session, sécurité, préférence de langue, choix de consentement). On ne peut pas les désactiver.

Tools
Session applicative, CSRF, cookie hs_consent (13 mois)
Legal basis
Legitimate interest
Duration
Session ou 13 mois max

Analyses · optionnels

Mesurent l'audience et le parcours pour qu'on puisse améliorer le site. IP anonymisées, données agrégées. Aucune identification personnelle.

Tools
Google Analytics 4, Vercel Analytics, Vercel Speed Insights
Legal basis
Consent
Duration
14 mois (GA4) · 90 jours (Vercel)

Marketing · optionnels

Nous permettent de te retrouver avec des contenus pertinents sur d'autres plateformes et de mesurer nos campagnes.

Tools
Meta Pixel, LinkedIn Insight Tag, Google Ads remarketing (via Google Tag Manager)
Legal basis
Consent
Duration
13 mois max

Préférences · optionnels

Mémorisent tes choix non-essentiels (thème, dernière section visitée) pour un parcours cohérent au prochain passage.

Tools
localStorage applicatif
Legal basis
Consent
Duration
6 mois

change your mind

You can change your consent anytime. Takes 10 seconds.

06

How long we keep it

  • Cookies — 13 months max (CNIL/APD recommendation). The consent cookie expires after 13 months → we ask again.
  • Email exchanges — 3 years after the last contact, unless a specific legal obligation applies.
  • Client data — duration of the relationship + 10 years (accounting obligation, Belgian Code of Economic Law art. III.86).
  • Anonymized navigation data — 14 months in GA4 (default setting).
  • Technical logs — 90 days (Vercel, Neon).
07

Who we share it with

We never sell your data. We work with certified sub-processors who only handle it on our behalf, under a strict contractual framework (signed DPA).

Vercel Inc.

Hébergement du site + Analytics + Speed Insights

États-Unis (certifié EU-US Data Privacy Framework)

Neon Inc.

Base de données Postgres (contenus éditoriaux)

Union européenne (Frankfurt)

Google Ireland Ltd.

Google Tag Manager + Google Analytics 4 (sous réserve de ton accord)

Irlande + États-Unis (DPF)

Meta Platforms Ireland Ltd.

Meta Pixel (sous réserve de ton accord marketing)

Irlande + États-Unis (DPF)

LinkedIn Ireland Unlimited Company

LinkedIn Insight Tag (sous réserve de ton accord marketing)

Irlande + États-Unis (DPF)

The Rocket Science Group LLC (Mailchimp)

Envoi d'emails transactionnels et marketing (le cas échéant)

États-Unis (DPF)

08

Transfers outside the European Union

Some sub-processors (Vercel, Google, Meta, LinkedIn) are based in the United States. Transfers are made under the EU-U.S. Data Privacy Framework (DPF), a transfer mechanism adopted by the European Commission in July 2023.

For sub-processors not certified under DPF, transfers are governed by standard contractual clauses adopted by the European Commission (Decision 2021/914).

09

How we secure it

  • Encrypted exchanges over HTTPS (TLS 1.3).
  • Database hosted in the EU, encrypted at rest (AES-256).
  • Tool access secured by multi-factor authentication (2FA).
  • Access logs kept for 90 days for intrusion detection.
  • Minimization principle — we store only what serves a purpose.
  • Annual review of the security policy.

In case of a data breach affecting us that is likely to result in a high risk to your rights, we notify you without delay (GDPR art. 34).

10

Your rights

The GDPR gives you a set of rights over your personal data. We respect them without question, and free of charge.

  • Right of access — know what data we hold about you and get a copy.
  • Right to rectification — correct inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten") — request deletion of your data, unless a legal obligation applies.
  • Right to restriction — request that we freeze the processing of your data in certain cases.
  • Right to object — oppose processing based on our legitimate interest.
  • Right to portability — retrieve your data in a structured, machine-readable format.
  • Right to withdraw consent — anytime, without affecting the lawfulness of prior processing.
  • Right not to be subject to automated decisions — we make none about you, but the right is preserved.

To exercise one of these rights, write to us at hello@heysquad.be. We reply within one month (extendable by 2 months for complex requests, GDPR art. 12).

11

Contact us & APD complaint

For any question or request related to your personal data:

  • By email: hello@heysquad.be
  • By post: HeySquad, Rue des Nouvelles Technologies 10, 4821 Thimister-Clermont, Belgium

If you believe we're not respecting your rights, you can file a complaint with the Belgian Data Protection Authority (APD), Rue de la Presse 35, 1000 Brussels — autoriteprotectiondonnees.be.

This policy may change — the last updated date is shown at the top of the page. Major changes are notified via the cookie banner.

← Back to home

HeySquad · Thimister-Clermont · Belgium