Why this page exists. Processing a voice recording to verify a reviewer's identity involves special-category personal data under UK GDPR (Article 9). That's a high bar. This statement explains how we meet it and what you can do if you disagree with our approach.
01Our GDPR commitment
We commit to processing personal data in line with the UK GDPR and the Data Protection Act 2018. In practical terms this means: we process the minimum necessary data, for specified purposes, with a lawful basis, under strong security, and with transparency.
02Voice biometric data (special category)
Voice biometric processing at Heard falls under Article 9(1) special-category processing. Our legal basis is Article 9(2)(a): explicit consent, captured at the moment a reviewer records.
What we tell reviewers at recording time
- Their voice will be recorded.
- A voice fingerprint will be derived for verification.
- Approximate location and timestamp will be attached.
- The review (audio and text) will be published to the business's Heard profile.
- They can withdraw consent and request deletion at any time.
What we do differently from traditional biometrics
- We do not build or store persistent voiceprint identities linked to an individual across businesses.
- Fingerprints are scoped to the verification window for a specific review.
- Raw recordings are segregated from fingerprints and accessed only for audit.
03Your rights
Under UK GDPR you have the right to:
- Access a copy of the personal data we hold about you.
- Rectify data that is inaccurate or incomplete.
- Erase your data, subject to lawful retention requirements.
- Restrict or object to certain processing.
- Withdraw consent at any time where consent is the legal basis.
- Port your data to another provider in a structured, machine-readable format.
- Not be subject to decisions based solely on automated processing (we do not make any such decisions that produce legal or similarly significant effects).
- Complain to the Information Commissioner's Office (ICO).
To exercise any of these rights, email hello@heard.reviews. We respond within 30 calendar days.
04Data Protection Officer
Our Data Protection lead is contactable at hello@heard.reviews. A named DPO will be appointed before general availability; pilot queries are handled by the founding team.
05ICO registration
ASI Corporation Ltd will be registered with the Information Commissioner's Office. Our registration number will be published here once confirmed.
06International transfers
Primary data storage is in the UK. Where a sub-processor operates in the EEA, transfers are covered by UK adequacy or equivalent safeguards. We don't transfer personal data outside the UK or EEA without appropriate protections (UK International Data Transfer Agreement or equivalent).
07DPIA (Data Protection Impact Assessment)
Because voice biometric processing is high-risk, we maintain a DPIA under Article 35. Pilot participants may request a redacted summary by emailing hello@heard.reviews.
08Breach notification
In the event of a personal data breach that poses a risk to individuals, we notify the ICO within 72 hours and affected data subjects without undue delay, as required by Articles 33 and 34.
09Complaints
If you believe we've mishandled your data, tell us first at hello@heard.reviews. You can also complain directly to the ICO at ico.org.uk or by calling 0303 123 1113.