The short version. We collect the minimum we need to run Heard: your business details, the voice recordings customers send you, and basic analytics. We never sell data. Voice recordings are stored in the UK, encrypted, and retained only as long as your compliance audit trail requires.
01 Who we are
Heard is a trading name of ASI Corporation Ltd, a company registered in England and Wales. Our registered office is in London. For the purposes of UK GDPR we are the data controller for information collected through heard.reviews.
You can contact our data protection lead at hello@heard.reviews.
02 What we collect
From you (business account holder)
- Contact details: name, email, business name, business type, location.
- Account credentials.
- Billing details (processed by our payment provider; we don't store full card numbers).
- Support correspondence.
Pilot signups
If you join the founding pilot, we only collect: your business email, business name, business type, the page you signed up from, and a timestamp. We don't take billing details during the pilot, and we don't issue account credentials until your account is provisioned.
From your customers (reviewers)
- Voice recording of the review (up to 30 seconds).
- A voice fingerprint derived from that recording.
- Approximate location and timestamp at the moment of recording.
- Display name or initials (as provided).
Voice biometric data is classified as special-category data under UK GDPR. We process it only with the reviewer's explicit, freely given consent, captured at the moment of recording. Reviewers are shown clearly what we collect and why.
From partnership and general enquiries
When you contact us via the partnerships form, the press page, or any of our published email addresses (hello@, partnerships@, press@), we collect your name, email, organisation, the category of enquiry, and the content of your message. We use this information only to respond and, where you've asked us to, to discuss a working arrangement. We hold these records for 24 months from last contact unless a commercial relationship is established, in which case account-records retention applies (see §07).
03 Why we process it
We use your data to:
- Verify that a review is from a real, distinct human at a specific time and place.
- Publish verified reviews to your Heard profile.
- Generate a compliance audit trail to meet your obligations under the DMCCA.
- Send product and account communications.
- Debug, improve, and secure the service.
04 Our legal bases
- Contract. Processing necessary to provide the service you've signed up to.
- Legitimate interests. Fraud prevention, service security, and direct product communications where you'd reasonably expect them.
- Consent. For voice biometric processing (reviewer), and for optional marketing communications (business).
- Legal obligation. Where we're required to retain records under UK law or respond to lawful requests.
05 Who we share data with
We never sell your data. We share it only with:
- Sub-processors who help us run the service: hosting, transcription, email delivery, and analytics. Each is contractually bound by UK GDPR obligations. A current list is available on request.
- UK authorities where legally compelled to do so, including the Competition and Markets Authority (CMA) in the context of a DMCCA audit or investigation.
- Other parties only with your explicit instruction.
06 Where data lives
Primary application data is stored on UK or EEA-region infrastructure where possible. Some sub-processors — notably our hosting provider Vercel and our records platform Airtable — process data in the United States. These transfers are covered by the UK Extension to the EU-US Data Privacy Framework (where the sub-processor is certified under it) or by the UK International Data Transfer Addendum to Standard Contractual Clauses.
07 How long we keep it
- Raw voice recordings: retained for the statutory minimum needed to maintain a defensible DMCCA audit trail, plus any period you elect when purchasing a Compliance Audit package.
- Voice fingerprints and metadata: retained for the life of the associated review, or until you or the reviewer request deletion.
- Account records: retained while your account is active, plus up to six years thereafter to meet accounting and tax obligations.
08 Your rights
Under UK GDPR you have the right to:
- Access a copy of your data.
- Correct inaccurate data.
- Request erasure (subject to lawful retention requirements).
- Restrict or object to processing.
- Withdraw consent where consent is the legal basis.
- Port your data to another provider.
- Complain to the Information Commissioner's Office (ico.org.uk).
To exercise any of these rights, email hello@heard.reviews. We aim to respond within 30 calendar days.
09 Security
Voice recordings and fingerprints are encrypted in transit (TLS 1.3) and at rest (AES-256). Access to raw audio is tightly scoped and logged. We run regular vulnerability scans and maintain an incident-response runbook.
10 Changes to this policy
When we make material changes we'll notify account holders by email and update the "Last updated" date above. Minor wording changes won't trigger a notice.
This is a pilot-era policy. We're updating it as the product evolves and as DMCCA guidance matures. Significant updates will be flagged. The version above is dated 25 April 2026.