Data protection is close to our heart

We are fans of the GDPR, and data protection is close to our hearts. That's why we have done everything in our power to implement the protection of personal data exactly as prescribed. As a SaaS provider, we strictly separate our marketing site from our product. In short, this means that personal data is processed in the web app and is only available to the respective users in encrypted form. On the marketing side, we do not use tracking cookies, so we do not automatically collect data to uniquely identify you. If we ask for personal data, we do so only explicitly, after the user has consented.

Your data stays in the EU
Our software is a trust and security product, which is why we refrain from collecting marketing data in our product. In addition, as a German company, we commit to storing all personal data that we (have to) collect for operational purposes exclusively in the EU. When purchasing via self-service in the app, this also includes the UK. By the way, we don't just say this: it is laid down in our order processing contract and can be read at any time. We are also transparent about our sub-processors, the list of which can be viewed here at any time.
We have also stipulated that the inclusion of providers outside the European Economic Area requires explicit consent from the customer (§7 in our GCU). This means that we cannot simply introduce additional sub-processors "through the back door". To protect these conditions and guarantee implementation, we have established numerous technical and organisational measures. All these measures have been additionally audited by activeMind AG.

No marketing trackers? Not a matter of course.
Even in the early development phase of heylogin, it was clear to us that marketing trackers had no place in our software. You can check this at any time in heylogin's Exodus Report. We are proud to be one of the exceptions on the password manager market, alongside 1Password and a few others, that do not use marketing trackers. However, in order to automatically record and eliminate errors, we use "Sentry" (recognised as a tracker by Exodus), an error reporting system that heylogin GmbH hosts itself. No personal data is collected that is not already known through the heylogin account. As the system is self-hosted, no data is transferred to third-party providers.

Minimum data - maximum protection
In addition to all previous measures, we also adhere to the data minimisation requirements of the GDPR. In the case of, this means that we only collect the data that we really need, i.e. the user's email and the organisation name. For troubleshooting purposes, we also see communication data between the smartphone, server and browser extension, but not the content of the communication. All other data stored in heylogin is end-to-end encrypted and only accessible by the respective user, but not by us.

Our biscuit tin remains empty
Have you noticed? Our website does not have a cookie banner, because this is only necessary if personal data is automatically collected via tracking cookies. We do not use tracking cookies, but only aggregated usage data for our marketing. For this, we rely on Plausible, as it allows appropriate settings for adequate data protection compliance. You can read more about this here.
If we do process personal data, we will ask for your explicit consent at that moment, for example when using the chat or booking a video call.