Privacy policy

Last updated: 31 May 2026 · Version 1.0

This Privacy Policy explains how Get Velp Limited, trading as Headsum, collects and uses personal data in connection with the Headsum application, website, software, and related services (the "Service"). Get Velp Limited is a company registered in England and Wales (Co. No. 15905887), with its registered office at 30-32 Gildredge Road, Eastbourne, East Sussex, United Kingdom, BN21 4SH.

We are committed to handling personal data in line with applicable data protection law, including the UK GDPR, the EU GDPR where applicable, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003.

1. Our two roles

Headsum handles personal data in two different roles depending on the type of data and the purpose for which it is processed.

As a processor for Customer Content. When a customer or its users use Headsum to capture, transcribe, analyse, summarise, or generate support from meeting content, uploaded documents, playbooks, decks, CRM content where enabled, prompts, notes, and AI outputs, the customer is generally the controller and Get Velp acts as processor. Our processor obligations are set out in the Headsum Data Processing Agreement ("DPA").

As a controller for operational data. We act as an independent controller for the limited personal data we need to run, secure, support, bill, administer, and improve the technical reliability of the Service — including account data, authentication data, billing status, usage data, diagnostics, security logs, support communications, and business administration data.

2. Personal data we process

The categories below describe the main types of personal data processed in connection with Headsum.

Account data — name, business email address, account identifiers, authentication identifiers, profile and workspace metadata
Billing and subscription data — subscription status, plan details, billing contact details, invoices, payment status, and purchase records
Usage, diagnostics, and security data — feature usage, device and app diagnostics, log data, IP address, approximate location derived from technical data, error reports, and security events
Support and communications data — messages sent to us, support requests, feedback, and records of how we respond
Uploaded Customer Content — documents, playbooks, decks, prompts, notes, and other files uploaded or connected by a customer or user (processed as processor)
Meeting content — audio while processed, speech, transcripts, summaries, insights, AI outputs, names, and contact details of meeting participants (processed as processor)
Website and cookie data — cookie identifiers, analytics events, consent preferences, pages viewed, and similar technical data

Headsum is not designed to collect special-category data. However, such data may appear incidentally in meeting content or uploaded materials. Where that occurs in Customer Content, we process it as processor on the customer's instructions.

3. Sources of personal data

We collect personal data directly from users when they create an account, use the Service, contact us, upload materials, connect integrations, or participate in meetings where Headsum is used. We may also receive personal data from the customer organisation, from integrated services that the customer enables, from Apple or another authorised billing route, from authentication providers, and from technical systems that support the Service.

4. Lawful bases for our controller processing

Where Get Velp acts as controller, we rely on the following lawful bases under Article 6 UK/EU GDPR:

Contract — to create and operate accounts, provide subscribed features, manage subscriptions, provide support, and administer the Service
Legitimate interests — to secure, maintain, troubleshoot, measure, and improve the technical reliability of the Service; prevent abuse or fraud; and protect our legal rights
Legal obligation — to comply with legal, tax, accounting, regulatory, and security obligations
Consent — where required for non-essential cookies, analytics, or similar technologies

Where Headsum acts as processor for Customer Content, the customer determines the lawful basis and is responsible for providing required privacy information and obtaining any consent or permission required before using the Service to record, transcribe, or analyse meeting content.

5. How we use personal data

To provide, operate, secure, maintain, and support the Service
To capture, transcribe, analyse, summarise, and generate outputs from Customer Content on the customer's instructions
To manage accounts, authentication, subscriptions, billing, and support
To enable integrations that customers choose to connect
To monitor, troubleshoot, and improve the technical reliability and performance of the Service
To communicate with users and customers about the Service
To comply with legal obligations, enforce our Terms, and protect rights and safety

6. No AI training on Customer Content

We do not use Customer Content — including meeting audio, transcripts, summaries, insights, prompts, AI outputs, CRM content, or uploaded documents — to train, fine-tune, or improve any artificial-intelligence or machine-learning models, whether our own or those of our providers, unless the customer has expressly agreed to that in a separate written agreement.

We do not sell personal data. We do not use Customer Content for advertising.

7. Sharing and sub-processors

We share personal data only where needed to provide, secure, support, administer, or improve the Service. Our main providers include:

OpenAI — AI and language model processing to generate live assistance, summaries, insights, and responses from Customer Content
Auth0 / Okta — authentication, identity management, and secure sign-in
Google Cloud / Google Analytics — cloud services, storage, infrastructure, and analytics
HubSpot — CRM integration, customer communications, and support workflows

We may also disclose personal data to professional advisers, regulators, courts, law enforcement, and other parties where required or permitted by law.

8. International transfers

Some of our providers are located outside the UK and EEA, including in the United States. Where we transfer personal data internationally, we use an appropriate transfer mechanism — such as an adequacy decision, the EU Standard Contractual Clauses, the UK International Data Transfer Agreement, or another lawful mechanism.

9. Retention

We keep personal data only for as long as needed for the purposes described in this Policy or as required by law.

Meeting audio — processed transiently; not stored after processing unless a feature expressly enables storage or retention is required for security or legal reasons
Transcripts, summaries, insights, and uploaded documents — retained until deleted by the customer or user, or on account closure or termination
Account and authentication data — retained for the duration of the account and a reasonable period after closure
Billing, subscription, and invoice records — retained as needed for tax, accounting, audit, and compliance purposes
Support and customer communications — retained as needed to handle requests and protect legal rights
Usage, diagnostics, and security logs — normally retained for a limited operational period unless needed for security, legal, or compliance purposes
Cookie and consent data — retained according to the relevant cookie and consent-management settings; see our Cookie Policy

10. Your rights

Subject to applicable law, you may have the right to access your personal data; have it corrected; have it erased; restrict or object to its processing; receive a copy in a portable format; withdraw consent; and complain to a data protection authority.

Where Get Velp acts as controller, contact us using the details below. We will respond within one month where required by UK/EU GDPR.

Where Headsum acts as processor for Customer Content, requests from meeting participants or other data subjects should usually be directed to the relevant customer, who is the controller. You have the right to complain to the UK Information Commissioner's Office at ico.org.uk.

11. Cookies and similar technologies

We use cookies, analytics technologies, and similar tools on our website and application. Some are necessary for the Service to work; others help us understand usage and improve reliability. Where required by law, we ask for consent before using non-essential cookies. More information is in our Cookie Policy.

12. AI outputs and automated decision-making

Headsum generates AI outputs — such as transcripts, summaries, insights, and live assistance — that may be inaccurate, incomplete, or unsuitable. Customers and users remain responsible for reviewing outputs before using or sharing them.

We do not use Headsum to make solely automated decisions about individuals that produce legal or similarly significant effects. Customers must not use the Service as the sole basis for decisions with legal, financial, employment, health, or similarly significant effects on individuals.

13. Security

We use appropriate technical and organisational measures to protect personal data — including encryption in transit and at rest where supported, access controls, authentication, supplier due diligence, monitoring, incident response, and retention and deletion routines. No system can be guaranteed completely secure.

14. Data breaches

If a personal data breach occurs and notification is required by law, we will notify the relevant supervisory authority and affected individuals where required. Where the breach affects Customer Personal Data that we process as processor, we will notify the relevant customer without undue delay in accordance with the DPA.

15. Children

Headsum is a business tool intended for users aged 18 and over. It is not directed at children, and we do not knowingly collect personal data from anyone under 18.

16. Changes to this policy

We may update this Privacy Policy from time to time. Where changes are material, we will give reasonable notice by email, in-app notice, or website notice.

17. Contact

Data protection enquiries: compliance@headsum.com

Get Velp Limited, 30-32 Gildredge Road, Eastbourne, East Sussex, United Kingdom, BN21 4SH.