How we handle your data.
The How Company B.V.
Amsterdam, Netherlands
KVK registration: pending
Data protection contact: privacy@haven-does.com
Haven is built by operators. We collect only what we need, store it where it makes sense (primarily EU, with US sub-processors disclosed below), and give you full control over your data. This policy explains what we collect, why, and what you can do about it.
What we collect
CX Maturity Diagnostic
The diagnostic runs in your browser. When you submit it, your responses are saved to our database only if you tick the consent box on the context screen. The consent box is unticked by default. If you do not tick it, your diagnostic is processed in-session and nothing is persisted.
If you do consent, we save the data below and show you a submission ID. Quote that ID in any email to privacy@haven-does.com to request deletion.
| Data | Purpose | Required |
|---|---|---|
| Diagnostic answers | Generate your maturity report and recommendations | Yes |
| Per-function scores and overall composite | Calculate maturity levels and benchmarks | Yes |
| Submission ID (8-character random) | Identifier you can quote to request deletion | Automatic |
| Name | Personalise your report | No |
| Email address | Send your report if requested. Tie deletion requests to your submission. | No |
| Role, team size, company stage | Tailor recommendations to your context | No |
| CX tool, chatbots, automation | Contextualise tooling recommendations | No |
| Salted hash of IP address | Fraud detection only. Cannot be reversed to your IP. Not used for tracking. | Automatic |
| Truncated user-agent string | Debugging and abuse detection | Automatic |
| Consent record | Demonstrate valid consent per GDPR Art. 7 | Automatic |
Waitlist
If you join the waitlist, we collect your email address. We use it to send a launch notification when Haven opens and occasional product news. You can unsubscribe from any email we send and we will delete your record on request.
Website analytics
We use Netlify's built-in analytics for basic traffic data (page views, referrers). This is server-side only, uses no cookies, sets no tracking identifiers, and does not follow you across sites.
Cookies and browser storage
We set one cookie. Its name is haven_access and it is issued only after you successfully submit an early-access code. It contains a timestamp and an HMAC signature, has a 30-day lifetime, and is marked Secure and SameSite=Lax. Its sole purpose is to remember that you have already entered your access code so you don't have to do it again. It contains no personal data, no tracking identifiers, and is not shared with any third party.
The cookie is strictly necessary for the access feature you have requested, which makes it exempt from prior-consent requirements under the ePrivacy Directive (Art. 5(3) and the corresponding Dutch Telecommunicatiewet Art. 11.7a). You can delete it at any time through your browser settings.
Legal basis
| Activity | Legal basis (GDPR Art. 6) |
|---|---|
| Processing diagnostic answers to generate results in-session | Consent (Art. 6(1)(a)). You actively submit the diagnostic. |
| Storing diagnostic submissions for benchmarks and tool improvement | Consent (Art. 6(1)(a)). Opt-in checkbox on the context screen, unticked by default. |
| Waitlist email (launch notification and product updates) | Consent (Art. 6(1)(a)). You tick a box and provide your email voluntarily. |
| Access cookie (haven_access) | Legitimate interest (Art. 6(1)(f)) and strictly-necessary exemption under the ePrivacy Directive Art. 5(3). |
| Salted IP hash and truncated user-agent for fraud detection | Legitimate interest (Art. 6(1)(f)). The hash cannot be reversed to your IP. |
| Server-side analytics | Legitimate interest (Art. 6(1)(f)). No personal data is processed. |
| Consent record keeping | Legal obligation (Art. 6(1)(c)). Required by Art. 7(1). |
Automated processing
The diagnostic uses automated scoring to generate your maturity report. Your answers are scored numerically, averaged per function, and mapped to maturity levels (Reactive, Emerging, Defined, Optimised). Recommendations are generated based on these scores.
This is informational only. No decisions with legal or similarly significant effects are made solely by automated means (GDPR Art. 22). The output is a report for your consideration, not a binding assessment. You are free to disregard any recommendation.
Consent records
When you give consent (waitlist or diagnostic) we write a record to a dedicated consent_records table. This is what allows us to demonstrate valid consent under Art. 7(1) if a supervisory authority asks.
| Field | What we store |
|---|---|
| Source | Either waitlist or diagnostic |
| Identifier | Your email (waitlist) or submission ID (diagnostic). This is what we use to find your record if you exercise rights. |
| Consent given | Whether you opted in |
| Consent text | The exact wording of the checkbox you ticked, stored verbatim |
| Policy version | The version of this privacy policy in effect at the time (currently v1.1) |
| Given at | ISO 8601 timestamp of when consent was recorded |
| Withdrawn at | ISO 8601 timestamp if you later withdraw consent. Null otherwise. |
| Salted IP hash | One-way hash, fraud detection only |
| Truncated user-agent | Debugging and abuse detection |
Where your data is stored
The database that holds waitlist records, diagnostic submissions, and consent records is hosted in the European Union (Supabase, EU West region in Frankfurt). The website itself is served from Netlify's global edge network with EU processing where available.
Sub-processors
The following third parties process data on our behalf. Each is bound by a Data Processing Agreement (DPA).
| Processor | Purpose | Location | Transfer basis |
|---|---|---|---|
| Supabase Inc. (running on AWS) | Database for waitlist, diagnostic submissions, and consent records | EU West (Frankfurt). AWS sub-processor. | DPA in place. SCCs (Art. 46(2)(c)) for AWS sub-processing. |
| Netlify Inc. (USA) | Website hosting, server-side analytics, function execution | EU edge processing where available. US parent jurisdiction. | DPA in place. EU-US Data Privacy Framework (Art. 45) and SCCs (Art. 46(2)(c)). |
| Resend Inc. (USA) | Transactional email (waitlist confirmation, internal notifications) | EU processing where configured. US parent jurisdiction. | DPA in place. EU-US Data Privacy Framework (Art. 45) and SCCs (Art. 46(2)(c)). |
Some sub-processors are headquartered in the United States. Personal data they handle may be subject to US legal jurisdiction (FISA 702, the CLOUD Act). We rely on the EU-US Data Privacy Framework adequacy decision under Art. 45 and Standard Contractual Clauses under Art. 46(2)(c) as the legal basis for these transfers. We do not sell, rent, or share your personal data with third parties for their own purposes.
Security measures
We apply the technical and organisational measures required by Art. 32:
| Measure | Implementation |
|---|---|
| Encryption in transit | HTTPS (TLS 1.2+) on every page and API call. HSTS enabled. |
| Encryption at rest | Supabase default (AES-256). Database backups encrypted. |
| Access controls | Production data accessible to a single administrator with multi-factor authentication. No shared credentials. |
| Secrets management | API keys and HMAC secrets stored as Netlify environment variables, never committed to source control. |
| Cookie integrity | The access cookie is HMAC-signed. The browser cannot forge a valid cookie without the server-side secret. |
| Backups | Daily Supabase backups, retained 7 days, encrypted at rest. |
| Logging and monitoring | Netlify function logs reviewed regularly for unusual activity. No request bodies are logged. |
How long we keep it
| Data | Retention |
|---|---|
| Diagnostic submissions (with consent) | 24 months from submission. Automatically deleted by a scheduled job that runs daily. |
| Diagnostic submissions (without consent) | Processed in-session only. Never persisted. |
| Consent records | Retained for the duration of the data they relate to, plus 12 months. Then automatically deleted. |
| Waitlist emails | Until you unsubscribe, you ask us to delete it, or 12 months after collection if Haven hasn't yet opened, whichever comes first. |
| Access cookie (haven_access) | 30 days from issue. Deleted by your browser automatically. You can clear it earlier in browser settings. |
| Salted IP hash and truncated user-agent | Same as the record they are attached to. Cannot be reversed. |
| Server-side analytics | 30 days (Netlify default) |
| Function execution logs | Up to 7 days (Netlify default), no request bodies logged |
Automated deletion is enforced via a scheduled pg_cron job in Supabase that runs daily. If you request deletion before the retention period expires, we process your request within one month.
Your rights
Under the GDPR, you have the following rights. To exercise any of them, email privacy@haven-does.com. For a diagnostic submission, include the submission ID we showed you. We will respond within one month (Art. 12(3)). For complex requests we may extend this by up to two further months and will tell you within the first month if we need to.
Before fulfilling access, deletion, or portability requests, we may ask for additional information to verify your identity (Art. 12(6)). This protects your data from being released to someone impersonating you.
| Right | What it means |
|---|---|
| Access (Art. 15) | Request a copy of any personal data we hold about you |
| Rectification (Art. 16) | Correct inaccurate or incomplete data |
| Erasure (Art. 17) | Request deletion of your data. We will delete within one month and confirm by email. |
| Restriction (Art. 18) | Limit how we process your data while a concern is resolved |
| Portability (Art. 20) | Receive your data in a structured, machine-readable format (JSON) |
| Objection (Art. 21) | Object to processing based on legitimate interest |
| Withdraw consent (Art. 7(3)) | Withdraw consent at any time. Every email we send includes a one-click unsubscribe link. You can also email us. This does not affect the lawfulness of processing that occurred before withdrawal. Upon withdrawal, we will delete your stored data within one month. |
Cookies
We set one cookie, haven_access, after you successfully submit an early-access code. It is described in detail in the "Cookies and browser storage" section above. It is strictly necessary for the access feature you have actively requested, contains no personal data, and is not shared with third parties.
We do not use tracking cookies, advertising cookies, or any third-party cookies. We do not use analytics cookies on this site.
Data breach notification
In the event of a personal data breach, we will:
Supervisory authority: Notify the Autoriteit Persoonsgegevens within 72 hours of becoming aware of a qualifying breach (Art. 33), unless the breach is unlikely to result in a risk to your rights and freedoms.
Affected individuals: Notify you without undue delay if the breach is likely to result in a high risk to your rights and freedoms (Art. 34), including the nature of the breach, likely consequences, and measures taken.
Internal record: Document all breaches regardless of severity, including facts, effects, and remedial action (Art. 33(5)).
Children
Haven is a professional tool for CX operators. We do not knowingly collect data from anyone under 16. If you believe we have, contact us and we will delete it immediately.
Changes to this policy
We may update this policy as Haven evolves. Each version is numbered (currently v1.0). Material changes will be communicated on the website. The "last updated" date and version number at the top reflect the most recent revision. Previous versions are available on request.
Supervisory authority
If you believe we are processing your data unlawfully, you have the right to lodge a complaint with the Dutch Data Protection Authority, or with the supervisory authority in the EU country where you live, work, or where the alleged infringement took place (Art. 77):
Autoriteit Persoonsgegevens
Bezuidenhoutseweg 30, 2594 AV Den Haag
Contact
Questions about this policy or your data? Email privacy@haven-does.com.