Platform Privacy Notice

Last Updated: June 20, 2025

1. About this Privacy Notice

Privacy Notice Applicability

This privacy notice sets out how Heka contributes to the processing of personal data by our clients in providing them with access to our intelligence platform which helps them trace and confirm accurate details for individuals entitled to pension or other financial services benefits (each, a “Client Service”). While Heka processes personal data solely on behalf of its clients in providing a Client Service, we are publishing this notice voluntarily to enhance transparency and in line with industry best practices.

Heka Solutions Ltd. and Heka Global Inc. (“Heka”, “we”, “us”) act strictly as data processors, not controllers, with respect to any personal data collected through or processed via our Client Services. Responsibility for determining the purposes and lawful basis of such processing lies exclusively with our clients, who act as data controllers. If you contact us to find out who the client is in relation to personal data relating to you, we will let you know, provided we have the means to link you to a specific client; we may ask you to confirm information in order to do that. For our privacy policy relating to our website, please see our Privacy Policy.

This notice may be supplemented by service-specific privacy terms or contractual disclosures, as applicable.

We do not determine the purposes or means of processing the personal data we handle; these are determined exclusively by our clients. However, this notice includes key information about:

  • The categories of personal data that we may process on behalf of our clients
  • The nature and purpose of the processing activities
  • How long we retain personal data
  • Our use of third-party entities (e.g., subprocessors) with whom we may share data under client instruction
  • The security measures we implement to protect personal data
  • International transfers of personal data and the safeguards we apply
  • The rights available to individuals under GDPR and UK GDPR, and how to exercise those rights
  • Children’s privacy
  • How to contact us and our Data Protection Officer for questions or requests
  • Changes to the Policy

This notice does not apply to personal data that we process solely on behalf of our clients in our capacity as a service provider or processor under applicable data protection laws. In such cases, we act on the documented instructions of the data controller.

2. Categories of Personal Data Processed

In the course of providing Client Services to the trustees of pension schemes, insurance company pension providers and annuity providers, Heka processes personal data on behalf of our clients. The specific categories of data may vary depending on the service and client instruction, but typically include the following:

Data Categories

Data Categories Processed

| Data Category | Examples | Legacy Data Aggregators |
| --- | --- | --- |
| Identity Information | Name, date of birth, national ID (e.g., national insurance or social security numbers) / passport | Provided by client |
| Contact Details | Address, phone numbers, email addresses | Provided by client or public sources |
| Status Indicators | Deceased status, marital status | Public records, third-party vendors |
| Relationship Data | Next-of-kin relationships | Public records, third-party vendors |

3. The Nature and Purposes of Data Processing

We receive identity and contact details from clients in relation to individuals who are entitled to pension (or other financial service product) benefits and whom our clients need to trace, confirm are alive, and/or whose next of kin (who may be entitled to the benefits in some circumstances) they need to find and trace. This could be to find pension beneficiaries where the pension scheme’s contact details are out of date, or to find next of kin where a pension holder has died, by leveraging third-party data sources and Heka’s web intelligence platform. Our clients’ objectives in using the Client Services are to ensure that those properly entitled to pension or other benefits receive them.

We then assess and filter the information provided by clients to ensure it is suitable to share with our third-party data sources, and then share the individual’s name only with third-party data sources, selected on the basis that they are likely to hold information responsive to the client’s needs. The selected third-party data sources return to Heka enriched data potentially relevant to the individual concerned. Heka’s data processing engine filters and analyses the information returned from the data sources to maximise the relevance of information returned. The filtered and verified results are then shared with Heka’s client so they can deal with them as appropriate, for instance in making contact with the individual or their next of kin.

The purposes and lawful bases relating to our processing of personal data in providing Client Services are determined by our clients in their role as controllers, so we have listed those that we find most commonly apply. We provide the information below for illustrative purposes only as each client determines the lawful basis based on their own circumstances.

Lawful basis can differ from one client to another, as their regulatory, legal and contractual positions can differ, and those elements impact what lawful bases are appropriate under GDPR. However, in our experience, the following lawful bases are often relevant:

  • Necessary for the purposes of a contract
    • In most cases, our client will have a direct relationship with the beneficiary and an obligation to provide them with their pension benefits;
    • In such a case, our client will typically need to make efforts to find pension-holders they have lost touch with in order to comply with that contract.
  • Legitimate interests
    • An insurer, or a pension fund’s trustees or operator, is likely to have a legitimate interest in finding and confirming the current details of a pension holder or their next of kin in order to ensure that pension funds are paid out correctly or, for the insurer client, that their risk is managed appropriately;
    • In this case, the client would be required to balance its interests with those of the beneficiary or its next of kin as part of a legitimate interests assessment. As processor under GDPR, we are not in a position to prejudge that assessment as it is the controller’s responsibility, but we see strong arguments that the objective of ensuring the beneficiary or their family receive the financial benefits to which they are entitled and the way the Client Services are designed to retrieve only information relevant to tracing them form a strong basis for a positive legitimate interests assessment.
  • Compliance with a legal obligation
    • Some clients, in particular trustees of pension funds, often have an overriding obligation to ensure the proper administration of the scheme. Trustees will need to make their own assessment, but we expect some trustee and other pension operator clients will conclude that the Client Service is required where they cannot trace beneficiaries in order for them to comply with their legal duties.

4. Personal Data Retention

As a data processor, Heka retains personal data strictly in accordance with the instructions of our clients, who determine the retention period based on their own legal and regulatory obligations.

Unless instructed otherwise, we retain personal data only for as long as necessary to fulfil the agreed processing purposes and to support the audit, compliance, or operational needs of our clients. After the client engagement ends, we retain personal data for up to 30 days. Where our clients provide shorter or longer retention periods, we follow their instructions accordingly.

After the retention period ends, we securely delete or anonymize the data in accordance with our internal data retention and destruction policies.

5. Categories of Third Parties (e.g., subprocessors) With Whom We May Share Data

Heka engages carefully vetted third parties to support the delivery of our services. These third parties may process personal data as required to assist our delivery of the Client Service. These may include:

Third Parties

Categories of Third Parties

| General Data Source | Examples | Privacy Policy Link |
| --- | --- | --- |
| Government and Official Registers | Electoral Register | UK Electoral Commission |
| Social Media Platforms | Pipl | Pipl Privacy Notice |
| Search Engines and Indexes | Google | Google Privacy Policy |
| Online Obituary Databases | Funeral Notices | Funeral Notices Privacy Policy |
| Public News Sites and Journals | The Times | The Times Privacy Policy |

We do not share personal data with third parties for independent use or for marketing purposes.

6. Security Measures We Implement

At Heka, we maintain a strong commitment to protecting personal data through rigorous security and compliance practices. As part of our role as a data processor, we implement robust technical and organizational measures to safeguard the data entrusted to us by our clients.

  • ISO 27001:2013 Certification
    Heka’s information security management system is audited and certified to the international standard ISO 27001:2013. This demonstrates our structured, risk-based approach to managing information security across our organization.
  • Security Policies and Controls
    Our security framework includes regularly reviewed and updated policies, controls, and procedures designed to reflect best practices and ensure alignment with applicable legal and regulatory requirements.
  • Vendor and Subprocessor Oversight
    We engage third-party service providers and subprocessors where necessary to support our services. Where these providers may process personal data on our behalf, we seek to ensure that appropriate safeguards are in place, consistent with applicable data protection requirements.

Security Measures

Security Measures – Third-Party Providers

| General Data Source | Purpose of Processing | Privacy Policy Link |
| --- | --- | --- |
| Cloud Infrastructure Providers | Hosting and secure storage of data | ISO 27001, access control, encryption |
| Data Enrichment Vendors | Supplementing datasets with additional and enriched information relating to beneficiaries or their next of kin | DPA, SCCs |

7. International Data Transfer and Safeguards

Heka operates globally and may store or access personal data in jurisdictions including the United Kingdom, European Union, United States, and Israel. Where data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs), or adequacy decisions under Article 45 GDPR.

8. Your Rights

You have the following rights regarding your personal data processed as part of the Client Services:

  • Access: You can request a copy of the personal data our clients process.
  • Correction: You can ask for your personal data to be corrected where it is inaccurate or incomplete.
  • Deletion: In certain cases, you can request the deletion of your personal data.
  • Restriction: You can request limits on how your personal data is used.
  • Objection: When legitimate interests is the lawful basis of processing, you can object to the use of your personal data.
  • Portability: You can ask to receive your data in a commonly used format or have it transferred to another provider.
  • Withdrawal of consent: When consent is the lawful basis, you can withdraw it at any time.

You can exercise these rights against the relevant client who is controller for your data, and we will pass on any request you make to us to them provided we have the means to link you to a specific client.

9. Children’s Privacy

Heka’s Client Services are not directed to children and are not intended for use by individuals under the age of 18. It is possible that personal data relating to a child are inputted to or retrieved through the Client Services, for instance if the next of kin of a pension beneficiary is a child. In such a case, it may be necessary for our client to receive and retain that personal data so that the child’s entitlement can be processed in accordance with applicable law and the pension scheme rules or the terms of the relevant insurance policy. Otherwise, we do not knowingly collect or process personal data relating to children under the age of 13 (or under 16 where required by applicable data protection laws).

If we become aware that we have inadvertently received personal data from a child without appropriate consent or lawful basis, we will take steps to delete such data promptly.

10. Contact Us

You may wish to contact us if you:

  • Have questions about the contents of this privacy notice;
  • Would like to exercise your rights under data protection law (such as access, rectification, objection, or deletion);
  • Require this notice in an alternative format (e.g., large print, braille, or audio); or
  • Wish to raise a concern or lodge a complaint regarding our processing of your personal data.

Please note that Heka acts primarily as a data processor. If your request concerns personal data processed on behalf of one of our clients, we may forward your request to the appropriate data controller for review and response.

You can contact our Data Protection Officer (DPO) at:

Heka Solutions Ltd. / Heka Global Inc.
Attention: Data Protection Officer
Email: privacy@hekaglobal.com

Our EU Representative
Name: Ignacio García Barrero
Address: Jerez 4 Portal1, Apt #4C. Madrid, 28016 Spain

Our UK Representative
Name: Douglas Weirens, on behalf of Orion Global Advisors UK Limited
Address: 20 Old Bailey, 5th Floor, London EC4M 7AN

Supervisory Authority Contact (UK / EU)
If you are based in the UK or EU and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.

United Kingdom
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk

European Union
A full list of national data protection authorities is available here:
https://edpb.europa.eu/about-edpb/board/members_en

11. Changes to This Privacy Notice

We may update this privacy notice from time to time to reflect changes in our practices, legal obligations, or the services we provide. Any updates will be published on this page with a revised “last updated” date. We encourage you to review this notice periodically to stay informed about how we process personal data.