Privacy and Analytics (PostHog)

Purpose

PostHog is used by Heimdall Power to understand how our customer-facing platforms are used, so we can improve usability, reliability, and performance.
‍

Scope

Applies to analytics and session replay data collected through PostHog from Heimdall Power platforms and services.
‍

Data Categories

Analytics events: user interactions such as clicks, navigation paths, and feature usage.
Session replay: short recordings of anonymized user sessions for troubleshooting and UX improvement.
Technical metadata: browser type, OS, screen size, and approximate region (no precise geolocation).
‍

Data Minimisation

We collect only what is necessary for improving product experience and service reliability. Personally identifiable information (PII) is avoided wherever possible and, where captured, automatically masked or removed by PostHog’s privacy settings.
‍

Retention

Analytics data: retained for 7 years.
Session replay data: retained for 30 days.
These limits follow GDPR Article 5(1)(c) and (e) (data minimisation and storage limitation) and CPRA §1798.100(a)(3) (reasonable and disclosed retention).
If data is fully anonymized, retention rules no longer apply.
‍

Lawful Basis

Processing of analytics data is based on legitimate interest (GDPR Art. 6(1)(f)) to improve Heimdall Power’s services, balanced against user privacy.
Users may opt out of analytics by contacting privacy@heimdallpower.com
‍

Data Location and Security

All analytics data is hosted in EU data centers (PostHog EU Cloud).
Data in transit and at rest is encrypted. Access is restricted to authorized Heimdall Power staff.
‍

Vendor and Compliance

PostHog acts as a data processor under Heimdall Power’s Data Processing Agreement (DPA).
The service supports GDPR and CPRA compliance by allowing configurable retention, masking, and deletion.
‍

Review and Governance

Retention and privacy settings are reviewed annually or upon regulatory or vendor change.
Contact privacy@heimdallpower.com for questions or access requests.