This Privacy Policy explains how Challenge ApS, trading as Heka VR ("we", "us", "our"), processes personal data when you visit hekavr.com, contact us, or use the Heka VR avatar therapy platform. We act as a data controller for personal data collected through this website and our commercial relationships, and as a data processor for clinical data handled inside the platform on behalf of healthcare providers.
We process personal data in accordance with Regulation (EU) 2016/679 (the GDPR), the Danish Data Protection Act (Databeskyttelsesloven, lov nr. 502 af 23. maj 2018, as amended), and — for electronic communications — the Danish Executive Order on Cookies (Cookiebekendtgørelsen, BEK nr. 1148/2011) implementing the ePrivacy Directive (2002/58/EC).
1. Data controller
Challenge ApS (CVR 43428675)
Høkerboderne 8, 1.
1712 København V, Denmark
Email: contact@hekavr.com
We have assessed that we are not required to designate a Data Protection Officer under Art. 37 GDPR. All privacy enquiries can be addressed to the email above.
2. Categories of personal data and legal bases
2.1 Website visitors
- Contact form submissions: name, email, organisation, topic, and the content of your message. Purpose: respond to your enquiry. Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in responding to incoming enquiries; where the message concerns a potential agreement, also Art. 6(1)(b) GDPR (steps prior to entering a contract).
- Server log data: IP address, user-agent, timestamps, requested URL, referrer. Purpose: security, abuse prevention, and ensuring the technical availability of the website. Legal basis: Art. 6(1)(f) GDPR.
- Cookies and similar technologies: see our Cookie Policy. Non-essential cookies are only set with your prior consent (Art. 6(1)(a) GDPR and §3 of the Danish Cookie Order).
2.2 Hospital, research, and supplier contacts
Business-contact data (name, work email, telephone, role, organisation), correspondence, and contract data. Purposes: managing the customer or supplier relationship, delivering the platform, training and support, invoicing, and meeting our obligations as a medical device manufacturer. Legal bases: Art. 6(1)(b) GDPR (performance of a contract), Art. 6(1)(c) GDPR (compliance with legal obligations, including the EU Medical Device Regulation and the Danish Bookkeeping Act), and Art. 6(1)(f) GDPR (legitimate interest in managing the relationship).
2.3 Patients using the Heka VR platform
Heka VR is provided to healthcare organisations, which remain the data controllers for patient health data processed within the platform. We act as a data processor under a written Data Processing Agreement (Art. 28 GDPR) and process personal data — including special categories of data under Art. 9 GDPR (health data) — solely on documented instructions from the controller. The controller's lawful basis is typically Art. 6(1)(c) or 6(1)(e) combined with Art. 9(2)(h) GDPR (provision of health care). Patients should direct privacy enquiries to the treating hospital or clinic in the first instance.
2.4 Job applicants
If you apply for a position with us, we process the data contained in your application on the basis of Art. 6(1)(b) GDPR (steps prior to a contract) and, where relevant, Art. 6(1)(f) GDPR. Applications for unfilled positions are deleted no later than 6 months after the recruitment process ends, unless you have consented to a longer retention period.
3. How we use personal data
- Respond to enquiries and provide requested information.
- Deliver, maintain, secure, and improve the Heka VR platform.
- Comply with our obligations under the EU Medical Device Regulation (MDR), including post-market surveillance, vigilance, and traceability.
- Conduct security monitoring and prevent fraud or misuse.
- Send service-related communications and, where you have given prior consent under §10 of the Danish Marketing Practices Act (Markedsføringsloven), product updates and newsletters. You can withdraw consent at any time using the unsubscribe link in each message or by emailing us.
- Comply with statutory bookkeeping and tax obligations.
4. Automated decision-making
We do not use personal data collected via this website for automated decision-making or profiling that produces legal or similarly significant effects on you within the meaning of Art. 22 GDPR.
5. Recipients and sub-processors
We share personal data only when necessary and on a lawful basis, including with:
- Carefully selected sub-processors (e.g. cloud hosting, email delivery, customer support and analytics tooling) bound by Art. 28 GDPR data processing agreements.
- Notified bodies, the Danish Medicines Agency (Lægemiddelstyrelsen), and other competent authorities and auditors as required by the MDR or applicable law.
- Public authorities where we are legally required to disclose data (e.g. tax authority, courts, police).
- Professional advisors (legal, accounting, insurance) under confidentiality.
We do not sell personal data and do not share it for third-party marketing. A current list of sub-processors is available on request via contact@hekavr.com.
6. International transfers
Personal data is primarily stored within the EU/EEA. Where transfers to a third country are necessary, we rely on an adequacy decision under Art. 45 GDPR (e.g. the EU–US Data Privacy Framework, where applicable) or on appropriate safeguards under Art. 46 GDPR, in particular the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914), supplemented by a transfer impact assessment and any additional technical and organisational measures required by the Schrems II judgment. A copy of the relevant safeguards is available on request.
7. Retention
We retain personal data only for as long as necessary for the purposes for which it was collected and to comply with legal obligations.
- Contact form submissions: up to 24 months from the last interaction, then deleted or anonymised.
- Accounting records: retained for 5 years from the end of the financial year, as required by the Danish Bookkeeping Act (Bogføringsloven).
- Medical device records: retained for the period required by Article 10(8) MDR (at least 10 years after the last device has been placed on the market).
- Clinical data processed on behalf of healthcare controllers: retained in accordance with the relevant Data Processing Agreement and the controller's obligations under national health-record legislation.
8. Your rights under the GDPR
Subject to the conditions in the GDPR, you have the right to:
- Access the personal data we hold about you (Art. 15).
- Request rectification of inaccurate or incomplete data (Art. 16).
- Request erasure ("right to be forgotten") (Art. 17).
- Restrict processing (Art. 18).
- Object to processing based on legitimate interests (Art. 21).
- Request data portability (Art. 20).
- Withdraw consent at any time, where processing is based on consent (Art. 7(3)), without affecting the lawfulness of processing before withdrawal.
To exercise your rights, email contact@hekavr.com. We respond within one month of receipt and may extend the period by two further months for complex requests (Art. 12(3) GDPR). We may need to verify your identity before responding.
You also have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet), Carl Jacobsens Vej 35, 2500 Valby, Denmark, tel. +45 33 19 32 00, datatilsynet.dk, or with the supervisory authority in the EU/EEA Member State of your residence or workplace.
9. Security
In accordance with Art. 32 GDPR we maintain appropriate technical and organisational measures, including encryption in transit and at rest, role-based access controls, logging and monitoring, regular penetration testing, secure software development practices, and staff confidentiality and training. Our quality and information-security management is aligned with the requirements applicable to a CE-marked medical device manufacturer.
10. Children
The website is not directed at children. Clinical use of the platform with paediatric patients takes place under the supervision of a healthcare professional and is governed by the healthcare controller's own legal basis and safeguards.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via this page and, where appropriate, by direct notice. The "last updated" date at the top indicates when it was last revised.
12. Contact
For any privacy-related question, contact us at contact@hekavr.com.
