Privacy Policy

Last updated: 1 April 2026

1. Introduction and purpose of the privacy policy

1.1. HeroLabs d.o.o., Ravne 185, 3325 Šoštanj, Slovenia, company registration number: 9510214000, VAT number: SI12533505, entered in the court register at the District Court in Celje under number 2023/36823 (hereinafter: the Controller or MooHero), is aware of the importance of personal data protection and the privacy of its users. We are therefore committed to the lawful, fair and transparent processing of personal data in accordance with applicable Slovenian and European legislation, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR) and the Slovenian Personal Data Protection Act (ZVOP-2).

1.2. The purpose of this Privacy Policy is to clearly and understandably inform you, as a visitor to our website moohero.com and a potential or existing user of our services (mobile application and smart collars), about which personal data we collect, why we collect it, how we use it, to whom we transfer it, how long we keep it, and what your rights are in relation to your personal data.

1.3. This Privacy Policy applies to all individuals who visit our website (which primarily serves to collect inquiries – lead generation), submit an inquiry, communicate with us by phone or email, enter into a subscription relationship, or use our services. We expressly note that users cannot self-register for the MooHero application; the user account and onboarding are set up by MooHero after the conclusion of the contract and receipt of payment. By using the website and/or submitting an inquiry, you confirm that you are familiar with this Privacy Policy and agree with it.

2. Data controller and contact

2.1. The controller of your personal data is:

HeroLabs d.o.o.
Ravne 185, 3325 Šoštanj, Slovenia
Company registration number: 9510214000
VAT number: SI12533505

2.2. For any questions, requests, or to exercise your rights regarding the protection of personal data, you can reach us through our Data Protection Officer (DPO) or our privacy contact:

  • Email: info@moohero.com
  • Post: The company address listed above, marked "For DPO".

To resolve your requests more quickly and efficiently, please include your first name, last name, and the email address you used to register or submit an inquiry.

3. What personal data do we collect and why?

We collect and process only the personal data that is strictly necessary to achieve specific, explicit and legitimate purposes. We collect data directly from you (e.g. when submitting an inquiry via a web form, during phone or email communication) or automatically while you use our services (e.g. via cookies, data from the collars).

The table below details the types of data, the purposes of processing, and the legal bases:

Type of personal dataPurpose of processingLegal basis (GDPR)
Identification and contact data: First name, last name, email address, phone number, address of residence/farm, company name (where applicable).Lead generation and quotation phase: Responding to inquiries, preparing and sending tailored quotations, phone and email communication prior to concluding the contract. Contract performance phase: Setting up and managing the user account (created by MooHero), identifying the user, communicating about the services, fulfilling orders, delivering hardware, providing technical support, handling complaints, and onboarding (including video calls and follow-up within 30 days of payment).Article 6(1)(b) – Performance of a contract: Processing is necessary for the conclusion and performance of a contract with you (including steps taken at your request prior to entering into the contract). Article 6(1)(f) – Legitimate interest: Our legitimate interest is effective communication with potential and existing customers and the provision of a high-quality service.
Farm data: Number of animals, type of husbandry (free, tied, robot, pasture, suckler cows), location of the barn.Adapting the MooHero system to the specifics of your farm, planning the installation of hardware, optimising the algorithms for your type of husbandry, setting up the farm in the application during onboarding.Article 6(1)(b) – Performance of a contract: The data is necessary for the correct operation and customisation of the service. Article 6(1)(f) – Legitimate interest: Our legitimate interest is to ensure the optimal functionality of the system and to improve the user experience.
Animal data (IoT data): Activity, rumination, health status, reproductive cycle, location of the animal within the farm (collected via the smart collars).Providing the core functionality of the MooHero service (heat detection, health monitoring, alerts). This data primarily relates to the animals but is indirectly associated with you as the owner/manager.Article 6(1)(b) – Performance of a contract: Without this data, the service cannot operate. Article 6(1)(f) – Legitimate interest: Our legitimate interest is to provide and improve the functionality of the system and to develop new solutions.
Application and website usage data: IP address, device information (operating system, browser), login times, interactions with the application, error logs.Ensuring the security and stability of the information system, preventing fraud and abuse, fixing technical errors, improving the user experience, website analytics.Article 6(1)(f) – Legitimate interest: Our legitimate interest is to ensure the secure and uninterrupted operation of the services and to optimise the user experience. Article 6(1)(a) – Consent: For analytics cookies and website tracking, where applicable.
Payment and financial data: Information on issued invoices, payment history, bank account (for refunds). Note: We do not store credit card information; payments are processed by external providers.Processing payments for subscriptions and hardware, meeting accounting and tax obligations, debt collection.Article 6(1)(b) – Performance of a contract and Article 6(1)(c) – Legal obligation: Compliance with tax legislation (e.g. the Slovenian VAT Act and Accounting Act).
Marketing and communication data: Email address, name (for sending newsletters, offers, tips).Direct marketing, news updates, educational content.Article 6(1)(a) – Consent: Processing is carried out solely on the basis of your explicit consent, which you may withdraw at any time. Article 6(1)(f) – Legitimate interest: For direct marketing to existing customers in relation to similar products or services they already use, with an opt-out option.
Anonymised data: Aggregated data about animals and system usage from which an individual cannot be identified.Statistical analysis, scientific research, improvement of machine learning algorithms, development of new products.Article 6(1)(f) – Legitimate interest: Development and improvement of services. (Note: anonymised data is not personal data and is not subject to the GDPR.)

4. How long do we keep your data?

4.1. We keep personal data only for as long as is necessary to fulfil the purposes for which it was collected, or for as long as required by applicable law.

4.2. Retention periods are set as follows:

  • User account and contract data: We keep this for the entire duration of the subscription relationship and for a further 5 years after its termination. This period is based on the general statute of limitations for contractual claims under the Slovenian Code of Obligations (OZ), to allow us to bring, pursue or defend any legal claims. In the event of a dispute, the data is retained until the dispute is finally resolved.
  • Accounting and tax data (invoices): We keep this for 10 years from the end of the year to which it relates, in accordance with the Slovenian VAT Act (ZDDV-1) and the Accounting Act (ZR).
  • Animal data (IoT data): We keep this in a form that allows you to be identified as the owner for the duration of the subscription relationship. After termination of the relationship, this data is anonymised or pseudonymised where possible. Anonymised data may be retained indefinitely for statistical purposes and algorithm improvement, as it no longer constitutes personal data.
  • Data collected on the basis of consent (e.g. newsletters): We keep this until you withdraw your consent. After withdrawal we delete your data from marketing systems, unless there is another legal basis for retention (e.g. you are also a subscriber).
  • Server logs and IP addresses: We keep these for a short period (typically up to 6 months), solely for the purpose of ensuring network security and preventing incidents.

5. Who do we share your data with (processors and third parties)?

5.1. We do not sell, rent or market your personal data to third parties.

5.2. To provide our services, we work with carefully selected external service providers (data processors) who process personal data on our behalf and strictly according to our instructions. With all processors we have concluded appropriate Data Processing Agreements (DPAs) ensuring a high level of security and GDPR compliance.

Our processors include:

  • Cloud and hosting providers: For secure data storage and operation of the Application (e.g. Amazon Web Services, Microsoft Azure, Google Cloud). The servers where personal data is stored are located within the European Union (EU) or the European Economic Area (EEA).
  • Communication tool providers: For sending emails, SMS notifications and system messages (e.g. SMTP providers).
  • Analytics providers: For analysing the use of the website and application (e.g. Google Analytics). Data is pseudonymised and processed in accordance with the GDPR. We obtain your consent before using analytics cookies.
  • Payment service providers: For processing payments (e.g. banks, payment gateway providers).
  • Delivery services: For delivering hardware (we share only your name, address and phone number).
  • External installation partners: If you opt for paid installation, we may share your contact details with an authorised partner to carry out the installation.

5.3. Transfer of data outside the EU/EEA: As a rule, we do not transfer your personal data outside the European Economic Area (EEA). If a transfer outside the EEA is necessary (e.g. when using a specific subprocessor), we will ensure that the transfer is carried out in accordance with the GDPR (e.g. based on a European Commission adequacy decision or using Standard Contractual Clauses – SCCs).

5.4. Disclosure to public authorities: We may disclose your personal data to competent state authorities (police, courts, inspectorates) where required by law or where necessary to protect our legitimate rights.

6. How do we protect your data?

6.1. We take the security of your data extremely seriously. We have implemented and regularly update appropriate technical and organisational measures to protect personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

6.2. Our security measures include:

  • Encryption: All data transfers between your device and our servers are encrypted using secure protocols (HTTPS/TLS). Sensitive data in our databases is encrypted at rest.
  • Access control: Access to personal data is strictly limited to those employees and contractors who need it to perform their work. We use strong passwords, two-factor authentication (2FA) and log all accesses.
  • Physical security: Our servers are located in highly secured data centres with controlled physical access that comply with industry security standards.
  • Regular testing and backups: We regularly carry out security reviews of our systems and create backups so that data remains available in the event of an incident.
  • Employee training: Our employees are regularly trained on the importance of personal data protection and security protocols.

7. Your rights regarding personal data

7.1. Under the GDPR, as a data subject you have a number of rights that allow you to control your data. You can exercise these rights free of charge, except in the case of manifestly unfounded or excessive requests.

Your rights are:

  • Right of access (Article 15 GDPR): You have the right to obtain confirmation as to whether we are processing your personal data and, if so, to request access to that data and information about the purpose of processing, categories of data, recipients, and retention periods. You also have the right to a copy of your personal data.
  • Right to rectification (Article 16 GDPR): You have the right to request that inaccurate personal data be corrected, or incomplete data be completed, without undue delay.
  • Right to erasure / "right to be forgotten" (Article 17 GDPR): You have the right to request the erasure of your personal data where: the data is no longer necessary for the purposes for which it was collected; you withdraw consent and there is no other legal basis; you object to processing and there are no overriding legitimate grounds; the data has been processed unlawfully; or it is required by law. Note: The right to erasure is not absolute and we cannot fulfil it if we need the data to comply with legal obligations (e.g. invoice retention) or for legal claims.
  • Right to restriction of processing (Article 18 GDPR): You have the right to request the restriction of processing where: you contest the accuracy of the data (during verification); the processing is unlawful but you oppose erasure; we no longer need the data but you need it for legal claims; or you have objected (pending verification of overriding grounds).
  • Right to data portability (Article 20 GDPR): You have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format, and the right to transmit that data to another controller, where processing is based on consent or a contract and is carried out by automated means.
  • Right to object (Article 21 GDPR): You have the right to object at any time to processing of your personal data that is based on our legitimate interest (Article 6(1)(f)). In that case we will stop processing the data unless we demonstrate compelling legitimate grounds for the processing that override your interests, or for legal claims. You have the right to object at any time to processing for direct marketing purposes.
  • Right to withdraw consent (Article 7(3) GDPR): Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

7.2. How to exercise your rights? You can exercise your rights by sending a written request to the email address: info@moohero.com. To ensure security, we may ask you for additional identification before fulfilling the request. We will respond to your request without undue delay and at the latest within one month of receiving the complete request.

8. Right to lodge a complaint with the supervisory authority

8.1. If you believe that the processing of your personal data breaches the GDPR or ZVOP-2, you have the right to lodge a complaint with the competent supervisory authority in the Republic of Slovenia:

Information Commissioner of the Republic of Slovenia
Dunajska cesta 22, 1000 Ljubljana
Phone: 01 230 97 30
Email: gp.ip@ip-rs.si
Website: www.ip-rs.si

Before filing a complaint, we ask that you first contact us, as we will strive to resolve your issue quickly and amicably. Your satisfaction and the protection of your data are our priority.

9. Automated decision-making and profiling

9.1. The MooHero service uses algorithms to analyse animal data (e.g. for heat detection). However, we do not carry out automated decision-making or profiling that has legal effects on you or similarly significantly affects you within the meaning of Article 22 of the GDPR. All decisions regarding farm and animal management are made by you as the user.

10. Changes to the privacy policy

10.1. The Controller reserves the right to amend this Privacy Policy at any time. We will notify Users of any changes by publishing the updated version on our website and, where appropriate, by direct notice (e.g. by email). Changes take effect on the date of publication. We recommend that you regularly review this Privacy Policy for any changes.

11. Contact

For any questions about this Privacy Policy or the processing of your personal data, please contact us at the email address listed in section 2.