PRIVACY
Effective Date: 3/6/2026
Last Updated: 3/6/2026
This Privacy Policy describes how Headroom HQ ("we," "us," or "our") collects, uses, and protects the personal data of visitors to theheadroomhq.com and users of our services, including Headroom HQ newsletter, the HQ Score assessment, the HQ Vault subscription, and the Headroom HQ Store.
Headroom HQ is operated by Mr. Viral Doshi, based in India. We are the data controller for the personal information described in this policy.
If you have questions about this policy or want to exercise any of your data rights, contact us at privacy@theheadroomhq.com.
1. WHAT DATA WE COLLECT AND WHY
1.1 Newsletter Subscriptions
When you subscribe to the Headroom HQ newsletter through theheadroomhq.com, we collect the following:
Your email address. It is used to deliver the newsletter, send automated welcome and onboarding emails, and communicate operational updates about the publication (such as pricing changes or platform migrations). We do not send marketing emails to newsletter subscribers on behalf of third parties.
Subscription metadata. The date you subscribed, whether you confirmed your subscription, and your subscription status (active, unsubscribed). It is used to manage the subscriber list and comply with anti-spam requirements.
Engagement data. Whether you opened a specific email, which links you clicked, and whether you forwarded or reported an email. It is collected automatically by our email delivery infrastructure (operated by Synapse Media through Ghost). It is used to improve content relevance and to measure the publication's reach.
Legal basis under GDPR: Legitimate interest (delivering the service you requested by subscribing) and consent (provided by completing the subscription confirmation step).
Legal basis under CCPA/CPRA: You are a California resident who voluntarily provided your email address to receive a commercial electronic newsletter.
1.2 HQ Score Assessment
When you complete the HQ Score assessment at theheadroomhq.com/hq-score,
we collect:
Your email address (optional). If you provide your email address, it is used exclusively to deliver your personalized HQ Score results. Your email address is not used to add you to the newsletter mailing list without your separate consent. You may complete the HQ Score without providing an email address; in this case, your results are displayed on screen only and not stored in association with any identifying information.
Assessment responses. Your answers to the 30 assessment questions, including your company's approximate revenue range, your role type, and your responses to the 10 operational dimension questions. This data is used for two purposes: (a) generating your personalized score result, and (b) contributing to the anonymous HQ benchmark dataset described in Section 3.
No individual company or individual respondent is ever identified in any published benchmark data. All benchmark reporting uses aggregated, anonymized data only.
Legal basis under GDPR: Consent (you voluntarily initiated the assessment) and legitimate interest (building an anonymized benchmark dataset that benefits the broader operations leader community).
1.3 HQ Vault Subscriptions
When you purchase a HQ Vault subscription through Systeme.io, we collect:
Your email address and name. It is used to deliver your HQ Vault access credentials, send access notifications for new content, and send renewal reminders before your access period expires.
Purchase and access metadata. The plan you purchased (monthly or annual), the purchase date, the access end date, and renewal history. It is used to manage your access period and to send appropriate renewal communications.
Payment information. We do not collect or store your payment card details or PayPal credentials. All payment processing is handled directly by Systeme.io and PayPal. We receive only a confirmation that a successful payment was made, the amount, and the transaction reference number.
Legal basis under GDPR: Performance of a contract (the access period you purchased).
1.4 Template and Course Purchases
When you purchase a template or course through Gumroad, we collect:
Your email address. It is used to deliver your purchased product and to send product update notifications if the template or course is materially updated after your purchase.
Purchase metadata. The product purchased, the purchase date, and the transaction amount. It is used for purchase records and product delivery.
Payment information. We do not collect or store payment card details or PayPal credentials. All payment processing is handled directly by Gumroad and PayPal.
Legal basis under GDPR: Performance of a contract.
1.5 Website Analytics
When you visit theheadroomhq.com, we collect the following:
Anonymized browsing data. Page views, session duration, traffic source (how you arrived at the site), geographic region (country or state level only, not precise location), device type, and browser type. It is collected through Google Analytics 4.
Google Analytics 4 uses IP anonymization by default. We do not collect or store your precise IP address. We have not enabled Google Analytics 4's advertising personalization features.
Legal basis under GDPR: Legitimate interest (understanding how visitors use the website in order to improve the content and experience).
1.6 Contact and Correspondence
When you send an email to any Headroom HQ address (hello@, support@, interviews@, affiliates@, sponsors@, or privacy@theheadroomhq.com), we collect the content of your message and your email address. This data is used only to respond to your inquiry and is not added to any mailing list without your separate consent.
2. HOW WE USE YOUR DATA
We use the personal data described above for the following purposes:
Delivering services you have requested. Sending the newsletter you subscribed to, delivering your HQ Score results, providing access to HQ Vault content you have purchased and delivering templates and courses you have purchased.
Operating and improving the publication. Understanding which content generates engagement, which subscriber acquisition channels are most effective, and which operational topics are most relevant to our audience. This analysis uses aggregated engagement data, not individual-level profiling.
Building the HQ benchmark dataset. Anonymized HQ Score responses are aggregated to build the benchmark dataset that powers the annual HQ Benchmark Report. Individual responses are never identified in any report or dataset. The benchmark dataset is the primary long-term research asset of Headroom HQ.
Communicating about your subscription. Sending renewal reminders for HQ Vault access, notifying you of new content in the HQ Vault, and informing you of material changes to the publication or its pricing structure.
Legal and compliance obligations. Maintaining records necessary to comply with applicable tax, accounting, and data protection requirements.
We do not use your data for:
- Selling or sharing your personal data with third parties for their marketing purposes
- Behavioral advertising or ad retargeting
- Automated profiling or decisions that have legal or significant effects on you
- Any purpose not described in this policy
3. THE HQ BENCHMARK DATASET
The HQ Benchmark dataset is a proprietary, anonymized dataset built from aggregated HQ Score responses. It is the data foundation of the annual HQ Benchmark Report.
How anonymization works: Individual HQ Score responses are aggregated by company revenue range, industry category, and operational maturity stage. No individual company name, respondent name or email address appears in the benchmark dataset or in any report derived from it.
What the benchmark dataset contains: Aggregated scores across 10 operational dimensions, segmented by revenue range and company stage. The dataset answers questions like "what is the average process documentation coverage score for the Systematizer stage companies in the $30M–$60M revenue range?" — it does not answer questions about any specific company.
Retention of individual response data: Individual-level HQ Score responses (before anonymization) are retained for 24 months and then permanently deleted. The anonymized aggregate data is retained indefinitely as the benchmark dataset.
Your right to be excluded: If you completed the HQ Score and do not wish your responses to contribute to the benchmark dataset, you may request exclusion by emailing privacy@theheadroomhq.com. We will remove your individual response from the dataset within 30 days. This request does not affect your personalized score results, which were generated at the time of completion.
4. THIRD-PARTY SERVICES
Headroom HQ uses the following third-party services to operate the publication. Each service is a data processor that handles personal data only on our behalf and according to our instructions.
Synapse Media (Ghost-managed hosting)
Role: Hosts theheadroomhq.com and operates the newsletter delivery infrastructure, including subscriber management and email sending.
Data processed: Subscriber email addresses, engagement data, website traffic data.
Privacy policy: https://synapse.media/privacy-policy/
Location: Germany (EU)
Tally.so
Role: Operates the HQ Score assessment form.
Data processed: Assessment responses and, email addresses if provided.
Privacy policy: https://tally.so/help/privacy-policy
Location: Belgium (EU)
Systeme.io
Role: Processes HQ Vault subscription payments and hosts the HQ Vault content library.
Data processed: Email addresses, names, and purchase transaction records.
Privacy policy: https://systeme.io/privacy-policy
Location: Dietikon, Switzerland
Gumroad
Role: Processes template and course purchases.
Data processed: Email addresses, purchase transaction records, and product delivery.
Privacy policy: https://gumroad.com/privacy
Location: United States
PayPal
Role: Processes all financial transactions for Systeme.io and Gumroad purchases.
Data processed: Payment card details, PayPal account information, and transaction records. Note: we do not receive or store your PayPal credentials or payment card details. PayPal processes this data directly.
Privacy policy: https://www.paypal.com/uk/legalhub/privacy-full
Location: United States / Luxembourg (EU)
Google Analytics 4
Role: Provides website analytics.
Data processed: anonymized browsing data, device type, geographic region.
Privacy policy: https://policies.google.com/privacy
Location: United States
We do not sell, rent, or share your personal data with any third party outside of the processors listed above.
5. YOUR RIGHTS UNDER APPLICABLE LAW
5.1 Rights Under GDPR (EU and UK Residents)
If you are located in the European Union or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) and UK GDPR:
Right of access. You may request a copy of the personal data we hold about you.
Right to rectification. You may request that we correct any inaccurate personal data we hold about you.
Right to erasure ("right to be forgotten"). You may request that we delete your personal data. We will comply with this request unless we are required to retain the data by law or need it to fulfill a contract with you.
Right to restriction. You may request that we restrict the processing of your data in certain circumstances.
Right to data portability. You may request that we provide your personal data to you in a structured, commonly used, machine-readable format, or transfer it directly to another controller where technically feasible.
Right to object. You may object to our processing of your personal data where that processing is based on legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
Rights related to automated decision-making. Headroom HQ does not use automated decision-making or profiling that produces legal or similarly significant effects on individuals.
To exercise any of these rights, contact us at privacy@theheadroomhq.com. We will respond within 30 days. We may need to verify your identity before processing your request.
If you are an EU resident and are not satisfied with our response, you have the right to lodge a complaint with the supervisory authority in your EU member state. The EU Data Protection Board maintains a list of national supervisory authorities at edpb.europa.eu.
If you are a UK resident, you may also lodge a complaint with the Information Commissioner's Office at ico.org.uk.
5.2 Rights Under CCPA/CPRA (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
Right to know. You may request that we disclose the categories of personal information we have collected about you, the categories of sources from which we collected it, the business purposes for collecting it, and the categories of third parties with whom we shared it.
Right to delete. You may request that we delete the personal information we have collected about you, subject to certain exceptions.
Right to correct. You may request that we correct inaccurate personal information we maintain about you.
Right to opt out of sale or sharing. Headroom HQ does not sell your personal information and does not share it for cross-contextual behavioral advertising. You have this right, and we comply with it by default.
Right to limit use of sensitive personal information. We do not collect sensitive personal information as defined under CPRA.
Right to non-discrimination. We will not discriminate against you for exercising any of your CCPA/CPRA rights.
To exercise your California rights, contact us at privacy@theheadroomhq.com or by post at the address below.
5.3 Rights Under India's Digital Personal Data Protection Act (DPDP Act)
If you are an Indian resident, you have the following rights under the Digital Personal Data Protection Act, 2023 (DPDP Act):
Right to access. You may request information about the personal data we process about you and the purposes for which it is processed.
Right to correction and erasure. You may request that we correct inaccurate personal data or erase personal data that is no longer necessary for the purpose for which it was collected.
Right to grievance redressal. If you have a grievance regarding our processing of your personal data, you may contact our Data Protection Officer at privacy@theheadroomhq.com. We will acknowledge your grievance within 48 hours and resolve it within 30 days.
Right to nominate. You may nominate an individual to exercise your DPDP Act rights on your behalf in the event of your death or incapacity.
Consent withdrawal: Where processing is based on your consent, you may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing before the withdrawal.
6. DATA RETENTION
Newsletter subscriber data: Retained for as long as your subscription is active. Deleted within 30 days of unsubscribe request. If your email address hard-bounces (the email address no longer exists), it is deleted from our subscriber list
immediately upon detection.
HQ Score individual response data: Retained for 24 months from the date of completion, then permanently deleted or anonymized. The anonymized aggregate contribution to the benchmark dataset is retained indefinitely.
HQ Vault subscriber data: Email address and access records retained for 36 months after your last access period ends, then deleted. Retention is required to manage potential disputes about access periods and to honor requests for re-access during that window.
Template purchase data: Email address and purchase records retained for 7 years to comply with Indian tax and accounting regulations. After 7 years, this data is permanently deleted.
Contact and correspondence: Retained for 24 months from the date of the correspondence, then deleted, unless the correspondence relates to an ongoing dispute or legal matter.
Website analytics data: Google Analytics 4 retains data for 14 months by default. Headroom HQ has not modified this default setting.
7. INTERNATIONAL DATA TRANSFERS
Headroom HQ is based in India. Some of our third-party processors including Google Analytics, Gumroad, and PayPal are based in or process data in the United States. Synapse Media processes data in Germany, EU.
For EU and UK residents, transfers of personal data to countries without an EU or UK adequacy decision are covered by:
Standard Contractual Clauses (SCCs) in the processors' data processing agreements. Google, PayPal, and Gumroad provide SCCs as part of their standard terms for GDPR compliance. We rely on these clauses for the transfer of EU and UK personal data to the United States.
The EU-US Data Privacy Framework for US-based processors that are certified under it.
If you would like more information about the safeguards in place for any specific transfer, contact us at privacy@theheadroomhq.com.
8. COOKIES AND TRACKING TECHNOLOGIES
Headroom HQ uses the following tracking technologies:
Google Analytics 4 cookies. These cookies collect anonymized data about how visitors use theheadroomhq.com. They do not track you across other websites and are not used for advertising.
Ghost session cookies. These cookies are set when you are logged in as a subscriber and are used only to maintain your session. They expire when you close your browser or log out.
No third-party advertising cookies. Headroom HQ does not use any advertising network cookies, Facebook Pixel, LinkedIn Insight Tag, or similar advertising tracking technologies.
If you are an EU or UK visitor, you may see a cookie consent notice on your first visit. You may opt out of Google Analytics tracking by installing the Google
Analytics opt-out browser add-on at tools.google.com/dlpage/gaoptout.
9. SECURITY
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, or destruction. These measures include:
HTTPS encryption for all data transmitted between your browser and theheadroomhq.com (indicated by the padlock icon in your browser address bar).
Password protection and two-factor authentication for all administrative access to Ghost, Systeme.io, Gumroad, and Google Analytics.
Access limitation: personal data is accessible only to the publication's operator and the authorized administrators of the third-party processors listed above.
No security measure is 100% effective. If you become aware of any security vulnerability affecting Headroom HQ, please report it to privacy@theheadroomhq.com immediately.
10. AFFILIATE LINKS
Some links on theheadroomhq.com point to third-party products and services through affiliate programs. When you click an affiliate link and make a purchase,
Headroom HQ may receive a commission.
Affiliate links are always identified with the marker [A] adjacent to the link on the HQ Resources page and with a disclosure statement in any newsletter issue that
contains affiliate links.
Affiliate relationships do not influence editorial coverage. Products are included in the resource library because they are genuinely useful for mid-market operations leaders, not because an affiliate relationship exists.
11. CHILDREN'S PRIVACY
Headroom HQ is a B2B professional publication intended for business professionals. We do not knowingly collect personal data from anyone under the age of 18. If you believe we have inadvertently collected personal data from a minor, contact us immediately at privacy@theheadroomhq.com.
12. CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time. Material changes such as changes that affect your rights or how we use your data in ways that differ significantly
from this version will be communicated by:
A notice in the Headroom HQ newsletter to all active subscribers at least 14 days before the change takes effect.
An updated "Last Updated" date at the top of this page.
Your continued use of theheadroomhq.com after a policy change takes effect constitutes acceptance of the updated policy.
For material changes that require your consent under GDPR or CCPA/CPRA, we will request fresh consent before the change takes effect.
13. CONTACT US
For all privacy and data protection inquiries:
Email: privacy@theheadroomhq.com
Response time: Within 30 days as required by applicable data protection law. Mark urgent requests with "URGENT DATA REQUEST" in the subject line.
Headroom HQ is an independent media publication operated by Mr. Viral Doshi, India. It is not a registered company. For all data protection correspondence, use the email address above.