Updates to our Platform Terms, DPA, and Privacy Policy – Summary

Summary of changes to our Platform Terms and Conditions, Data Processing Addendum, and Privacy Policy.

Platform Terms

EH Platform definition: tightened to exclude managed services, which are governed by separate service-specific terms.

Clause 20 (data): substantively updated with three new sub-clauses covering user consent to EH’s use of their data per the Privacy Policy, acknowledgment of and agreement to the DPA where it applies, and a controller-to-controller framework for features where EH shares personal data in its own controller capacity. Under that framework, each party is an independent controller, the customer is responsible for its own lawful basis, and use is limited to the purpose for which data was shared.

AI Terms (Appendix 3): a new appendix governing AI Services across the platform, covering:

  • Definitions (AI Services, Output, AI Actions)
  • General responsibilities applying to all parties, including no sole reliance on Output for consequential decisions and acknowledgment of automation bias risk
  • Organisation responsibilities covering governance, compliance, configuration obligations, prohibited uses, and responsibility for decisions made on the basis of Output
  • User responsibilities covering not inputting data without authority, not representing Output as solely human-generated, and responsibility for AI Actions they initiate and confirm
  • EH’s responsibilities for default-on features such as HeroAI and AI-assisted workflows, scoped to the feature operating as described rather than outcomes from user-initiated actions
  • An AI Actions clause placing responsibility for agentic and automated actions with the user who initiates and confirms them, limiting organisation responsibility to admin controls, and making EH responsible for the feature operating within its described scope

DPA

No-model-training commitment: explicit obligation added that EH will not use customer data to train AI models, and that AI subprocessors are contractually bound by the same restriction.

Controller-to-controller acknowledgment: resolved at the Platform Terms level in clause 20.4 rather than in the DPA itself. The DPA now cross-references the T&Cs as the governing framework for those scenarios.

Processor/controller capacity distinction: clarification added in clause 2.1 to distinguish when EH acts as processor versus when it acts as an independent controller, particularly for AI-related processing.

Privacy Policy

Structure: the policy was restructured in some sections. The main driver was clarity, as the previous version had grown organically and was harder to navigate.

Data collection: previously overlapping collection sections were merged into a single section with three subsections organised by source: directly provided, automatically collected, and from third parties.

HeroForce scoping: a carve-out was added in Section 2 to make clear that employment data for HeroForce workers is covered by the separate HeroForce Worker Privacy Policy, not this document. HeroForce was stripped from employment-specific data rows in the collection table, and the HeroForce customer row was reframed to cover EH’s relationship with the employer customer only.

AI disclosures: rather than a standalone AI section, disclosures were integrated throughout the policy using a three-lane framework:

  • User-facing AI features (EH as controller) covered in the policy
  • Employer-enabled AI features (EH as processor) with a one-liner pointing to the employer’s own notice obligations
  • EH’s internal AI use (EH as controller) covered in the policy

The policy explicitly states EH does not train its own models on personal data, and approved AI tools are contractually prohibited from doing so.

Hero Foundation: added as a standalone section within the main policy covering charitable purpose, data collected, partner organisation sharing, sensitive information handling, and user rights.

California (CCPA/CPRA): a new Section 16 was added with a category mapping table, rights list, 45-day response timeframe, automated decision-making opt-out, and Shine the Light disclosure.