    TeamHero Privacy Policy

    Version: 10 June 2026
    Effective from: 10 June 2026

    This Privacy Policy explains how TeamHero processes personal data in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR"). The current version is published at https://theteamhero.com/privacy.


    1. Controller and contact details

    1.1. The controller for the processing described in this Policy is ADCRAFT LTD, a company registered in the Republic of Bulgaria (UIC 208314115; VAT BG208314115), registered address: 3 Industrialna Str., fl. 12, apt. 1202, Burgas 8130, Bulgaria, operating the TeamHero service ("TeamHero", "we", "us").

    1.2. Contact points:

    • Data protection / privacy enquiries: privacy@theteamhero.com
    • Data Protection Officer: not appointed (no statutory requirement; reassess if processing scope changes)
    • EU representative under Art. 27 GDPR: not required — the controller is established in the EU (Bulgaria). A UK representative will be appointed if and when required for UK personal data.

    1.3. Note on roles: where we process personal data contained in a Customer's workspace on that Customer's behalf, the Customer is the controller and we act as processor; that processing is governed by our Data Processing Agreement. This Policy describes processing for which we are the controller (for example, our website, account administration, billing, and security).


    2. Personal data we collect

    2.1. Website visitors: IP address; browser and device type; operating system; pages visited, time, and referrer; cookie identifiers.

    2.2. Customer representatives and Administrators: name; job title and organisation; business email and phone; account credentials (login, password hash); session identifiers and access tokens; IP address, device and browser data; audit logs of actions in the Service.

    2.3. Billing contacts: name, email, organisation billing details, and payment-related metadata.

    2.4. We do not intentionally collect special categories of personal data (Art. 9 GDPR) or data of children below the applicable age of digital consent. Users must not publish such data in the Service.


    For each purpose we rely on a legal basis under Art. 6(1) GDPR:

    # | Purpose                                                 | Legal basis (Art. 6(1))
    1 | Providing and operating the Service for the Customer    | (b) performance of a contract
    2 | Authenticating users and managing accounts and access   | (b) contract
    3 | Providing technical support and handling requests       | (b) contract
    4 | Service notifications (incidents, maintenance, changes) | (f) legitimate interests (operating the Service reliably)
    5 | Invoicing, accounting, and tax records                  | (c) legal obligation
    6 | Usage analytics and improving the Service               | (f) legitimate interests; (a) consent where cookies require it
    7 | Information security, fraud and abuse prevention        | (f) legitimate interests; (c) legal obligation
    8 | Responding to lawful requests from authorities          | (c) legal obligation
    9 | Marketing communications (newsletters)                  | (a) consent

    Where we rely on legitimate interests (f), we have balanced those interests against your rights and freedoms; you may object as described in Section 7.


    4. Recipients of personal data

    4.1. We share personal data with service providers acting as our processors (sub-processors). At present these are: cloud infrastructure and hosting (within the EEA); payment and invoicing; and analytics/error monitoring (where used). Email delivery, customer support, and authentication are operated on our own infrastructure. The current list of sub-processors is maintained in, and incorporated by reference from, our Data Processing Agreement.

    4.2. We may disclose personal data where required by law, to competent authorities, or to protect our rights, and to a successor entity in the context of a merger, acquisition, or reorganisation, subject to appropriate safeguards.


    5. International transfers

    5.1. Where personal data is transferred outside the European Economic Area, we rely on an adequacy decision or appropriate safeguards under Chapter V GDPR — primarily the European Commission's Standard Contractual Clauses (Decision 2021/914) — supplemented by additional technical and organisational measures where necessary.

    5.2. The transfer mechanism and the relevant sub-processor locations are described in the Data Processing Agreement. You may request a copy of the relevant safeguards using the contact details in Section 1.


    6. Retention

    6.1. We keep personal data only as long as necessary for the purposes above:

    • Website visitor logs and cookies — up to 12 months from the last visit;
    • Representative/Administrator account data — for the duration of the customer relationship and 3 years thereafter;
    • Billing, accounting, and tax records — for the statutory retention period (typically up to the period required by applicable law);
    • Customer-workspace personal data processed as processor — per the DPA (returned or deleted within 30 days of termination).

    6.2. When retention periods expire, personal data is securely deleted or anonymised.


    7. Your rights as a data subject

    7.1. Subject to the conditions in the GDPR, you have the right to:

    • Access your personal data (Art. 15);
    • Rectification of inaccurate or incomplete data (Art. 16);
    • Erasure ("right to be forgotten", Art. 17);
    • Restriction of processing (Art. 18);
    • Data portability (Art. 20);
    • Object to processing based on legitimate interests or to direct marketing (Art. 21);
    • Withdraw consent at any time, where processing is based on consent (without affecting prior processing).

    7.2. To exercise these rights, contact us using the details in Section 1. We respond without undue delay and within one month, extendable by two further months for complex requests (Art. 12(3)). We do not charge a fee unless requests are manifestly unfounded or excessive.

    7.3. Where we act as processor for a Customer's workspace, please direct your request to that Customer (the controller); requests received by us directly are forwarded to the relevant controller.


    8. Right to lodge a complaint

    8.1. You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement (Art. 77 GDPR), without prejudice to other remedies.


    9. Automated decision-making

    9.1. We do not make decisions producing legal or similarly significant effects based solely on automated processing (Art. 22 GDPR). AI features in the Service produce advisory outputs only and do not replace human decision-making.


    10. Security

    10.1. We implement appropriate technical and organisational measures under Art. 32 GDPR, including encryption in transit (TLS 1.2/1.3) and of backups, role-based access control, multi-factor authentication for administrators, logging and monitoring, regular backups, vulnerability management, and malware protection.


    10A. United States — state privacy rights

    10A.1. If you are a resident of California or another US state with a comprehensive privacy law, this Section applies in addition to the rest of this Policy.

    10A.2. Notice at Collection. We collect the categories of personal data described in Section 2 for the purposes in Section 3. We do not sell personal information and do not share it for cross-context behavioral advertising. We do not use or disclose sensitive personal information beyond the purposes permitted by applicable law.

    10A.3. Your rights. Subject to the applicable state law, you may request to know, access, delete, and correct your personal information; opt out of any sale or sharing; and limit the use of sensitive personal information. You will not be discriminated against for exercising these rights. Some states also provide a right to appeal a denied request.

    10A.4. How to exercise. Use the contacts in Section 1 or the "Do Not Sell or Share My Personal Information" / "Your Privacy Choices" control on our website. You may use an authorized agent. We honor opt-out preference signals such as Global Privacy Control (GPC) where required.

    10A.5. Retention. We retain each category of personal data for the periods set out in Section 6.

    If marketing or advertising cookies are used to target advertising, that activity may constitute "sharing" under the CCPA; in that case Section 10A.2 will be updated and an effective opt-out provided (see the Cookie Policy).


    10B. Other jurisdictions

    10B.1. United Kingdom. Processing of UK personal data is governed by the UK GDPR and PECR; the supervisory authority is the Information Commissioner's Office (ICO). Where required, we appoint a UK representative. [UK representative to be confirmed.] UK transfers rely on the UK International Data Transfer Addendum to the EU SCCs.

    10B.2. Brazil (LGPD), Canada (PIPEDA / Quebec Law 25), Singapore (PDPA), Australia (Privacy Act). Where these laws apply, we process personal data in accordance with them, including their data-subject/consumer rights, breach-notification, and international-transfer requirements, and cooperate with the competent authority (e.g., ANPD, OPC, PDPC, OAIC). [Local representative/officer requirements to be confirmed by counsel per market.]


    11. Changes to this Policy

    11.1. We may update this Policy. Material changes are communicated via the Service and/or by email before they take effect. Previous versions are archived and available on request.


    Disclaimer. This document is a drafting framework prepared for review. It must be reviewed and approved by qualified EU legal counsel before use in production. It does not constitute legal advice.