HeyGen

Summary badges: Partial · EU: Not Available · No Training · Custom · Multi-region

Business Plan Price: $29/mo (Creator), $149/mo (Business), billed in USD

Enterprise Features: DPA (all paid tiers), SOC 2 Type II, DPO in Europe, EU-US DPF certified, EU AI Act compliance page

Last Updated: March 23, 2026

HeyGen - GDPR & Data Privacy Overview for European Clients

Version: March 2026 - prepared by WAIMAKERS B.V.


1 Purpose

This overview explains how HeyGen (Free, Creator, Business, and Enterprise tiers) handles data in relation to GDPR, with a focus on European customers. HeyGen is an AI-powered video generation platform that enables users to create synthetic media, including AI avatars and videos, developed by HeyGen Technology Inc. (Delaware, USA).[1][2]


2 Comparison of HeyGen Tiers (EU focus)

Tier       | Training on user data | DPA available              | EU data residency | Biometric retention     | Compliance                              | Price (USD)
Free       | ✅ No training        | ❌ No                      | ⚠️ Not specified  | ≤3 years or on request  | Basic                                   | $0/month (3 videos/month, up to 3 min each)
Creator    | ✅ No training        | ✅ Yes (all paid tiers)    | ⚠️ Not specified  | ≤3 years or on request  | SOC 2, GDPR                             | $29/month (unlimited short videos)
Business   | ✅ No training        | ✅ Yes (all paid tiers)    | ⚠️ Not specified  | ≤3 years or on request  | SOC 2, GDPR                             | $149/month + $20/seat additional
Enterprise | ✅ No training        | ✅ Yes (full DPA with SCCs) | ⚠️ Not specified  | ≤3 years or on request  | SOC 2, GDPR, EU AI Act compliance page  | Custom pricing

Notes for Europe

  • No AI training on user content: HeyGen explicitly states that user inputs, videos, avatars, and generated content are never used to train their AI models.[1][2]
  • Infrastructure location: HeyGen does not publicly disclose specific data center locations (AWS, Azure, GCP) or whether EU-only processing is available. Multi-region infrastructure is likely but unconfirmed.[2]
  • Data Processing Addendum: Now available for all paid tiers (Creator, Business, Enterprise) with Standard Contractual Clauses for international data transfers; the Free plan has no DPA.[3]
  • Biometric data retention: Biometric information (facial geometry for avatar creation) is retained for up to 3 years or deleted upon user request.[4]
  • EU-US Data Privacy Framework (DPF): HeyGen is certified under the EU-US DPF, providing a formal transfer mechanism for EU-US data flows. Before relying on it, confirm that HeyGen's listing on the DPF list is active and covers the data categories you will send (HR data and non-HR data are listed separately).
  • DPO confirmed in Europe: HeyGen has confirmed a Data Protection Officer in Europe, with the Irish DPC as lead supervisory authority.
  • EU AI Act compliance: HeyGen has published an EU AI Act compliance page. Article 50 deepfake labelling obligations apply from August 2026, representing high regulatory exposure given HeyGen's core use case.
  • ISO 27001: Status unconfirmed from current trust center documentation; verify directly with HeyGen sales.
  • Pricing: Global pricing in USD. Creator plan at $29/month; Business plan at $149/month + $20/seat for additional users; Enterprise pricing is custom and negotiated directly with sales.[5][6]

3 Is HeyGen GDPR-Compliant?

Short answer: ⚠️ Partial compliance. HeyGen can be used in a GDPR-compliant way for EU business purposes on the Business and Enterprise plans with a signed DPA; a DPA is now also available on the Creator plan, but not on the Free plan. However, the lack of explicit EU data residency disclosure and infrastructure transparency may be a concern for organisations with strict data localisation requirements.

What applies to all plans:

  • No AI/ML training on user data - HeyGen commits that user inputs, uploaded videos, avatars, prompts, and generated outputs are never used to train their AI models or shared with third parties for training purposes.[1][2]
  • Biometric data transparency - HeyGen provides a detailed Biometric Information Privacy Notice outlining collection, use, and retention of facial geometry data used for avatar creation.[4]
  • Content moderation - A published Content Moderation Policy restricts misuse and requires consent before creating avatars of other individuals.[7]
  • Security certifications - SOC 2 Type II certified; encryption in transit and at rest. ISO 27001 status unconfirmed from current trust center documentation.[8][9]
  • EU-US Data Privacy Framework - HeyGen is certified under the EU-US DPF, providing a formal legal mechanism for transatlantic data transfers.
  • EU AI Act - HeyGen has published a compliance page for the EU AI Act. Article 50 deepfake labelling obligations apply from August 2026 - a significant compliance event given HeyGen's core deepfake/avatar use case.

What's plan-dependent:

  • Free plan: No DPA, no contractual protections, limited to personal use only.
  • Creator plan: DPA available on request; single-user licence with no admin controls. Suitable for solo creators needing basic GDPR contractual coverage.[3]
  • Business plan: $149/month + $20/seat; DPA included; multi-user workspace and admin controls; suitable for teams processing EU personal data.[3]
  • Enterprise plan: Full DPA with Standard Contractual Clauses, advanced admin controls, SSO, and dedicated support.[3][10]

Infrastructure limitations (all plans):

  • Data center locations not disclosed - HeyGen does not publicly document where data is processed or stored (e.g., AWS US-East, EU-West, Azure regions). This lack of transparency may be problematic for GDPR Article 30 processing records.[2]
  • No explicit EU data residency option - Unlike competitors (OpenAI, Anthropic, Microsoft), HeyGen has not published documentation confirming EU-only data processing for Enterprise customers.
  • Multi-region infrastructure assumed - Job postings and technical architecture suggest multi-region cloud deployment, but specifics are unavailable publicly.

What that means in practice:

  • For personal creative projects: Free or Creator plans are acceptable; DPA now available even for Creator if needed for contractual coverage.
  • For small businesses processing EU personal data: Use the Business plan ($149/month + $20/seat) with a signed DPA. Where data flows to the US, document the transfer mechanism (HeyGen's DPF certification or the SCCs in the DPA) and conduct a Transfer Impact Assessment for any transfer that relies on SCCs.
  • For enterprises and regulated industries: Use Enterprise plan; request written confirmation of data processing locations and available regional controls from HeyGen sales before deployment.
  • For organisations with strict EU-only policies: HeyGen may not be suitable until infrastructure transparency improves; consider alternatives with explicit EU data residency (e.g., Adobe Firefly with EU storage, or self-hosted open-source solutions).
  • EU AI Act planning: Organisations using HeyGen for avatar/deepfake content should begin preparing for Article 50 labelling requirements, effective August 2026.

Buyer's note: HeyGen offers strong privacy protections (no training, DPA, certifications) but lacks infrastructure transparency common among enterprise AI vendors. EU customers should request detailed processing location documentation during procurement.


4 Details by Offering

Free Plan

  • Video generation: 3 videos per month, up to 3 minutes each, 720p export, standard processing speed.[5]
  • Data collection: Account data (email, name), video generation history (prompts, settings, outputs), uploaded content for avatar creation.
  • Training: No training on user inputs or outputs.[1]
  • Retention: Biometric data retained for up to 3 years or deleted upon user request. Other user data retained per Privacy Policy (no specific automatic deletion timeline documented).[4][2]
  • Pricing: Free
  • When to use: Testing HeyGen's capabilities, personal creative projects, non-commercial experimentation.
  • When not to use: Any business use, commercial projects, processing of EU personal data without contractual safeguards.

Creator Plan ($29/month)

  • Video generation: Unlimited videos up to 5 minutes each, 1080p export, faster processing, access to Avatar IV (latest generation).[5][6]
  • Features: 1 custom video avatar, 500+ stock avatars, 30+ languages, voice cloning capabilities.
  • Important limitation: Single-user licence; no admin controls, no multi-user workspace. A DPA is available on request, but there is no team governance.
  • Training: No training on user data (same policy as Free).[1]
  • Retention: Same as Free plan.
  • Pricing: $29/month (billed monthly or $24/month billed annually)
  • When to use: Solo creators, freelancers, and content creators not processing EU personal data at scale (sign the DPA if any EU personal data is involved).
  • When not to use: Business workflows requiring team collaboration, admin controls, or processing of identifiable EU personal data at scale.

Business Plan ($149/month + $20/seat additional)

  • Includes: Multi-user workspace, collaboration features, shared brand assets, centralised billing, enhanced support.[10]
  • DPA: Data Processing Agreement available (now available for all tiers) with Standard Contractual Clauses.[3]
  • Admin controls: User management, usage analytics, basic governance features.
  • Pricing: $149/month base price plus $20/month per additional seat.
  • When to use: Small to mid-size teams, agencies, and marketing departments requiring contractual data protection. Replaces the Team plan, which was deprecated in January 2026.
  • When not to use: When explicit EU-only processing is mandatory (verify with HeyGen sales first).

Enterprise Plan (Custom Pricing)

  • Includes: Everything in Business, plus:
    • Full Data Processing Agreement with Standard Contractual Clauses
    • SOC 2 Type II certification (ISO 27001 status unconfirmed; see Compliance below)
    • Single Sign-On (SSO) integration
    • Dedicated account manager and priority support
    • Advanced admin controls and usage reporting
    • Custom avatar and voice development
    • Brand control and governance features
    • API access options[9][10]
  • Compliance: SOC 2 Type II, GDPR-compliant with DPA/SCCs, EU-US DPF certified, CCPA-compliant. ISO 27001 status unconfirmed from current trust center - verify with Enterprise sales.[8][9]
  • Pricing: Custom pricing; negotiate with Enterprise sales based on usage volume and requirements.
  • When to use: Enterprises processing EU personal data, regulated industries, organisations requiring contractual guarantees and advanced security controls.
  • When not to use: Small teams without budget for enterprise licensing; organisations with strict "EU-only" data localisation policies (unless HeyGen can confirm EU-only processing).

5 Data Processing Flow

[User creates video (uploads avatar video, enters script, selects voice)]
  ↓
[Content uploaded to HeyGen infrastructure]
  ├─ Storage location: Not publicly disclosed (likely multi-region cloud)
  ├─ Biometric processing: Facial geometry extracted for avatar creation
  │   └─ Retained ≤3 years or until user requests deletion
  └─ Content moderation: AI + human review for policy compliance
  ↓
[AI video generation processing]
  ├─ Processing location: Not disclosed
  ├─ Models: Proprietary HeyGen avatar/voice synthesis models
  │   ├─ Business/Enterprise (and Creator with signed DPA): DPA applies, no training on user data
  │   └─ Free: No training on user data, no DPA
  └─ Third-party APIs: Voice cloning partners (trusted partners per Privacy Policy)
  ↓
[Generated video returned to user]
  ├─ User can download, share, or delete
  └─ Generation history stored in user account (no automatic purge documented)

Note: HeyGen does NOT use user content for AI training.
Note: Infrastructure and processing locations are not publicly documented.

6 Recommendations (GDPR-first)

  • For personal creative work, Free or Creator plans are suitable; no GDPR concerns for non-commercial use.
  • For freelancers and solo creators not processing personal data, Creator plan offers excellent value.
  • For small to mid-size businesses processing EU personal data, use the Business plan with a signed DPA; if HeyGen confirms US processing, record the transfer mechanism (DPF or SCCs) and conduct a Transfer Impact Assessment for transfers that rely on SCCs.
  • For enterprises and regulated industries, use Enterprise plan and:
    • Request written confirmation of data processing locations from HeyGen sales
    • Conduct Data Protection Impact Assessment (DPIA) per GDPR Article 35
    • Verify availability of EU data residency or regional controls
    • Document subprocessor relationships
  • Do not use the Free plan for business processing of EU personal data (no DPA available); use Creator only for single-user workflows, and only with a signed DPA.
  • Consider alternatives if explicit EU-only processing is a hard requirement and HeyGen cannot confirm EU data residency (e.g., Synthesia with EU hosting, or self-hosted open-source avatar solutions).

7 EU Rollout Checklist (Practical)

  1. Choose the right tier - Business or Enterprise if processing EU personal data; Creator with a signed DPA only for solo creators needing contractual coverage.
  2. Request and sign DPA - A DPA with Standard Contractual Clauses is available for all paid tiers; obtain it from HeyGen.[3]
  3. Verify data processing locations - Contact HeyGen Enterprise sales to confirm:
    • Where data is stored (AWS/Azure/GCP regions)
    • Where video generation processing occurs
    • Whether EU-only processing is available
    • List of subprocessors and their locations
  4. Conduct Transfer Impact Assessment - If data is processed outside the EU/EEA under SCCs, complete a TIA documenting safeguards per GDPR Article 46. Transfers covered by HeyGen's active DPF certification rely on the EU adequacy decision (Article 45) instead; verify the listing and whether each subprocessor is also covered.
  5. Conduct DPIA if needed - For high-risk processing (biometric data at scale, sensitive personal data), complete Data Protection Impact Assessment per GDPR Article 35.
  6. Configure admin controls - For Business/Enterprise, set up user access controls and usage monitoring; on Enterprise, also configure SSO.
  7. Train users on acceptable use - Educate team on HeyGen's Content Moderation Policy, especially consent requirements for avatar creation.[7]
  8. Establish data deletion procedures - Document process for users to request deletion of biometric data and other personal information.[4]
  9. Document vendor relationship - Maintain records of DPA, processing locations (once confirmed), compliance certifications, and subprocessor list for GDPR Article 30 processing records.
  10. Review biometric consent - Ensure users uploading videos for avatars provide explicit consent and understand biometric data collection per HeyGen's Biometric Privacy Notice.[4]

8 Procurement Quick Answers (EU)

Does HeyGen train AI models on our video content?

No. HeyGen explicitly commits that user inputs, uploaded videos, avatars, prompts, and generated outputs are never used to train their AI models.[1][2] This applies to all tiers (Free, Creator, Business, Enterprise).

What is HeyGen's EU data residency offering?

⚠️ Not publicly documented. HeyGen does not disclose data center locations or offer explicit EU-only processing options in their public documentation.[2] Enterprise customers should request clarification from sales and obtain written confirmation of processing locations.

Do we need a Data Processing Agreement (DPA)?

Yes, if processing EU personal data using HeyGen (e.g., creating avatars of employees, generating videos with customer information). DPAs with Standard Contractual Clauses are now available for all paid tiers including Creator.[3] Free plan does not include a DPA.

What compliance certifications does HeyGen hold?

HeyGen maintains SOC 2 Type II certification and is EU-US Data Privacy Framework (DPF) certified.[8][9] ISO 27001 status is unconfirmed from the current trust center - verify with HeyGen sales. A DPA is available for all paid tiers, and HeyGen states CCPA compliance. HeyGen is a member of the Content Authenticity Initiative (CAI) and the Coalition for Content Provenance and Authenticity (C2PA), and has published an EU AI Act compliance page.[11]

How long does HeyGen retain our data?

  • Biometric data (facial geometry for avatars): Retained for up to 3 years or deleted upon user request.[4]
  • Other user data (videos, prompts, account data): Retention periods not explicitly specified in Privacy Policy; users can request deletion under GDPR rights.[2]
  • Generation history: No automatic purge policy documented; users can manually delete content.

What happens to biometric data when we create avatars?

When you upload a video to create a custom avatar, HeyGen extracts biometric information (facial geometry, facial landmarks) to generate the avatar.[4] This data is:

  • Used solely for avatar creation and video generation
  • Never used for AI model training
  • Retained for up to 3 years or deleted upon request
  • Requires explicit consent (provided when uploading video)
  • Subject to GDPR deletion rights

Can users request deletion of their data?

Yes. Under GDPR Article 17 (Right to Erasure), EU users can request deletion of their personal data, including biometric information.[4][2] Contact HeyGen support to initiate deletion requests.

Does HeyGen share data with third parties?

HeyGen uses "trusted partners" for certain services (e.g., voice cloning technology) but does not share user data for AI training purposes.[2] The DPA should include a subprocessor list; Enterprise customers should request this during procurement.[3]


9 Notes & Caveats

  • Infrastructure transparency gap: HeyGen does not publicly disclose data center locations, cloud providers (AWS/Azure/GCP), or regional processing options. This lack of transparency is unusual for enterprise AI vendors and may complicate GDPR Article 30 processing records.
  • No confirmed EU data residency: Unlike competitors (OpenAI Enterprise with EU data residency, Microsoft Azure OpenAI with region selection), HeyGen has not published documentation confirming EU-only processing availability.
  • EU-US Data Privacy Framework certified: HeyGen's DPF certification provides a formal transfer mechanism for EU-US data flows under the EU Commission's adequacy decision, improving the transfer situation compared to relying solely on SCCs. Note that the certification covers HeyGen itself; subprocessors must be assessed separately.
  • DPA now for all paid tiers: Significant improvement - previously only Team/Enterprise had DPA access; Creator plan can now sign a DPA.
  • ISO 27001 status unclear: Previous versions of this document listed ISO 27001 as confirmed; current trust center does not confirm this. Verify with HeyGen sales before relying on it for procurement decisions.
  • EU AI Act - deepfake labelling (August 2026): Article 50 of the EU AI Act requires providers of AI systems that generate synthetic audio, image, or video to mark outputs as artificially generated in a machine-readable format, and requires deployers who generate deepfakes to disclose that the content is artificially generated or manipulated. HeyGen's core use case (avatar generation, voice cloning, video synthesis) is directly in scope, and customers producing deepfake content are deployers with their own disclosure duty. Organisations should begin compliance planning now.
  • Biometric data sensitivity: Creating custom avatars involves processing biometric data (facial geometry). Under GDPR Article 9, biometric data processed for the purpose of uniquely identifying a natural person is special category data; facial geometry of an identifiable person should be treated as such. Organisations must have a valid legal basis (typically explicit consent) and implement appropriate safeguards.[4]
  • Third-party voice cloning: HeyGen partners with third parties for voice cloning features. The privacy implications of these partnerships are not fully detailed in public documentation.[2]
  • Content moderation requirements: HeyGen requires consent from individuals before creating avatars of their likeness. Organisations must establish internal processes to ensure compliance.[7]
  • No automatic data deletion: Unlike some competitors with zero-retention modes, HeyGen does not offer automatic deletion of generation history or time-limited retention windows (except biometric data's 3-year limit).[4]
  • Team plan deprecated (January 2026): The Team plan has been replaced by the Business plan at $149/month + $20/seat. Customers on legacy Team pricing should confirm their contract status with HeyGen sales.[10][6]

10 Disclaimer

This overview is intended solely as an informative tool. We strongly advise customers to thoroughly review all Data Processing Agreements (DPAs) and privacy documentation before deploying HeyGen in production environments - especially when processing biometric data, creating avatars of identifiable individuals, or handling confidential information. WAIMAKERS applies this same principle internally; all tools we use have been thoroughly assessed and included in our own privacy and security documentation. Customers should always carefully evaluate the official documentation, terms, and DPAs of each AI provider they use. WAIMAKERS cannot be held legally liable for any mistakes, errors, inaccuracies, or for the accuracy, currency, or completeness of the information in this document; the ultimate responsibility for GDPR compliance rests with the customer.

Prepared and issued by WAIMAKERS B.V. - March 2026.


References

  • https://www.heygen.com/gdpr - HeyGen GDPR Compliance Statement
  • https://www.heygen.com/privacy-policy - HeyGen Privacy Policy
  • https://www.heygen.com/dpa - HeyGen Data Processing Addendum
  • https://www.heygen.com/biometric-information-privacy-notice - HeyGen Biometric Information Privacy Notice
  • https://www.heygen.com/content-moderation-policy - HeyGen Content Moderation Policy
  • https://help.heygen.com/en/articles/9183134-heygen-privacy-and-security-standards - HeyGen Privacy and Security Standards
  • https://security.heygen.com/ - HeyGen Security Portal (subprocessor list)
