Privacy Policy | HELM OS — Ireland's AI Sales Platform

Contents

Who We Are
Data We Collect
How We Use Your Data
AI and Automation
Data Sharing
Third-Party Integrations
Data Storage and Security
Data Retention
Your Rights (GDPR)
Cookies
Children's Privacy
Changes to This Policy
Contact and Data Deletion

1 Who We Are

HELM OS is an AI-powered revenue operating system for field sales teams and business owners. We help you manage leads, tasks, pipelines, team communication, and AI-assisted outreach from one platform.

Controller: HELM OS ("we", "us", "our")
Contact: privacy@helmos.io
Platform: helmos.ie

2 Data We Collect

2.1 Account Data

Data	Source	Purpose
Email address	Registration	Authentication, account management, billing
Display name	Profile setup	Showing your identity to teammates
Role and industry	Onboarding	Personalising AI recommendations
Revenue goal and ICP	Onboarding	Building your revenue plan and AI context

2.2 CRM and Business Data

Data	Source	Purpose
Lead records (names, companies, phone numbers, emails)	You enter or import	CRM core functionality
Call logs, notes, follow-up dates	You enter	Sales activity tracking
Pipeline stages and deal values	You enter	Revenue forecasting
Tasks and priorities	You create	Task management
Imported CSV or spreadsheet data	You upload	Bulk lead import

2.3 AI Memory Data

HELM's AI brain builds a persistent memory of your business to improve recommendations over time. This includes:

Patterns in your sales activity and outcomes
Lead scoring signals derived from your pipeline
Business context you share in AI conversations (e.g. "my average deal size is €5,000")
Conversation history within a session (cleared after 7 days unless referenced)

Important: AI memory is scoped to your workspace only. No memory is shared across workspaces or with other HELM users.

2.4 Integration Data (Optional)

Integration	Data Accessed	Stored?
Gmail	Email subject lines and thread context linked to leads	Metadata only — no email body stored server-side
Google Calendar	Event titles, times, and attendees linked to follow-ups	Metadata only
Google Sheets	Lead data you explicitly import	Imported into your CRM only
Airtable	Lead data you explicitly import	Imported into your CRM only

All OAuth tokens are stored encrypted. We request the minimum permissions necessary and never read data you have not explicitly connected.

2.5 Usage and Analytics Data

We collect anonymised usage events (e.g. "dashboard viewed", "AI chat used") to improve product features. This data contains no personal information about your leads or prospects.

2.6 Billing Data

Payments are processed by Stripe. We store only your subscription status, plan tier, and Stripe customer ID — never your card number or payment details.

3 How We Use Your Data

To provide and improve the HELM OS platform
To personalise AI recommendations based on your business context
To process subscription payments and manage your account
To send essential service emails (account, billing, security)
To detect and prevent fraud and abuse
To comply with legal obligations

We do not use your lead data, call logs, or AI conversations to train shared AI models. Your business data stays in your workspace.

4 AI and Automation

HELM Brain uses the Anthropic Claude API to generate responses, recommendations, and actions. When you chat with HELM or trigger an AI action:

Relevant context from your workspace (leads, tasks, memory) is included in the AI prompt
This context is sent to Anthropic's API to generate a response
Anthropic processes this data in accordance with their Privacy Policy
We use Anthropic's zero-data-retention API endpoint where available — prompts are not used to train their models

What HELM AI can see: Only data in your workspace — your leads, tasks, pipeline, and memory. It cannot access other users' workspaces or any external data unless you have explicitly connected an integration.

5 Data Sharing

We never sell your data. We share data only with the following categories of recipients, all bound by data processing agreements:

Recipient	Purpose	Data Shared
Supabase	Database and authentication infrastructure	All app data (encrypted at rest)
Anthropic	AI inference (HELM Brain)	Workspace context included in prompts
Stripe	Payment processing	Email, subscription metadata
Netlify	App hosting and CDN	Web traffic only (no app data)
Google APIs	Gmail and Calendar integrations (optional)	Only if you connect your Google account

If we are required by law or legal process to disclose your data, we will notify you where permitted.

6 Third-Party Integrations

When you connect external services, those services own privacy policies apply to data held on their platforms. HELM only accesses data from these services when you initiate an action (e.g. "read my inbox"). Relevant links:

Google Privacy Policy (Gmail, Calendar, Sheets)
Anthropic Privacy Policy (AI inference)
Stripe Privacy Policy (billing)
Supabase Privacy Policy (database)

7 Data Storage and Security

Infrastructure: Supabase PostgreSQL on AWS (EU region)
Encryption at rest: AES-256 for all stored data
Encryption in transit: TLS 1.2+ for all connections
OAuth tokens: Stored encrypted, scoped per workspace, never shared
Row-level security: Database enforces workspace isolation — users can only read their own workspace data
Authentication: Supabase Auth with email confirmation and session expiry
Payments: Stripe handles all card data — we never receive or store payment details

8 Data Retention

Data Type	Retention Period
Account and CRM data	Duration of account + 30 days after deletion request
AI conversation memory	Short-term: 7 days · Long-term business memory: until you delete it
Billing records	7 years (legal requirement)
Anonymised usage analytics	24 months
OAuth tokens	Until you disconnect the integration
Error logs	30 days

9 Your Rights (GDPR)

If you are located in the EU/EEA or UK, you have the following rights under the General Data Protection Regulation:

Access: Request a copy of all data we hold about you
Rectification: Correct inaccurate data
Erasure ("right to be forgotten"): Request deletion of your account and all associated data
Portability: Export your CRM data in CSV format (available in-app: Settings → Export)
Restriction: Request we stop processing your data in certain circumstances
Objection: Object to processing based on legitimate interests
Withdraw consent: Disconnect integrations at any time in Settings → Connected Apps

To exercise any right, email privacy@helmos.io. We respond to all requests within 30 days.

Data deletion in-app: You can delete your account and all data directly from Settings → Account → Delete Account. This permanently removes all your leads, tasks, AI memory, and workspace data within 30 days.

10 Cookies

HELM OS uses minimal cookies for authentication session management only (Supabase Auth). We do not use tracking cookies, advertising cookies, or third-party analytics cookies that follow you across sites.

Cookie	Purpose	Duration
sb-access-token	Authentication session	Session / 1 hour
sb-refresh-token	Session refresh	7 days

11 Children's Privacy

HELM OS is a professional business tool not intended for users under 18. We do not knowingly collect personal data from minors. If you believe a minor has registered, contact privacy@helmos.io.

12 Changes to This Policy

We may update this policy as we add features. Material changes will be notified by email to registered users at least 14 days before they take effect. The current version is always at helmos.ie/privacy.html.

13 Contact and Data Deletion

For privacy questions, data requests, or to request account deletion:

Email: privacy@helmos.io
In-app: Settings → Account → Delete Account
Response time: Within 5 business days for questions, 30 days for deletion