Privacy Policy
Last updated: May 1, 2026. This Privacy Policy describes how Helodata Pte. Ltd. ("Helodata", "we", "us"), a company registered in Singapore, collects, uses, discloses, and protects personal information related to you ("you", "user"), and the rights you have. Please read it carefully.
1. Scope
This policy applies when (a) you visit helodata.com and its subdomains; (b) you register for and use the Helodata console, API, or SDK; (c) you correspond with our sales, support, or compliance teams via email or tickets.
It does not cover third-party websites. When you click outbound links (e.g. sources cited in blog posts, GitHub repositories referenced in docs) you fall under those parties' own privacy policies.
It also does not cover the data you collect from target websites using our service; there you act as data controller and bear your own compliance obligations.
2. Information we collect
Account & profile: at sign-up we collect name, business email, company name, industry, role, optional phone, billing address, tax identifier (where applicable), and KYC documents (see the KYC Policy).
Usage metadata: when you call the API or use the console we record timestamps, source IP, user agent, request path, target domain (we never store request bodies), status code, response size, and billing dimensions (traffic / requests / sessions). We use metadata for billing, rate limiting, abuse mitigation, and capacity planning.
Device and logs: browser type, operating system, screen resolution, language preference, Referer header, and de-identified console interaction trails (clicks, form submissions).
Payment data: credit and debit cards, and bank accounts, are processed and stored by Stripe (PCI-DSS Level 1 service provider). We retain only the brand, last four digits, expiration, and billing address. Crypto settlements retain the on-chain transaction hash and originating address.
Communications: emails to and from sales, support, or compliance; Intercom chat transcripts; ticket contents. Voice calls are not recorded by default, only with explicit consent.
Peer nodes: peers who join via our SDK or app partners explicitly opt in to an 'idle bandwidth in exchange for app features' agreement. We do not collect peers' names, emails, location finer than city-level, device fingerprints, or browsing history.
3. How we use information
Service delivery and maintenance: authentication, quota enforcement, billing, abuse mitigation, technical support, SLA notices.
Security and fraud prevention: detecting anomalous logins, credential stuffing, API abuse, and KYC fraud. Where automated decision-making is involved, you have the right to human review (see Section 9).
Product improvement: analysing usage patterns at aggregated or de-identified level. We never use personal profiles for differential pricing.
Compliance and legal: tax filings, anti-money-laundering, sanctions screening, KYC, export controls, GDPR obligations.
Marketing communications (only with your consent): product updates, feature previews, industry insights. Every email has one-click unsubscribe; opting out does not affect transactional notices like billing or security alerts.
4. Legal bases under GDPR
Performance of contract (Art. 6(1)(b)): account provisioning, API operations, billing, technical support.
Legal obligation (Art. 6(1)(c)): tax reporting, AML, KYC, regulatory disclosure.
Legitimate interests (Art. 6(1)(f)): network security monitoring, product improvement, fraud prevention. We document a balancing test for each processing activity and retain it on file.
Consent (Art. 6(1)(a)): marketing emails, optional cookies. Consent is withdrawable at any time without affecting the lawfulness of prior processing.
5. How we disclose
No sale: we never sell, rent, or share your personal information for third-party marketing.
Sub-processors: limited to vendors strictly necessary to operate the service, each bound by a Data Processing Addendum: Stripe (payments), AWS (infrastructure, eu-west-1 / us-east-1 / ap-east-1), Cloudflare (CDN / WAF), Datadog (log aggregation), Sentry (error monitoring), Intercom (support chat), Sumsub / Onfido (KYC), Postmark (transactional email), HubSpot (CRM, enterprise prospects only). Full list and processing locations available on request from privacy@helodata.com or at /security/sub-processors.
Legal disclosure: only in response to a lawful, valid, and narrowly-scoped court order, subpoena, or regulator request, and only the minimum necessary information. We notify you in advance where legally permitted and publicly commit to challenging requests that are obviously overbroad or jurisdictionally unfounded.
Business transfers: in a merger, acquisition, or divestiture, relevant data may transfer to the successor entity, but only under privacy obligations equal to or stricter than these. We give 30 days' notice in advance.
Aggregated data: fully de-identified statistics that cannot be re-identified may be used in industry reports and blog posts.
6. International data transfers
Our servers are primarily in the EU (Ireland), United States (Virginia), and APAC (Hong Kong). Where your data is stored depends on your location and the product region you select.
Transfers out of the EU rely on (a) Standard Contractual Clauses Modules 2/3 under EU Commission Decision 2021/914; (b) supplementary measures (end-to-end encryption, minimised access, onward-transfer restrictions) where required; (c) a documented Transfer Impact Assessment.
UK transfers rely on the International Data Transfer Agreement (IDTA) or SCCs with the UK Addendum.
Mainland China data exports follow Chapter III of the PIPL, including security assessments or standard contracts where required.
Copies of TIAs, SCCs, and IDTAs are available on request from privacy@helodata.com.
7. Data retention
Account and billing data: duration of the contract plus 7 years (tax, audit).
Usage metadata / API logs: 12-month rolling window, then auto-purged.
Security audit logs: 12 months.
KYC documents: regulator-required minimum 5 years (extended to 10 years for sanctions-list matches).
Support and sales communications: 3 years.
Marketing cookies / contacts: deleted on consent withdrawal or after 3 years of no interaction.
When retention expires we use secure deletion (overwrite or cryptographic destruction); short-lived presence on backup media may persist within rotation cycles.
8. Your rights
The following GDPR / UK GDPR / CCPA / PIPL rights are extended to all users worldwide regardless of residence:
Right of access: obtain a copy of personal information we hold about you.
Right to rectification: correct inaccurate or outdated information.
Right to erasure ("right to be forgotten"): delete your data within the limits set by law.
Right to portability: export in a structured, commonly used, machine-readable format (JSON / CSV).
Right to restrict / object: restrict or object to processing based on legitimate interest.
Right to withdraw consent at any time without affecting prior lawful processing.
Right to object to automated decisions: our KYC and abuse-mitigation systems involve automated decisions; you may request human review (Section 9).
How to exercise: email privacy@helodata.com from your account email and state the request type. We respond within 30 days (GDPR) or 45 days (CCPA), extendable by 60 days for complex requests with prior notice. We do not charge fees unless requests are clearly unfounded or repetitive.
If you believe our processing violates the law, you may complain to your local data protection authority (EU / UK) or the California Attorney General.
9. Automated decision-making
We use automated decisioning in three contexts: (a) sign-up anti-fraud risk scoring; (b) KYC document authenticity and sanctions-list screening; (c) real-time abuse mitigation (DDoS, CSAM, credential-stuffing signatures).
Where these decisions produce significant effects (e.g. account denial or suspension) you have the right to human review, to express your view, and to contest the decision. Email compliance@helodata.com.
10. Cookies & similar technologies
We use strictly necessary cookies (session management, CSRF protection, load balancing); these cannot be disabled.
Functional cookies remember language and light/dark theme, only when you set those preferences.
Analytics cookies use self-hosted Plausible (no fingerprinting, no cross-site tracking).
We do not deploy Google Analytics, Meta Pixel, TikTok Pixel, or any third-party tracker.
A complete cookie inventory is at /legal/cookies.
11. California rights (CCPA / CPRA)
In the past 12 months we collected the following CCPA §1798.140 categories: identifiers; commercial information; internet activity; geolocation (city-level); professional or employment information.
We do not "sell" personal information as defined by the CCPA, nor "share" it for cross-context behavioral advertising.
We do not process "sensitive personal information" as defined by CPRA, although KYC documents may fall within "government identifiers"; we use them only to the minimum extent compliance requires.
California residents may designate an authorized agent; we will verify identity through CCPA standard flows.
12. EU / UK rights
All Articles 13–22 GDPR rights are available to EU/UK data subjects (see Section 8).
Lodge a complaint with EU DPAs at https://edpb.europa.eu/about-edpb/about-edpb/members_en or with the UK ICO at https://ico.org.uk.
EU representative: Helodata EU Rep, EC2A, London, United Kingdom; contact privacy@helodata.com.
13. Children
Helodata services are intended for businesses and adults using them for business purposes. They are not directed to anyone under 18, and we do not knowingly collect personal information from minors.
If you are a parent or guardian and discover your child has provided us with personal information, please contact privacy@helodata.com and we will delete it promptly.
14. Security
TLS 1.3 in transit; AES-256 at rest; keys managed by AWS KMS with automatic rotation.
Production access requires SSO + hardware key + ticketed approval; every access is logged in a tamper-evident audit trail.
The team operates to SOC 2 / ISO 27001 framework controls; the first independent third-party audit is in preparation. Payments are processed by Stripe (PCI-DSS Level 1), keeping us in SAQ-A scope.
No system can be guaranteed absolutely secure, but we commit to industry-leading practices against an evolving threat landscape.
15. Breach notification
In the event of a security incident affecting personal information, we will notify affected data subjects and supervisory authorities within 72 hours of confirmation (GDPR Art. 33–34 standard), describing measures taken and recommended.
16. Policy updates
We may update this policy from time to time. Material changes (new processing purposes, new sub-processors) will be announced via email, console banner, or in-app notice at least 30 days before they take effect. Continued use of the service constitutes acceptance.
Historical versions are archived at /legal/privacy/archive.
17. Contact
- Data Protection Officer: privacy@helodata.com
- Registered legal entity: Helodata Pte. Ltd., Singapore
- EU representative: United Kingdom; contact privacy@helodata.com for the full address
- Sub-processors list: /security/sub-processors