Privacy Policy

Last updated: May 2026

We collect the minimum we need to run Helm. We don't sell your data. We don't use it to train AI models. This page is the long version.

What we collect

  • Account info: name, email, password hash, organisation name. You give us this when you sign up.
  • Workspace data: clients, tasks, time entries, comments, credentials (encrypted), invoices, and anything else you store. You enter this.
  • Connected accounts: Gmail OAuth tokens (encrypted) if you connect email-to-task. Tokens are scoped to read-only access to message metadata and content.
  • Operational logs: activity log (who did what, when), AI call log (which features ran, latency, cost), error logs. Pruned after 30 days.
  • Cookies: a single auth cookie set by NextAuth. No analytics cookies, no advertising cookies, no third-party trackers.
  • Server logs: Vercel records IP, user-agent, and path for every request, retained 4–7 days for diagnostics. We don't add any extra logging beyond this.

What we don't collect

  • Payment card numbers — those go directly to PayPal.
  • Browsing history outside Helm.
  • Location data beyond what's inferable from IP.
  • Health, biometric, or government-ID data.

Why we collect it

To run the service you signed up for. Specifically: to authenticate you, render your workspace, run AI features when enabled, deliver invoice and trial-expiry emails, prevent abuse, and meet our legal obligations. The legal basis is "performance of a contract" (GDPR Art. 6(1)(b)) plus "legitimate interest" (Art. 6(1)(f)) for security and fraud prevention.

Who we share it with

  • Vercel — hosts the app and serves traffic. US/EU regions.
  • Neon — Postgres database hosting. US region.
  • Anthropic — receives AI prompts when AI features are enabled. Their data-use terms forbid training on customer data. Your AI history (which prompts) is logged in our DB; the prompt content is not retained beyond the immediate response.
  • Resend — sends transactional email (password reset, invitations, trial expiring). EU/US data residency.
  • PayPal — processes subscription payments. We pass them an organization ID; they handle the card details.

We don't share data with anyone else unless legally required (subpoena, court order), or you tell us to (e.g. data-export support tickets).

How long we keep it

  • Active workspace data: until you delete it.
  • Soft-deleted workspace: 30 days, then erased.
  • AI call logs, raw captures: 30 days.
  • Activity log: 90 days (configurable).
  • Server logs (Vercel): 4–7 days.

Your rights (GDPR / CCPA)

If you're in a jurisdiction with data-protection laws, you have the right to:

  • Access: see what we have. Use Settings → Workspace → Export.
  • Rectify: correct it. Edit it in the dashboard.
  • Erase: delete your account. Settings → Workspace → Delete workspace.
  • Object: push back on a processing activity. Email privacy@theauctores.com.
  • Port: get a machine-readable copy. CSV export covers this.
  • Withdraw consent: for any optional processing (AI features, Gmail integration). Toggle them off in Settings.

We respond within 30 days. We may verify your identity before acting on a request.

Security

TLS 1.2+ everywhere. AES-256-GCM for the credential vault (with a per-deployment master key, rotatable). Bcrypt for passwords (10 rounds). Tenant data is scoped at the database layer — every relevant table carries an organizationId column and every query is filtered by it. We do internal security reviews of new code paths.

International transfers

Our infrastructure providers (Vercel, Neon, Resend, Anthropic) are based in the US. If you're in the EEA, your data may be transferred to the US under standard contractual clauses. PayPal handles its own cross-border transfer compliance.

Children

Helm is for businesses. We don't knowingly collect data from anyone under 18. If you believe we have, email privacy@theauctores.com and we'll delete it.

Changes

We'll email the workspace owner about material changes 30 days before they take effect. Minor clarifications get a "last updated" bump and no notice.

Contact

Privacy questions: privacy@theauctores.com. General support: support@theauctores.com.

