back

Helm
Privacy Policy

Last updated: October 11, 2025

Overview

Controller: Helm, a company to be incorporated in France. Full legal details (SIREN, SIRET, RCS registration, VAT number, legal form, and share capital) will be provided upon company registration.

Contact: privacy@helmkit.com

If you are in the EEA, Helm is your data controller for the purposes described below. You may lodge a complaint with CNIL (cnil.fr).

Scope & Definitions

This Policy explains how we collect, use, disclose, and protect personal data when you use Helm. Capitalized terms not defined here have the meanings in the Terms of Service.

Categories of Data We Process

  • Account & Profile: name, email, business details, languages, skills, service areas, profile photos, preferences, verification/KYC status.
  • Calendar Signals: busy/free and start/end times; if you opt in to enhanced matching, location and (optionally) title.
  • Booking & Operations: invitations, accept/decline, assignments, schedules, chat/notes, completion/cancellation, audit logs.
  • Passenger Data: When Agencies use the Service to coordinate events, we process personal data about passengers/tourists provided by Agencies, including names, contact information (email, phone), nationality, country of residence, age category, and any special requirements or notes necessary for event coordination. This data is processed on behalf of the Agency to facilitate Guide coordination and event delivery.
  • Integrations Data: from Bokun or similar booking/OTA platforms (e.g., event metadata, booking details, and passenger information as described above).
  • Telemetry & Security: device/browser, IP, timestamps, request metadata, error logs.
  • Notifications: email/app/push content and delivery logs.
  • Embeddings/Matching: pseudonymous vectors/IDs used to rank/route Guides.

We do not intentionally collect special categories of data (e.g., health, race, religion). Please do not include such data in free-text fields.

Purposes & Legal Bases (GDPR Art. 6)

  • Provide the Service & Accounts (Art. 6(1)(b)): create and manage accounts; profiles; staffing workflows.
  • Event Coordination (Art. 6(1)(b) or 6(1)(f)): process passenger data on behalf of Agencies to enable Guides to coordinate and deliver events, including communicating with passengers about event details, pickup locations, and special requirements.
  • Availability & Conflict Prevention (Art. 6(1)(b) or 6(1)(f)): process calendar signals to check availability and avoid conflicts/minimize travel time.
  • Security & Fraud (Art. 6(1)(f)): protect accounts, detect abuse, rate-limit, ensure integrity.
  • Product Analytics & Reliability Metrics (Art. 6(1)(f)): compute aggregated/pseudonymized reliability metrics (e.g., staffing rates, response times, conflict detections). We do not use data for advertising and do not sell personal data.
  • Communications (Art. 6(1)(b)/(f)): service emails, operational notifications.
  • Compliance & Reporting (Art. 6(1)(c)): DAC7/tax reporting and legal requests.

Where we rely on legitimate interests, we balance our interests with your rights and implement minimization and opt-outs where feasible.

Roles: Controller vs. Processor

  • Helm acts as independent controller for: accounts, billing, security/fraud, platform analytics, vendor management, and compliance.
  • Helm acts as processor for: passenger data coordination, availability checks, and certain staffing workflows performed on behalf of Agencies/Guides. Our Data Processing Addendum governs such processing (Art. 28), including security measures, subprocessors, and deletion.

Calendar Integration (Google Limited Use)

  1. With your explicit consent, we request read-only access limited to busy/free and start/end times of events. If you enable enhanced matching, we may also read location (and optionally title) to compute travel-time feasibility. We do not access descriptions, attendees, or notes.
  2. Processing is automated. Human access occurs only (i) at your request, (ii) to investigate abuse/security issues, or (iii) if required by law. We do not use calendar data for ads.
  3. You can disconnect in Helm → Settings → Profile → Personal details and revoke access in Google Account → Security → Third-party access at any time.
  4. We comply with Google's API Services User Data Policy (Limited Use).

Sources of Data

  • You: when creating an account, profile, connecting integrations, or communicating with us.
  • Your Organization: Agencies may provide data about their Guides or passengers for coordination purposes.
  • Integrated Services: Bokun and similar booking/OTA platforms provide event/participant metadata necessary to staff and coordinate an event.
  • Automatic Collection: telemetry, logs, cookies (see §12).

Where we receive personal data indirectly, we inform individuals as required or rely on the providing organization's notice and lawful basis.

Disclosures & Subprocessors

We share data with:

  • Payments: Stripe (subscription payment processing for Agencies).
  • Hosting/Delivery: Vercel (hosting/edge, asset storage/CDN).
  • Observability/Security: Vercel, Sentry (error logs), anti-abuse tools.
  • Integrations: Bokun (event sync/coordination).
  • Notifications: Knock & Resend (email/push delivery).
  • ML/Embeddings: Pinecone (vector DB); OpenAI, Anthropic (inference where used; no raw calendar content).
  • Professional advisors & authorities: where legally required.

We do not sell personal data to third parties.

International Transfers

If your data is processed outside the EEA, we implement appropriate safeguards in line with applicable law, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission where subprocessors are located outside the EEA;
  • Adequacy decisions where the destination country has been deemed to provide adequate protection by the European Commission.

No transfers are made for advertising purposes.

Retention

We retain your data for as long as necessary to provide the Service and comply with legal obligations (including tax, accounting, and regulatory requirements).

Specific retention periods depend on the type of data and applicable legal requirements. Generally:

  • Account data: retained until you delete your account, then archived for legal compliance periods.
  • Transaction records: retained for the periods required by French tax and accounting law.
  • Security logs: retained for reasonable periods to detect and prevent abuse.

You may request deletion of your data at any time, subject to our legal obligations to retain certain records.

Your Rights

You have the right to:

  • Access: request a copy of your personal data.
  • Correction: request correction of inaccurate or incomplete data.
  • Deletion: request deletion of your data (subject to legal retention requirements).
  • Restriction: request restriction of processing in certain circumstances.
  • Objection: object to processing based on legitimate interests.
  • Portability: receive your data in a structured, commonly used format.
  • Withdraw consent: where we rely on consent, you may withdraw it at any time.

We will respond to requests within one month (extendable where permitted by law). We may need to verify your identity before processing requests.

EU residents may lodge a complaint with CNIL (Commission Nationale de l'Informatique et des Libertés) at cnil.fr.

Non-EU residents receive comparable rights to the extent required by local law.

To exercise your rights, contact us at privacy@helmkit.com.

Security

We implement reasonable technical and organizational measures to protect your data against unauthorized access, disclosure, or loss, including:

  • Encryption of data in transit (TLS/HTTPS);
  • Access controls and authentication;
  • Restricted production data access to trained personnel under confidentiality obligations;
  • Regular security assessments and monitoring.

We notify you of personal data breaches as required by law.

Cookies & Similar Technologies

We use cookies and similar technologies for:

  • Necessary cookies: authentication, security, and essential Service functionality (no consent required).
  • Analytics/performance cookies: with consent where required, we use Vercel Web Analytics to understand how users interact with the Service. These analytics are privacy-preserving and do not track users across sites.

You can manage cookie preferences through your browser settings. Disabling necessary cookies may affect Service functionality.

Automated Decision-Making & Profiling

We compute availability and skills/fit scores to rank Guides for events. This processing:

  • Uses automated algorithms to match Guides with suitable events based on skills, availability, location, and historical performance;
  • Does not produce legal or similarly significant effects on individuals;
  • Can be objected to, though this may limit staffing features.

You have the right to obtain human intervention, express your point of view, and contest any automated decision.

Children

The Service is not intended for individuals under 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us and we will take steps to delete such information.

Changes to This Policy

We may update this Policy from time to time. Material changes will be notified in advance where feasible (e.g., by email or through a notice in the Service). The "Last updated" date at the top indicates the latest version.

Your continued use of the Service after changes take effect constitutes acceptance of the updated Policy.

Data Processing Addendum

For business users (Agencies and Guides), when Helm acts as a processor on your behalf, our Data Processing Addendum (DPA) sets out additional terms governing data processing, security obligations, subprocessor use, and data subject rights assistance.