Back to home
Legal

Privacy Policy

Effective Date: January 1, 2025  ·  Last Updated: January 1, 2025

HelmIQ, Inc. is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the HelmIQ platform.

1. Information We Collect

Account and business information: business name, owner name, email, hashed password, billing info (via Stripe tokens only), and staff details.

Client data (entered by you): client names, email addresses, phone numbers, addresses, pet and vehicle profiles, appointment records, signed waivers, and payment records.

Usage data: pages and features accessed, API request logs, browser type, OS, device, IP address, and session identifiers.

Location data: GPS coordinates from the mobile app when Route Optimizer or fleet tracking features are active. Staff can disable GPS from app settings.

From third parties: payment status from Stripe, SMS delivery status from Twilio, and calendar events from Google (if you connect Google Calendar via OAuth).

2. How We Use Information

We use collected information to: provide and operate the Service; process payments and manage subscriptions; send appointment reminders on your behalf; provide AI-powered features; calculate routes and ETAs; prevent fraud and unauthorized access; comply with legal obligations; and send service announcements and (with your consent) marketing communications.

4. Cookies and Tracking Technologies

Session cookies are strictly necessary for authentication and cannot be disabled. Preference cookies remember display settings (sidebar state, locale) and expire after 30 days. We do not serve third-party advertising cookies or use cross-site tracking. Future marketing site analytics will require your consent.

5. Data Sharing and Third-Party Processors

We do not sell, rent, or trade your personal data. We share data only with service providers as necessary to operate the Service:

ProviderPurpose
Stripe, Inc.Payment processing, subscription billing (PCI DSS compliant — no raw card data stored by HelmIQ)
Twilio, Inc.SMS appointment reminders and notifications (A2P 10DLC)
Microsoft AzureCloud hosting, SQL database, blob storage, push notifications, email
OpenAI, LLCAI Assist features — notes generation, scheduling, SMS classification (contractually no model training on your data)
Google LLCGoogle Calendar bi-directional sync (optional, OAuth user-initiated, revocable at any time)

We may also disclose data as required by law, to protect safety, or in connection with a business transfer (with advance notice).

6. Data Retention

Account and client data is retained for the duration of your account plus 90 days post-cancellation. Payment records and audit logs are retained for 7 years per financial regulations. API and error logs are retained for 90 days. GPS location history is retained for 30 days on a rolling basis. Backups are retained for 30 days.

7. Data Security

All data in transit is encrypted with TLS 1.2+. All data at rest is encrypted with AES-256. PII fields are additionally encrypted at the application layer before storage. Passwords are hashed with Argon2id. Application secrets are stored in Azure Key Vault. Access to production systems is MFA-protected and role-limited. We will notify you of a qualifying breach within 72 hours of discovery.

8. International Data Transfers

HelmIQ is based in the United States. For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) and, where applicable, the EU-U.S. Data Privacy Framework. All processors are contractually bound to protect your data.

9. Your Privacy Rights

GDPR rights (EEA/UK/Switzerland): Access, Rectification, Erasure, Restriction, Portability, Object, Withdraw Consent, and Lodge a Complaint with your local supervisory authority.

CCPA rights (California): Know, Delete, Correct, Opt Out of Sale or Sharing (we do not sell data), and Non-Discrimination. California residents may designate an authorized agent.

To exercise any right, email privacy@helmiq.app or use the Privacy Settings in your account. We respond within 30 days (GDPR) or 45 days (CCPA).

10. Children's Privacy (COPPA)

HelmIQ is not directed to individuals under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected such information, contact privacy@helmiq.app and we will delete it promptly.

11. Data Deletion Requests

When you close your account, Customer Content is retained for 90 days then permanently deleted. For GDPR Article 17 erasure requests for individual client records, use Settings → GDPR → Submit Erasure Request in the app. PII fields are anonymized within 30 minutes. Appointment history is retained with anonymized identifiers for financial record purposes.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 30 days before taking effect. Continued use after the effective date constitutes acceptance.

13. Contact Information

Privacy requests: privacy@helmiq.app
General contact: hello@helmiq.app
Data Protection Officer (EU/UK): dpo@helmiq.app
Mailing address: HelmIQ, Inc., [Address TBD], United States

This Privacy Policy was last updated on January 1, 2025. For privacy inquiries, email privacy@helmiq.app.

Terms of Service →