Privacy Policy
Last updated: February 7, 2026
Helvety by Rubin ("we," "us," or "the Company") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use Helvety services ("the Services"). This policy complies with the Swiss Federal Act on Data Protection (DSG/nDSG), the EU General Data Protection Regulation (GDPR), and other applicable data protection laws.
1. Data Controller
The data controller responsible for your personal data is:
Helvety by Rubin
Holeestrasse 116
4054 Basel
Switzerland
Email: contact@helvety.com
Phone: +41 79 870 02 08
For any privacy-related inquiries or to exercise your data protection rights, please contact us at the above address.
2. Data We Collect
2.1 Account Information
When you create an account, we collect your email address for authentication purposes. We use a secure authentication process: new users (and existing users without a passkey) receive a verification code by email and then complete passkey setup or verification; existing users with a passkey sign in directly with their passkey (using biometrics on your device). We store:
- Your email address (used for authentication and account recovery)
- A unique internal identifier (UUID) generated automatically
- Passkey credentials (public key and metadata for authentication)
- Encryption passkey parameters (PRF salt values for deriving encryption keys, for Helvety Tasks which uses end-to-end encryption)
Your email address is used solely for authentication (verification codes for new users, passkey for returning users) and important account notifications. We do not share your email with third parties for marketing purposes.
2.2 Order and Transaction Data
When you make a purchase, we collect:
- Purchase history and order details
- Shipping address (if and when physical products are offered)
- Billing information (processed by Stripe; we do not store complete payment card details)
2.3 Technical and Usage Data
We automatically collect certain information when you use the Services:
- IP address
- Browser type and version
- Device information
- Pages visited and features used
- Date and time of access
- Referring website
2.4 Communication Data
If you contact us, we collect the information you provide in your communication, including your email address and message content.
2.5 License Validation Data
For enterprise products (such as SharePoint extensions), our software may validate licenses by sending your organization's tenant identifier (e.g., "contoso" from contoso.sharepoint.com) to our servers at store.helvety.com. This data:
- Does not include personal data, only your organization's tenant identifier
- Is used solely to verify your subscription status
- Is processed in accordance with this Privacy Policy
- Is cached locally to minimize API calls and ensure offline reliability
2.6 Data Provision Requirements
In accordance with GDPR Article 13(2)(e), we inform you about whether providing personal data is a statutory or contractual requirement:
- Account Creation: Creating an account requires your email address (for verification codes when signing up or recovering access) and passkey setup using your device's biometrics (Face ID, fingerprint, or PIN). Your email is necessary for account verification and recovery. A unique identifier is generated automatically.
- Purchases: When you make a purchase, payment and billing information (including email, name, and address) is collected directly by our payment processor, Stripe. This information is required to process your order and is subject to Stripe's privacy policy. Helvety does not collect or store this information directly.
- License Validation: For enterprise products, sending your organization's tenant identifier is necessary for license validation. Without this, the software cannot verify your subscription status.
- Communication: Providing contact information when you reach out to us is voluntary but necessary if you wish to receive a response.
2.7 Encryption Data
Helvety Tasks uses end-to-end encryption to protect your data. For this service, we store:
- PRF parameters (Pseudo-Random Function extension data) used to derive encryption keys from your passkey
- Encrypted data fields (where applicable)
Important: Encryption keys are derived client-side in your browser using the WebAuthn PRF extension. We never have access to your actual encryption keys. This zero-knowledge architecture means that even if our servers were compromised, your encrypted data would remain protected.
Browser Requirements: End-to-end encryption requires a modern browser with WebAuthn PRF support (Chrome 128+, Edge 128+, Safari 18+, Firefox 139+ desktop only). Firefox for Android does not support the PRF extension.
3. Legal Basis for Processing
We process your personal data based on the following legal grounds (as required by GDPR and Swiss DSG):
- Contract Performance (Art. 6(1)(b) GDPR): Processing necessary to fulfill our contractual obligations to you, including processing orders, managing subscriptions, and providing the Services.
- Legal Obligations (Art. 6(1)(c) GDPR): Processing required to comply with applicable laws, such as tax and accounting requirements.
- Legitimate Interests (Art. 6(1)(f) GDPR): Processing for our legitimate business interests, such as fraud prevention, security, and improving our Services, where such interests are not overridden by your rights.
- Consent (Art. 6(1)(a) GDPR): Where you have given explicit consent, such as for marketing communications. You may withdraw consent at any time.
4. How We Use Your Data
We use your personal data for the following purposes:
- To create and manage your account
- To process and fulfill your orders
- To manage subscriptions and billing
- To send transactional emails (order confirmations, receipts, etc.)
- To provide customer support
- To detect and prevent fraud and security incidents
- To comply with legal obligations
- To improve and optimize the Services
- To enforce our Terms of Service
4.1 Marketing Communications
We will only send you marketing communications (such as newsletters, promotional offers, or product announcements) if you have given us your explicit consent to do so.
Opt-Out: You can withdraw your consent and unsubscribe from marketing communications at any time by:
- Clicking the "unsubscribe" link at the bottom of any marketing email
- Updating your communication preferences in your account settings
- Contacting us at contact@helvety.com
Please note that even if you opt out of marketing communications, we may still send you transactional or service-related communications (such as order confirmations, account notifications, or important service updates) as necessary to provide the Services.
5. Third-Party Service Providers
We share your personal data with the following third-party service providers who process data on our behalf:
| Provider | Purpose | Location |
|---|---|---|
| Vercel Inc. | Website hosting, delivery, privacy-focused analytics, and performance monitoring (Speed Insights on helvety.com) | USA |
| Supabase Inc. | Database and authentication | USA |
| Stripe Inc. | Payment processing | USA |
| Resend Inc. | Transactional email delivery (SMTP relay via Supabase) | USA |
| Upstash Inc. | Rate limiting | USA |
All service providers are contractually obligated to protect your data and process it only according to our instructions. We have entered into Data Processing Agreements (DPAs) with these providers. We maintain a record of processing activities (Verzeichnis der Bearbeitungstätigkeiten) as required by Art. 12 nDSG and Art. 30 GDPR.
Stripe: As a PCI DSS Level 1 certified payment processor, Stripe handles all payment card information. We do not have access to or store your complete card details. Stripe may perform automated fraud analysis on payment data as part of its processing services; for details, see Stripe's Privacy Policy.
Resend: Resend operates as a sub-processor of Supabase for email delivery. Email addresses and transactional email content (such as verification codes) transit through Resend's infrastructure.
6. International Data Transfers
Your personal data may be transferred to and processed in countries outside Switzerland and the European Economic Area (EEA), particularly the United States, where our service providers are located.
For transfers to the USA, we rely on the following safeguards to ensure adequate protection of your data:
- EU-US Data Privacy Framework (DPF): Where applicable, our US-based providers are certified under the EU-US Data Privacy Framework. Key providers such as Vercel, Stripe, and Supabase participate in the DPF.
- Swiss-US Data Privacy Framework: The Swiss Federal Data Protection and Information Commissioner (FDPIC) has recognized the Swiss-US Data Privacy Framework (effective September 15, 2024) as providing adequate protection for data transfers to certified US organizations.
- Standard Contractual Clauses (SCCs): Where providers are not certified under the DPF, or as an additional safeguard, we use EU Commission-approved Standard Contractual Clauses for data transfers.
By using the Services, you acknowledge that your data may be transferred internationally as described above. You can obtain further information about the safeguards in place by contacting us at contact@helvety.com.
7. Data Retention
We retain data only for as long as necessary to fulfill the purposes for which it was collected:
- Account data: Your account consists of your email address, an internal identifier (UUID), and passkey credentials. This data is retained while your account is active and for up to 2 years after account deletion for legal compliance.
- Transaction data: Subscription and purchase records (linked to your account ID and Stripe customer ID) are retained for 10 years as required by Swiss accounting and tax laws (Art. 958f Swiss Code of Obligations). Note that your email and billing details are stored by Stripe, not by Helvety.
- Communication records: Retained for up to 3 years after last contact.
- Technical logs: Retained for up to 90 days for security purposes.
- Subscription data: Retained for the duration of your subscription plus 10 years for tax and accounting compliance. Subscription history (plan changes, upgrades, downgrades, cancellations) is retained as part of transaction records.
8. Your Rights
Under the GDPR, Swiss DSG, and other applicable laws, you have the following rights regarding your personal data:
- Right of Access (Art. 15 GDPR / Art. 25 DSG): You have the right to request a copy of the personal data we hold about you.
- Right to Rectification (Art. 16 GDPR / Art. 32 DSG): You have the right to request correction of inaccurate or incomplete data.
- Right to Erasure (Art. 17 GDPR): You have the right to request deletion of your personal data, subject to legal retention requirements.
- Right to Restrict Processing (Art. 18 GDPR): You have the right to request limitation of processing in certain circumstances.
- Right to Data Portability (Art. 20 GDPR / Art. 28 DSG): You have the right to receive your data in a structured, commonly used format.
- Right to Object (Art. 21 GDPR / Art. 32 DSG): You have the right to object to processing based on legitimate interests.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting prior processing.
To exercise any of these rights, please contact us at contact@helvety.com with the subject line "Data Export Request," "Account Deletion Request," or a description of the right you wish to exercise. We will verify your identity and respond to your request within 30 days.
Right to Lodge a Complaint: If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. In Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC). In the EU, you may contact the data protection authority in your country of residence.
9. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: You have the right to request information about the categories and specific pieces of personal information we have collected about you, the sources of that information, our purposes for collecting it, and the categories of third parties with whom we share it.
- Right to Delete: You have the right to request that we delete the personal information we have collected from you, subject to certain exceptions.
- Right to Correct: You have the right to request that we correct inaccurate personal information we maintain about you.
- Right to Opt-Out of Sale/Sharing: You have the right to opt-out of the "sale" or "sharing" of your personal information. We do not sell or share your personal information as defined under CCPA/CPRA.
- Right to Limit Use of Sensitive Personal Information: You have the right to limit the use and disclosure of sensitive personal information.
- Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising your privacy rights.
How to Exercise Your Rights: To exercise any of these rights, please contact us at contact@helvety.com. We will verify your identity before processing your request and respond within 45 days (or up to 90 days in certain circumstances, with notice).
Authorized Agents: You may designate an authorized agent to make a request on your behalf. We may require proof of your authorization and verification of your identity.
11. Security Measures
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:
- Encryption of data in transit (TLS/HTTPS)
- Encryption of data at rest
- Client-side end-to-end encryption using passkey-derived keys (for applicable services)
- Zero-knowledge architecture where encryption keys are never transmitted to or stored on our servers
- Secure authentication mechanisms
- Access controls and authentication for administrative access
- Rate limiting to protect against brute force attacks on authentication endpoints
- CSRF (Cross-Site Request Forgery) protection using secure token validation
- Automatic session timeout after periods of inactivity
- Security event logging for audit trails and incident response
- Regular security assessments
- Secure hosting infrastructure
While we strive to protect your personal data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.
11.1 Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- For EU residents: Notify the applicable EU data protection authority within 72 hours of becoming aware of the breach, as required by Article 33 GDPR
- For Swiss residents: Notify the Swiss FDPIC as soon as possible after becoming aware of the breach, as required by Article 24 nDSG
- Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms
- Document the breach, including its effects and the remedial actions taken
Our breach notification will include, where possible: a description of the nature of the breach, the likely consequences, the measures taken to address the breach, and contact information for further inquiries.
11.2 End-to-End Encryption
Helvety Tasks implements end-to-end encryption to protect your task data. Other Helvety services (helvety.com, Helvety Auth, Helvety PDF, Helvety Store) do not use end-to-end encryption. For Helvety Tasks:
- Encryption keys are derived from your passkey using the WebAuthn PRF (Pseudo-Random Function) extension
- All encryption and decryption operations occur locally in your browser
- We store only PRF parameters (salt values) that allow your device to re-derive the same key
- We cannot decrypt your data as we never possess your encryption key
- Your passkey (stored on your device) is the only way to access encrypted data
This approach ensures that your encrypted data remains protected even in the event of a data breach on our servers. Browser requirements for end-to-end encryption: Chrome 128+, Edge 128+, Safari 18+, Firefox 139+ (desktop only).
12. Children's Privacy
The Services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from children under 18.
If you are a parent or guardian and believe your child has provided us with personal data, please contact us at contact@helvety.com. If we become aware that we have collected personal data from a child under 18, we will take steps to delete such information promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. When we make material changes, we will:
- Update the "Last updated" date at the top of this page (this date is displayed automatically)
- Notify you via email (if you have an account) or through a notice on the Services
We encourage you to review this Privacy Policy periodically. Your continued use of the Services after changes are posted constitutes your acceptance of the revised policy.
14. Contact Information
For any questions about this Privacy Policy or our data practices, or to exercise your data protection rights, please contact us:
Helvety by Rubin
Holeestrasse 116
4054 Basel
Switzerland
Email: contact@helvety.com
Phone: +41 79 870 02 08