Privacy Policy

1. Data Controller

The data controller responsible for your personal data is:

For any privacy-related inquiries or to exercise your data protection rights, please contact us at the above address.

2. Data We Collect

2.1 Account Information

When you create an account, we collect:

• Email address (required for authentication)
• Name (if provided)

2.2 Order and Transaction Data

When you make a purchase, we collect:

• Purchase history and order details
• Shipping address (for physical products)
• Billing information (processed by Stripe; we do not store complete payment card details)

2.3 Technical and Usage Data

We automatically collect certain information when you use the Services:

• IP address
• Browser type and version
• Device information
• Pages visited and features used
• Date and time of access
• Referring website

2.4 Communication Data

If you contact us, we collect the information you provide in your communication, including your email address and message content.

3. Legal Basis for Processing

We process your personal data based on the following legal grounds (as required by GDPR and Swiss DSG):

• Contract Performance (Art. 6(1)(b) GDPR): Processing necessary to fulfill our contractual obligations to you, including processing orders, managing subscriptions, and providing the Services.
• Legal Obligations (Art. 6(1)(c) GDPR): Processing required to comply with applicable laws, such as tax and accounting requirements.
• Legitimate Interests (Art. 6(1)(f) GDPR): Processing for our legitimate business interests, such as fraud prevention, security, and improving our Services, where such interests are not overridden by your rights.
• Consent (Art. 6(1)(a) GDPR): Where you have given explicit consent, such as for marketing communications. You may withdraw consent at any time.

4. How We Use Your Data

We use your personal data for the following purposes:

• To create and manage your account
• To process and fulfill your orders
• To manage subscriptions and billing
• To send transactional emails (order confirmations, receipts, etc.)
• To provide customer support
• To detect and prevent fraud and security incidents
• To comply with legal obligations
• To improve and optimize the Services
• To enforce our Terms of Service

4.1 Marketing Communications

We will only send you marketing communications (such as newsletters, promotional offers, or product announcements) if you have given us your explicit consent to do so.

Opt-Out: You can withdraw your consent and unsubscribe from marketing communications at any time by:

• Clicking the "unsubscribe" link at the bottom of any marketing email
• Updating your communication preferences in your account settings
• Contacting us at contact@helvety.com

Please note that even if you opt out of marketing communications, we may still send you transactional or service-related communications (such as order confirmations, account notifications, or important service updates) as necessary to provide the Services.

5. Third-Party Service Providers

We share your personal data with the following third-party service providers who process data on our behalf:

All service providers are contractually obligated to protect your data and process it only according to our instructions. Where applicable, we have entered into Data Processing Agreements (DPAs) with these providers.

Stripe: As a PCI DSS Level 1 certified payment processor, Stripe handles all payment card information. We do not have access to or store your complete card details.

6. International Data Transfers

Your personal data may be transferred to and processed in countries outside Switzerland and the European Economic Area (EEA), particularly the United States, where our service providers are located.

For transfers to the USA, we rely on the following safeguards to ensure adequate protection of your data:

• EU-US Data Privacy Framework: Where applicable, our US-based providers are certified under the EU-US Data Privacy Framework.
• Standard Contractual Clauses (SCCs): We use EU Commission-approved Standard Contractual Clauses for data transfers where required.
• Swiss-US Safeguards: We implement appropriate safeguards recognized under Swiss data protection law.

By using the Services, you acknowledge that your data may be transferred internationally as described above.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

• Account data: Retained while your account is active and for up to 2 years after account deletion for legal compliance.
• Transaction data: Retained for 10 years as required by Swiss accounting and tax laws (Art. 958f Swiss Code of Obligations).
• Communication records: Retained for up to 3 years after last contact.
• Technical logs: Retained for up to 90 days for security purposes.

8. Your Rights

Under the GDPR, Swiss DSG, and other applicable laws, you have the following rights regarding your personal data:

• Right of Access (Art. 15 GDPR / Art. 25 DSG): You have the right to request a copy of the personal data we hold about you.
• Right to Rectification (Art. 16 GDPR / Art. 32 DSG): You have the right to request correction of inaccurate or incomplete data.
• Right to Erasure (Art. 17 GDPR): You have the right to request deletion of your personal data, subject to legal retention requirements.
• Right to Restrict Processing (Art. 18 GDPR): You have the right to request limitation of processing in certain circumstances.
• Right to Data Portability (Art. 20 GDPR / Art. 28 DSG): You have the right to receive your data in a structured, commonly used format.
• Right to Object (Art. 21 GDPR / Art. 32 DSG): You have the right to object to processing based on legitimate interests.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting prior processing.

To exercise any of these rights, please contact us at contact@helvety.com. We will respond to your request within 30 days.

Right to Lodge a Complaint: If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. In Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC). In the EU, you may contact the data protection authority in your country of residence.

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to Know: You have the right to request information about the categories and specific pieces of personal information we have collected about you, the sources of that information, our purposes for collecting it, and the categories of third parties with whom we share it.
• Right to Delete: You have the right to request that we delete the personal information we have collected from you, subject to certain exceptions.
• Right to Correct: You have the right to request that we correct inaccurate personal information we maintain about you.
• Right to Opt-Out of Sale/Sharing: You have the right to opt-out of the "sale" or "sharing" of your personal information. We do not sell or share your personal information as defined under CCPA/CPRA.
• Right to Limit Use of Sensitive Personal Information: You have the right to limit the use and disclosure of sensitive personal information.
• Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising your privacy rights.

How to Exercise Your Rights: To exercise any of these rights, please contact us at contact@helvety.com. We will verify your identity before processing your request and respond within 45 days (or up to 90 days in certain circumstances, with notice).

Authorized Agents: You may designate an authorized agent to make a request on your behalf. We may require proof of your authorization and verification of your identity.

10. Cookies and Tracking

We use only essential cookies that are strictly necessary for the operation of the Services. These include:

• Authentication cookies: To keep you logged in during your session.
• Security cookies: To protect against security threats.
• Preference cookies: To remember your settings (e.g., theme preference).

We may use privacy-respecting analytics (such as Vercel Analytics) to understand how our Services are used. These tools are configured to respect user privacy and do not track users across websites.

Essential cookies do not require consent under Swiss and EU law as they are necessary for the Services to function. You can configure your browser to reject cookies, but this may affect your ability to use certain features.

10.1 Do Not Track (DNT)

"Do Not Track" (DNT) is a browser setting that requests websites not to track the user. We do not currently respond to DNT signals in a standardized manner, as there is no industry-wide standard for DNT. However, because we do not engage in cross-site tracking or sell your personal information, the practical effect is the same regardless of your DNT setting.

10.2 Automated Decision-Making

We do not use automated decision-making processes, including profiling, that produce legal effects concerning you or similarly significantly affect you, as described in Article 22 GDPR. While we may use automated tools for fraud detection, spam filtering, or service optimization, these processes do not result in decisions that have legal or similarly significant effects on individuals. If this changes in the future, we will update this policy and, where required, provide you with notice and an opportunity to object.

11. Security Measures

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

• Encryption of data in transit (TLS/HTTPS)
• Encryption of data at rest
• Secure authentication mechanisms
• Access controls and authentication for administrative access
• Regular security assessments
• Secure hosting infrastructure

While we strive to protect your personal data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

11.1 Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority (Swiss FDPIC and/or applicable EU data protection authorities) within 72 hours of becoming aware of the breach, as required by Article 33 GDPR and Swiss DSG
• Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms
• Document the breach, including its effects and the remedial actions taken

Our breach notification will include, where possible: a description of the nature of the breach, the likely consequences, the measures taken to address the breach, and contact information for further inquiries.

12. Children's Privacy

The Services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from children under 18.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at contact@helvety.com. If we become aware that we have collected personal data from a child under 18, we will take steps to delete such information promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. When we make material changes, we will:

• Update the "Last updated" date at the top of this page
• Notify you via email (if you have an account) or through a notice on the Services

We encourage you to review this Privacy Policy periodically. Your continued use of the Services after changes are posted constitutes your acceptance of the revised policy.

14. Contact Information

For any questions about this Privacy Policy or our data practices, or to exercise your data protection rights, please contact us: