Privacy Policy
Last updated: December 2025
1. Data Controller
Helm is operated by Bruvora Global Private Limited (CIN: [REGISTRATION NUMBER]) ("Company", "we", "us", or "our").
Registered Address: [REGISTERED ADDRESS]
Data Protection Contact: privacy@bruvora.com
2. Information We Collect
2.1 Account Information
When you create an account, we collect your name, email address, and company information. This is used to provide the Service and communicate with you.
2.2 Financial Data
We collect data you input including income records, expenses, contacts, and financial metrics. This data is used solely to provide the Service and is never shared with third parties for marketing purposes.
2.3 Usage Data
We may collect information about how you use Helm, including pages visited, features used, and time spent. This helps us improve the product.
2.4 Device Information
We collect information about your device including browser type, IP address, and operating system for security and service improvement purposes.
3. Legal Basis for Processing
We process your data based on the following legal grounds:
Under GDPR (EU/EEA)
- Contract Performance (Art. 6(1)(b)): To provide the Service you signed up for
- Consent (Art. 6(1)(a)): For analytics and marketing (withdrawable anytime)
- Legitimate Interest (Art. 6(1)(f)): To improve our product and prevent fraud
- Legal Obligation (Art. 6(1)(c)): To comply with tax and regulatory requirements
Under UK GDPR
For users in the United Kingdom, we process data under the same legal bases as outlined above under the UK General Data Protection Regulation.
4. How We Use Your Information
- To provide, maintain, and improve the Service
- To send account notices and transaction reminders
- To improve the product based on usage patterns
- To provide customer support
- To send product updates and marketing (you can opt out)
- To detect and prevent fraud and abuse
- To comply with legal obligations
- To enforce our Terms of Service
5. Data Security
We implement security measures to protect your data, including:
- TLS encryption for all data in transit
- Encryption for sensitive data at rest
- Secure hosting with reputable cloud providers
- Access controls and authentication measures
- Regular security monitoring
While we strive to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
6. Third-Party Processors
We share data with the following categories of service providers:
| Category | Provider | Location |
|---|---|---|
| Hosting | Vercel | US / EU |
| Database | Supabase | EU (Frankfurt) |
| | Resend | US |
| Payments | Polar | EU |
All third-party processors are bound by data processing agreements and are required to maintain appropriate security measures. We may update this list as our service providers change.
7. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including the United States and India. For transfers from the EU/EEA/UK, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Other lawful transfer mechanisms
You may request a copy of the applicable transfer mechanisms by contacting us.
8. Data Sharing
We do not sell your data. We share information only:
- With service providers who help us operate (listed above)
- When required by law, court order, or government request
- To protect our rights, property, or safety
- With your explicit consent
- In connection with a merger, acquisition, or sale of assets (you will be notified)
Artificial Intelligence & Machine Learning
We never use your raw financial data or Personally Identifiable Information (PII) to train public or foundational artificial intelligence models. If we use machine learning to improve the Service (e.g., transaction categorization), it is done in an aggregated, anonymized format or strictly isolated to your own workspace.
9. Your Rights
Under GDPR (EU/EEA) and UK GDPR
You have the right to:
- Access (Art. 15): Request a copy of your personal data
- Rectification (Art. 16): Correct inaccurate personal data
- Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
- Portability (Art. 20): Export your data in a machine-readable format
- Restriction (Art. 18): Limit how we process your data
- Object (Art. 21): Object to processing based on legitimate interest
- Withdraw Consent: Withdraw consent at any time for consent-based processing
- Lodge Complaint: File a complaint with your local supervisory authority
To exercise these rights, contact us at privacy@bruvora.com. We will respond within 30 days (or as required by applicable law).
10. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: Request information about data we collect, use, and disclose
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: Opt out of the "sale" or "sharing" of personal information (we do not sell your data)
- Right to Correct: Request correction of inaccurate personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
To exercise these rights, contact us at privacy@bruvora.com or submit a request through your account settings.
Categories of Data Collected: Identifiers, commercial information, internet activity, professional information.
Categories Sold: None. We do not sell personal information.
Categories Shared for Targeted Advertising: None.
11. Cookies
We use cookies and similar technologies for authentication and essential functionality. See our Cookie Policy for details.
12. Data Retention
We retain your data as long as your account is active or as needed to provide the Service. After account deletion:
- Personal data is deleted within a reasonable timeframe
- Backup copies are purged according to our backup retention schedule
- We may retain anonymized, aggregated data for analytics
- Data required for legal compliance may be retained as required by law
13. Data Breach Notification
In the event of a data breach that affects your personal data, we will:
- Notify affected users without undue delay
- Notify relevant supervisory authorities as required by law (within 72 hours for GDPR)
- Take appropriate measures to mitigate the breach
14. Children's Privacy
Helm is not intended for users under 18 years of age. We do not knowingly collect data from children. If you believe a child has provided us data, contact us immediately and we will delete it.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 30 days before they take effect. Your continued use of the Service after such notice constitutes acceptance of the updated policy.
16. Contact Us
For privacy questions or to exercise your rights:
Company: Bruvora Global Private Limited
Email: privacy@bruvora.com
Address: [REGISTERED ADDRESS]
EU Representative: [EU REPRESENTATIVE]