GDPR & UK GDPR
Last updated: June 29, 2026
This statement explains how HelmIQ handles personal data under the EU General Data Protection Regulation and the UK GDPR. It sits alongside our Privacy Policy and Data Processing Agreement.
1. Our two roles: controller and processor
HelmIQ plays two distinct roles depending on the data:
- Controller for the account data we collect to run the service: your name, work email, hashed password, firm membership, and operational logs. We decide why and how this is processed.
- Processor for the data your firm loads into HelmIQ (contacts, companies, deals, notes, email and call content). Your firm is the controller of that data; we process it only on your documented instructions under the Data Processing Agreement.
2. Lawful bases (where we are the controller)
- Performance of a contract (Art. 6(1)(b)): creating and operating your account and delivering the service you signed up for.
- Legitimate interests (Art. 6(1)(f)): securing the platform, preventing abuse, debugging, and improving the product in aggregate, balanced against your rights.
- Legal obligation (Art. 6(1)(c)): retaining records where financial-services or tax law requires it.
- Consent (Art. 6(1)(a)): only where we specifically ask for it, which you may withdraw at any time.
Where your firm is the controller of the data it loads, your firm is responsible for establishing the lawful basis for that processing and for the notices it owes its own contacts.
3. Your rights
Subject to the conditions in the GDPR, you have the right to:
- Access the personal data we hold about you.
- Rectify data that is inaccurate or incomplete.
- Erase your data (right to be forgotten).
- Restrict or object to certain processing.
- Receive your data in a portable format.
- Withdraw consent where processing relies on it.
- Lodge a complaint with your supervisory authority (for example, your national Data Protection Authority, or the UK ICO).
You can exercise access, correction, portability, and erasure directly in the product (Settings includes data export and account deletion), or by emailing jack@helmiq.net. If your request concerns data your firm loaded (where we are the processor), we will refer you to that firm as the controller, or act on their instruction.
4. International transfers
HelmIQ is operated from the United States and stores data in US data centers. When personal data of EEA or UK individuals is transferred to us or our sub-processors, we rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), together with the technical safeguards described on our Security page (encryption in transit and at rest, access controls, audit logging). These clauses are offered as part of our Data Processing Agreement.
5. Sub-processors
We use a short list of vetted sub-processors (database, hosting, email, voice, payments, AI inference). The current list, with purpose and region, is published on our Security page. We notify firm owners of material changes before a new sub-processor begins handling customer data, as described in the DPA.
6. Retention
We keep personal data while your account is active, retain it for 30 days after termination in case you reactivate, then permanently delete it. Some records are retained longer where financial-services compliance law requires it, stored separately from your live data. Full detail is in the Privacy Policy.
7. Contact
For any data-protection question or to exercise a right, contact jack@helmiq.net. We respond to verified requests within the timeframes the GDPR requires (generally within one month).
This statement summarizes our practices and is not legal advice. EEA or UK customers requiring a signed Data Processing Agreement with Standard Contractual Clauses should write to jack@helmiq.net.