Privacy Policy

Last updated: June 29, 2026

HelmIQ is a customer-relationship platform built for M&A advisory firms. We hold sensitive deal information on behalf of every firm that uses us, and we treat that responsibility as the foundation of the product, not an afterthought.

This page explains exactly what we collect, how we use it, who else sees it, and how to get it back or delete it. If anything here is unclear, write us at jack@helmiq.net and we'll answer in plain English.

1. What we collect

Account & firm data

Your name, email address, and bcrypt-hashed password.
Two-factor (TOTP) secret, encrypted at rest with AES-256-GCM.
Your firm's name, optional logo, and per-org settings.
Membership role within your firm (owner / admin / member / viewer).

Your firm's data

Contacts, companies, and deals you create or import.
Notes, tasks, and meeting transcripts (when you turn on the meeting bot).
Email content sent through HelmIQ's sequencing engine, plus delivery metadata (opens, clicks, replies, bounces).
Call recordings and transcripts (when you turn on call recording with consent).

This is your firm's data. It is logically isolated from every other firm on the platform via per-row organizationId scoping enforced on every API route. We never use it to train AI models, sell to third parties, or include it in marketing.

Integration tokens

Gmail / Outlook OAuth refresh tokens, encrypted at rest. Used to send and read email under your authorization. Scopes are limited to what each feature needs.
Google Calendar / Microsoft Calendar OAuth refresh tokens, encrypted at rest. Used to read free/busy and create events.
Google Drive / OneDrive / SharePoint OAuth refresh tokens, encrypted at rest. Used (read-only) to view and download files you connect or use in HelmIQ workflows.
InvenAPI key (when you connect one), encrypted at rest. Used only to call Inven's public API on your behalf.
Twilio account credentials (when configured), encrypted at rest.
Slack webhook URLs (when configured), encrypted at rest.
DocuSign / Zoom OAuth tokens (when configured), encrypted at rest.

Operational data

Request paths, response codes, IP addresses, and error stacks. Used for debugging and abuse prevention. Retained roughly 90 days, then deleted.
Audit log of every mutation on deals, contacts, members, and integration keys. Retained for the life of the account for compliance review.

2. How we use it

To operate the Service: render your dashboard, send your email, run the cron jobs that move deals forward.
To send transactional email (verification, password reset, team invites, daily summaries), only ever to addresses you have given us.
To improve the Service in aggregate, anonymized form (e.g., median time to first deal email after signup).
We do not sell, rent, or share your data with third parties for advertising. There is no third-party tracking on the authenticated app.

3. AI providers and sub-processors

Most AI features (call summaries, contact intel, draft emails, sequence generation, task suggestions) run through a unified AI gateway (Concentrate) configured for Zero Data Retention (ZDR). Under ZDR, those requests are routed only to model providers that certify zero retention: currently Anthropic (Claude) and OpenAI (GPT). For gateway requests, your prompts and the AI’s outputs are not retained by the model providers, and a request that cannot be served by a zero-retention provider is refused rather than downgraded. The gateway itself keeps an encrypted log of requests and responses for your firm’s own history; that logging is a separate control we can disable on request.

Some features call OpenAI directly rather than through the gateway: the in-app assistant, call transcription, semantic-search indexing, and certain research and contact-lookup helpers. For these, OpenAI does not use your data to train its models, and retains it only within OpenAI’s standard abuse-monitoring window (removed when zero-retention is enabled on the account).

In all cases, no AI provider we use trains its models on your data, and we never sell it or use it for advertising.

Other sub-processors:

Concentrate: AI gateway. Routes model requests to providers under Zero Data Retention; keeps an encrypted request/response log for your firm’s history (disable on request).
OpenAI: model inference for the in-app assistant, call transcription, and semantic search. Does not train on your data; retention per OpenAI’s data-control terms.
Neon: managed Postgres database (US-East).
Vercel: application hosting and edge network.
Twilio: voice calls, SMS, and number provisioning.
Stripe: payment processing. We never see your card number.
Resend / Postmark: transactional email delivery, when configured.
Cloudflare R2: call-recording object storage, when configured.

The current sub-processor list, with each one's purpose and region, is also published on our Security page, which is the canonical version. We notify firm owners before a new sub-processor begins handling customer data, and you may object on reasonable data-protection grounds (see the Data Processing Agreement). If a security breach ever affects your data, we will notify you without undue delay, and in any event within 72 hours of confirming it, as committed in the DPA.

4. Connected accounts (Google, Microsoft, Zoom)

When you connect an account, HelmIQ requests only the OAuth scopes the features you use require, and only to provide features that are visible to you inside HelmIQ. You can disconnect any account at any time in Settings, and you can request full deletion of the associated data (see “Your rights” below).

Google (Gmail, Google Calendar & Drive)

When you connect a Google account, HelmIQ requests only the scopes needed to power the features you turn on. The scopes we currently request are:

openid: used to authenticate user sign-in.
userinfo.email: used to identify the connected Google account email address.
userinfo.profile: used to identify the connected Google account profile.
calendar.freebusy: used to check user availability when scheduling meetings.
calendar.readonly: used to read calendar information needed to display calendar context and support scheduling workflows inside HelmIQ.
calendar.events: used to read meeting and event details and to create, update, and manage calendar invites scheduled through HelmIQ.
gmail.readonly: used to read and sync email activity relevant to a user’s deals, contacts, companies, and CRM timeline.
gmail.drafts.create: used to create Gmail drafts from HelmIQ for outreach and follow-up emails initiated by the user.
gmail.send: used to send emails that users explicitly approve or configure through HelmIQ, including outbound outreach and follow-up messages.
drive.readonly: used to view and download Google Drive files that users connect or use in HelmIQ workflows, including files related to meetings, contacts, companies, deal records, and CRM activity.

How HelmIQ uses Gmail access

To read and sync email activity relevant to your deals and contacts.
To create drafts that you initiate from HelmIQ.
To send emails you have explicitly approved.
To run outreach sequences you have configured.

How HelmIQ uses Google Calendar access

To check your availability and free/busy when scheduling.
To read calendar information needed to display calendar context and support scheduling workflows inside HelmIQ.
To read meeting and event details.
To create, update, and manage calendar invites that you schedule through HelmIQ.

How HelmIQ uses Google Drive access

To view and download Google Drive files that you connect or use in HelmIQ workflows.
To work with files related to your meetings, contacts, companies, deal records, and CRM activity.

Google API Services User Data Policy: Limited Use

HelmIQ’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically: information received from Google Workspace APIs is used only to provide and improve user-facing features that are prominent in HelmIQ. We do not sell Google Workspace data, and we do not use or transfer Google Workspace data for advertising, marketing, or unrelated purposes. We do not use Google Workspace data to train generalized or non-personalized AI or machine-learning models, and no AI provider we use trains its models on your Google Workspace data. AI processing of your Google Workspace data follows the data-retention terms described in section 3. We allow humans to read this data only with your explicit consent, where necessary for security (such as investigating abuse), or to comply with applicable law. Data is transferred only with your consent, for security, to comply with law, or in connection with a merger or acquisition with prior user notice.

HelmIQ does not use Google Workspace data to delete Drive files, modify Drive files, change Drive permissions, archive emails, delete emails, modify Gmail labels, or change Gmail settings unless a user explicitly takes an action that requires such functionality.

HelmIQ does not sell Google user data. HelmIQ does not use Google Workspace API data for advertising. HelmIQ does not use Google Workspace API data to train generalized AI or machine learning models.

You can disconnect your Google account at any time from Settings, which stops future access and revokes our stored tokens. You can request deletion of the data associated with your Google account by contacting us (see “Your rights” below).

Microsoft (Outlook mail, Calendar, Files, Teams)

Outlook mail (read and send) and Calendar (read and write): the same conversation-logging, reply, and scheduling features described for Google, on Microsoft 365 accounts.
OneDrive / SharePoint files (read): used only when you ask the in-app assistant to find or reference a file you point it to.
Online meetings: to create Teams meeting links for events you schedule through HelmIQ.

Zoom

When you connect Zoom, HelmIQ creates Zoom meeting links for meetings and bookings you schedule through HelmIQ, and identifies the authorized Zoom user. HelmIQ does not access Zoom recordings, transcripts, or chat messages. If you remove HelmIQ from your Zoom account, we delete the associated tokens and data on receipt of Zoom’s deauthorization notice.

5. Security

All traffic is served over TLS.
Passwords are stored as bcrypt hashes (never plaintext, never reversible).
Two-factor TOTP secrets and integration OAuth tokens are encrypted at rest with AES-256-GCM. Backup codes are stored as SHA-256 hashes.
Multi-tenant data isolation is enforced server-side on every API route via organizationId scoping. There is no client-trusted org parameter.
Auth endpoints are rate-limited per IP to prevent brute-force attacks.
An immutable audit log captures all mutations to deals, contacts, members, and integration credentials.
2FA is offered to every user and can be enforced at the firm level.

6. Your rights

Access: export every record on your account at any time from Settings → Data.
Correction: edit or delete any field directly in the app.
Portability: CSV and JSON exports cover contacts, companies, deals, notes, tasks, and audit log.
Deletion: a firm owner can request deletion of the account and all its data in Settings (Data tab), or by emailing jack@helmiq.net. Nothing is deleted automatically: we review and process requests within 30 days and confirm by email.
Restriction: disable any AI feature in Settings without deleting your data.

7. Data retention

We keep your data while your account is active. On termination we retain it for 30 days (in case you reactivate) and then permanently delete it.

Audit logs may be retained beyond that window per applicable financial-services compliance requirements (typically up to seven years for dealing-record retention) but are stored separately from your live data.

8. International transfers

Data is stored in United States data centers. When personal data of individuals in the EEA or UK is transferred to us or our sub-processors, we rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), as set out in our GDPR statement and Data Processing Agreement. Region-specific hosting is available on request for enterprise customers. Write us at jack@helmiq.net.

9. Children

HelmIQ is a B2B product for investment professionals. It is not intended for anyone under 18 and we do not knowingly collect their data.

10. Changes to this policy

Material changes will be announced by email to firm owners 30 days before they take effect. Non-material edits (typo fixes, clarifications) take effect immediately and bump the “Last updated” date at the top.

11. Contact

Privacy questions, deletion requests, or anything else: jack@helmiq.net.

For everything else, including sales and support: jack@helmiq.net.

Postal address: 30 N Gould Street, Sheridan, WY 82801, United States.

This document is a plain-English summary of our actual practices, not legal advice. If you need a counter-signed Data Processing Agreement (DPA) for enterprise procurement, write to jack@helmiq.net.