Privacy Policy
Last updated: 19 February 2026
1. Who We Are
Helium Systems Ltd ("Helium", "we", "us", or "our") is the data controller for personal data processed through the Helium Systems platform, including the main application, the B2B wholesale portal, the support site, and any satellite applications (Helium Snap, Helium Listings).
If you have questions about this policy or wish to exercise your data rights, contact our Data Protection Officer at dpo@heliumsystems.app.
2. Data We Collect
2.1 Account Data
When you create an account we collect your name, email address, and password (hashed by Firebase Authentication). If you sign up via Google OAuth, we receive your name, email, and profile picture URL.
2.2 Organisation and Team Data
Organisation administrators provide company name, registered address, VAT/tax registration numbers, and contact details. Team member records include name, email, department, role, and optionally salary, hourly rate, and start date.
2.3 Customer Data
Your organisation stores customer records that may include: name, email, telephone numbers, postal addresses, company name, company registration number, tax ID, payment terms, credit limits, and marketing communication preferences.
2.4 Supplier Data
Supplier records may include: company name, contact name, contact email, telephone numbers, postal address, bank details (for payment), and representative information.
2.5 Order and Transaction Data
Orders contain customer name, email, shipping address, billing address, items purchased, quantities, prices, payment method references, and fulfilment status.
2.6 Communications
Customer service conversations, support tickets, and supplier communications may contain personal data in message bodies and attachments.
2.7 AI Interaction Data
When you use Nucleus AI or other AI-powered features, your queries and the system's responses are temporarily stored to provide the conversation experience. AI usage metadata (token counts, feature used) is retained for billing and cost management.
2.8 Analytics and Activity Data
We log administrative actions (who did what, when) for audit and security purposes. Activity logs include the actor's name, email, action performed, and affected entity. These logs are retained for 30 days before automatic deletion.
2.9 Technical Data
We collect standard web request data including IP address, browser type, device type, and referring URL. Firebase Authentication manages session tokens and authentication state.
3. How We Use Your Data
| Purpose | Lawful Basis |
|---|---|
| Providing and operating the platform | Contract performance |
| Processing customer orders and fulfilment | Contract performance |
| Employee/team management | Employment contract / Legitimate interest |
| Customer service and support | Contract performance / Legitimate interest |
| AI-powered features (Nucleus, content generation, compliance documents) | Consent / Legitimate interest |
| Analytics and business intelligence | Legitimate interest |
| Marketing communications | Consent |
| Security monitoring and audit logging | Legitimate interest / Legal obligation |
| Financial record-keeping and tax compliance | Legal obligation |
| Third-party marketplace integration (Amazon, eBay, Shopify, etc.) | Contract performance |
| Shipping and carrier integration | Contract performance |
| Accounting software synchronisation | Contract performance / Legitimate interest |
4. Third-Party Processors
We share personal data with the following categories of service providers, all of whom process data on our behalf under Data Processing Agreements:
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Google Cloud (Firebase) | Infrastructure, authentication, database, storage | All application data | EU (europe-west1) |
| Google AI (Gemini) | AI-powered features | Query context, business data summaries | US (Google AI infrastructure) |
| Google BigQuery | Analytics and reporting | Aggregated business metrics, activity logs | EU (europe-west1) |
| SendGrid (Twilio) | Transactional and marketing email | Recipient email, message content | US |
| Meilisearch | Search indexing | Customer names, order references | EU (self-hosted) |
| Xero / QuickBooks | Accounting synchronisation | Customer contacts, invoices, payments | Regional / US |
| Amazon, eBay, Shopify, WooCommerce, TikTok Shop | Marketplace order sync | Order data, customer details | US / Global |
| FedEx, UPS, DHL, Royal Mail, DPD, Evri | Shipping and label generation | Recipient name, address, phone | US / UK / EU |
| PrintNode | Label and document printing | Label content (addresses) | US |
5. International Data Transfers
Your data is primarily stored in the EU (Google Cloud europe-west1 region, Belgium). Some processors are based in the United States. Where personal data is transferred outside the UK/EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by appropriate technical and organisational measures as required following the Schrems II decision.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Activity / audit logs | 30 days |
| AI interaction events | 14 days |
| AI cost logs | 90 days |
| Nucleus AI sessions | 4 hours active, then expired; hard-deleted after 7 days |
| Customer service conversations | 2 years after closure, then anonymised |
| Webhook delivery logs | 90 days |
| Customer records | Until deletion requested or account closure |
| Order and financial records | 7 years (legal obligation for tax records), then anonymised |
| Account data | Duration of your account, plus 30 days after deletion |
7. Your Rights
Under the UK GDPR and EU GDPR, you have the following rights:
- Right of access — Request a copy of all personal data we hold about you (Subject Access Request).
- Right to rectification — Request correction of inaccurate or incomplete personal data.
- Right to erasure — Request deletion of your personal data where there is no compelling reason for continued processing.
- Right to restrict processing — Request that we limit how we use your data.
- Right to data portability — Receive your personal data in a structured, machine-readable format (JSON).
- Right to object — Object to processing based on legitimate interest, including profiling and direct marketing.
- Rights related to automated decision-making — AI-powered features do not make legally binding decisions without human review. You may request human review of any AI-generated output.
To exercise any of these rights, contact dpo@heliumsystems.app or use the Privacy & GDPR section in your organisation settings. We will respond within 30 calendar days.
8. Cookies and Tracking
We use essential cookies for authentication and session management. Optional cookies for analytics, marketing, and AI features are only set with your consent via our cookie consent banner. You can change your preferences at any time by clicking "Cookie Preferences" in the footer.
Email click tracking is disabled by default. We do not use third-party advertising trackers.
9. AI Processing
When you use AI-powered features (Nucleus AI, compliance document generation, image analysis, customer service suggestions), your queries and relevant business context are processed by Google Gemini AI. This processing occurs on Google's infrastructure and is subject to Google's AI data processing terms. You can opt out of AI features in your cookie preferences or by contacting your organisation administrator.
10. Data Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption at rest (Google-managed keys) and in transit (TLS 1.3+)
- Granular role-based access control with 21 permission modules
- Multi-tenancy isolation ensuring organisations cannot access each other's data
- Session timeout (30-minute idle, 24-hour maximum)
- API key security with SHA-256 hashing, rotation, and IP allowlists
- Webhook payload signing with HMAC-SHA256
- Security headers (HSTS, X-Frame-Options, X-Content-Type-Options) on all applications
- Comprehensive audit logging of administrative actions
11. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where the risk is high, notify affected individuals without undue delay.
12. Children's Data
Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately.
13. Changes to This Policy
We may update this privacy policy from time to time. Material changes will be communicated via email or a prominent notice within the platform. The "Last updated" date at the top indicates the most recent revision.
14. Complaints
If you are unsatisfied with our handling of your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or with your local supervisory authority.
15. Contact
Helium Systems Ltd
Data Protection Officer
Email: dpo@heliumsystems.app