privacy policy

Helia is operated by Lucas Neves Pereira, trading as Snowztech (SIREN 907 666 887), a French sole proprietorship. As the operator of gethelia.dev, app.gethelia.dev, and api.gethelia.dev, we are the data controller for the personal data described below. Contact: gethelia@protonmail.com.

Account data. Email address, a bcrypt hash of your password, optional display name, and the name of the workspace you create. We never store your password in plain text.

Workspace data. Sources you upload (PDFs, pasted text, crawled pages), tool configurations and the encrypted headers you provide, widget branding (colour, copy, suggestions), and the identity-signing secret for your widget (encrypted at rest with AES-256-GCM).

Conversation data. Messages your end-users send to the assistant, the assistant's replies, the tool calls and search queries the assistant performs, and the snippets it cites. When your widget passes a signed user identity, the verified user id and name are stored alongside the conversation.

Usage data. Token counts per message, request timestamps, and request paths. Used for billing, quotas, and diagnostics.

Technical data. IP address (for rate limiting and abuse prevention), user-agent string, and the session cookie that keeps you logged in (httpOnly, secure, same-site).

We process this data only to run the service: authenticate you, generate replies, enforce monthly token quotas, send transactional emails (verification, password reset), surface usage and conversation history in your admin, and protect the service from abuse and fraud.

We do not run analytics scripts, advertising pixels, or third-party trackers on any Helia surface. We do not profile users or use conversations for any purpose other than serving the next turn.

Performance of a contract. Authenticating you, generating replies, processing payment when paid plans are active.

Legitimate interest. Security, abuse prevention, rate limiting, and aggregated reliability metrics.

Legal obligation. Retaining billing records for the periods required by French and EU tax law (when paid plans are active).

We do not train models on your data. We do not sell your data. We do not share data across workspaces. Your end-users' conversations are visible only to you (and only to the workspace members you invite, once that feature ships).

We use the following subprocessors. Each receives only the data required to perform its function. Several are located in the United States; transfers rely on the Standard Contractual Clauses (SCCs) adopted by the European Commission.

• OpenAI Ireland Ltd (Ireland), LLM inference and embeddings.
• Neon Inc. (USA), Postgres database hosting.
• Railway Corp. (USA), application and API hosting.
• Vercel Inc. (USA), marketing site hosting.
• Resend Inc. (USA), transactional email delivery.

Active accounts. Account, workspace, and conversation data are kept for as long as your account is active.

Deleted accounts. When you delete your account from settings, all associated data (workspace, sources, tools, conversations) is purged from our primary database within 30 days. Backups roll over within 90 days.

Email verification and reset tokens. Expire after 24 hours and 1 hour respectively, and are deleted from the database after use.

Diagnostic logs. Application logs containing IP addresses and request paths are kept for 90 days.

Under GDPR you can request access to your data, correct it, delete it, restrict its processing, port it to another service, and object to its processing. Most of these are available directly from your settings page (edit profile, export conversations, delete account). For anything else, email us.

You also have the right to lodge a complaint with the French data protection authority, the CNIL.

Passwords are hashed with bcrypt. Identity-signing secrets and tool headers are encrypted at rest with AES-256-GCM. All traffic uses HTTPS. Session cookies are httpOnly, secure, and same-site. Database access is limited to the operator.

We use one cookie (helia_session) to keep you logged in. It is strictly necessary and exempt from consent requirements under EU ePrivacy rules. We store your theme preference (light or dark) in your browser's localStorage, and the embedded widget stores a conversation id in sessionStorage to group messages during a visit. None of these are used for tracking or advertising.

Helia is not directed at children under 16. If we learn we have collected data from a child under 16 without parental consent, we will delete it.

We will email account holders before making material changes to this policy. The "last updated" date at the top reflects the most recent revision.

Questions, or to exercise your rights: gethelia@protonmail.com.