Heli Privacy Policy
1. Who we are
Heli is operated by Brainpower, a company registered in the Netherlands. For privacy matters, contact us at info@heindewilde.com. We are your data controller for account data, and your data processor for the contact data you store in Heli.
2. What we collect
Account data
When you register with email and password: your email address, a username, and a hashed password. We never store your password in plain text. When you register or sign in with Google: your Google account email address, display name, and a Google account identifier. We do not receive or store your Google password.
Your contact data
Everything you enter into Heli — people, companies, interactions, notes, tags, reminders — is your data. You are the data controller for it; we process it on your behalf to provide the service. You are responsible for having a lawful basis under GDPR to store information about your contacts.
Google Contacts import
If you choose to import from Google Contacts, Heli requests read-only access to your Google Contacts
(contacts.readonly scope). We fetch your contacts, compare them against contacts already in your Heli
account, and present a preview for your confirmation. Only the contacts you explicitly confirm are saved to
your Heli account. We do not retain your Google access token after the import is complete; it is used
once, in memory, and discarded.
The imported contact records (name, email, phone, role, location, notes, organization) become part of
your Heli contact data, governed by section 2 above.
Heli's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically: Google user data is used only to provide the in-app import feature you requested; it is not used for advertising, sold to third parties, or used for any purpose unrelated to the feature.
Server logs
Our infrastructure records IP addresses, request timestamps, and HTTP status codes for security and debugging. These logs are not linked to your account and are purged after 30 days.
3. Legal basis for processing
- Account data — necessary to perform the contract (Art. 6(1)(b) GDPR).
- Your contact data — processed on your behalf under the same contract.
- Google Contacts import — performed only on your explicit request; data is then governed by the contract.
- Server logs — legitimate interest in security and service reliability (Art. 6(1)(f) GDPR).
4. Where data is stored
Data is hosted on Fly.io in Amsterdam (EU) by default. Traffic passes through Cloudflare's network for DDoS protection, TLS termination, and caching. If your account is routed to a replica region (EU/US/APAC), your data may be replicated to Turso infrastructure in that region. All providers are bound by data processing agreements and handle data in accordance with GDPR.
5. Cookies
We use first-party, HttpOnly, Secure cookies for authentication and short-lived OAuth flows only. These include your session cookie, and temporary state cookies used during Google sign-in or Google Contacts import (each expires within 10–15 minutes). None of these cookies contain tracking identifiers or are shared with third parties. We do not use advertising cookies, third-party trackers, or fingerprinting.
6. Analytics
The landing page uses Simple Analytics, a cookieless analytics service that does not collect personal data and is exempt from cookie consent requirements under GDPR. No analytics scripts run inside the authenticated app.
7. Data retention
We retain your account and contact data for as long as your account is active. When you delete your account, all your data is permanently erased from the primary database. Encrypted backups may retain data for up to 30 additional days before they age out.
8. Your rights
Under GDPR you have the right to:
- Access — request a copy of your personal data (use the Export feature in Settings).
- Rectification — correct inaccurate account data in Settings.
- Erasure — delete your account and all data in Settings → Danger zone.
- Portability — export your data as CSV from Settings.
- Restriction / Objection — contact us at info@heindewilde.com.
- Complaint — you may lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens.
9. Self-hosted instances
If you run your own Heli instance, you are the data controller for all data on that instance. This policy does not apply to self-hosted deployments. You are responsible for your own privacy and security obligations.
10. Changes
We will notify registered users by email at least 14 days before any material change to this policy. Minor clarifications may be made without notice; the "last updated" date above always reflects the current version.