Heli Privacy Policy

Last updated: 21 May 2025 · Applies to the cloud service at heli.so

1. Who we are

Heli is operated by Brainpower, a company registered in the Netherlands. For privacy matters, contact us at info@heindewilde.com. We are your data controller for account data, and your data processor for the contact data you store in Heli.

2. What we collect

Account data

When you register with email and password: your email address, a username, and a hashed password. We never store your password in plain text. When you register or sign in with Google: your Google account email address, display name, and a Google account identifier. We do not receive or store your Google password.

Your contact data

Everything you enter into Heli — people, companies, interactions, notes, tags, reminders — is your data. You are the data controller for it; we process it on your behalf to provide the service. You are responsible for having a lawful basis under GDPR to store information about your contacts.

Google Contacts import

If you choose to import from Google Contacts, Heli requests read-only access to your Google Contacts (contacts.readonly scope). We fetch your contacts, compare them against contacts already in your Heli account, and present a preview for your confirmation. Only the contacts you explicitly confirm are saved to your Heli account. We do not retain your Google access token after the import is complete; it is used once, in memory, and discarded. The imported contact records (name, email, phone, role, location, notes, organization) become part of your Heli contact data, governed by section 2 above.

Heli's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically: Google user data is used only to provide the in-app import feature you requested; it is not used for advertising, sold to third parties, or used for any purpose unrelated to the feature.

Server logs

Our infrastructure records IP addresses, request timestamps, and HTTP status codes for security and debugging. These logs are not linked to your account and are purged after 30 days.

3. Legal basis for processing

  • Account data — necessary to perform the contract (Art. 6(1)(b) GDPR).
  • Your contact data — processed on your behalf under the same contract.
  • Google Contacts import — performed only on your explicit request; data is then governed by the contract.
  • Server logs — legitimate interest in security and service reliability (Art. 6(1)(f) GDPR).

4. Where data is stored

Data is hosted on Fly.io in Amsterdam (EU) by default. Traffic passes through Cloudflare's network for DDoS protection, TLS termination, and caching. If your account is routed to a replica region (EU/US/APAC), your data may be replicated to Turso infrastructure in that region. All providers are bound by data processing agreements and handle data in accordance with GDPR.

5. Cookies

We use first-party, HttpOnly, Secure cookies for authentication and short-lived OAuth flows only. These include your session cookie, and temporary state cookies used during Google sign-in or Google Contacts import (each expires within 10–15 minutes). None of these cookies contain tracking identifiers or are shared with third parties. We do not use advertising cookies, third-party trackers, or fingerprinting.

6. Analytics

The landing page uses Simple Analytics, a cookieless analytics service that does not collect personal data and is exempt from cookie consent requirements under GDPR. No analytics scripts run inside the authenticated app.

7. Data retention

We retain your account and contact data for as long as your account is active. When you delete your account, all your data is permanently erased from the primary database. Encrypted backups may retain data for up to 30 additional days before they age out.

8. Your rights

Under GDPR you have the right to:

  • Access — request a copy of your personal data (use the Export feature in Settings).
  • Rectification — correct inaccurate account data in Settings.
  • Erasure — delete your account and all data in Settings → Danger zone.
  • Portability — export your data as CSV from Settings.
  • Restriction / Objection — contact us at info@heindewilde.com.
  • Complaint — you may lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens.

9. Self-hosted instances

If you run your own Heli instance, you are the data controller for all data on that instance. This policy does not apply to self-hosted deployments. You are responsible for your own privacy and security obligations.

10. Changes

We will notify registered users by email at least 14 days before any material change to this policy. Minor clarifications may be made without notice; the "last updated" date above always reflects the current version.