Terms & Policies
Privacy Policy
Last updated: July 8, 2026
1. Introduction
This Privacy Policy explains how Helin AI Indonesia ("Helin", "we", "us", "our") collects, uses, stores, and shares personal data when you use the Helin website, dashboard, and services at gethelin.com (the "Service"), or when you interact with a Helin-powered chat widget embedded on a customer's website.
Helin is an AI customer-support agent for SaaS companies. Our customers embed a Helin chat widget on their websites; the widget answers their visitors' questions using a knowledge base the customer provides.
If you do not agree with this policy, please do not use the Service.
Contact: support@gethelin.com · Helin AI Indonesia, Karawang City, West Java Province, Indonesia.
2. The two roles we play
Helin handles personal data in two distinct capacities. Your rights and who you should contact depend on which group you fall into:
a) You are a Helin customer (or their team member) — we are the data controller. If you create a Helin account, we decide how and why your data is processed, and this policy applies to you directly.
b) You are a visitor chatting with a Helin widget on someone else's website — we are a data processor. The company whose website you are visiting (our customer) is the data controller of your data. We process your chat messages and any details you submit on that company's behalf and under their instructions. Their privacy policy governs that processing; please direct privacy requests to them first. If you contact us directly, we will forward your request to the relevant customer where required.
3. Data we collect
3.1 From customers (account holders)
| Category | Examples | Source |
|---|---|---|
| Account data | Name, email address, password (hashed) or Google OAuth identity | You, at sign-up |
| Workspace & onboarding data | Company size, tools you use, website domain | You, during onboarding |
| Billing data | Plan tier, subscription status, country, tax status. Card details are collected and processed by Paddle (our merchant of record) — we never see or store full card numbers | You / Paddle |
| Knowledge base content | Documents you upload (PDF, DOCX), text you paste, content of website pages you ask us to crawl | You |
| Usage data | AI replies consumed, features used, dashboard activity, log data (IP address, browser type, timestamps) | Automatic |
| Support communications | Emails you send us | You |
3.2 From end users (visitors chatting with the widget) — processed on our customers' behalf
| Category | Examples |
|---|---|
| Conversation data | Messages the visitor types, AI replies, conversation timestamps |
| Contact / lead data | Name and email, only if the visitor voluntarily submits them via a lead form or handoff form |
| Technical data | Conversation identifier stored in the visitor's browser (see §7), coarse technical logs needed to deliver and secure the Service |
The widget does not use advertising trackers and does not build cross-site profiles of visitors.
4. How we use data (purposes & legal bases)
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Provide the Service: run your agents, answer visitor questions from your knowledge base | Account, knowledge base, conversation data | Contract performance |
| Generate AI answers via our AI subprocessors (see §6) | The visitor's question + relevant knowledge base excerpts | Contract performance |
| Billing & subscription management | Billing data | Contract performance / legal obligation |
| Enforce plan limits, prevent abuse, and secure the Service | Usage data, technical logs | Legitimate interests |
| Improve the Service (aggregate, de-identified analytics) | Usage data | Legitimate interests |
| Communicate with you (service notices, support, and — with consent where required — product updates) | Account data | Contract performance / consent |
| Comply with law | As required | Legal obligation |
We do not sell personal data. We do not use your knowledge base content or your visitors' conversations to train AI models — neither our own nor third parties'. Our AI subprocessors are contractually bound to the same restriction (API data is not used for model training).
5. AI processing — what happens to a chat message
When a visitor sends a message to a Helin widget:
- The message is checked for safety and relevance, and rewritten for better search.
- Relevant excerpts are retrieved from the customer's knowledge base (semantic search).
- The message and those excerpts are sent to our AI subprocessors (OpenAI for answer generation; Voyage AI for search embeddings and reranking) solely to produce the answer.
- The answer is generated strictly from the customer's knowledge base content.
AI subprocessors process this data under data processing agreements as processors; they do not use it for their own purposes or for model training.
AI limitations: answers are machine-generated and may occasionally be inaccurate or incomplete despite grounding safeguards. Conversations may be reviewed by the customer (the website owner) in their dashboard.
6. Who we share data with (subprocessors)
We share personal data only with service providers who help us run Helin, under data processing agreements:
| Subprocessor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, and file storage (knowledge documents, embeddings, conversations) | ap-southeast-1 (Singapore) |
| Cloudflare | Application hosting and content delivery (dashboard, widget) | Global edge network |
| OpenAI | AI answer generation (API) | United States |
| Voyage AI | Search embeddings and reranking (API) | United States |
| Paddle | Payments, invoicing, and tax as merchant of record — Paddle is an independent controller of the billing data it collects | United Kingdom / United States |
We may also disclose data if required by law, to protect our rights or users' safety, or as part of a merger or acquisition (with notice to you).
We will update this list before adding or replacing subprocessors and, where required, notify customers with an opportunity to object.
8. International data transfers
We operate globally. Data may be processed in countries other than your own — including the United States (AI subprocessors) and Singapore (ap-southeast-1, our Supabase project region). Where data of EEA/UK/Swiss residents is transferred to countries without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) and equivalent safeguards in our subprocessor agreements.
9. Data retention
| Data | Retained |
|---|---|
| Account & workspace data | For the life of the account, then deleted within [30] days of account deletion |
| Knowledge base content | Until you delete the source or your account |
| Conversations & leads | Until the customer deletes them or their account; customers can delete individual conversations/contacts from the dashboard |
| Billing records | As long as required by tax and accounting law (kept by Paddle and us) |
| Technical logs | Up to [90] days |
| Backups | Rolling backups expire within [30] days of deletion |
10. Your rights
Depending on where you live (e.g. GDPR in the EEA/UK, CCPA/CPRA in California, UU PDP in Indonesia), you may have the right to:
- Access the personal data we hold about you and receive a portable copy;
- Correct inaccurate data;
- Delete your data ("right to be forgotten");
- Restrict or object to certain processing;
- Withdraw consent at any time (where processing is based on consent);
- Opt out of sale/sharing of personal data (California — note: we do not sell or share personal data for cross-context advertising);
- Not be discriminated against for exercising these rights;
- Complain to your supervisory authority.
To exercise these rights, email support@gethelin.com. We respond within the timeframe required by applicable law (e.g. 30 days under GDPR, 45 days under CCPA). We may need to verify your identity first.
Widget visitors: because we act as a processor, please contact the website owner (our customer) first — they control your data. We support them in fulfilling your request.
11. Security
We take commercially reasonable technical and organizational measures to protect personal data, including: encryption in transit (TLS) and at rest, row-level security isolating each workspace's data, access controls and least-privilege keys for internal systems, isolation of the widget from host websites, and hardening against common web attacks. No system is 100% secure; we will notify affected customers and authorities of personal data breaches as required by law.
12. Children
The Service is a business tool and is not directed at children under 16 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect children's data. Customers are responsible for ensuring their own websites' compliance regarding minors.
13. Changes to this policy
We may update this policy from time to time. We will post the new version on this page with an updated "Last updated" date, and for material changes we will notify customers by email or in-app notice before the changes take effect.
14. Contact
Helin AI Indonesia
Karawang City, West Java Province, Indonesia
Email: support@gethelin.com
