Helmies

Last updated · 11 May 2026

Privacy Policy

This policy explains what personal data Helmies Oy (“Helmies”, “we”, “us”) collects when you use app.helmies.fi (the “Service”), why we collect it, and the rights you have over it under the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act.

1. Data controller

Helmies Oy (Y-tunnus 3577819-7), 15110 Lahti, Finland, is the data controller for personal data processed in the Service. Contact: info@helmies.fi.

2. What we collect

We collect only the data we need to run the workspace and provide the features you use:

  • Account data — your name, email address, and profile photo when you sign in with Google. We do not store your Google password.
  • Workspace content — anything you create or upload inside Helmies: customers, projects, tasks, invoices, time entries, files, calendar appointments, finance receipts, and the text extracted from them.
  • Connected services — when you connect Google Calendar (or another integration), we store the OAuth access and refresh tokens needed to sync, plus the calendar events themselves.
  • Operational logs — IP address, browser user-agent, and timestamps for security and abuse prevention. Retained for up to 30 days.

We do not collect: payment card data (handled directly by Stripe / Paytrail when applicable), browsing history, location data, biometric data, or any data from people who are not registered users.

3. Why we process it (legal basis)

  • Performance of contract — running your workspace, authenticating you, storing the content you create, and syncing with the integrations you connect.
  • Legitimate interest — keeping the service secure, preventing abuse, and improving reliability through anonymous usage metrics.
  • Legal obligation — keeping accounting records (invoices, expenses) for the period required by Finnish law (currently six years).

4. AI processing of your documents

When you upload a receipt or invoice to the Finance module, the document is sent to a vision-capable language model so it can extract the merchant, amount, date, and other fields. The model runs on infrastructure we control (or, when explicitly enabled, a third-party model provider listed in your workspace settings). Extracted text is stored alongside your transaction to power search. We do not use your documents to train any model.

5. Who we share data with

We share personal data only with processors who help us run the Service, and only what they need to do their job. Current processors:

  • Hosting provider — server hosting in the EU.
  • Supabase Inc. — open-source authentication and storage stack, self-hosted on our own infrastructure.
  • Google Ireland Ltd. — OAuth sign-in and (if you connect it) calendar sync.
  • European Central Bank / frankfurter.app — historical exchange-rate lookups (no personal data sent).
  • Apollo.io— B2B contact data provider used for sales-lead enrichment (see “Data obtained from third parties” below).

We never sell personal data. We never share it with advertisers.

5b. Data obtained from third parties (enrichment)

For sales and lead-qualification purposes we may obtain limited business contact information about professionals from a third-party B2B data provider (currently Apollo.io) rather than directly from the individual. This is disclosed in line with Article 14 GDPR.

  • Categories: name, work email, employer, job title, and public professional profile links (e.g. LinkedIn). No special-category data.
  • Source: Apollo.io’s B2B dataset. We record the source and retrieval date on each enriched record internally.
  • Purpose: assessing and contacting potential business customers.
  • Legal basis: legitimate interests (Art. 6(1)(f)) in B2B prospecting, balanced against the individual’s rights.

If you are an individual whose data we obtained this way, the rights in section 8 (access, rectification, erasure, objection) apply in full — contact us and we will tell you exactly what we hold and where it came from.

6. Where data is stored

All workspace data is stored on servers physically located in the European Union. Backups are encrypted and stored in the EU. When you connect Google Calendar, calendar event data also exists on Google servers under their privacy terms.

7. How long we keep it

  • Active accounts: as long as the account is active.
  • Closed accounts: deleted within 90 days of closure, except for accounting records we must keep under Finnish law (kept six years).
  • Operational logs: 30 days.

8. Your rights

Under the GDPR you have the right to:

  • Access your personal data and get a copy.
  • Correct inaccurate or incomplete data.
  • Erase your data, subject to legal retention requirements (see §7).
  • Restrict or object to certain processing.
  • Port your data to another service in a machine-readable form.
  • Lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi).

Most of these you can act on yourself in the workspace. For anything you cannot, email info@helmies.fi and we will respond within 30 days.

9. Cookies and local storage

We use only strictly necessary cookies — to keep you signed in and to remember your theme and sidebar preferences. No analytics, tracking, or advertising cookies.

10. Security

Data is encrypted in transit (HTTPS) and at rest. Access to production systems is limited to named personnel and protected by multi-factor authentication. We assess our infrastructure regularly and patch promptly. If we ever learn of a breach affecting your data, we will notify you and the Finnish Data Protection Ombudsman within 72 hours of discovery, as required by the GDPR.

11. Changes to this policy

We may update this policy from time to time. Material changes will be announced inside the workspace and via email at least 30 days before they take effect. The “Last updated” date at the top reflects the current version.

12. Contact

Helmies Oy
Y-tunnus 3577819-7
15110 Lahti, Finland
info@helmies.fi