Privacy Policy

Introduction and Scope

This Privacy Policy describes how helpful bits GmbH ("we," "us," or "our") collects, uses, and shares your personal information when you use our desktop application and related services. This policy applies to all users of our AI-powered workflow automation platform.

Data Controller

The data controller responsible for your personal information under the General Data Protection Regulation (GDPR) is:

Data Protection Contact: For data protection inquiries, please contact our Data Protection Contact at [email protected].

Territorial Scope & Geolocation Controls

The Service is intended only for users in the Approved Regions: the European Union/European Economic Area, the United Kingdom, and the United States. We process coarse location data (IP-based country determination) to enforce territorial and sanctions restrictions.

Location Processing: We process location data based on our legitimate interests in:

• Ensuring compliance with export control and sanctions laws
• Preventing unauthorized access from restricted territories
• Protecting our service from fraudulent use

Access Denial: If we determine you are outside the Approved Regions or in a restricted jurisdiction, we will deny access and may delete or minimize related personal data consistent with our retention policy. We do not knowingly collect personal data from residents of other countries, except minimal technical logs associated with blocked access attempts.

Data Minimization: Location data is processed only at a country level and is not used for any purpose other than territorial compliance. This data is retained for the minimum period necessary for security and legal compliance (typically 30 days for access logs).

Definitions

• Personal Data: Any information relating to an identified or identifiable natural person
• Processing: Any operation performed on personal data, including collection, storage, use, or deletion
• Data Subject: The natural person to whom personal data relates
• Controller: The entity that determines the purposes and means of processing personal data

Data Categories We Collect

• Account Data: Email address, username, authentication credentials
• Authentication Data: Managed securely through Auth0 identity platform
• Billing Data: Transaction records, billing address (payment processing via Stripe)
• Usage Data: Anonymized application usage statistics, error reports
• AI Interaction Data: Prompts and workflow data sent to AI providers when using AI features
• Website Analytics: Page views, session data (with consent)

Desktop Application Data

Our desktop application employs a distributed architecture where primary data storage occurs locally on your device. Your workflow data, project files, and configurations remain under your direct control. We do not automatically scan, index, or transmit the contents of your source code or project files. Such content is only processed when you explicitly submit it for AI-powered analysis. We may collect anonymized usage statistics and error reports to improve our service performance.

Legal Basis for Processing

We process your personal data based on the following legal bases under Article 6 of the GDPR:

• Consent (Art. 6(1)(a) GDPR): For optional features such as website analytics, marketing communications, and non-essential cookies
• Contract Performance (Art. 6(1)(b) GDPR): For service provision, account management, processing payments, and fulfilling our contractual obligations
• Legitimate Interests (Art. 6(1)(f) GDPR): For security measures, fraud prevention, service improvement, and protecting our systems and users
• Legal Obligation (Art. 6(1)(c) GDPR): For tax compliance, regulatory requirements, and other legal obligations

Where we rely on legitimate interests, we have carefully balanced our interests against your rights and freedoms, ensuring your interests do not override our legitimate business interests.

Desktop Application

Our desktop application is designed with a hybrid architecture that combines local data storage with cloud-based AI processing:

• Local Data Storage: Your workflow sessions, history, and application configurations remain stored locally on your device
• Limited Transmission: We don't transmit project contents except when you send them in prompts or enable diagnostics. Limited technical metadata (e.g., device, version, network) may be sent for security/updates
• Optional Telemetry: We may collect anonymized usage statistics and error reports to improve application performance. You can opt out of telemetry collection in the application settings
• Data Minimization: Only essential data required for AI processing is transmitted when you use AI features

Local Data: Your project files, session history, application settings, and any content not explicitly submitted for AI processing remain on your device.

Data Transmission: When you utilize AI-powered features within the Service, the content you explicitly select for processing is transmitted to third-party AI service providers. Additionally, we may collect anonymized error reports (if enabled), usage analytics (subject to your consent), and limited technical metadata necessary for security and service updates.

Sharing and Processors

We work with trusted third-party service providers (data processors) to deliver our services. We do not sell or share personal information under the California Privacy Rights Act (CPRA). Our processors include:

• Stripe: Payment processing
• AI Service Providers: OpenAI, Google AI, xAI, OpenRouter (for AI feature processing)
• Analytics: Website analytics providers (with consent)

For a complete and up-to-date list of our data processors and their locations, please visit our subprocessors page.

Third-Party AI Providers

When you use AI features in our application, your prompts and associated data may be processed by third-party AI service providers. Important details about AI data processing:

• Training Data Usage: We configure third-party AI providers to disable training where available and to use your data only to provide the Service. Providers may retain limited logs for fraud, abuse, or security for short periods per their policies
• Data Minimization: Only the content you explicitly include in prompts is sent to AI providers
• Limited Retention: Providers may retain short-term logs for fraud, abuse, or security per their policies; we configure to disable training where available and restrict use to providing the Service

AI Provider Privacy Policies

• OpenAI: Privacy Policy
• Google Gemini: Privacy Policy
• OpenRouter: Privacy Policy
• xAI: Privacy Policy

For the complete and current list of AI providers we work with, please check our subprocessors page.

International Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), particularly when using AI service providers and other third-party processors. We ensure appropriate safeguards are in place for all international transfers:

• Adequacy Decisions: We rely on European Commission adequacy decisions where available for countries deemed to provide adequate protection
• Standard Contractual Clauses (SCCs): We use EU Standard Contractual Clauses (Implementing Decision 2021/914) with processors in non-adequate third countries
• Supplementary Measures: We implement additional technical and organizational measures as recommended by EDPB Recommendation 01/2020 to ensure effective protection
• Periodic Review: We periodically review and update safeguards (SCCs/adequacy, plus supplementary measures) as needed

For detailed information about our current data processors, their locations, and the specific safeguards in place, please visit our subprocessors page.

Data Retention Periods

We retain personal data only as long as necessary for the purposes outlined in this policy or as required by law:

Criteria for Determining Retention: Where specific periods are not fixed, we determine retention based on: (1) the purpose for which data was collected, (2) legal obligations, (3) statute of limitations for legal claims, and (4) industry best practices.

Security Measures

We implement industry-standard technical and organizational security measures to protect your personal data:

• Encryption: TLS 1.3 for data in transit, AES-256 encryption for data at rest
• Access Controls: Role-based access control (RBAC) with principle of least privilege
• Authentication: Multi-factor authentication available via Auth0
• Monitoring: 24/7 security monitoring and intrusion detection systems
• Regular Audits: Quarterly security assessments and annual penetration testing
• Employee Training: Annual security awareness training for all staff
• Incident Response: Documented incident response plan with 72-hour breach notification
• Physical Security: Data centers with SOC 2 Type II certification

While we implement robust security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but commit to promptly notifying you of any breach that may impact your rights and freedoms.

Your Rights

Under the GDPR and other applicable data protection laws, you have the following rights regarding your personal data:

• Right of Access: Obtain information about processing of your personal data and receive a copy of your data
• Right to Rectification: Correct inaccurate or incomplete personal data
• Right to Erasure: Request deletion of personal data ("right to be forgotten") under certain circumstances
• Right to Restriction of Processing: Restrict processing in certain situations
• Right to Data Portability: Receive your data in a structured, commonly used, and machine-readable format
• Right to Object: Object to processing based on legitimate interests or for direct marketing purposes
• Right to Withdraw Consent: Withdraw consent where processing is based on consent, without affecting the lawfulness of processing before withdrawal
• Right to Lodge a Complaint: Lodge a complaint with a supervisory authority if you believe your rights have been violated
• Rights Related to Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you

How to Exercise Your Rights

Contact us at [email protected] with your request. We will respond within one month of receiving your request, as required by GDPR Article 12(3). In complex cases, this period may be extended by two additional months.

Supervisory Authority

You have the right to lodge a complaint with your local data protection authority. In Germany, you may contact:

Detailed Legal Basis for Processing

We process your personal data only when we have a valid legal basis under Article 6 of the GDPR:

Cookies and Tracking

Our website uses cookies and similar technologies in compliance with §25 TDDDG (German Telecommunications-Telemedia Data Protection Act) and the GDPR:

• Consent-Based Processing: Non-essential cookies and third-party SDKs load ONLY after you provide opt-in consent through our consent banner
• No Pre-Ticked Boxes: Our consent interface does not use pre-selected options - all consent must be actively given
• Strictly Necessary Cookies: Essential cookies required for website functionality (such as session management and security) are exempt from consent requirements under §25 TDDDG
• Withdraw Consent: You can withdraw your consent at any time through your browser settings or by clicking the "Manage cookie settings" button below

Types of Cookies We Use

• Necessary: Authentication, security, and core website functionality
• Analytics: Website performance and usage statistics (requires consent)
• Functional: Enhanced user experience features (requires consent)
• Marketing: Marketing and advertising cookies (requires consent)

Children's Privacy

Our services are not intended for anyone under 18 years of age. We do not knowingly collect personal information from individuals under 18. If we become aware that we have collected personal information from someone under 18, we will take steps to delete such information immediately.

Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or applicable laws. We will notify you of any material changes by posting the updated policy on our website and updating the effective date. Your continued use of our services after such changes constitutes acceptance of the updated policy.

Contact Us

If you have any questions about this privacy policy or our data practices, please contact us at [email protected]. You also have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated.

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay and within 72 hours of becoming aware of the breach, where feasible and as required by GDPR. Notifications will be made via email to your registered address or through prominent notice on our website.

CPRA Compliance

California residents have additional rights under the California Privacy Rights Act (CPRA). You may exercise these rights by contacting us at [email protected].

Additional California Rights

• Right to Know: Information about the categories and specific pieces of personal information collected
• Right to Delete: Request deletion of personal information, subject to certain exceptions
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out: Opt out of the sale or sharing of personal information
• Right to Non-Discrimination: Not be discriminated against for exercising your privacy rights

Do Not Sell or Share

We do not sell or share personal information as defined by the CPRA. We do not use your personal information for cross-context behavioral advertising. However, if our practices change in the future:

• We will update this policy and provide appropriate opt-out mechanisms
• We will honor Global Privacy Control (GPC) signals as an opt-out method
• We will provide at least two methods for opting out of sales or sharing

Opt-Out Methods

While we currently do not sell or share personal information, California residents may opt out using these methods if needed in the future:

• Email us at [email protected]
• Use Global Privacy Control (GPC) browser settings, which we will honor