Privacy Policy

Effective Date: August 12, 2025

Key Information Summary

We employ a hybrid data processing model combining local storage with cloud-based AI services. While based in Germany, we comply with US state privacy laws including CCPA/CPRA. We utilize consent-based analytics and do not sell or share your personal information as defined under applicable law. Contact [email protected] to exercise your privacy rights.

Introduction and Scope

This Privacy Policy describes how helpful bits GmbH ("we," "us," or "our") collects, uses, and shares your personal information when you use our desktop application and related services. This policy applies to all users of our AI-powered workflow automation platform and has been tailored for US users to comply with applicable US privacy laws.

Effective Date: This Privacy Policy is effective as of August 12, 2025.

Company Information

The entity responsible for your personal information is:

helpful bits GmbH
Südliche Münchner Straße 55
82031 Grünwald, Germany
(Operating in the United States)
Email: [email protected]
Phone: Available upon request

Privacy Officer: For privacy inquiries and rights requests, please contact our Privacy Officer at [email protected].

Territorial Scope & Geolocation Controls

The Service is intended only for users in the Approved Regions: the United States (excluding US territories), the European Union/European Economic Area, and the United Kingdom. We process coarse location data (IP-based country determination) to enforce territorial and sanctions restrictions.

Why We Process Location: We collect minimal location data to:

  • Comply with US export control laws and OFAC sanctions
  • Prevent access from comprehensively sanctioned countries
  • Block unauthorized access from non-approved regions
  • Detect and prevent fraud and service abuse

Access Restrictions: If we determine you are outside the Approved Regions or in an OFAC-sanctioned territory, we will immediately block access. We do not knowingly collect or process personal information from residents of non-approved countries. Technical logs of blocked access attempts are retained for security purposes only.

Data Retention: Location verification data is retained only as long as necessary for compliance and security purposes (typically 30 days for access logs, longer if required for legal proceedings or investigations).

Notice at Collection

We collect the following categories of personal information from and about you:

| Category | Examples | Business Purpose | Sources |
|---|---|---|---|
| Identifiers | Email address, username, account ID | Account creation and management | Directly from you |
| Commercial Information | Transaction history, billing records | Payment processing, service delivery | Directly from you, payment processor |
| Internet Activity | Usage data, error logs, performance metrics | Service improvement, technical support | Automatically collected |
| Professional Information | AI prompts, workflow data (when included in prompts) | AI processing, service delivery | Directly from you |

Retention Periods: We retain personal information for the periods specified in our data retention schedule or as required by law:

| Data Category | Retention Period | Retention Criteria |
|---|---|---|
| Account data | Active account + 30 days | Deleted 30 days after account closure |
| Transaction records | 7 years | Tax and accounting requirements |
| AI prompts and outputs | 30 days | Service provision and abuse prevention |
| Security logs | 12 months | Security and fraud prevention |
| Analytics data | 26 months | Service improvement (anonymized after 14 months) |

Criteria for Determining Retention: Where specific periods are not fixed, we determine retention based on: (1) the purpose for which data was collected, (2) legal obligations, (3) statute of limitations for legal claims, and (4) industry best practices.

How We Use Information

We use your personal information for the following purposes:

  • Service Provision: Providing, maintaining, and improving our AI workflow automation services
  • Account Management: Creating and managing your account, authenticating users
  • Payment Processing: Processing payments, maintaining billing records, preventing fraud
  • Customer Support: Responding to your inquiries and providing technical support
  • Security: Protecting against security threats, fraud, and unauthorized access
  • Legal Compliance: Complying with applicable laws, regulations, and legal processes
  • Service Improvement: Analyzing usage patterns to improve our services (with anonymized data)
  • Communications: Sending you important account and service-related communications

Marketing: We do not use your personal information for marketing purposes without your explicit consent.

Desktop Application Privacy

Our desktop application is designed with a hybrid architecture that combines local data storage with cloud-based AI processing:

  • Local Data Storage: Your workflow sessions, history, and application configurations remain stored locally on your device
  • No Content Scanning: We do not scan, index, or automatically transmit the contents of your source code or project files
  • Limited Transmission: We only transmit data you explicitly include in AI workflow prompts and minimal technical metadata for security and updates
  • Optional Telemetry: Anonymous usage statistics and error reports are collected only with your consent and can be disabled in settings
  • Data Minimization: Only essential data required for AI processing is transmitted when you use AI features

Local Data: Your project files, session history, application settings, and any content not explicitly submitted for AI processing remain on your device.

Data Transmission: When you utilize AI-powered features within the Service, the content you explicitly select for processing is transmitted to third-party AI service providers. Additionally, we may collect anonymized error reports (if enabled), usage analytics (subject to your consent), and limited technical metadata necessary for security and service updates.

Information Sharing and Disclosure

We do not sell or share your personal information as defined by the California Privacy Rights Act (CPRA) and other applicable privacy laws. We may disclose personal information in the following circumstances:

Service Providers

We work with trusted third-party service providers who help us deliver our services:

  • Stripe: Payment processing and billing management
  • AI Service Providers: OpenAI, Google AI, xAI, OpenRouter (for AI feature processing)
  • Analytics Providers: Website analytics services (only with your consent)
  • Cloud Infrastructure: Hosting and technical infrastructure providers

Legal Requirements

We may disclose personal information when required by law or to:

  • Comply with legal processes, court orders, or government requests
  • Protect the rights, property, or safety of our company, users, or others
  • Investigate potential violations of our terms of service
  • Respond to claims of intellectual property infringement

Business Transfers

In the event of a merger, acquisition, or asset sale, your personal information may be transferred as part of the business assets. We will provide notice before your information is transferred and becomes subject to different privacy practices.

For a complete and up-to-date list of our service providers and their locations, please visit our subprocessors page.

Third-Party AI Providers

When you use AI features in our application, your prompts and associated data may be processed by third-party AI service providers. Important details about AI data processing:

  • No Training Use: We configure third-party AI providers to disable training where available and to use your data only to provide the Service
  • Limited Retention: Providers may retain short-term logs for fraud, abuse, or security purposes per their policies; we configure providers to disable training where available and to restrict use to providing the Service
  • Data Minimization: Only the content you explicitly include in prompts is sent to AI providers

AI Provider Privacy Policies

Your Privacy Rights by State

Depending on your state of residence, you may have additional privacy rights. Here's a summary of key state privacy rights:

| State | Key Rights | How to Exercise |
|---|---|---|
| California | Know, Delete, Correct, Opt-out of Sale/Share, Non-discrimination | Email [email protected] or use GPC |
| Virginia | Access, Delete, Correct, Opt-out of Sale, Profiling opt-out | Email [email protected] |
| Colorado | Access, Delete, Correct, Opt-out of Sale, Profiling opt-out | Email [email protected] |
| Connecticut | Access, Delete, Correct, Opt-out of Sale, Profiling opt-out | Email [email protected] |
| Nevada | Opt-out of Sale of covered information | Email [email protected] |

Response Time: We will respond to verified requests within 45 days (with possible 45-day extension for complex requests). Some rights may be subject to exceptions under applicable law.

California Privacy Rights (CCPA/CPRA)

California residents have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Know

  • The categories and specific pieces of personal information we collect
  • The categories of sources from which we collect personal information
  • The business or commercial purpose for collecting personal information
  • The categories of third parties with whom we share personal information
  • The categories of personal information we disclose for business purposes

Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions such as:

  • Completing transactions or providing requested goods/services
  • Detecting security incidents or protecting against fraudulent activity
  • Complying with legal obligations
  • Enabling solely internal uses reasonably aligned with your expectations

Right to Correct

You have the right to request correction of inaccurate personal information we maintain about you.

Right to Opt-Out of Sale/Share

We do not sell or share personal information as defined by the CCPA/CPRA. However, if our practices change, we will:

  • Update this privacy policy with clear notice
  • Provide prominent opt-out mechanisms
  • Honor Global Privacy Control (GPC) signals
  • Offer at least two methods for opting out

Right to Non-Discrimination

We will not discriminate against you for exercising your privacy rights, including by:

  • Denying you goods or services
  • Charging you different prices or rates
  • Providing you a different level or quality of goods or services
  • Suggesting that you may receive a different price or rate or level or quality

Sensitive Personal Information

We do not process sensitive personal information such as precise geolocation, Social Security numbers, or financial account numbers. Billing addresses are collected for payment processing but are not considered sensitive personal information under CPRA.

Global Privacy Control (GPC)

We recognize and honor Global Privacy Control (GPC) signals. If your browser or device sends a GPC signal, we will treat it as a request to opt-out of the sale/sharing of your personal information for that browser or device.

Nevada Privacy Rights

Nevada residents have the right to opt-out of the sale of covered information under Nevada Senate Bill 220. We do not sell covered information as defined by Nevada law. However, if our practices change, Nevada residents may opt-out by emailing us at [email protected].

Children's Privacy (COPPA)

Our services are not intended for anyone under 18 years of age, and we do not knowingly collect personal information from individuals under 18. While our service requires users to be 18 or older, we maintain compliance with the Children's Online Privacy Protection Act (COPPA) principles for additional protection.

Parental Rights: If we become aware that we have collected personal information from someone under 18, we will take steps to delete such information immediately. Parents or guardians may:

  • Request to review any information we may have collected from someone under 18
  • Request immediate deletion of such information
  • Report any unauthorized use by minors

Parents or guardians with concerns should contact us immediately at [email protected].

Security Measures

We implement industry-standard technical and organizational security measures to protect your personal data:

  • Encryption: TLS 1.3 for data in transit, AES-256 encryption for data at rest
  • Access Controls: Role-based access control (RBAC) with principle of least privilege
  • Authentication: Multi-factor authentication available via Auth0
  • Monitoring: 24/7 security monitoring and intrusion detection systems
  • Regular Audits: Quarterly security assessments and annual penetration testing
  • Employee Training: Annual security awareness training for all staff
  • Incident Response: Documented incident response plan with 72-hour breach notification
  • Physical Security: Data centers with SOC 2 Type II certification

While we implement robust security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but commit to promptly notifying you of any breach that may impact your rights and freedoms.

Data Breach Notification

In the event of a data breach that creates a substantial risk of identity theft or fraud, we will notify affected individuals without unreasonable delay and in accordance with applicable state and federal laws. Notifications will include:

  • Description of the incident and timeline
  • Types of information involved
  • Steps we are taking to address the breach
  • Steps you can take to protect yourself
  • Contact information for questions

International Data Transfers

Your personal information may be transferred to and processed in countries outside the United States, including Germany where our company is based, and other countries where our service providers operate. We ensure appropriate safeguards are in place for all international transfers through:

  • Contractual protections with service providers
  • Adherence to recognized international frameworks
  • Regular review of data protection practices

How to Exercise Your Rights

To exercise your privacy rights, you may contact us using the following methods:

Email: [email protected]

Subject Line: "Privacy Rights Request"

Mail:

helpful bits GmbH
Privacy Rights Request
Südliche Münchner Straße 55
82031 Grünwald, Germany

Verification Process

To protect your privacy, we will verify your identity before processing rights requests. We may ask you to:

  • Provide information that matches what we have on file
  • Confirm your email address associated with your account
  • Provide additional documentation if necessary for sensitive requests

Authorized Agents

You may designate an authorized agent to make privacy rights requests on your behalf. Authorized agents must provide:

  • Written permission signed by you
  • Proof of their own identity

We may still require you to verify your identity directly.

Do Not Sell or Share Personal Information

We do not sell or share personal information as those terms are defined under applicable privacy laws, including the CCPA/CPRA.

We do not use your personal information for cross-context behavioral advertising or other activities that would constitute "selling" or "sharing" under state privacy laws. If our practices change in the future, we will:

  • Provide clear notice in an updated privacy policy
  • Offer prominent opt-out mechanisms before any sale/sharing begins
  • Honor Global Privacy Control (GPC) signals as an opt-out method
  • Provide at least two methods for opting out

Current Opt-Out Methods

While we do not currently sell or share personal information, you may still exercise opt-out rights using these methods:

  • Email: Send a request to [email protected]
  • Global Privacy Control (GPC): Enable GPC in your browser settings, which we will honor

California "Shine the Light" Law

California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

Cookies and Tracking Technologies

Our website uses cookies and similar technologies to improve your experience. We obtain your consent before placing non-essential cookies:

  • Necessary: Essential cookies required for website functionality (session management, security)
  • Analytics: Website performance and usage statistics (requires consent)
  • Functional: Enhanced user experience features (requires consent)
  • Marketing: Advertising and marketing cookies (requires consent)

Third-Party Cookies

Some third-party services we use may place their own cookies. These are governed by their respective privacy policies:

  • Stripe: Payment processing cookies for security and fraud prevention
  • Analytics Providers: Performance measurement cookies (only with consent)

Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Post the updated policy on our website with a new effective date
  • Notify you via email if you have an account with us
  • Provide additional notice as required by applicable law

We encourage you to review this privacy policy periodically to stay informed about our privacy practices.

Contact Us

If you have questions, concerns, or complaints about this privacy policy or our privacy practices, please contact us:

Privacy Contact Information:

helpful bits GmbH
Privacy Officer
Südliche Münchner Straße 55
82031 Grünwald, Germany
Email: [email protected]
Subject: "Privacy Inquiry"

Response Times

We aim to respond to privacy inquiries within:

  • General inquiries: 7 business days
  • Rights requests: 45 days (with possible 45-day extension)
  • Urgent matters: 1-2 business days

Regulatory Complaints

If you believe we have not addressed your privacy concerns adequately, you have the right to file a complaint with relevant regulatory authorities:

  • California: California Privacy Protection Agency (CPPA)
  • Other States: Your state's Attorney General office
  • Federal: Federal Trade Commission (FTC)