Privacy Policy
This policy explains what information Helm collects, how we use and protect it, and your choices. Helm is a personal productivity assistant: each customer runs their own private, isolated instance of the software on infrastructure we manage on their behalf.
1. Who this applies to
This policy covers the Helm service and the accounts you connect to it (calendar, email, and the information you create in the app).
2. Information we collect
- Account information: your name, email address, and a securely hashed password used to sign in to your Helm instance.
- Google Calendar data (via the Google Calendar API): your list of calendars and your calendar events (titles, times, locations, descriptions, attendees). We request read and write access so you can view, create, update, and sync events. This is the only category of Google data we access.
- Email (via IMAP): if you choose to connect an email account, you provide your own mail credentials (an app-specific password). We mirror your messages into your private instance to display them and power assistant features. Access is read-only — Helm never sends, moves, flags, or deletes mail in your mailbox.
- Other connected calendars (e.g. Zoho via CalDAV), using credentials you provide.
- Content you create: tasks, notes, habits, focus sessions, and similar information you enter.
- Technical data: basic logs needed to operate and secure the service.
3. Google user data — Limited Use disclosure
Helm's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We access only Google Calendar data. We do not request Gmail, Drive, or Contacts access.
- Google Calendar data is used solely to provide and improve the user-facing features you request (viewing your schedule, daily briefings, meeting preparation, and creating/updating events).
- We do not sell Google user data, use it for advertising, or use it to train generalised AI/ML models.
- We do not allow humans to read your Google data except where you give explicit consent (e.g. to troubleshoot a problem you report), where required for security or to comply with the law, or where the data is aggregated/anonymised for operations.
4. How we use your information
To operate your private Helm instance: to display and organise your schedule, tasks, notes, and email; to generate briefings and reminders; to prepare you for meetings; and to power your private AI assistant when you interact with it.
5. AI assistant processing
Helm works with an AI assistant you control. When you interact with the assistant, the information needed to answer you (which may include calendar, task, or email content) is sent to the AI model provider you select and configure (for example Anthropic, OpenAI, or OpenRouter) using your own API key, solely to provide the assistant features you request. Where the provider offers it, we configure for no retention and no model training on your data. Your use of a provider is also subject to that provider's terms and privacy policy.
6. How we store and protect your information
- Your data is stored on your own dedicated instance, isolated from other customers — there is no shared customer database.
- Account credentials and connected-service secrets (OAuth tokens, app passwords) are encrypted at rest.
- Connections use HTTPS/TLS. We apply controls including hashed passwords, scoped access tokens, content-security policies, and rate limiting.
- Backups are encrypted and stored securely.
7. Sharing and sub-processors
We do not sell your information. We share it only with the limited service providers needed to run the service: the hosting provider (the server your instance runs on), the AI model provider you choose (see section 5), and a payment processor (for billing — they do not receive your calendar or email content). We may also disclose information if required by law.
8. Data retention
We retain your information while your subscription is active. On cancellation or termination, we provide an export of your data on request and then permanently delete your instance and its data within a defined wind-down period (see our Terms of Service).
9. Your rights
You may request access to, correction of, export of, or deletion of your personal information by emailing support@helmhub.app. You can revoke Helm's access to your Google account at any time from the Google Account permissions page. If you are in Australia and have a concern we cannot resolve, you may contact the Office of the Australian Information Commissioner (OAIC).
10. Cross-border processing
Some providers we use (e.g. AI model providers, hosting) may process data outside Australia. We take reasonable steps to ensure appropriate protection consistent with the Australian Privacy Principles.
11. Children
Helm is intended for business use by adults and is not directed to children.
12. Changes to this policy
We may update this policy from time to time. Active customers will be notified of material changes, and the “Last updated” date above will change.
13. Contact
38South Digital Pty Ltd — support@helmhub.app