Back

Privacy Policy

Last updated 2026-04-26 · See also Terms of Service

1. Who is the controller?

For data you upload about your employees and contractors, your organization (the tenant) is the data controller. Helia HR is the data processor, acting on documented instructions captured in your subscription. For data we collect about your admins to operate the service (sign-in email, IP, audit log actor), we are the controller. Contact: privacy@heliahr.com.

2. What we collect

  • Account identifiers — your work email, display name, and tenant role.
  • Authentication metadata — magic-link tokens (hashed, 15-min TTL), OAuth provider IDs, last sign-in timestamps.
  • Tenant data — anything your HR team uploads: employee records, time-off requests, compensation, performance reviews. Treated as customer data.
  • Audit log — actor, IP, action, target row id, timestamp. Required for GDPR Article 30 records of processing.
  • Operational telemetry — error rates, request latency, feature-flag state. Aggregated; not linked to individuals.

3. What we DO NOT collect

  • No third-party analytics or session-replay tools.
  • No advertising trackers. We don't sell, share, or rent personal data — ever.
  • No biometric data, no precise geolocation, no behavioural fingerprinting.

4. Where data lives

Production data is hosted in EU data centres (Frankfurt or Dublin, depending on region selected at tenant creation). Backups stay in the same region. Data is never transferred outside the EU/EEA without explicit operator consent and a Standard Contractual Clauses agreement.

5. How long we keep it

  • Active tenant data — for the lifetime of your subscription.
  • Backups — encrypted, 30 days rolling.
  • Audit log — 7 years (statutory record-keeping requirement in most EU jurisdictions).
  • Magic-link tokens — 15 minutes; deleted after use or expiry.

6. Your rights (GDPR)

EU/UK residents have the right to access, rectify, erase, restrict, port, and object to processing of their personal data. Employees of a Helia HR tenant should direct these requests to their organization (the controller). For data Helia HR holds as controller — your operator account — email privacy@heliahr.com. We respond within 30 days.

7. Self-service exports

Owners and admins can export the full tenant bundle as JSON from Settings → Tenant data export. Per-employee Article 15 exports are available from each employee detail page. Both are operator-driven, audit-logged, and capped at standard rate limits.

8. Subprocessors

  • Supabase (Frankfurt / Dublin) — primary database + storage.
  • Resend (Frankfurt) — transactional email (magic links, invitations, notifications).
  • Google / Microsoft — identity providers, only when the operator chooses to sign in via OAuth.
  • Paddle (Berlin) — billing + EU VAT compliance. Activated only when you upgrade to a paid plan.

9. Security

  • TLS 1.2+ in transit; AES-256 at rest.
  • Row-level security on every table — tenants are isolated at the database layer, not just the app layer.
  • Sensitive fields (compensation, dependants) are encrypted at rest with separate keys per tenant.
  • Annual third-party penetration test. Latest report available under NDA on request.

10. Changes to this policy

Material changes are announced in-app and via email at least 14 days before they take effect. Archived versions available on request.

Questions or a data-subject request? Email privacy@heliahr.com — we respond within 30 days. For DPO matters, email dpo@heliahr.com.