Privacy Policy
Last updated: 18 March 2026
1. Who We Are
Helium Systems Ltd ("Helium", "we", "us", or "our") is the data controller for personal data processed through the Helium Systems platform, including the main application, the B2B wholesale portal, the support site, and any satellite applications (Helium Snap, Helium Listings).
If you have questions about this policy or wish to exercise your data rights, contact our Data Protection Officer at dpo@heliumsystems.app.
2. Data We Collect
2.1 Account Data
When you create an account we collect your name, email address, and password (hashed by Firebase Authentication). If you sign up via Google OAuth, we receive your name, email, and profile picture URL.
2.2 Organisation and Team Data
Organisation administrators provide company name, registered address, VAT/tax registration numbers, and contact details. Team member records include name, email, department, role, and optionally salary, hourly rate, and start date.
2.3 Customer Data
Your organisation stores customer records that may include: name, email, telephone numbers, postal addresses, company name, company registration number, tax ID, payment terms, credit limits, and marketing communication preferences.
2.4 Supplier Data
Supplier records may include: company name, contact name, contact email, telephone numbers, postal address, bank details (for payment), and representative information.
2.5 Order and Transaction Data
Orders contain customer name, email, shipping address, billing address, items purchased, quantities, prices, payment method references, and fulfilment status.
2.6 Marketplace Buyer Data (Amazon Selling Partner API)
When your organisation connects an Amazon Seller Central or Vendor Central account to Helium, we receive order data via the Amazon Selling Partner API (SP-API). For merchant-fulfilled orders, this includes buyer personally identifiable information (PII): shipping name, shipping address, and in some cases buyer email and phone number. This PII is used solely for generating shipping labels and fulfilling orders. It is never used for marketing, analytics, AI training, profiling, or any purpose beyond order fulfilment. Buyer PII is automatically purged 30 days after order delivery by our retention engine, which anonymises all identifying fields and logs the operation for audit purposes. Non-PII order data (items, quantities, prices, fees) is retained for financial reconciliation and reporting.
2.7 Communications
Customer service conversations, support tickets, and supplier communications may contain personal data in message bodies and attachments.
2.8 AI Interaction Data
When you use Nucleus AI or other AI-powered features, your queries and the system's responses are temporarily stored to provide the conversation experience. AI usage metadata (token counts, feature used) is retained for billing and cost management.
2.9 Analytics and Activity Data
We log administrative actions (who did what, when) for audit and security purposes. Activity logs include the actor's name, email, action performed, and affected entity. These logs are retained for 30 days before automatic deletion.
2.10 Technical Data
We collect standard web request data including IP address, browser type, device type, and referring URL. Firebase Authentication manages session tokens and authentication state.
3. How We Use Your Data
| Purpose | Lawful Basis |
|---|---|
| Providing and operating the platform | Contract performance |
| Processing customer orders and fulfilment | Contract performance |
| Employee/team management | Employment contract / Legitimate interest |
| Customer service and support | Contract performance / Legitimate interest |
| AI-powered features (Nucleus, content generation, compliance documents) | Consent / Legitimate interest |
| Analytics and business intelligence | Legitimate interest |
| Marketing communications | Consent |
| Security monitoring and audit logging | Legitimate interest / Legal obligation |
| Financial record-keeping and tax compliance | Legal obligation |
| Third-party marketplace integration (Amazon, eBay, Shopify, etc.) | Contract performance |
| Shipping and carrier integration | Contract performance |
| Accounting software synchronisation | Contract performance / Legitimate interest |
4. Third-Party Processors
We share personal data with the following categories of service providers, all of whom process data on our behalf under Data Processing Agreements:
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Google Cloud (Firebase) | Infrastructure, authentication, database, storage | All application data | EU (europe-west1) |
| Anthropic (Claude AI) | AI-powered features | Query context, business data summaries | US (Anthropic infrastructure) |
| Google BigQuery | Analytics and reporting | Aggregated business metrics, activity logs | EU (europe-west1) |
| Postmark (ActiveCampaign LLC) | Transactional and marketing email | Recipient email, message content | US |
| Meilisearch | Search indexing | Customer names, order references | EU (self-hosted) |
| Xero / QuickBooks | Accounting synchronisation | Customer contacts, invoices, payments | Regional / US |
| Amazon, eBay, Shopify, WooCommerce, TikTok Shop | Marketplace order sync | Order data, customer details | US / Global |
| FedEx, UPS, DHL, Royal Mail, DPD, Evri | Shipping and label generation | Recipient name, address, phone | US / UK / EU |
| PrintNode | Label and document printing | Label content (addresses) | US |
| Sentry (Functional Software Inc.) | Error monitoring and performance tracking | Operational metadata (PII excluded via filters) | US |
| Stripe | Payment processing and subscription billing | Organisation billing details, payment method tokens | US |
5. International Data Transfers
Your data is primarily stored in the EU (Google Cloud europe-west1 region, Belgium). Some processors are based in the United States. Where personal data is transferred outside the UK/EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by appropriate technical and organisational measures as required following the Schrems II decision.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Activity / audit logs | 30 days |
| AI interaction events | 14 days |
| AI cost logs | 90 days |
| Nucleus AI sessions | 4 hours active, then expired; hard-deleted after 7 days |
| Amazon buyer PII (shipping name, address, contact details) | 30 days after order delivery, then automatically anonymised |
| Amazon non-PII order data (items, fees, financials) | 7 years (financial record-keeping obligation) |
| Customer service conversations | 2 years after closure, then anonymised |
| Webhook delivery logs | 90 days |
| Customer records | Until deletion requested or account closure |
| Order and financial records | 7 years (legal obligation for tax records), then anonymised |
| Account data | Duration of your account, plus 30 days after deletion |
7. Your Rights
Under the UK GDPR and EU GDPR, you have the following rights:
- Right of access — Request a copy of all personal data we hold about you (Subject Access Request).
- Right to rectification — Request correction of inaccurate or incomplete personal data.
- Right to erasure — Request deletion of your personal data where there is no compelling reason for continued processing.
- Right to restrict processing — Request that we limit how we use your data.
- Right to data portability — Receive your personal data in a structured, machine-readable format (JSON).
- Right to object — Object to processing based on legitimate interest, including profiling and direct marketing.
- Rights related to automated decision-making — AI-powered features do not make legally binding decisions without human review. You may request human review of any AI-generated output.
To exercise any of these rights, contact dpo@heliumsystems.app or use the Privacy & GDPR section in your organisation settings. We will respond within 30 calendar days.
8. Cookies and Tracking
We use essential cookies for authentication and session management. Optional cookies for analytics, marketing, and AI features are only set with your consent via our cookie consent banner. You can change your preferences at any time by clicking "Cookie Preferences" in the footer.
Email click tracking is disabled by default. We do not use third-party advertising trackers.
9. AI Processing
When you use AI-powered features (Nucleus AI, compliance document generation, image analysis, customer service suggestions), your queries and relevant business context are processed by Anthropic Claude AI. This processing occurs on Anthropic's infrastructure and is subject to Anthropic's data processing terms. You can opt out of AI features in your cookie preferences or by contacting your organisation administrator.
10. Amazon Selling Partner API Data
Helium integrates with the Amazon Selling Partner API (SP-API) to enable organisations to manage their Amazon Seller Central and Vendor Central accounts. This section describes how we handle data received from Amazon.
10.1 Data Collected via SP-API
We receive product catalogue data (titles, descriptions, images, identifiers), inventory levels, order details, pricing data, financial events and settlement reports, Buy Box and competitive pricing data, and account performance metrics. For merchant-fulfilled orders, we additionally receive buyer PII (shipping name, address, and contact details) necessary for fulfilment.
10.2 Use Restrictions
Amazon buyer PII is used exclusively for generating shipping labels and fulfilling orders. It is never used for marketing, advertising, customer profiling, analytics, AI model training, or any purpose beyond order fulfilment. Amazon data is never aggregated across organisations or shared with third parties for competitive intelligence. We comply with the Amazon Acceptable Use Policy and Data Protection Policy at all times.
10.3 Retention and Disposal
Buyer PII from Amazon Seller Central orders is automatically purged 30 days after order delivery. Our retention engine anonymises all identifying fields (names, email addresses, phone numbers, and postal addresses) and records the operation in an immutable audit log. Non-PII data (product information, order financials, fee breakdowns) is retained for financial reconciliation and reporting in accordance with legal record-keeping obligations.
10.4 Security Controls
Amazon refresh tokens are stored encrypted in Google Cloud Firestore with access restricted to server-side Cloud Functions. Access tokens are cached in memory with automatic refresh and are never persisted to disk or exposed to client-side code. Buyer PII is access-gated by role-based permissions — only users with shipping and dispatch permissions can view buyer details. All SP-API calls are signed with AWS Signature V4 and transmitted over TLS 1.2+.
11. General Data Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption at rest (Google-managed keys) and in transit (TLS 1.3+)
- Granular role-based access control with 23 permission modules
- Multi-tenancy isolation ensuring organisations cannot access each other's data
- Session timeout (30-minute idle, 24-hour maximum)
- API key security with SHA-256 hashing, rotation, and IP allowlists
- Webhook payload signing with HMAC-SHA256
- Security headers (HSTS, X-Frame-Options, X-Content-Type-Options) on all applications
- Comprehensive audit logging of administrative actions
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where the risk is high, notify affected individuals without undue delay.
Where a breach involves Amazon marketplace data, we will additionally notify Amazon at security@amazon.com within 24 hours of detection, in accordance with the Amazon Data Protection Policy.
13. Children's Data
Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately.
14. Changes to This Policy
We may update this privacy policy from time to time. Material changes will be communicated via email or a prominent notice within the platform. The "Last updated" date at the top indicates the most recent revision.
15. Complaints
If you are unsatisfied with our handling of your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or with your local supervisory authority.
16. Contact
Helium Systems Ltd
Data Protection Officer
Email: dpo@heliumsystems.app