Privacy Policy
Last updated: 2026-05-14
This Privacy Policy explains how [Company Name] ("[Company Name]", "we", "our", "us"), registered in [Country] under company number [Registration Number] with registered address at [Company Address], collects and processes personal data when you use the Helmcraft service ("the Service"). We are the data controller for all personal data described in this policy.
We are committed to protecting your personal data and processing it in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and any applicable national implementing legislation.
1. Data we collect
1.1 Account and profile data
- Identity data — full name, work email address.
- Authentication data — bcrypt-hashed password (we never store passwords in plain text).
- Profile data — optional biography, skill tags, profile avatar (stored as a base64 image, max 200 KB), and weekly working capacity.
1.2 Content and usage data
- Project content — projects, work breakdown structure (WBS) nodes, Gantt milestones, time entries, Kanban cards, to-do items, and notes that you or your organisation create within the Service.
- Leave and availability — unavailability periods you register in the Service.
- Technical log data — server-side error traces captured by our error monitoring service (Sentry) when exceptions occur; these may include browser type, operating system, and the URL that triggered the error. No personally identifiable information is deliberately included in error payloads.
1.3 Billing data
Payment processing is handled entirely by Paddle, our Merchant of Record. Paddle collects and stores all payment card information. We receive only a Paddle customer ID and subscription status in return; we do not store or process card numbers, bank details, or full billing addresses.
1.4 Session data
We use short-lived JSON Web Tokens (JWTs) for authentication. Access tokens are stored in browser memory only; refresh tokens are stored in sessionStorage (tab-scoped, cleared when the browser tab is closed). We do not use persistent tracking cookies or advertising cookies of any kind.
2. How and why we use your data
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing and operating the Service you signed up for | Performance of a contract (Art. 6(1)(b)) |
| Sending transactional emails (email verification, password reset, trial-expiry warnings, billing notifications) | Performance of a contract (Art. 6(1)(b)) |
| Diagnosing errors and improving service reliability | Legitimate interests (Art. 6(1)(f)) — to keep the Service stable and secure |
| Fraud prevention, rate limiting, and security monitoring | Legitimate interests (Art. 6(1)(f)) — to protect users and the platform |
| Complying with legal obligations (e.g. financial record-keeping) | Legal obligation (Art. 6(1)(c)) |
We do not use your personal data for direct marketing without your explicit consent, and we do not sell or rent personal data to third parties.
3. Data storage and security
All data is stored exclusively on servers located in Germany (Hetzner Cloud, Nuremberg and Falkenstein data centres), within the European Union. We do not transfer personal data outside the EU/EEA. No subprocessor based outside the EU/EEA has access to your personal data.
We apply the following technical and organisational security measures:
- All data in transit is encrypted using TLS 1.2 or higher.
- Passwords are hashed using bcrypt with an appropriate cost factor; plaintext passwords are never stored or logged.
- Access tokens have a 30-minute lifetime; refresh tokens are invalidated on logout via a server-side blocklist.
- Authentication endpoints are rate-limited to prevent brute-force attacks.
- HTTP security headers (including Content-Security-Policy, Strict-Transport-Security, and X-Frame-Options) are applied to all responses.
- Access to production infrastructure is restricted to authorised personnel via SSH key authentication.
4. Data retention
| Data category | Retention period |
|---|---|
| Active account and profile data | For the duration of your account |
| Account data after cancellation | 30 days, then permanently deleted |
| Time entries (financial audit trail) | Retained in anonymised form after account deletion for the period required by applicable accounting law (typically 7 years) |
| Error log data (Sentry) | 90 days |
| Server access logs | 30 days |
| Billing records (held by Paddle) | Subject to Paddle's retention policy and applicable VAT law |
5. Your rights under the GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15) — You may download a full JSON export of all personal data we hold about you directly from the Account page at any time.
- Right to rectification (Art. 16) — You may correct or update your name, email address, bio, and other profile fields at any time from the Account page.
- Right to erasure (Art. 17) — You may permanently delete your account from the Account page. This anonymises your record immediately. Time entries are retained in anonymised form as described in Section 4.
- Right to data portability (Art. 20) — Your data export (described under Right of access) is provided in machine-readable JSON format.
- Right to restriction of processing (Art. 18) — You may request that we restrict processing of your data in certain circumstances (e.g. while a dispute is pending).
- Right to object (Art. 21) — You may object to processing based on legitimate interests. We will cease such processing unless we can demonstrate compelling legitimate grounds.
- Right to lodge a complaint (Art. 77) — You have the right to lodge a complaint with your national data protection supervisory authority. If you are based in the EU, a list of supervisory authorities is available at edpb.europa.eu.
To exercise any of the above rights, contact us at privacy@helmcraft.eu. We will respond within 30 days.
6. Cookies
We use only strictly necessary session cookies required for authentication (the JWT refresh token stored in sessionStorage). We do not set persistent cookies, analytics cookies, advertising cookies, or any third-party tracking cookies. No cookie consent banner is required beyond a brief informational notice.
7. Third-party processors
We share personal data with the following sub-processors, each bound by a Data Processing Agreement (DPA) with us:
| Processor | Purpose | Location | Data shared |
|---|---|---|---|
| Hetzner Cloud GmbH | Server hosting and storage | Germany (EU) | All data at rest |
| Paddle.com Market Limited | Payment processing and VAT / Merchant of Record | UK (adequacy decision); EU DPA available | Billing contact details (name, email, country) |
| Wildbit LLC (Postmark) | Transactional email delivery | EU region (Amsterdam) | Email address and message content (verification, password reset, billing notifications) |
| Sentry (Functional Software, Inc.) | Error monitoring and diagnostics | EU region; DPA in place | Anonymised error traces (no PII is deliberately sent; send_default_pii=False) |
8. Automated decision-making and profiling
We do not use your personal data for automated decision-making or profiling in any way that produces legal or similarly significant effects on you (Art. 22 GDPR).
9. Children
The Service is intended for use by professionals in business organisations and is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will delete it promptly.
10. Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email. Continued use of the Service after the effective date constitutes acceptance of the revised policy.
11. Contact and Data Processing Agreements
For privacy questions, to exercise your rights, or to request a Data Processing Agreement (DPA) for enterprise use, contact our privacy team:
- Email: privacy@helmcraft.eu
- Post: [Company Name], [Company Address]
Placeholders in square brackets ([Company Name], [Country], etc.) must be replaced with your actual company details before this policy is published.