Last updated: March 25, 2026

Privacy Policy

This Privacy Policy explains how Helpi ("we", "us", "our") collects, uses, and protects your personal data when you use our website (helpi.me) and Chrome browser extension.

1. Identity of the Data Controller

Name: Ansorjon Juraev
Address: Eschersheimer Landstraße 42, 60322 Frankfurt am Main, Germany
Email: [email protected]

For full contact details, please see our Impressum.

2. What Data We Collect

Account Data

Email address, hashed password (or Google OAuth profile information) used for authentication and account management.

Usage Metadata & Action Logs

Action counts per day, action types used, timestamps, and input/output character lengths are always stored. Input text and AI output (up to 2,000 characters per action) are stored only when Save History is enabled — this feature is off by default and requires explicit opt-in in Settings. Pro users with Save History enabled can view their full action history in the dashboard, including raw input text and AI output. All action logs are deleted when you delete your account.

Authentication Tokens

Extension authentication tokens, hashed with SHA-256, with 30-day expiry. Stored in our database to validate extension sessions.

Payment Data (via Stripe)

Stripe customer ID, subscription status, plan type, and last payment date. We never store credit card numbers — all payment processing is handled entirely by Stripe (PCI DSS compliant).

Conversion & Analytics Events

Events such as extension_installed, onboarding_completed, first_action, tenth_action, upgrade_clicked, and upgrade_completed. These help us understand product adoption and improve the user experience.

Contact Form Data

Name, email, subject, and message content submitted through our contact form.

Application Logs

Error-level logs with anonymized data, used for debugging and maintaining service reliability.

3. What Data We Do NOT Collect

  • Browsing history or page content: We do not collect your browsing history, page URLs, or full page content. Only the specific text you select and actively submit for processing is sent to our service.
  • Personal context: The optional personal context setting is stored only in chrome.storage.local on your device. It is sent with API requests to improve AI responses but is never persisted server-side.
  • Action text content (when Save History is off): When Save History is disabled (the default), your input text and AI output are never stored server-side.

5. Third-Party Processors

Groq

Purpose: AI text processing (free tier)
Data received: User-selected text for real-time AI processing
Location: United States
Privacy policy: https://groq.com/privacy-policy

xAI

Purpose: AI text processing (Pro tier)
Data received: User-selected text for real-time AI processing
Location: United States
Privacy policy: https://x.ai/legal/privacy-policy

Stripe

Purpose: Payment processing
Data received: Email address, payment method
Location: United States
Privacy policy: https://stripe.com/privacy

SendGrid

Purpose: Transactional emails (verification, password reset)
Data received: Email address
Location: United States
Privacy policy: https://sendgrid.com/policies/privacy/

Google

Purpose: OAuth authentication (if user chooses Google sign-in)
Data received: Email and profile information
Location: United States
Privacy policy: https://policies.google.com/privacy

Google Analytics

Purpose: Website analytics (optional, opt-in only via cookie consent)
Data received: Anonymized usage data
Location: United States
Privacy policy: https://policies.google.com/privacy

Note on AI provider data practices: When you use Helpi, the text you select is transmitted to our AI providers (Groq for Free Tier, xAI for Pro Tier) for real-time processing. Helpi does not use your text to train AI models. However, each provider's own data retention, usage, and model training practices are governed solely by their respective privacy policies linked above — we have no control over these practices. We encourage you to review those policies if you have concerns about how third-party AI providers handle submitted text.

6. International Data Transfers

Our servers are located in the United States. If you are accessing our service from the European Union or European Economic Area, your data will be transferred to the United States.

Such transfers are conducted in compliance with GDPR Article 46, using Standard Contractual Clauses (SCCs) approved by the European Commission to ensure an adequate level of data protection.

7. Data Retention

  • Action logs (all data): Every action log record — including action type, timestamps, character lengths, model used, response time, and any stored input text or AI output — is automatically and permanently deleted after 7 days via a daily automated cleanup process. No action log data is retained beyond 7 days under any circumstances. Logs are also deleted immediately upon account deletion.
  • Action text content (input & output): Stored only when Save History is enabled (opt-in, off by default). Subject to the same 7-day automatic deletion as all other action log data.
  • Save History toggle: Disabling Save History stops future text storage immediately. Any previously stored text entries are deleted along with all other action logs at the 7-day automated cleanup.
  • Extension tokens: 30-day expiry, automatically purged after expiration.
  • Account data: Retained until you request account deletion.
  • Contact form messages: Retained until resolved, then deleted within 90 days.
  • Analytics data: Retained per Google Analytics default retention settings (when consent is given).

Security Measures

We implement appropriate technical and organisational measures to protect your personal data in accordance with GDPR Art. 32, including:

  • All data in transit is encrypted via TLS 1.2 or higher
  • Passwords are hashed using an industry-standard algorithm and never stored in plaintext
  • Extension authentication tokens are hashed with SHA-256 before storage and expire after 30 days
  • Access to personal data is restricted to authorised personnel only
  • Our hosting provider (Railway) maintains physical security, network isolation, and infrastructure-level controls

Data Breach Response

In the event of a personal data breach, we will notify the competent supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Art. 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected users directly without undue delay in accordance with GDPR Art. 34.

8. Your Rights

GDPR Rights (EU/EEA Residents)

Under the General Data Protection Regulation (GDPR), you have the following rights:

  • Right of access (Art. 15) — request a copy of your personal data
  • Right to rectification (Art. 16) — correct inaccurate personal data
  • Right to erasure / "right to be forgotten" (Art. 17) — request deletion of your personal data
  • Right to restriction of processing (Art. 18) — limit how we use your data
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
  • Right to object (Art. 21) — object to processing based on legitimate interests
  • Right to withdraw consent (Art. 7(3)) — you may withdraw consent at any time without affecting the lawfulness of prior processing
  • Right to lodge a complaint — with your local data protection supervisory authority

CCPA Rights (California Residents)

Under the California Consumer Privacy Act (CCPA), California residents have the following rights:

  • Right to know what personal information is collected, used, and shared
  • Right to delete personal information we hold about you
  • Right to opt out of the sale of personal information — we do not sell your data
  • Right to non-discrimination for exercising your privacy rights

9. Cookies

Strictly Necessary Cookies

We use a session cookie for authentication. This cookie is essential for the service to function and is always active. It cannot be disabled.

Analytics Cookies

Google Analytics cookies are only activated with your explicit opt-in consent via our cookie consent banner. You can manage your cookie preferences at any time by clicking "Cookie Settings" in the footer of any page.

10. Children's Privacy

Helpi is not directed at children under the age of 16 (as required by GDPR) or 13 (as required by COPPA). We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete that information promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of material changes via email. The "Last updated" date at the top of this page will be revised accordingly. Continued use of Helpi after changes constitutes acceptance of the updated policy.

12. Contact

For privacy-related inquiries, please contact us at: [email protected]

For full contact details, see our Impressum.

For EU residents: you have the right to contact your local data protection authority if you believe your data protection rights have been violated.

13. German-Specific Addendum (Datenschutzhinweise)

This Privacy Policy complies with the Datenschutz-Grundverordnung (DSGVO), the German implementation of the EU General Data Protection Regulation (GDPR). Where the Bundesdatenschutzgesetz (BDSG) supplements the DSGVO with additional requirements, those provisions also apply.

This privacy policy is available in German upon request. Please contact us at [email protected] to request a German-language version.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the competent Landesdatenschutzbeauftragte (state data protection officer) for your German federal state.