Privacy & data protection

Privacy policy

How Helmies Oy collects, uses, and protects your personal data — written in plain English, with the GDPR articles cited where relevant.

Last updated: 9 May 2026 · Effective immediately

1. Who we are

Helmies Oy is a Finnish limited company based in Lahti, Finland. We are the data controller for any personal information you give us through this site or our email. Reach us at info@helmies.fi — we don't have a separate DPO, so the same address handles every privacy request.

2. What we collect, and why

We try to collect the minimum we need to actually help you.

  • Contact form — name, email, and the message you send. Used only to reply. (Legal basis: GDPR Art. 6(1)(b) — pre-contractual measures at your request.)
  • AI chat conversations — what you type or say to our chatbot, plus a short-lived session ID. We see the messages so we can improve the bot's answers. Voice transcripts are processed in your own browser by the Web Speech API; we receive the resulting text. (Legal basis: legitimate interest, Art. 6(1)(f).)
  • Server logs — IP address, user agent, requested URL, timestamp. Kept for up to 30 days for security and abuse prevention. (Legal basis: legitimate interest, Art. 6(1)(f).)
  • Analytics (only if you opt in) — anonymous, aggregated page-view counts. No cross-site tracking, no advertising IDs. We don't run analytics until you accept it in the cookie banner. (Legal basis: consent, Art. 6(1)(a).)
  • Functional preferences (only if you opt in) — small things like your preferred language, stored locally so you don't reset them on every visit. (Legal basis: consent, Art. 6(1)(a).)

3. Cookies and local storage

We don't use any tracking cookies. The site uses your browser's localStorage for two things, and only with your permission:

  • Strictly necessary — your cookie choice itself, plus a per-tab chat session ID. These can't be turned off; without them the site can't remember that you said "no thanks" to the others.
  • Functional — UI preferences (e.g. preferred voice language).
  • Analytics — currently disabled by default. If we add a tool like Plausible or Umami, it will only run after you opt in.
  • Marketing — currently unused on this site.

You can review or change your choices at any time: open cookie preferences.

4. Who else sees your data

The site uses a small set of vendors. None of them sell your data:

  • Vercel — hosting for the site and the contact API. Data is processed in the EU/EEA region.
  • Self-hosted AI bridge (Hetzner, Finland) — runs the chat backend. Conversation logs are stored on our own server only.
  • SMTP provider — used to deliver contact-form emails to us.

We do not transfer personal data outside the EU/EEA. We do not share your data with advertisers, brokers, or social networks.

5. How long we keep things

  • Contact-form emails — kept until your project closes, then for up to 24 months for accounting and legal records.
  • Chat conversation logs — 90 days, then deleted.
  • Server logs — 30 days, then rotated out.
  • Analytics — anonymous, aggregated; retained at most 24 months.

6. Your rights under GDPR

You have the right, free of charge, to:

  • Access the data we hold about you (Art. 15).
  • Correct anything inaccurate (Art. 16).
  • Erase it — the "right to be forgotten" (Art. 17).
  • Restrict our processing of it (Art. 18).
  • Take it with you in a portable format (Art. 20).
  • Object to processing based on legitimate interest (Art. 21).
  • Withdraw consent at any time, without affecting prior processing (Art. 7(3)).

To exercise any of these, email info@helmies.fi. We aim to respond within five working days, and at the latest within the 30 days the GDPR allows.

You can also lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu) — see tietosuoja.fi.

7. Security

All traffic to and from this site is encrypted with TLS. Server access is restricted to named accounts with two-factor authentication. We will notify affected users — and the Ombudsman, where required — within 72 hours of becoming aware of a personal data breach.

8. Children

This site is not directed at children under 16. We do not knowingly collect data from minors. If you believe we have, please contact us and we'll delete it.

9. Changes to this policy

We may update this policy if our tooling or services change. The "last updated" date at the top reflects the current version. Material changes will be highlighted on the home page or by email if we already have your address.

Helmies Oy
Lahti, Finland
info@helmies.fi