Privacy Policy
Last updated: May 14, 2026
This Privacy Policy describes how Helpr ("we", "us", "our") collects, uses, and protects information when you use our platform at helpr.so (the "Service"). It applies to two groups of people:
- Customers — organizations and their agents who sign up for a Helpr account.
- Visitors — end users who interact with the Helpr chat widget embedded on a Customer's website or application.
1. Information We Collect
1.1 Customer Account Data
When you create an account we collect:
- Name, email address, and optional phone number
- Profile photo (stored via Cloudflare Images)
- Organization and team details (name, slug)
- Authentication credentials — password (hashed with Argon2ID), TOTP 2FA secrets (encrypted at rest with AES-256-GCM), passkey/WebAuthn public keys, and biometric tokens
- Login and session metadata — IP address, browser, operating system, device type, approximate location (city/region/country derived from IP), login method, and timestamps
1.2 Visitor Data
When a visitor opens a page containing the Helpr widget, we collect:
- Device & browser information — browser name and version, operating system, device type (phone, tablet, or desktop), parsed from the user-agent string
- Approximate location — city, region, and country derived from the visitor's IP address via Cloudflare geolocation headers. We do not use GPS or precise location services.
- Page context — the current page URL, referrer domain, and UTM parameters
- Visitor identifier — a randomly generated ID stored in a first-party cookie (helpr_vid, 365-day expiry) and localStorage, used to resume conversations across visits
- Identity data — if the Customer's website calls our identify API, we may receive the visitor's name, email, and a customer-defined user ID
- Custom attributes and events — any additional properties the Customer's website passes to the widget via our JavaScript API
We do not use browser fingerprinting, third-party tracking pixels, or cross-site tracking.
1.3 Chat & Communication Data
- Chat messages — text, timestamps, sender, message type, and read receipts
- File attachments — images, documents, audio, and video uploaded during chats (stored in Amazon S3 or Cloudflare Images)
- Transactional email — when a conversation continues via email, we process inbound and outbound email content and attachments through our email provider (Mailgun)
- Satisfaction ratings — optional 1–5 star ratings and text feedback left by visitors after a conversation is resolved
1.4 Shared Inbox (Email Channel) Data
When a Customer connects a Gmail or Microsoft account as a shared inbox, we collect and process:
- OAuth credentials — access and refresh tokens (encrypted at rest with AES-256-GCM) used to sync inbound email
- Email message bodies — inbound email content received after the account is connected. Bodies are encrypted with per-tenant AES-256-GCM keys (envelope encryption via AWS KMS) before storage in MySQL.
- Email metadata — sender, recipients, CC, subject line, RFC message IDs, and Gmail/Microsoft thread IDs used for conversation threading
- Attachments — files attached to inbound emails are stored in Amazon S3
- Searchable index — message plaintext is indexed in OpenSearch (encrypted at rest, private VPC) for full-text search. This index is purged immediately when a channel or conversation is deleted.
For Gmail, we request the https://mail.google.com/ scope because Gmail SMTP XOAUTH2 requires it for per-recipient outbound delivery. We do not bulk-import historical email — only messages arriving after connection are processed. We do not read, store, or index any email outside the connected inbox workflow.
Helpr's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
1.5 Visual Assist (Co-browse) Data
If a visitor consents to a Visual Assist session, the following is captured in real time:
- A DOM-level recording of the visitor's current webpage (structure and visual content)
- Mouse movements, clicks, and scroll position
- Console errors and network request metadata from the visitor's browser
Visual Assist data is end-to-end encrypted using ECDH P-256 key exchange and AES-256-GCM. Our servers relay the encrypted stream but cannot decrypt its contents. Sessions require explicit visitor consent before recording begins, and either party may end the session at any time.
1.6 AI Assistant (Luca) Data
Customers may optionally enable our AI assistant. When active:
- Chat message history within the current conversation is sent to our AI provider (Anthropic) for response generation
- Customer-authored knowledge base articles and catalog data may be included for context
- If web search is enabled by the Customer, search queries may be issued on behalf of the AI
We do not send visitor personal information (email, phone, identity) to the AI provider unless that information appears in the chat message text itself. AI processing is governed by our data processing agreement with Anthropic, which prohibits using customer data for model training.
1.7 Usage & Analytics Data
- Aggregate chat volume, first-response times, resolution times, and satisfaction scores — rolled up daily per team
- AI token usage and resolution counts (for billing)
- Translation usage (for billing)
2. How We Use Information
- Provide the Service — deliver real-time chat, email, Visual Assist, AI assistance, push notifications, and analytics
- Authenticate and secure accounts — verify identity, detect anomalous logins, enforce 2FA, manage sessions
- Improve the Service — analyze aggregate usage patterns, monitor performance, and fix bugs
- Communicate with Customers — send transactional emails (password reset, magic links, team invitations, chat notifications)
- Prevent abuse — enforce rate limits, detect spam, and support visitor banning by Customers
- Comply with law — respond to lawful requests and enforce our Terms of Service
We do not sell personal data to third parties. We do not use visitor data for advertising.
2.1 Lawful Basis (GDPR)
Where GDPR applies, we rely on the following legal bases for processing:
| Processing activity | Lawful basis |
|---|---|
| Providing the Service (chat, email, co-browse, AI) | Performance of contract (Art. 6(1)(b)) |
| Account authentication and session management | Performance of contract (Art. 6(1)(b)) |
| Visitor identification and conversation continuity | Legitimate interest (Art. 6(1)(f)) — enabling the Customer to provide support |
| Visitor location (city/country from IP) | Legitimate interest (Art. 6(1)(f)) — fraud prevention and locale-appropriate service |
| Visual Assist (co-browse) sessions | Consent (Art. 6(1)(a)) — explicit visitor opt-in required |
| AI-generated responses | Legitimate interest (Art. 6(1)(f)) — enabled by the Customer; visitor may opt out |
| Security logging (login attempts, anomalies) | Legitimate interest (Art. 6(1)(f)) — protecting accounts and detecting abuse |
| Transactional emails (password reset, invitations) | Performance of contract (Art. 6(1)(b)) |
| Aggregate analytics and billing | Performance of contract (Art. 6(1)(b)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interest, we have conducted balancing tests to ensure the processing does not override the fundamental rights and freedoms of data subjects. These assessments are available on request.
3. Cookies & Local Storage
| Name | Type | Purpose | Duration |
|---|---|---|---|
| helpr_vid | First-party cookie | Unique visitor identifier for conversation continuity | 365 days |
| helpr_vid | localStorage | Backup of visitor ID | Persistent |
| helpr_last | localStorage | Last-seen timestamp | Persistent |
| helpr_chat | localStorage | Active chat session for resumption | Persistent |
| helpr_ident | localStorage | Visitor identity (name, email) set by Customer | Persistent |
| helpr_custom | localStorage | Custom visitor attributes set by Customer | Persistent |
| helpr_tabid | sessionStorage | Per-tab identifier for multi-tab coordination | Tab session |
We do not use third-party advertising or analytics cookies. All cookies and storage keys are first-party and strictly functional — they exist solely to maintain conversation continuity and widget state.
ePrivacy / GDPR: The helpr_vid cookie is classified as strictly necessary for the service the Customer has chosen to embed. It enables conversation continuity, visitor recognition, and real-time support — core functions of the widget. Under the ePrivacy Directive, strictly necessary cookies do not require separate consent. Customers (as data controllers) are responsible for disclosing the widget and its cookies in their own cookie policy or privacy notice.
4. Third-Party Service Providers
We share data with the following providers solely to operate the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Cloudflare | CDN, image hosting, geolocation | IP address (for geo headers), uploaded images |
| Amazon Web Services (S3) | File storage | Chat attachments, uploaded files |
| Mailgun | Transactional and inbound email | Email addresses, message content, attachments |
| Anthropic | AI assistant (Luca) | Chat messages, knowledge base content (when AI is enabled by Customer) |
| Google Cloud | Translation API, Gmail API, Pub/Sub | Message text (translation), email content and OAuth tokens (shared inbox), push notification delivery signals (Pub/Sub) |
| Amazon Web Services (KMS) | Envelope encryption key management | Wrapped data encryption keys (no plaintext data leaves the application) |
| Expo | Mobile push notifications | Push tokens, notification content |
| Stripe | Payment processing | Billing information (managed directly by Stripe; we store only a Stripe customer ID) |
We may also integrate with third-party messaging channels (such as WhatsApp, Instagram, or Messenger) when enabled by the Customer. Data shared with those channels is governed by their respective privacy policies.
Sub-processor changes: We will notify Customers at least 30 days before adding a new sub-processor or materially changing how an existing sub-processor is used. Customers may object to such changes under the terms of their Data Processing Agreement.
5. Data Security
- Encryption in transit — all connections use TLS (HTTPS). WebSocket connections are authenticated with HMAC-SHA-256 tokens rotated hourly.
- Encryption at rest — sensitive fields (2FA secrets, backup codes, API secret keys, OAuth tokens) and email message bodies are encrypted with AES-256-GCM. Email bodies use per-tenant envelope encryption via AWS KMS.
- Password hashing — Argon2ID with per-user salts (memory-hard, resistant to GPU attacks)
- Co-browse encryption — end-to-end encrypted with ECDH P-256 key exchange; our servers cannot decrypt session content
- Session security — 256-bit session tokens, device anomaly detection, automatic expiry, and remote revocation
- API authentication — HMAC-signed API keys with granular scopes, rate limiting, and revocation support
- Audit logging — append-only audit trail for organization and account security events
6. Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals:
- We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33
- We will notify affected Customers without undue delay, including the nature of the breach, categories of data affected, approximate number of records, likely consequences, and measures taken to mitigate
- Where the breach is likely to result in a high risk to individuals, we will assist Customers in notifying affected data subjects (GDPR Article 34)
- All breaches (whether or not reportable) are documented internally with facts, effects, and remedial actions taken
Customers will be notified via the email address associated with their account and via an in-app banner. For urgent incidents, we will also attempt direct contact with the account owner.
7. Data Retention
- Chat messages and attachments — retained (encrypted) for the duration of the Customer's account, unless the Customer deletes them
- Visual Assist sessions — encrypted session data is discarded after the session ends; audit metadata is retained for the Customer's account lifetime
- Email channel data — when a shared inbox is deleted, conversations enter a 60-day soft-delete grace period (searchable index is purged immediately). After 60 days, all associated data is permanently removed from our systems.
- Visitor data — retained while the Customer's account is active. Inactive visitor records may be purged after 12 months of inactivity.
- Login and session logs — retained for up to 90 days for security purposes
- Analytics rollups — retained for the Customer's account lifetime (aggregate, non-personal)
When a Customer closes their account, we delete all associated data within 30 days, except where retention is required by law.
8. Customer Responsibilities (Data Controller)
Helpr acts as a data processor on behalf of Customers. Each Customer is the data controller for the visitor data collected through their use of the Service. Customers are responsible for:
- Providing appropriate notice and obtaining any required consent from visitors before deploying the widget, enabling co-browse, or activating AI features
- Ensuring their use of Helpr complies with all applicable data protection laws in their jurisdiction (including GDPR, CCPA/CPRA, LGPD, PIPEDA, and others)
- Responding to data subject access, deletion, and portability requests from their visitors
- Configuring co-browse content blocking to exclude sensitive page elements (e.g., payment fields, health information) from recording
- Deciding which custom attributes, identity data, and events to send to Helpr via the JavaScript API
We offer a Data Processing Agreement (DPA) that meets the requirements of GDPR Article 28, including sub-processor obligations, security measures, audit rights, and data deletion commitments. Contact [email protected] to execute a DPA.
9. International Data Transfers
Helpr's infrastructure is hosted in the United States. If you are located outside the US, your data will be transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) or equivalent mechanisms where required by applicable law.
10. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request deletion of your data
- Object to or restrict certain processing
- Data portability
- Withdraw consent at any time (where processing is based on consent)
Customers can manage their data directly in their account settings — update profile information, revoke sessions, delete their account, or export chat history.
Visitors should contact the Customer (the website or app where you encountered the Helpr widget) to exercise data rights. If needed, the Customer can contact us for assistance.
11. Children's Privacy
Helpr is not directed at children under 16. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal data, please contact us.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered Customers or by posting a prominent notice on our website. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.
13. Contact
If you have questions about this Privacy Policy or wish to exercise your rights, contact us at: