Privacy Policy — Helm
Last updated: 30 April 2026
1. Introduction
This Privacy Policy explains how Khidmat Tech Sdn. Bhd. (SSM 202601002071 (1664168-K)), doing business as Helm, collects, uses, stores, discloses, and protects personal data through the Helm platform at gethelm.asia and all related services (collectively, the "Platform").
In this policy, "we", "us", and "Helm" refer to Khidmat Tech Sdn. Bhd. "You" refers to any individual or entity accessing or using the Platform, including merchants ("Business Users") and their end-customers ("End-Users").
We process personal data in accordance with the Personal Data Protection Act 2010 (PDPA) of Malaysia, the Personal Data Protection (Amendment) Act 2024 as it comes into force, and other privacy laws that apply to the countries where we make Helm available.
2. Data Controller & Data Processor
When you are a Business User: Helm is the data controller for your account information, billing data, and usage analytics. We decide how and why this data is processed.
When your customers (End-Users) interact with your Helm-powered services: You (the Business User) are the data controller for your customers' personal data. Helm acts as a data processor, processing End-User data solely on your behalf and according to your instructions. You are responsible for obtaining any necessary consents from your End-Users and for complying with applicable data protection laws in your use of the Platform.
3. Data We Collect
3.1 Information you provide directly:
- Account & business information: name, email address, phone number, business name, business category, business address, and SSM or registration number (if provided).
- Booking, waitlist, event, and service data: service selections, appointment dates and times, queue entries, event registrations, customer contact details submitted through public forms, and special requests.
- Customer records (CRM): names, email addresses, phone numbers, purchase history, and notes that Business Users store about their customers.
- Commerce, gift card, loyalty, invoicing & financial records: order details, checkout contact details, shipping information, gift card purchaser and recipient details, loyalty records, invoice line items, amounts, payment status, and customer billing details entered by Business Users.
- Communications: messages sent and received through integrated channels (WhatsApp Business API, email), including message content, timestamps, and delivery status.
- Verification phone number: the phone number submitted during loyalty lookup and verification flows so we can locate an eligible loyalty account and issue a verification challenge.
- Challenge & attempt metadata: challenge identifiers, issue and expiry timestamps, challenge type, success and failure markers, delivery status, rate-limit signals, IP-derived client identifiers, and verification attempt counts.
- Support requests: any information you provide when contacting us for assistance.
3.2 Information collected automatically:
- Device & browser data: IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
- Usage data: pages visited, features used, click patterns, session duration, referral URLs, and navigation paths.
- Error & performance data: crash reports, stack traces, response times, and JavaScript errors captured for debugging.
- Cookies & similar technologies: see Section 8 below.
3.3 Payment data:
Subscription payments and one-time charges are processed securely by Stripe. We do not store your full credit or debit card number, CVV, or bank login credentials on our servers. We receive and store a limited payment record from Stripe (last four digits, card brand, billing email, transaction IDs) for invoicing and dispute resolution.
4. How We Use Your Data
We process personal data for the following purposes:
- Service delivery: operate, maintain, and improve the Platform, including hosting your website, processing bookings, waitlists, events, store orders, gift cards, loyalty records, forms, support tickets, invoices, receipts, and communications.
- Account management: authenticate users, manage subscriptions, process payments, and enforce plan entitlements.
- Transactional communications: send booking confirmations, appointment reminders, payment receipts, and account notifications via WhatsApp and email.
- Loyalty verification: issue one-time verification challenges, validate short-lived session tokens, prevent abuse, and confirm that a customer is entitled to view loyalty information.
- Analytics & product improvement: understand usage patterns, identify bugs, measure feature adoption, and improve user experience.
- Security & fraud prevention: detect and prevent unauthorised access, abuse, or fraudulent activity.
- Legal compliance: comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
- Customer support: respond to your enquiries and resolve issues.
We do not sell your personal data to third parties. We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.
5. Processing Basis
For Malaysia, we process personal data only where the PDPA permits processing, including where consent has been given, where processing is necessary for a contract or requested service, where processing is directly related to a lawful purpose, where legal obligations apply, or where another PDPA exception applies. For other countries, we rely on the lawful bases available under applicable law.
- Consent and notice: you provide consent or receive notice when you create an account, submit a customer form, check out, verify loyalty access, or opt in to non-essential communications.
- Contract or requested service: processing is necessary to provide the Platform, authenticate users, process payments, fulfil bookings/orders/tickets, and send transactional messages.
- Legal and regulatory obligations: processing is required for tax, accounting, sanctions, payment, security, dispute, or lawful request obligations.
- Security and service integrity: processing is necessary to prevent abuse, protect accounts, operate infrastructure, debug incidents, and maintain service resilience, subject to applicable law.
6. WhatsApp Business Messaging
Helm uses the WhatsApp Business Cloud API (operated by Meta Platforms Ireland Ltd.) to send and receive messages on behalf of Business Users. This includes:
- Booking confirmations and reminders sent to End-Users.
- New booking alerts sent to Business Users.
- Customer enquiry messages routed through the Helm inbox.
Messages are sent only for transactional and service-related purposes. We do not send unsolicited marketing messages via WhatsApp unless the recipient has explicitly consented through the relevant Business User.
7. Third-Party Service Providers
We share personal data with the following third-party processors solely to operate and improve the Platform. Each provider processes data under their own privacy policy and applicable data protection agreements:
- Stripe (United States) — payment processing and subscription billing.
- Meta / WhatsApp Cloud API (Ireland / United States) — transactional messaging.
- Neon (Singapore, AWS ap-southeast-1) — database hosting.
- Railway + Cloudflare, including Cloudflare R2 where enabled (United States, Singapore, and global edge locations) — application hosting, networking, media storage, and content delivery.
- PostHog (United States / EU) — product analytics, feature adoption measurement, and dashboard usage analytics.
- Sentry (United States) — error monitoring and performance tracking.
- Resend (United States) — transactional email delivery.
- Google and Microsoft OAuth (global) — optional account sign-in when enabled.
- Upstash / QStash (global) — background workflow delivery and job dispatch where enabled.
- Better Auth — authentication layer (self-hosted within our infrastructure; no external data sharing).
We may also disclose personal data to professional advisors (accountants, lawyers), law enforcement, or regulatory authorities when required by law or to protect our legal rights.
8. Cookies & Tracking Technologies
The Platform uses cookies and similar technologies for the following purposes:
- Essential cookies: required for authentication, session management, and security. These cannot be disabled.
- Verification session cookies: short-lived session tokens used during loyalty verification to tie a challenge request to a follow-up verification attempt, enforce rate limits, and prevent replay or brute-force abuse.
- Public website analytics: Helm public pages may use privacy-first page view records without advertising cookies, browser fingerprinting, session replay, or heatmaps. Session references, where used for merchant site reporting, are pseudonymous and rotate.
- Optional public-page analytics: If you accept optional analytics on Helm-owned marketing, pricing, help, or educational pages, PostHog may use cookies or local storage to measure page views, campaign attribution, and manual conversion events. If you decline, optional PostHog analytics is not enabled on those public pages.
- Authenticated dashboard analytics: When Business Users create an account, sign in, or use the merchant dashboard, Helm uses bounded product analytics to measure feature adoption, support product operations, debug product issues, protect rollout state, and improve the Platform. Dashboard analytics can be associated with a logged-in Business User account and site, but we do not use advertising pixels, session replay, heatmaps, or unrestricted autocapture for this purpose.
- Error tracking: Sentry may use cookies or local storage to correlate error events within a session.
Verification-related session tokens are retained only for the short period needed to complete the challenge flow and rate-limit enforcement.
We do not use advertising or remarketing cookies. You can manage or delete cookies through your browser settings. Disabling essential cookies may impair Platform functionality.
9. Cross-Border Data Transfers
Your personal data may be transferred to and processed in countries outside Malaysia, including Singapore and the United States, where our third-party service providers operate. Under Section 129 of the PDPA 2010, we ensure that any such transfer is subject to appropriate safeguards, including:
- Data processing agreements with each provider requiring them to protect your data to a standard comparable to the PDPA.
- Providers certified under recognised frameworks (for example, SOC 2 and ISO 27001) or subject to equivalent data protection laws.
10. Data Retention
We retain personal data only for as long as reasonably necessary for the purposes below, unless a longer period is required by law, payment-network rules, tax obligations, disputes, security investigations, or an active merchant instruction. The schedule below is our operational target; some records may be deleted, anonymised, or aggregated earlier.
- Active account data: retained for as long as your account remains active and for up to 90 days after account closure or deactivation to allow reactivation.
- Customer-facing records: bookings, orders, waitlist entries, events, form submissions, CRM records, gift cards, loyalty records, reviews, support tickets, and merchant-created notes are retained while the Business User account is active and during the post-termination export window, unless the Business User deletes them earlier or law requires longer retention.
- Billing and transaction records: retained for 7 years to comply with Malaysian tax and accounting requirements (Income Tax Act 1967, Section 82).
- Verification phone numbers and challenge records: encrypted or pseudonymised where appropriate and retained for up to 90 days after the verification flow to enforce rate limits, detect abuse, and satisfy security auditing obligations, unless a security investigation requires longer retention.
- Verification attempt logs: retained for up to 90 days for security review and then deleted or anonymised unless an active investigation requires longer retention.
- Analytics and usage data: retained in identifiable form for up to 24 months for product analytics, rollout measurement, support, abuse prevention, and billing operations, then aggregated, anonymised, or deleted according to provider settings and internal retention jobs.
- Error and security logs: retained for up to 12 months to debug incidents, protect the Platform, and satisfy audit obligations; logs are scrubbed to avoid raw emails, phone numbers, message bodies, notes, tokens, and payment secrets.
- WhatsApp and email message records: retained for up to 24 months for service delivery, merchant history, abuse prevention, and dispute resolution, then deleted or anonymised according to merchant instructions and internal retention jobs unless law or payment disputes require longer retention.
Closure or deactivation is distinct from permanent deletion. When you request permanent deletion, we will delete or export customer-facing data within 30 days, while certain operational, legal, billing, or audit records may be retained according to the schedule in this Privacy Policy.
11. Data Security
We implement technical and organisational measures to protect your data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256 for databases).
- Role-based access controls and principle of least privilege.
- Secure credential storage (hashed passwords, encrypted API keys).
- Regular security reviews and dependency updates.
- Infrastructure hosted on SOC 2 and ISO 27001 certified platforms.
- Encryption or access controls around verification data and security logs.
No system is 100% secure. While we take reasonable and industry-standard precautions, we cannot guarantee absolute security. If you discover a security vulnerability, please report it responsibly to [email protected].
12. Data Breach Notification
In the event of a personal data breach that is likely to cause significant harm to affected individuals, we will:
- Notify the relevant authorities as required by law.
- Notify affected individuals without undue delay where required by applicable law, via email, dashboard notification, or another appropriate channel, describing the nature of the breach, the data involved, and the steps we are taking.
- Take immediate steps to contain and remediate the breach.
Business Users are responsible for notifying their own End-Users where the breach involves End-User data processed on the Business User’s behalf.
13. Your Rights
Depending on where you live and your relationship to Helm or a Business User, you may have the right to:
- Access: request a copy of the personal data we hold about you.
- Correction: request correction of inaccurate or incomplete personal data.
- Deletion: request deletion of your personal data, subject to merchant instructions, legal retention obligations, payment records, security records, and other lawful exceptions.
- Withdraw consent: withdraw consent for non-essential processing at any time, without affecting the lawfulness of processing before withdrawal.
- Data portability: request an export of your data in a structured, machine-readable format (JSON or CSV) where applicable law or our product tooling supports it.
- Restrict or object to processing: request that we limit or stop certain processing where applicable law gives you that right.
- Complaint: lodge a complaint with the Department of Personal Data Protection Malaysia (JPDP) if you believe your rights have been violated.
To exercise any of these rights, contact us at [email protected]. We will respond within 21 days. We may request identity verification before processing your request.
14. Bahasa Malaysia PDPA Notice Summary
This short notice is provided for data subjects in Malaysia. Helm collects and processes personal data such as name, email, phone number, business details, customer details, bookings, orders, payments, service messages, usage data, and support records in order to provide the Platform, verify accounts, process transactions, send service communications, prevent abuse, meet legal obligations, and support users.
Data may be disclosed to service providers such as payment processors, messaging providers, cloud hosts, analytics, error monitoring, transactional email, professional advisors, authorities, or merchants that use Helm. You may request access, correction, or withdrawal of consent for non-essential processing, or make an enquiry, via [email protected]. If mandatory information is not provided, some Platform functions may not be available.
15. Children's Data
The Platform is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child under 18, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at [email protected].
16. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Notify you via email or a prominent notice on the Platform at least 14 days before the changes take effect.
Continued use of the Platform after the effective date of changes constitutes acceptance of the updated policy. If you do not agree with the changes, you may close your account.
17. Contact Us
For any questions, concerns, or data requests related to this Privacy Policy:
Khidmat Tech Sdn. Bhd. (doing business as Helm)
A 3 3, Plaza Bukit Jalil (Aurora Place), No. 1, Persiaran Jalil 1, Bandar Bukit Jalil, 57000 Kuala Lumpur, Malaysia.
Privacy enquiries: [email protected]
Phone: +6012-430 7349