Helm

Privacy Policy

Last updated: 8 April 2026

1. Data Controller

Helm (“we”, “us”) is the data controller for the personal data processed through this service. We are committed to protecting your privacy in accordance with applicable data protection laws, including:

  • The UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018
  • The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
  • Singapore’s Personal Data Protection Act 2012 (PDPA)
  • Thailand’s Personal Data Protection Act B.E. 2562 (PDPA)
  • Malaysia’s Personal Data Protection Act 2010 (PDPA)
  • The Philippines’ Data Privacy Act of 2012

2. What Data We Collect

We collect the following categories of personal data:

  • Account information – your name, email address, and profile picture, received from Google when you sign in via OAuth
  • CV content – work experience, education, skills, and other information contained in the CV you upload
  • Job descriptions – job description text you provide
  • Generated output – the tailored CVs produced by the Service

3. How We Use Your Data

We process your data solely to deliver the Service:

  • To authenticate your account via Google OAuth
  • To parse and analyse your CV for tailoring
  • To match your experience against job descriptions
  • To generate tailored CV content

We use your data to deliver the Service to you. For details on how third-party providers handle data during processing, see Section 7.

4. Legal Basis for Processing

We process your personal data on the basis of your consent (provided when you sign in and upload your CV) and our legitimate interest in delivering the Service. You may withdraw consent at any time by deleting your data.

5. Data Storage

Your CV and job description data is stored locally in your browser (localStorage) and temporarily cached on our servers during generation. Server-side caches are cleared when you delete your data from the Settings page.

6. Cookies

We use the following cookies:

  • Essential cookies – authentication session cookies required for sign-in (next-auth, authjs). These cannot be disabled.
  • Consent cookie – stores your cookie preference choice

We do not use analytics or advertising cookies. You can manage your cookie preferences through the consent banner shown on your first visit.

7. Third-Party Services

We share data with the following third parties, strictly to operate the Service:

  • Google – for authentication only. We receive your name, email, and profile picture. Google does not receive your CV data.
  • Anthropic – CV content and job descriptions are sent to Anthropic’s API for AI-powered generation. Anthropic’s data usage policies apply to this processing.

8. Data Retention and Deletion

We retain your data only for as long as you use the Service. You can delete all your data at any time from the Settings page. This removes your CV data from both your browser and our servers. Account deletion is instant with no waiting period.

9. Your Rights: United Kingdom (UK GDPR)

If you are located in the United Kingdom, you have the right to:

  • Access – request a copy of the personal data we hold about you
  • Rectification – request correction of inaccurate data
  • Erasure – request deletion of your data (available via Settings)
  • Data portability – receive your data in a structured, commonly used format
  • Objection – object to processing of your personal data
  • Restriction – request that we limit processing of your data

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.

10. Your Rights: United States

If you are a resident of California, Colorado, Connecticut, Virginia, or another US state with consumer privacy legislation, you may have the following rights:

  • Right to know – request disclosure of the categories and specific pieces of personal information we have collected about you
  • Right to delete – request deletion of your personal information (available via Settings)
  • Right to opt out of sale – you may exercise this right at any time by contacting us at [email protected].
  • Right to non-discrimination – we will not treat you differently for exercising your privacy rights
  • Right to correct – request correction of inaccurate personal information

Your personal information is used to provide the Service. We do not use personal information for targeted advertising. Sensitive personal information is processed only as needed to deliver core functionality. For questions about how your data is handled, contact us at [email protected].

To submit a verifiable consumer request, contact us at [email protected]. We will respond within 45 days.

11. Your Rights: Southeast Asia

If you are located in Southeast Asia, the following regional provisions apply in addition to the rights described above:

Singapore (PDPA 2012)

You have the right to access and correct your personal data held by us. You may withdraw consent for the collection, use, or disclosure of your personal data at any time by deleting your account. We will cease processing your data within a reasonable period. You may contact the Personal Data Protection Commission (PDPC) if you have concerns about our data handling practices.

Thailand (PDPA B.E. 2562)

You have the right to access, correct, delete, restrict, and port your personal data. You may withdraw consent at any time. We process your data on the basis of consent and contractual necessity. You may lodge a complaint with the Personal Data Protection Committee (PDPC) of Thailand.

Malaysia (PDPA 2010)

You have the right to access and correct your personal data. You may request that we cease processing your data or withdraw consent by contacting us. We will not transfer your data outside Malaysia without appropriate safeguards.

Philippines (Data Privacy Act 2012)

You have the right to be informed, to access, to object, to erasure, to rectification, and to data portability. You may file a complaint with the National Privacy Commission (NPC) if you believe your rights have been violated.

Indonesia (PDP Law 2022)

You have the right to obtain information about the processing of your personal data, to correct inaccuracies, to request deletion, and to withdraw consent. We process your data based on your explicit consent.

12. Children’s Privacy

Helm is designed for users aged 16 and over (or 13 and over in the United States, in accordance with COPPA). We do not knowingly collect data from children under the applicable age threshold in your jurisdiction. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

13. International Transfers

Your data may be processed outside your home country when sent to Anthropic’s API for CV generation. Anthropic’s servers are located in the United States. Where data is transferred internationally, we rely on:

  • UK International Data Transfer Agreements (for UK transfers)
  • Standard Contractual Clauses where applicable
  • Consent-based transfers where permitted by local law

We ensure that any third party receiving your data provides adequate protections consistent with the data protection laws applicable to you.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the Service. The “Last updated” date at the top indicates the most recent revision.

Contact

For privacy-related queries, contact us at [email protected].

To exercise any of your rights under applicable law, email us with the subject line “Privacy Rights Request” and specify your country of residence. We will respond within the timeframe required by your local regulations.