This page explains what Helm collects, why we need it, who helps us process it, and how to contact us about privacy rights. The full policy below is the legal version. This summary gives the main points first.
We collect the data Helm needs to run accounts, bookings, store orders, CRM records, invoices, messages, support, analytics, security, and billing.
We do not sell personal data.
We do not use advertising or remarketing cookies.
We do not use your data for automated decisions with legal or similar effects.
Does Helm sell personal data?
No. Helm does not sell personal data, does not use advertising or remarketing cookies, and does not use personal data for automated decisions with legal or similar effects.
Is Helm a controller or processor?
For Business User account, billing, and usage data, Helm is the data controller. For customer data processed through a merchant workspace, the merchant is usually the controller and Helm acts as processor.
What cookies and analytics does Helm use?
Helm uses essential cookies for sign-in, security, verification, and platform operation. Optional Google Analytics on Helm-owned public pages only loads after optional analytics consent.
How can someone make a privacy request?
Most privacy requests can be sent through the Contact Us section below. Helm may verify identity before responding and targets a response within 21 days.
What data Helm collects
We collect account and business details, booking and order information, customer records, communications, support requests, device and browser data, Stripe payment records, and security logs. We use this data to run Helm and protect accounts.
How Helm uses data
We use personal data to provide Helm, process bookings and orders, manage subscriptions, send transactional messages, protect accounts, fix incidents, improve reliability, respond to support requests, and meet legal obligations.
Who processes data
Helm works with providers such as Stripe, Meta customer messaging, Neon, Cloudflare, PostHog, Google Analytics, Sentry, Resend, Google OAuth, Microsoft, and Better Auth. These providers help with payments, hosting, messaging, analytics, security, email, and sign-in.
Your privacy choices
You can contact Helm to request access, correction, deletion, portability, withdrawal of consent, or other privacy rights where applicable. We may ask you to verify your identity before we process a request.
Privacy data snapshot
This snapshot helps readers understand the main personal data categories in Helm before reading the full legal policy. It is a plain-language guide; the numbered policy sections below control if a detail differs.
Data category
Examples
Main purpose
Account and business data
Name, email, phone number, business name, business address, registration details, roles, and settings.
Create accounts, authenticate users, run subscriptions, manage workspaces, provide support, and protect access.
Customer workflow data
Bookings, waitlists, events, forms, orders, gift cards, loyalty records, CRM notes, invoices, receipts, and messages.
Operate merchant websites, booking flows, store checkout, customer records, payments, documents, follow-up, and daily operations.
Measure product usage, improve reliability, debug incidents, enforce security controls, and prevent fraud or abuse.
Payment and billing records
Stripe customer references, transaction IDs, billing email, last four card digits, card brand, invoice status, and dispute records.
Process subscriptions and one-time charges, issue receipts, reconcile invoices, handle disputes, and meet tax or accounting obligations.
Privacy questions answered
These answers summarize the same policy in question-and-answer form for people, search engines, and AI search tools that need a short, self-contained explanation.
What personal data does Helm collect?
Helm collects the information needed to provide a merchant operating system: account details, business settings, customer workflow records, payment records, support requests, analytics, diagnostics, security logs, and cookies used for essential platform operation.
Why does Helm process personal data?
Helm uses personal data to provide accounts, websites, bookings, store orders, forms, customer records, invoices, receipts, messages, support, analytics, security, billing, and legal compliance.
Does Helm use personal data for advertising?
No. Helm does not use advertising pixels, remarketing cookies, session replay, heatmaps, or unrestricted autocapture for public marketing pages or the authenticated dashboard.
How long does Helm keep personal data?
Retention depends on the record type. Account data is kept while the account is active, billing records may be kept for tax and accounting periods, analytics is retained for a limited operational period, and security logs are retained for incident review.
What privacy rights can someone request?
Where applicable, people may request access, correction, deletion, consent withdrawal, portability, restriction, objection, or complaint handling. Some records may be retained when required for merchant instructions, security, billing, tax, disputes, or law.
Who should an end-customer contact about privacy?
Business Users can contact Helm directly. End-customers may contact either the merchant that collected their data or Helm, and Helm may need to coordinate with the merchant when Helm acts as processor.
1. Introduction
This Privacy Policy explains how Khidmat Tech Sdn. Bhd. (SSM 202601002071 (1664168-K)), doing business as Helm, collects, uses, stores, discloses, and protects personal data through the Helm platform at gethelm.asia and all related services (collectively, the "Platform").
In this policy, "we", "us", and "Helm" refer to Khidmat Tech Sdn. Bhd.. "You" refers to any individual or entity accessing or using the Platform, including merchants ("Business Users") and their end-customers ("End-Users").
We process personal data in accordance with the Personal Data Protection Act 2010 (PDPA) of Malaysia, the Personal Data Protection (Amendment) Act 2024 as it comes into force, and other privacy laws that apply to the countries where we make Helm available.
2. Data Controller & Data Processor
When you are a Business User: Helm is the data controller for your account information, billing data, and usage analytics. We decide how and why this data is processed.
When your customers (End-Users) interact with your Helm-powered services: You (the Business User) are the data controller for your customers' personal data. Helm acts as a data processor, processing End-User data solely on your behalf and according to your instructions. You are responsible for obtaining any necessary consents from your End-Users and for complying with applicable data protection laws in your use of the Platform.
3. Data We Collect
3.1 Information you provide directly:
Account & business information: name, email address, phone number, business name, business category, business address, and SSM or registration number (if provided).
Booking, waitlist, event, and service data: service selections, appointment dates and times, queue entries, event registrations, customer contact details submitted through public forms, and special requests.
Customer records (CRM): names, email addresses, phone numbers, purchase history, and notes that Business Users store about their customers.
Commerce, gift card, loyalty, invoicing & financial records: order details, checkout contact details, shipping information, gift card purchaser and recipient details, loyalty records, invoice line items, amounts, payment status, and customer billing details entered by Business Users.
Communications: messages sent and received through integrated channels (customer messaging API, email), including message content, timestamps, and delivery status.
Verification phone number: the phone number submitted during loyalty lookup and verification flows so we can locate an eligible loyalty account and issue a verification challenge.
Challenge & attempt metadata: challenge identifiers, issue and expiry timestamps, challenge type, success and failure markers, delivery status, rate-limit signals, IP-derived client identifiers, and verification attempt counts.
Support requests: any information you provide when contacting us for assistance.
3.2 Information collected automatically:
Device & browser data: IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
Usage data: pages visited, features used, click patterns, session duration, referral URLs, and navigation paths.
Error & performance data: crash reports, stack traces, response times, and JavaScript errors captured for debugging.
Cookies & similar technologies: see Section 8 below.
3.3 Payment data:
Subscription payments and one-time charges are processed securely by Stripe. We do not store your full credit or debit card number, CVV, or bank login credentials on our servers. We receive and store a limited payment record from Stripe (last four digits, card brand, billing email, transaction IDs) for invoicing and dispute resolution.
4. How We Use Your Data
We process personal data for the following purposes:
Service delivery: operate, maintain, and improve the Platform, including hosting your website, processing bookings, waitlists, events, store orders, gift cards, loyalty records, forms, support tickets, invoices, receipts, and communications.
Account management: authenticate users, manage subscriptions, process payments, and enforce plan entitlements.
Transactional communications: send booking confirmations, appointment reminders, payment receipts, and account notifications via email.
Loyalty verification: issue one-time verification challenges, validate short-lived session tokens, prevent abuse, and confirm that a customer is entitled to view loyalty information.
Analytics & product improvement: understand usage patterns, identify bugs, measure feature adoption, and improve user experience.
Security & fraud prevention: detect and prevent unauthorised access, abuse, or fraudulent activity.
Legal compliance: comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
Customer support: respond to your enquiries and resolve issues.
We do not sell your personal data to third parties. We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.
5. Processing Basis
For Malaysia, we process personal data only where the PDPA permits processing, including where consent has been given, where processing is necessary for a contract or requested service, where processing is directly related to a lawful purpose, where legal obligations apply, or where another PDPA exception applies.
For other countries, we rely on the lawful bases available under applicable law.
Consent and notice: you provide consent or receive notice when you create an account, submit a customer form, check out, verify loyalty access, or opt in to non-essential communications.
Contract or requested service: processing is necessary to provide the Platform, authenticate users, process payments, fulfil bookings/orders/tickets, and send transactional messages.
Legal and regulatory obligations: processing is required for tax, accounting, sanctions, payment, security, dispute, or lawful request obligations.
Security and service integrity: processing is necessary to prevent abuse, protect accounts, operate infrastructure, debug incidents, and maintain service resilience, subject to applicable law.
6. Customer messaging
Helm uses the customer messaging Cloud API (operated by Meta Platforms Ireland Ltd.) to send and receive messages on behalf of Business Users. This includes:
Booking confirmations and reminders sent to End-Users.
New booking alerts sent to Business Users.
Customer enquiry messages routed through the Helm inbox.
Messages are sent only for transactional and service-related purposes. We do not send unsolicited marketing messages via customer messaging unless the recipient has explicitly consented through the relevant Business User.
7. Third-Party Service Providers
We share personal data with the following third-party processors solely to operate and improve the Platform. Each provider processes data under their own privacy policy and applicable data protection agreements:
Stripe (United States) — payment processing and subscription billing.
Meta / customer messaging API (Ireland / United States) — transactional messaging.
Cloudflare Workers, R2, and Queues (United States, Singapore, and global edge locations) — application hosting, networking, media storage, content delivery, and background job dispatch.
PostHog (United States / EU) — product analytics, feature adoption measurement, and dashboard usage analytics.
Google Analytics (global) — optional public marketing analytics when accepted.
Sentry (United States) — error monitoring and performance tracking.
Google and Microsoft OAuth (global) — optional account sign-in when enabled.
Better Auth — authentication layer (self-hosted within our infrastructure; no external data sharing).
We may also disclose personal data to professional advisors (accountants, lawyers), law enforcement, or regulatory authorities when required by law or to protect our legal rights.
8. Cookies & Tracking Technologies
The Platform uses cookies and similar technologies for the following purposes:
Essential cookies: required for authentication, session management, and security. These cannot be disabled.
Verification session cookies: short-lived session tokens used during loyalty verification to tie a challenge request to a follow-up verification attempt, enforce rate limits, and prevent replay or brute-force abuse.
Public website analytics: Helm public pages may use privacy-first page view records without advertising cookies, browser fingerprinting, session replay, or heatmaps. Session references, where used for merchant site reporting, are pseudonymous and rotate.
Optional public-page analytics: If you accept optional analytics on Helm-owned marketing, pricing, help, or educational pages, Google Analytics may use cookies or local storage to measure page views, campaign attribution, and manual conversion events. If you decline, optional Google Analytics is not enabled on those public pages.
Authenticated dashboard analytics: When Business Users create an account, sign in, or use the merchant dashboard, Helm uses bounded product analytics to measure feature adoption, support product operations, debug product issues, protect rollout state, and improve the Platform. Dashboard analytics can be associated with a logged-in Business User account and site, but we do not use advertising pixels, session replay, heatmaps, or unrestricted autocapture for this purpose.
Error tracking: Sentry may use cookies or local storage to correlate error events within a session.
Verification-related session tokens are retained only for the short period needed to complete the challenge flow and rate-limit enforcement.
We do not use advertising or remarketing cookies. You can manage or delete cookies through your browser settings. Disabling essential cookies may impair Platform functionality.
9. Cross-Border Data Transfers
Your personal data may be transferred to and processed in countries outside Malaysia, including Singapore and the United States, where our third-party service providers operate. Under Section 129 of the PDPA 2010, we ensure that any such transfer is subject to appropriate safeguards, including:
Data processing agreements with each provider requiring them to protect your data to a standard comparable to the PDPA.
Providers certified under recognised frameworks (for example, SOC 2 and ISO 27001) or subject to equivalent data protection laws.
10. Data Retention
We retain personal data only for as long as reasonably necessary for the purposes below, unless a longer period is required by law, payment-network rules, tax obligations, disputes, security investigations, or an active merchant instruction. The schedule below is our operational target; some records may be deleted, anonymised, or aggregated earlier.
Active account data: retained for as long as your account remains active and for up to 90 days after account closure or deactivation to allow reactivation.
Customer-facing records: bookings, orders, waitlist entries, events, form submissions, CRM records, gift cards, loyalty records, reviews, support tickets, and merchant-created notes are retained while the Business User account is active and during the post-termination export window, unless the Business User deletes them earlier or law requires longer retention.
Billing and transaction records: retained for 7 years to comply with Malaysian tax and accounting requirements (Income Tax Act 1967, Section 82).
Verification phone numbers and challenge records: encrypted or pseudonymised where appropriate and retained for up to 90 days after the verification flow to enforce rate limits, detect abuse, and satisfy security auditing obligations, unless a security investigation requires longer retention.
Verification attempt logs: retained for up to 90 days for security review and then deleted or anonymised unless an active investigation requires longer retention.
Analytics and usage data: retained in identifiable form for up to 24 months for product analytics, rollout measurement, support, abuse prevention, and billing operations, then aggregated, anonymised, or deleted according to provider settings and internal retention jobs.
Error and security logs: retained for up to 12 months to debug incidents, protect the Platform, and satisfy audit obligations; logs are scrubbed to avoid raw emails, phone numbers, message bodies, notes, tokens, and payment secrets.
Email message records: retained for up to 24 months for service delivery, merchant history, abuse prevention, and dispute resolution, then deleted or anonymised according to merchant instructions and internal retention jobs unless law or payment disputes require longer retention.
Closure or deactivation is distinct from permanent deletion. When you request permanent deletion, we will delete or export customer-facing data within 30 days, while certain operational, legal, billing, or audit records may be retained according to the schedule in this Privacy Policy.
11. Data Security
We implement technical and organisational measures to protect your data, including:
Encryption in transit (TLS 1.2+) and at rest (AES-256 for databases).
Role-based access controls and principle of least privilege.
Secure credential storage (hashed passwords, encrypted API keys).
Regular security reviews and dependency updates.
Infrastructure hosted on SOC 2 and ISO 27001 certified platforms.
Encryption or access controls around verification data and security logs.
No system is 100% secure. While we take reasonable and industry-standard precautions, we cannot guarantee absolute security. If you discover a security vulnerability, please report it responsibly to support@gethelm.asia.
12. Data Breach Notification
In the event of a personal data breach that is likely to cause significant harm to affected individuals, we will:
Notify the relevant authorities as required by law.
Notify affected individuals without undue delay where required by applicable law, via email, dashboard notification, or another appropriate channel, describing the nature of the breach, the data involved, and the steps we are taking.
Take immediate steps to contain and remediate the breach.
Business Users are responsible for notifying their own End-Users where the breach involves End-User data processed on the Business User’s behalf.
13. Your Rights
Depending on where you live and your relationship to Helm or a Business User, you may have the right to:
Access: request a copy of the personal data we hold about you.
Correction: request correction of inaccurate or incomplete personal data.
Deletion: request deletion of your personal data, subject to merchant instructions, legal retention obligations, payment records, security records, and other lawful exceptions.
Withdraw consent: withdraw consent for non-essential processing at any time, without affecting the lawfulness of processing before withdrawal.
Data portability: request an export of your data in a structured, machine-readable format (JSON or CSV) where applicable law or our product tooling supports it.
Restrict or object to processing: request that we limit or stop certain processing where applicable law gives you that right.
Complaint: lodge a complaint with the Department of Personal Data Protection Malaysia (JPDP) if you believe your rights have been violated.
To exercise any of these rights, contact us at support@gethelm.asia. We will respond within 21 days. We may request identity verification before processing your request.
14. Bahasa Malaysia PDPA Notice Summary
Notis ringkas ini disediakan untuk subjek data di Malaysia. Helm mengumpul dan memproses data peribadi seperti nama, emel, nombor telefon, butiran perniagaan, butiran pelanggan, tempahan, pesanan, bayaran, mesej perkhidmatan, data penggunaan, dan rekod sokongan untuk menyediakan Platform, mengesahkan akaun, memproses transaksi, menghantar komunikasi perkhidmatan, mencegah penyalahgunaan, memenuhi kewajipan undang-undang, dan menyokong pengguna.
Data boleh didedahkan kepada penyedia perkhidmatan seperti pemproses bayaran, penyedia mesej, hos awan, analitik, pemantauan ralat, emel transaksi, penasihat profesional, pihak berkuasa, atau peniaga yang menggunakan Helm. Anda boleh meminta akses, pembetulan, penarikan persetujuan bagi pemprosesan tidak penting, atau membuat pertanyaan melalui support@gethelm.asia. Jika maklumat wajib tidak diberikan, sesetengah fungsi Platform mungkin tidak dapat disediakan.
15. Children's Data
The Platform is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child under 18, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at support@gethelm.asia.
16. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
Update the "Last updated" date at the top of this page.
Notify you via email or a prominent notice on the Platform at least 14 days before the changes take effect.
Continued use of the Platform after the effective date of changes constitutes acceptance of the updated policy. If you do not agree with the changes, you may close your account.
17. Contact Us
For any questions, concerns, or data requests related to this Privacy Policy:
Khidmat Tech Sdn. Bhd. (doing business as Helm) A 3 3, Plaza Bukit Jalil (Aurora Place), No. 1, Persiaran Jalil 1, Bandar Bukit Jalil, 57000 Kuala Lumpur, Malaysia. Privacy enquiries: support@gethelm.asia Phone: +6012-430 7349