Privacy Policy
This policy explains what data Helpdash Ltd ("Helpdash", "we", "us") collects when you use helpdash.io or any Helpdash-hosted workspace, why we collect it, how long we keep it, and the rights you have over it. We aim for plain English — if anything below is unclear, email privacy@helpdash.io and a human will respond within one business day.
1. Who the controller is
For the marketing site (helpdash.io), Helpdash Ltd, registered in England & Wales, is the data controller. For data inside a customer’s workspace, the customer is the controller and Helpdash is the data processor under the Data Processing Addendum signed at account creation.
2. What we collect
On the marketing site we collect minimal anonymised analytics (page path, referrer, country at the country level, device class) using a first-party endpoint — no third-party trackers, no cross-site cookies. We do not run advertising pixels.
When you contact us we receive the data you put in the form (name, email, company, the message itself) plus a timestamp and the originating IP. When you create an account we collect your name, email, password (hashed with bcrypt), workspace slug, and any optional billing details. Inside a workspace, we store the operational data your team enters — tickets, replies, attachments, articles, audit events, automation rules, CSAT responses.
3. Why we use it
Marketing analytics: to understand which pages help and which don’t. Contact form: to reply. Account data: to authenticate you, scope your workspace, and bill you. Workspace data: to run the helpdesk product on your team’s behalf as a processor.
4. Lawful bases (GDPR)
Performance of contract (running the product you signed up for), legitimate interests (basic analytics and product improvement, minimised and anonymised), and consent (for non-essential cookies and the marketing newsletter — both opt-in, both withdrawable from any page footer).
5. Where data is hosted
Marketing site: Cloudflare CDN, EU edge. Production workspaces: AWS Frankfurt (eu-central-1) by default. UK (London) and US (Virginia) regions are available on Pro and above; dedicated single-tenant deployments on Enterprise can run in customer-supplied VPC, including on-prem.
6. How long we keep it
Marketing analytics: 13 months, then aggregated. Contact-form messages: 24 months from last reply. Workspace data: as long as the workspace is active, plus 30 days after cancellation for export. After 30 days, data is permanently deleted unless a longer retention is requested in writing. Audit logs are retained 13 months by default and can be streamed to your own S3 bucket for longer retention.
7. Sub-processors
We use AWS (hosting), Cloudflare (CDN + WAF), Resend (transactional email), Stripe (payments), and Sentry (error reporting, EU region, PII scrubbed). The current sub-processor list with regions and DPAs is at trust.helpdash.io. We notify customers 30 days before adding or replacing any sub-processor.
8. Your rights
You have the right to access, rectify, erase, restrict, port, and object to processing of your personal data. Marketing-site requests: email privacy@helpdash.io. Workspace data: contact the workspace admin (we’re the processor; they’re the controller). We respond within 30 days, usually within 7.
9. Security
Transport is TLS 1.3 (HTTPS-only, HSTS). Data at rest is AES-256. Passwords are bcrypt-hashed. Access to production is SSO-only with MFA enforced. Every privileged action is recorded in a tamper-evident audit log. Independent penetration tests run yearly; reports available under NDA from trust.helpdash.io.
10. Changes to this policy
We notify active workspace admins by email 30 days before any material change. The previous version stays accessible at /legal/privacy/archive.
11. Contact
Helpdash Ltd, London, England & Wales. Privacy: privacy@helpdash.io. Lead supervisory authority: the UK Information Commissioner’s Office (ICO).