Privacy Policy
Last updated: May 2026
Helm IQ is a customer-relationship platform built for M&A advisory firms. We hold sensitive deal information on behalf of every firm that uses us, and we treat that responsibility as the foundation of the product, not an afterthought.
This page explains exactly what we collect, how we use it, who else sees it, and how to get it back or delete it. If anything here is unclear, write us at jack@saltcreekadvisory.com and we'll answer in plain English.
1. What we collect
Account & firm data
- Your name, email address, and bcrypt-hashed password.
- Two-factor (TOTP) secret, encrypted at rest with AES-256-GCM.
- Your firm's name, optional logo, and per-org settings.
- Membership role within your firm (owner / admin / member / viewer).
CRM data you put in
- Contacts, companies, and deals you create or import.
- Notes, tasks, and meeting transcripts (when you turn on the meeting bot).
- Email content sent through Helm IQ's sequencing engine, plus delivery metadata (opens, clicks, replies, bounces).
- Call recordings and transcripts (when you turn on call recording with consent).
This is your firm's data. It is logically isolated from every other firm on the platform via per-row organizationId scoping enforced on every API route. We never use it to train AI models, sell to third parties, or include it in marketing.
Integration tokens
- Gmail / Outlook OAuth refresh tokens, encrypted at rest. Used to send and read email under your authorization. Scopes are limited to what each feature needs.
- Google Calendar / Microsoft Calendar OAuth refresh tokens, encrypted at rest. Used to read free/busy and create events.
- Inven API key (when you connect one), encrypted at rest. Used only to call Inven's public API on your behalf.
- Twilio account credentials (when configured), encrypted at rest.
- Slack webhook URLs (when configured), encrypted at rest.
- DocuSign / Zoom OAuth tokens (when configured), encrypted at rest.
Operational data
- Request paths, response codes, IP addresses, and error stacks. Used for debugging and abuse prevention. Retained roughly 90 days, then deleted.
- Audit log of every mutation on deals, contacts, members, and integration keys. Retained for the life of the account for compliance review.
2. How we use it
- To operate the Service: render your dashboard, send your email, run the cron jobs that move deals forward.
- To send transactional email — verification, password reset, team invites, daily summaries — only ever to addresses you have given us.
- To improve the Service in aggregate, anonymized form (e.g., median time to first deal email after signup).
- We do not sell, rent, or share your data with third parties for advertising. There is no third-party tracking on the authenticated app.
3. AI providers and sub-processors
AI features (call summaries, contact intel, draft emails, sequence generation, task suggestions) are powered by Anthropic Claude and OpenAI GPT. When you use these features, the relevant content is sent to the provider per their respective privacy terms.
Both providers have committed in their API terms that data sent through the API is not used to train their models.
Other sub-processors:
- Neon — managed Postgres database (US-East).
- Vercel — application hosting and edge network.
- Twilio — voice calls, SMS, and number provisioning.
- Stripe — payment processing. We never see your card number.
- Resend / Postmark — transactional email delivery, when configured.
- Cloudflare R2 — call-recording object storage, when configured.
4. Security
- All traffic is served over TLS.
- Passwords are stored as bcrypt hashes (never plaintext, never reversible).
- Two-factor TOTP secrets and integration OAuth tokens are encrypted at rest with AES-256-GCM. Backup codes are stored as SHA-256 hashes.
- Multi-tenant data isolation is enforced server-side on every API route via organizationId scoping. There is no client-trusted org parameter.
- Auth endpoints are rate-limited per IP to prevent brute-force attacks.
- An immutable audit log captures all mutations to deals, contacts, members, and integration credentials.
- 2FA is offered to every user and can be enforced at the firm level.
5. Your rights
- Access — export every record on your account at any time from Settings → Data.
- Correction — edit or delete any field directly in the app.
- Portability — CSV and JSON exports cover contacts, companies, deals, notes, tasks, and audit log.
- Deletion — request full account deletion at jack@saltcreekadvisory.com. We process within 30 days and confirm by email.
- Restriction — disable any AI feature in Settings without deleting your data.
6. Data retention
We keep your data while your account is active. On termination we retain it for 30 days (in case you reactivate) and then permanently delete it.
Audit logs may be retained beyond that window per applicable financial-services compliance requirements (typically up to seven years for dealing-record retention) but are stored separately from your live data.
7. International transfers
Data is stored in United States data centers. If you sign up from outside the US you consent to this transfer. Region-specific hosting is available on request for enterprise customers — write us at jack@saltcreekadvisory.com.
8. Children
Helm IQ is a B2B product for investment professionals. It is not intended for anyone under 18, and we do not knowingly collect their data.
9. Changes to this policy
Material changes will be announced by email to firm owners 30 days before they take effect. Non-material edits (typo fixes, clarifications) take effect immediately and bump the “Last updated” date at the top.
10. Contact
Privacy questions, deletion requests, or anything else: jack@saltcreekadvisory.com.
For everything else, including sales and support: jack@saltcreekadvisory.com.
This document is a plain-English summary of our actual practices, not legal advice. If you need a counter-signed Data Processing Agreement (DPA) for enterprise procurement, write to jack@saltcreekadvisory.com.