Privacy Policy
- Version: 1.0
- Effective date: 2026-04-23
- Supersedes: (initial version)
- Full change history: see section 14 (Change history) at the bottom of this page.
⚠️ REVIEW-BEFORE-PUBLIC GATE — this draft was written to be comprehensive and PDPA-aware but has not yet been reviewed by a Singapore-qualified lawyer. Schedule a 30-minute legal review before making this page public or before the first paying customer. See docs/ops/pdpa-compliance-notes.md for the factual source material and the Checkpoint 8 entry in docs/ops/deployment-log.md for the review-gate status.
1. Who we are
Helmself is a corporate secretarial document-generation service for Singapore-registered companies, operated by Suupur Pte. Ltd. (UEN: [to be filled by lawyer during review]), registered in Singapore.
- Website: helmself.com
- Support: support@helmself.com
- Data Protection Officer: dpo@helmself.com
This policy describes what personal data Helmself collects, why it is collected, who it is shared with, and your rights under the Singapore Personal Data Protection Act 2012 ("PDPA").
2. What personal data we collect
| Category | Examples | Source |
|---|---|---|
| Account identifiers | email address, Google account ID, password hash (if using email/password sign-in in future), session token | Sign-up via Google OAuth |
| Company metadata | UEN, company name, registered address | Data you enter |
| Director particulars | names, NRIC or FIN or passport number, addresses | Data you enter |
| Shareholder particulars | names, shareholdings, addresses | Data you enter |
| Billing information | Stripe customer ID, card-type and last-4 digits (via Stripe), subscription history | Stripe processing on your payment |
| Generated documents | board resolutions, shareholder resolutions (DOCX + PDF) containing the director / shareholder details above | Produced by the service for your use |
| Email activity | reminder-email send timestamps, open / click events (if you don't disable tracking) | Your interaction with our emails |
| Access logs | IP address, user agent, request URLs, timestamps | Your use of the service (server logs) |
Sensitive personal data — we collect director and shareholder NRIC / FIN / passport numbers because these are required by Singapore company law to be stated on board resolutions and shareholder resolutions. These numbers are held as text fields in our database and appear in the documents we generate for you. We do not share these with any third party beyond the subprocessors listed in section 5.
3. Why we collect it (purpose limitation — PDPA s.13)
We use your data only for the purposes stated here:
- Generate documents — the director / shareholder / company data you enter is used to produce the board resolutions, shareholder resolutions, and other corporate secretarial documents you request.
- Maintain your account and subscription — authentication, billing, account management, customer support.
- Send transactional email — reminder emails before anniversary renewals, confirmation emails, payment receipts.
- Comply with our legal obligations — retaining invoices and transaction records as required by Singapore accounting and tax law.
- Improve the service — aggregate, anonymised analytics (which features are used, where users drop off) to improve product and user experience.
We do not sell your personal data. We do not use it for advertising. We do not share it with third parties other than the subprocessors listed in section 5.
4. Legal basis for processing
Under PDPA, we process your data based on:
- Consent — you explicitly agree to this Privacy Policy when signing up.
- Performance of contract — we need your data to provide the service you've signed up for (generating your resolutions, managing your subscription).
- Legal obligation — retention of billing records and responses to lawful requests from regulators.
- Legitimate interest — aggregate product analytics (section 9), security monitoring, and fraud prevention, balanced against your reasonable privacy expectations.
5. Subprocessors (who we share data with)
We use the following third-party services to operate Helmself. Each one has a Data Processing Agreement with us that requires them to process your data only on our instructions and with comparable protections to those required by PDPA.
| Subprocessor | Purpose | Data processed | Location |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | All customer data | Singapore (AWS ap-southeast-1) |
| Vercel, Inc. | Web application hosting | Request logs, environment configuration | Singapore (runtime) and United States (build-time) |
| Fly.io, Inc. | Document-generation service hosting | Transient document content during generation (not persisted) | Singapore |
| Stripe Singapore Pte. Ltd. | Payment processing | Card details, billing address, subscription records | Singapore and APAC region |
| Resend, Inc. | Transactional email delivery | Recipient email addresses, subject lines, HTML content | Japan (AWS ap-northeast-1) |
| Functional Software, Inc. (Sentry) | Error monitoring | Exception stack traces, request metadata with personal identifiers scrubbed | European Union (Frankfurt) |
| PostHog, Inc. | Product analytics | Aggregated event data (sign-ins, checkouts); no personal identifiers beyond an opaque user identifier | European Union (Cloud EU) |
| Better Stack s.r.o. | Uptime monitoring | HTTP probe logs; no personal data | European Union (Czech Republic) |
| Cloudflare, Inc. | DNS management and DDoS protection | DNS queries | Global edge network (Singapore point-of-presence serves Singapore users) |
| Google LLC | OAuth sign-in provider and Workspace email for administrative accounts | Your Google account email address and OAuth tokens | United States |
An updated subprocessor list is available on request at support@helmself.com.
6. Cross-border data transfers
Your personal data is primarily stored in Singapore at our database and application servers. Some supporting services (section 5) process data in other jurisdictions:
- Japan (Resend) — transactional email content
- European Union (Sentry, PostHog, Better Stack) — error tracking, analytics, uptime monitoring
- United States (Vercel build-time, Google) — deployment artefacts, OAuth
We have entered into Data Processing Agreements with each of these providers. These agreements include contractual clauses requiring each provider to provide a comparable standard of protection to the PDPA standard. Under PDPA section 26, cross-border transfers are permitted where recipients provide such comparable protection.
7. How long we keep your data (retention)
- Active account data — retained while you have an active account and for 30 days after account deletion to support billing reconciliation.
- Generated documents — retained in your account for as long as the account is active. After deletion, documents are removed within 30 days.
- Billing records — retained for five years after transaction date, as required by Singapore tax and accounting law. Retained in both our database (redacted after account deletion) and in Stripe's records.
- Access logs — retained for 30 days then deleted.
- Sentry error data — retained for 90 days per Sentry default; includes PII-scrubbed stack traces.
- PostHog analytics — retained for 12 months; contains no personal identifiers beyond an opaque user identifier.
8. Your rights under PDPA
You have the following rights:
- Access — request a copy of the personal data we hold about you.
- Correction — request correction of inaccurate personal data (most fields are editable directly in the app).
- Withdrawal of consent — withdraw consent to our processing, which may end your ability to use the service.
- Deletion — request deletion of your account and personal data.
- Portability — export your data (documents, resolutions, metadata) via the in-app export feature or on request.
To exercise any of these rights, email support@helmself.com with the subject "PDPA: Access Request", "PDPA: Deletion Request", or similar. We will acknowledge your request within 7 days and respond within 30 days (the PDPA statutory timeline).
Identity verification may be required — for account-related requests, responses are sent only to the email address on file.
9. Product analytics and cookies
We use PostHog (EU Cloud) to track aggregated product usage — which features are used, where users encounter errors, how long signup takes. Analytics collection is server-side only: we do not set tracking cookies in your browser. Events are associated with an opaque user identifier, not with your name, email address, or other personal information.
We do not use advertising cookies, third-party tracking pixels, or cross-site tracking.
Essential cookies are used for session management (keeping you signed in). These are set by the Supabase authentication system and are required for the service to function.
10. Security
We take reasonable steps to protect your personal data:
- TLS 1.2+ encryption in transit on all endpoints
- Database encryption at rest (Supabase-managed)
- Row-level security policies ensuring you can only access your own data
- Principle of least privilege on internal access
- Error monitoring with PII scrubbing enabled by default
- Incident response procedures for suspected breaches
No system is perfectly secure. In the event of a suspected breach, we will notify the Personal Data Protection Commission of Singapore and affected users within 72 hours of discovery, as required by PDPA.
11. Children's data
Helmself is for Singapore-registered companies and their authorised representatives. It is not directed at children under 18. If you believe a child has provided us personal data, contact support@helmself.com and we will delete it.
12. Changes to this policy
We may update this policy to reflect changes in our services, subprocessors, or legal obligations.
Material changes — including changes to data retention, user rights, dispute resolution, or adding/removing subprocessors — will be notified to you by email (to the address on your account) at least 14 days before taking effect, with a link to the new version and a human-readable summary of what changed.
Non-material changes — typos, formatting improvements, clarifications that don't alter the legal meaning — are made without notice but are still recorded in our internal git history.
Continued use of Helmself after a policy change takes effect constitutes acceptance of the new policy. If you do not agree to a material change, you may request deletion of your account (see section 8) before the new policy takes effect.
Every version of this policy is tracked in our version-control system; prior versions are retrievable on request at support@helmself.com.
13. How to contact us
- General inquiries: support@helmself.com
- Data Protection Officer: dpo@helmself.com
- Postal address: [Suupur Pte. Ltd. — address to be filled by lawyer during review]
You may also lodge complaints with the Personal Data Protection Commission of Singapore if you believe we have mishandled your personal data. See pdpc.gov.sg for their complaint process.
14. Change history
This log records every material change to this policy since initial publication. Non-material edits (typos, formatting) are tracked in our internal version-control system but not listed here.
| Version | Effective date | Summary of changes |
|---|---|---|
| 1.0 | 2026-04-23 | Initial publication. |