Privacy Policy
Last updated: April 15, 2026
§ 1. Controller and Contact
- The controller of your personal data is New Ventures Filip Wawer, conducting business activity under the firm name New Ventures Filip Wawer, with permanent place of business at ul. Tuwima 48/11, 90-021 Łódź, Poland, entered in the Central Register and Information on Economic Activity (CEIDG), holding Tax ID (NIP): 7272800385, Statistical Number (REGON): 364138860 (hereinafter: "Controller" or "we").
- The Controller operates the "Helpnode" application at https://helpnode.io (hereinafter: "Application" or "Service").
- Contact in matters relating to personal data:
- e-mail: [email protected],
- postal mail: ul. Tuwima 48/11, 90-021 Łódź, Poland.
- The Controller has not appointed a Data Protection Officer (DPO). Contact in data protection matters may be made directly via the addresses indicated in sec. 3 above.
- This Privacy Policy (hereinafter: "Policy") applies to personal data processed by the Controller in connection with the provision of the Service, the operation of the helpnode.io website, and related marketing and analytics activities.
§ 2. Key Terms
Capitalised terms used in this Policy that are not defined herein have the meanings assigned in the Terms of Service available at https://helpnode.io/legal/terms. In particular:
- GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation),
- Data Subject / you — the natural person whose personal data is processed, in particular a Customer, a User, a visitor to the Application's website, or a recipient of marketing communications,
- Processing — any operation performed on personal data within the meaning of Article 4(2) GDPR.
§ 3. Categories of Personal Data We Process
Depending on how you interact with us, we may process the following categories of your personal data:
- Account data — e-mail address, password (in hashed form), first name (where provided), profile picture (where provided via OAuth), workspace name, role within the workspace,
- Authentication data (OAuth) — identifier, e-mail, and basic profile data received from Google or GitHub when you register or log in via these providers,
- Billing data — billing address, company name, Tax ID (VAT ID / NIP), payment method tokens (we do not store full card numbers — they are handled by Stripe), invoice history,
- Customer Content — documentation content, files, metadata, and any other materials you upload or create in the Application, including personal data you may choose to include in such content,
- AI query data — queries submitted to the Reader AI feature and the relevant excerpts of documentation sent to AI providers to generate the response,
- Technical data — IP address, browser type and version, operating system, device type, session identifiers, referrer URL, interaction logs, error reports,
- Marketing and analytics data — cookie identifiers, advertising identifiers, pages visited, events triggered on the website, traffic sources, conversion data, audience segments,
- Communication data — content of correspondence with us (e-mails, support tickets, feedback), subscription status for marketing e-mails,
- Cookie-based data — as described in § 8 of this Policy.
§ 4. Sources of Personal Data
We obtain your personal data:
- directly from you — when you register an Account, configure your workspace, create Customer Content, make a payment, contact us, or subscribe to marketing communications,
- from OAuth providers — Google or GitHub, when you choose to log in via these providers,
- from our payment operator — Stripe, which confirms payment status and shares limited billing information,
- automatically — by means of cookies and similar technologies used on helpnode.io and within the Application (see § 8),
- from advertising and analytics platforms — Google (GA4, Google Ads), Meta (Facebook/Instagram Ads), TikTok Ads — regarding interactions with our advertising campaigns and conversions,
- from publicly available sources — such as CEIDG or KRS, for verification of business customers.
§ 5. Purposes and Legal Bases of Processing
| # | Purpose | Legal basis (GDPR) | Data categories |
|---|---|---|---|
| 1 | Providing the Service (creating and maintaining the Account, enabling the use of the Application, synchronising with Git) | Art. 6(1)(b) — performance of a contract | Account data, OAuth data, Customer Content |
| 2 | Processing payments and issuing invoices | Art. 6(1)(b) — performance of a contract; Art. 6(1)(c) — legal obligation (tax law, accounting law) | Billing data |
| 3 | Providing the Reader AI feature | Art. 6(1)(b) — performance of a contract | AI query data, Customer Content |
| 4 | Handling complaints, requests, and out-of-court dispute resolution | Art. 6(1)(b) — performance of a contract; Art. 6(1)(c) — legal obligation (Consumer Rights Act, DSA) | Account data, communication data |
| 5 | Handling DSA notice-and-action reports and appeals | Art. 6(1)(c) — legal obligation (DSA); Art. 6(1)(f) — legitimate interest | Communication data, Customer Content, reporter data |
| 6 | Ensuring security of the Service, fraud prevention, abuse detection, rate limiting | Art. 6(1)(f) — legitimate interest (security of the Service) | Technical data, Account data |
| 7 | Establishment, exercise, and defence of legal claims | Art. 6(1)(f) — legitimate interest | All relevant data |
| 8 | Analytics (understanding how users interact with the website and the Application via Google Analytics 4) | Art. 6(1)(a) — consent (via cookie banner) | Marketing and analytics data, technical data |
| 9 | Online advertising and retargeting via Google Ads, Meta Ads (Facebook/Instagram), and TikTok Ads | Art. 6(1)(a) — consent (via cookie banner) | Marketing and analytics data, technical data |
| 10 | Conversion measurement and attribution across advertising platforms | Art. 6(1)(a) — consent | Marketing and analytics data |
| 11 | Sending marketing communications (newsletter, product updates, promotional offers) | Art. 6(1)(a) — consent; Art. 10 of the Polish Act on the Provision of Electronic Services; Art. 398 of the Polish Electronic Communications Law | E-mail address, communication preferences |
| 12 | Direct marketing to existing customers concerning our own similar services | Art. 6(1)(f) — legitimate interest (with the right to object) | E-mail address |
| 13 | Complying with obligations under DSA, AI Act, tax law, and accounting law | Art. 6(1)(c) — legal obligation | All relevant data |
| 14 | Tailoring content and improving the Service (aggregated statistics, product decisions) | Art. 6(1)(f) — legitimate interest | Aggregated technical and marketing data |
§ 6. Recipients of Personal Data
Your personal data may be disclosed to:
- Processors acting on our instructions — pursuant to data processing agreements concluded under Article 28 GDPR:
- Stripe Payments Europe, Ltd. (Ireland / USA) — payment processing, fraud prevention, invoicing,
- OpenAI, L.L.C. (USA) — processing of Reader AI queries (without use of data for training, pursuant to OpenAI API terms for business customers),
- Google LLC / Google Ireland Ltd. (USA / Ireland) — processing of Reader AI queries via Gemini API, Google Analytics 4, Google Ads, Google Workspace (if used for internal operations),
- Meta Platforms Ireland Ltd. (Ireland / USA) — Meta Ads, Meta Pixel, Conversions API (Facebook, Instagram),
- TikTok Technology Ltd. (Ireland / USA / Singapore) — TikTok Ads, TikTok Pixel, Events API,
- Resend, Inc. (USA) — transactional and marketing e-mail delivery,
- GitHub, Inc. (USA) — OAuth authentication; for customers using Git synchronisation — access to repositories as authorised by you,
- Cloudflare, Inc. (USA) — content delivery network, DDoS protection, edge caching,
- hosting provider — provider of the virtual private server on which the Application runs (EU-based),
- providers of technical infrastructure (PostgreSQL, Redis) — self-hosted on the above-mentioned VPS,
- Independent controllers — in specific situations:
- providers of advertising platforms (Google, Meta, TikTok) when they act as independent controllers for their own platform-level operations (audience building across customers, fraud prevention on the platform),
- legal, tax, and accounting advisors — where retained for specific matters,
- Public authorities — where required by law (e.g. tax authorities, courts, law enforcement), pursuant to Art. 6(1)(c) GDPR,
- Acquirers or successors — in the event of a transaction involving the Controller's business (e.g. sale, merger), subject to appropriate confidentiality and data protection safeguards.
An up-to-date list of key processors is maintained by the Controller and may be requested via [email protected].
§ 7. Transfers of Personal Data Outside the EEA
Some of the processors listed in § 6 are established outside the European Economic Area, in particular in the United States. In such cases, the transfer of personal data takes place on the basis of:
- an adequacy decision of the European Commission — for transfers to the USA to recipients certified under the EU-U.S. Data Privacy Framework (Google, Meta, Stripe are certified; verify current status of each recipient),
- Standard Contractual Clauses (SCC) adopted by the European Commission — where an adequacy decision does not apply,
- additional supplementary measures (e.g. encryption, pseudonymisation) where required following a transfer impact assessment.
You may request a copy of the safeguards applied to transfers of your personal data by contacting us at [email protected].
§ 8. Cookies and Similar Technologies
- The Application and the helpnode.io website use cookies and similar technologies (local storage, session storage, pixels, SDKs).
- We distinguish the following categories of cookies:
| Category | Purpose | Legal basis | Consent required |
|---|---|---|---|
| Strictly necessary | Login, session management, security, load balancing, preserving cookie consent state | Art. 6(1)(f) GDPR — legitimate interest; Art. 173 of the Polish Electronic Communications Law (exemption from consent) | No |
| Functional | Remembering user preferences (e.g. UI language, theme, workspace) | Art. 6(1)(a) GDPR — consent | Yes |
| Analytics | Google Analytics 4 — measurement of traffic, user behaviour, conversions | Art. 6(1)(a) GDPR — consent | Yes |
| Advertising / marketing | Google Ads, Meta Pixel, TikTok Pixel — retargeting, conversion measurement, audience building | Art. 6(1)(a) GDPR — consent | Yes |
- You can manage cookie consent:
  1) via the cookie banner displayed on your first visit, and at any later time via the "Cookie settings" link in the footer of the website,
  2) through your browser settings (blocking or deleting cookies),
  3) via opt-out mechanisms provided by specific platforms:
     - Google Analytics: https://tools.google.com/dlpage/gaoptout,
     - Google Ads: https://adssettings.google.com,
     - Meta Ads: https://www.facebook.com/adpreferences,
     - TikTok Ads: https://www.tiktok.com/legal/page/row/privacy-policy/en (ad settings within your TikTok account),
     - Network-level opt-out: https://www.youronlinechoices.eu.
- Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
§ 9. Retention Periods
We retain personal data only as long as necessary for the purpose of processing:
- Account data and Customer Content — for the duration of the Agreement and for 90 days after its termination, unless you explicitly request earlier deletion (as set out in § 4 sec. 15 of the Terms of Service),
- Billing data and invoices — for 5 years from the end of the calendar year in which the tax obligation arose (pursuant to the Polish Tax Ordinance and Accounting Act),
- AI query data — transient processing only; queries and responses are not permanently stored beyond what is necessary to return the result to you; logs for debugging are retained for up to 30 days,
- Technical data and security logs — up to 12 months, unless required longer for investigation of security incidents,
- Analytics data (GA4) — default retention period configured in GA4 (typically 14 months), subject to the consent you provided,
- Advertising platform data — according to retention periods of the respective platforms (Google Ads, Meta, TikTok); aggregated conversion data may be retained longer,
- Marketing consent data — until you withdraw consent or for 3 years from your last interaction,
- Correspondence and complaint records — for 3 years (default limitation period for business claims) or 6 years (limitation period for consumer claims), whichever applies,
- Data necessary for the establishment, exercise, or defence of legal claims — until the expiry of the relevant limitation period,
- Reports and appeals under DSA — for 6 months after the decision is made, unless a longer period is required by law.
After the retention period expires, data is deleted or effectively anonymised.
§ 10. Your Rights
Under the GDPR, you have the following rights:
- Right of access (Art. 15 GDPR) — to obtain confirmation whether we process your personal data and to receive a copy of that data,
- Right to rectification (Art. 16 GDPR) — to have inaccurate personal data corrected or incomplete data completed,
- Right to erasure ("right to be forgotten", Art. 17 GDPR) — to have your personal data deleted where one of the grounds specified in the GDPR applies,
- Right to restriction of processing (Art. 18 GDPR),
- Right to data portability (Art. 20 GDPR) — to receive the personal data you provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller,
- Right to object (Art. 21 GDPR) — at any time, on grounds relating to your particular situation, to processing based on our legitimate interest (Art. 6(1)(f)); the right to object to processing for direct marketing purposes is absolute and does not require justification,
- Right to withdraw consent (Art. 7(3) GDPR) — at any time, without affecting the lawfulness of processing carried out before the withdrawal, with respect to processing based on your consent,
- Right not to be subject to automated decision-making (Art. 22 GDPR) — see § 11 below,
- Right to lodge a complaint with a supervisory authority — in Poland: the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych), ul. Stawki 2, 00-193 Warsaw, https://uodo.gov.pl.
To exercise your rights, contact us at [email protected]. We will respond without undue delay, and in any event within one month of receipt of the request (this period may be extended by a further two months where necessary, given the complexity and number of requests).
§ 11. Automated Decision-Making and Profiling
- We do not make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you (Art. 22 GDPR).
- We perform limited profiling for the following non-significant purposes:
- marketing and advertising (audience segmentation, retargeting) — on the basis of your consent,
- security (detection of anomalous login attempts, rate limiting) — on the basis of our legitimate interest.
- Reader AI processes Customer Content and queries solely to generate a conversational response and does not make decisions about you or other persons.
§ 12. Marketing Communications
- We send marketing e-mails (newsletter, product updates, promotions) only to persons who have given their consent to such communications, pursuant to:
- Art. 6(1)(a) GDPR — consent to processing for marketing purposes,
- Art. 10 of the Polish Act on the Provision of Electronic Services — consent to sending commercial information by electronic means,
- Art. 398 of the Polish Electronic Communications Law — consent to use of terminal equipment for direct marketing.
- You can withdraw consent to marketing communications at any time:
- via the unsubscribe link included in every marketing e-mail,
- by contacting us at [email protected],
- in the Account settings, if you are a registered Customer.
- In the case of existing Customers, we may send direct marketing communications regarding our own similar services on the basis of our legitimate interest (Art. 6(1)(f) GDPR), with the right to object at any time.
§ 13. Security of Personal Data
- We apply technical and organisational measures appropriate to the risk, in particular:
- encryption of data in transit (TLS/SSL) and at rest where applicable,
- hashing of passwords using industry-standard algorithms (bcrypt),
- strict access controls and the principle of least privilege,
- regular backups,
- monitoring and logging of security-relevant events,
- rate limiting and anti-abuse mechanisms,
- regular updates of software dependencies.
- Despite the measures applied, no method of transmission or storage is 100% secure. You are responsible for keeping your Account credentials confidential.
- In the event of a personal data breach likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, pursuant to Art. 34 GDPR.
§ 14. Data Relating to Children
The Service is not directed at persons under the age of 16. We do not knowingly collect personal data of children under 16 without verifiable parental consent. If you believe that a child has provided us with personal data without such consent, please contact us at [email protected] and we will take appropriate steps to delete such data.
§ 15. Third-Party Content and Links
The Application may contain links to third-party websites and services (e.g. documentation of our customers, third-party APIs, AI provider terms). This Policy does not apply to the processing of personal data by those third parties. We recommend reviewing the privacy policies of services you visit through such links.
§ 16. Changes to the Privacy Policy
- We may update this Policy from time to time, in particular where necessary to reflect changes in legislation, the technical functioning of the Service, or the scope of processing activities.
- The amended Policy shall enter into force on the date of its publication in the Application, unless a later date is indicated. For significant changes, we will notify you by e-mail or by a prominent notice in the Application at least 14 days before the change takes effect.
- Agreements concluded before the change are governed by the version of the Policy in force at the time of the change, insofar as this does not conflict with mandatory legal provisions.
§ 17. Final Provisions
- The current version of the Policy is in force from 15 April 2026.
- This Policy is governed by the laws of the Republic of Poland and the GDPR.
- In matters not regulated in the Policy, the provisions of generally applicable law shall apply, including the GDPR, the Polish Personal Data Protection Act of 10 May 2018, the Polish Act on the Provision of Electronic Services, and the Polish Electronic Communications Law.