Privacy Policy

Last updated: 15 May 2026 · Effective: 15 May 2026

This Privacy Policy explains how Evith LLC, a Wyoming limited liability company with registered office at 30 N Gould St, Ste R, Sheridan, WY 82801, USA (“Helptal”, “we”, “us”), collects, uses, shares, retains, and protects personal data when you visit our marketing website at helptal.com, sign up for a Helptal account, install our chat widget, or otherwise use the Helptal service (collectively, the “Service”).

Our two roles. (1) When you create a Helptal account, we are the controller of personal data about you and your Agents. (2) When your Workspace receives messages, profile information, or other data from your End Users (a customer of your business interacting with your support team via Helptal), you are the controller of that data and we are the processor acting on your written instructions. If you are an End User trying to exercise rights over your personal data inside someone’s Workspace, please contact that business directly — we will help them respond.

1. Information We Collect

1.1 Account and billing information. When you sign up, we collect your name, email address, password (stored only as a salted hash), workspace name and slug, role, time zone, locale, profile photo (if you upload one), and billing details. Card numbers are processed and stored by our PCI-DSS compliant payment processor; we receive only a tokenised reference, the brand, the last four digits, and the expiry date so we can display your method on file. We also collect the IP address used at sign-up for fraud prevention.

1.2 Workspace content. Tickets, replies, internal notes, knowledge-base articles, automation rules, custom fields, tags, macros, saved views, attachments, recordings of bot conversations, appointment bookings, and similar content created inside your Workspace. This includes personal data about your own End Users that you choose to store (their email addresses, names, message content, custom-field values, optional metadata supplied through customer SSO).

1.3 End User data collected through your widget or portal. When an End User starts a chat or opens a ticket, we may receive their email address and name (where they provide them), the IP address from which they connected, the country derived from that IP, the page URL they were on, the referrer URL, browser User-Agent string, and any custom fields you have configured. End-User data is held inside your Workspace as Customer Data; we are the processor.

1.4 Usage and device data. Pages you visit on helptal.com and inside the product, features you use, search queries inside your Workspace, approximate location derived from IP, browser and OS strings, device type, language, timestamps of activity, performance and error logs, and similar telemetry. We collect this for security, abuse prevention, debugging, capacity planning, and product analytics.

1.5 Communications with us. Messages you send to support@, sales@, privacy@, security@, or [email protected]; surveys; sales calls (we do not record calls without notice); and social-media interactions.

1.6 Cookies and similar technologies. See Section 9.

1.7 Information from third parties. If you authenticate via a federated identity provider (e.g., Google, Microsoft, Okta, or a SAML IdP) or connect an integration, that provider may share with us your name, email, profile photo, and the scopes you authorise. If you respond to our advertising, advertising partners may share that you clicked through. We treat that information consistently with this Policy.

2. How We Use Personal Data

We use personal data to: (a) provide, operate, maintain, and improve the Service; (b) authenticate users, secure accounts, and prevent fraud, spam, and abuse; (c) bill you, recover unpaid amounts, and detect chargeback fraud; (d) communicate with you about service updates, security advisories, billing matters, and (with consent or where permitted by law) product news, tips, and offers; (e) provide and improve customer support; (f) generate aggregated, de-identified analytics that help us understand product usage and reliability; (g) comply with legal obligations, respond to lawful requests, and enforce our Terms; and (h) with your consent, conduct user research and beta programmes.

What we do not do. We do not sell personal data. We do not share personal data with third parties for their independent marketing. We do not use the content of your tickets, chats, or knowledge base to train AI models, and our AI sub-processors are contractually prohibited from doing so on data we route to them. We do not use Customer Data to target advertising.

3. Legal Bases (GDPR / UK GDPR)

Where the GDPR (or the UK GDPR) applies, we rely on the following legal bases:

Performance of a contract — to provide the Service you have signed up for, manage your Account, and process payments.
Legitimate interests — to keep the Service secure, prevent abuse, debug, improve the product, communicate with existing business customers about similar products and offerings, and pursue legal claims. We balance these interests against your rights and freedoms and will not rely on this basis where it is overridden by your interests.
Legal obligation — to keep tax and accounting records, respond to lawful requests from authorities, and comply with court orders.
Consent — for optional marketing emails to prospects, non-essential cookies on the marketing site, and any optional AI features that you opt into. You may withdraw consent at any time without affecting processing carried out before withdrawal.
Vital interests — in rare cases, to protect a person from harm.

When we process personal data as a processor on your behalf (End-User content inside your Workspace), our legal basis is your written instructions under the DPA. You are responsible for ensuring you have a lawful basis to direct that processing.

4. Sub-Processors and Sharing

We engage vetted third-party service providers (“sub-processors”) to help us operate the Service. They process personal data on our written instructions, under confidentiality, only as needed to perform their function, and under contractual data-protection terms substantially similar to those described in this Policy. They are bound by purpose-limitation, security, and breach-notification commitments.

The categories of sub-processors we use include:

Cloud hosting, database, caching, and object storage — compute, managed Postgres, managed cache, and object storage for file attachments, all located in Singapore.
Edge networking — CDN, DDoS protection, TLS termination, and DNS provider (United States legal entity, global edge points-of-presence).
Email infrastructure — outbound transactional email delivery and inbound parsing for ticket creation (United States).
Payment processing — PCI-DSS compliant payment processors that handle cardholder data on their own infrastructure (United States and Taiwan); we never receive raw card numbers.
AI inference — only when AI features are enabled by a Workspace administrator (United States), contractually prohibited from training models on data we route to them.
Product analytics and error monitoring — privacy-respecting providers configured to drop IP addresses and personal-data identifiers from event payloads.
Customer support tooling — we may use Helptal’s own platform to handle support tickets from our own customers.

Current list. The named sub-processor list, with legal entity, primary location, and processing purpose, is published at helptal.com/subprocessors and is incorporated into our DPA. We will notify business customers at least thirty (30) days before adding or replacing a sub-processor that processes Workspace content, by email and / or in-product notice. If you object on reasonable data-protection grounds, you may terminate the affected Subscription as your sole remedy and we will refund prepaid fees for the unused portion of the term.

Other disclosures. We may disclose personal data (a) in response to lawful, properly-scoped requests from law enforcement or regulators — we challenge requests we consider over-broad and notify customers where legally permitted; (b) to protect the rights, property, or safety of Helptal, our customers, or others, including to investigate fraud or abuse; (c) to professional advisors (lawyers, auditors, accountants) under confidentiality; and (d) in connection with a merger, acquisition, restructuring, or sale of all or substantially all of our assets, in which case the acquirer must honour this Policy and you will be notified at least thirty (30) days in advance.

We publish a transparency report on request summarising governmental data requests for the prior reporting period.

5. International Data Transfers

Where Customer Data is stored. The application infrastructure that holds Workspace content is hosted in Singapore. Encrypted database backups are stored in the same region.

Sub-processors in other regions. A small number of sub-processors operate outside Singapore in the ordinary course of providing the Service: the edge network and DDoS layer (United States legal entity, global edge points-of-presence), the email delivery and inbound parsing provider (United States), AI inference providers used only when an administrator enables AI features (United States), and payment processors (United States and Taiwan). These providers process the categories of personal data needed for their function and no more. The current list, with locations and processing purposes, is incorporated into our DPA and published at helptal.com/subprocessors.

Transfer mechanisms. When personal data of EU, EEA, UK, or Swiss residents is transferred outside their region (whether to Singapore, the United States, or elsewhere), we rely on one or more of:

(a) European Commission adequacy decisions where available;
(b) EU Standard Contractual Clauses (2021) and the corresponding UK International Data Transfer Addendum and Swiss adequacy provisions, in each case supplemented by appropriate technical, organisational, and contractual safeguards (encryption in transit, encryption at rest, access controls, transparency about lawful access, and the right to challenge over-broad requests);
(c) derogations under Article 49 GDPR (e.g., explicit consent, necessary for contract performance) where applicable.

Our DPA (available on request from [email protected]) incorporates the SCCs and addenda described above and lists the active sub-processors.

6. Retention

Account data. Retained for as long as your Account is active.

Workspace content (Customer Data). Retained for as long as the relevant ticket / article / record is kept inside your Workspace. After you cancel your Subscription, Workspace content is retained for up to thirty (30) days to allow reactivation and self-service export, after which it is deleted from production systems within a further thirty (30) days. Encrypted backups containing residual copies are rotated out within ninety (90) days of cancellation.

Invoices and tax records. Retained for as long as required by U.S. federal and applicable state tax and accounting law (currently up to seven years).

Security and access logs. Retained for up to twelve (12) months; longer for any logs relevant to an unresolved investigation or legal hold.

Marketing prospect data. Until you opt out, plus thirty (30) days to honour suppression-list maintenance.

De-identified aggregate analytics. Indefinitely. These data sets cannot reasonably be linked back to an identifiable person.

Notwithstanding the above, we may retain personal data longer where required by law, court order, regulatory request, or to establish, exercise, or defend legal claims.

7. Security

We implement administrative, technical, and physical safeguards that are commercially reasonable for a SaaS provider of our size and that align with industry frameworks. These include:

Encryption. Industry-standard transport encryption for all data in transit and strong symmetric encryption at rest for database backups, file attachments, and credential secrets.
Authentication. Salted password hashing using a modern, memory-hard algorithm; optional two-factor authentication; SSO via OIDC and SAML on supported plans; short-lived bearer tokens for API and real-time connections.
Multi-tenant isolation. Customer data is segregated at the database row level using policies enforced by the database engine; cross-tenant access requires explicit privilege escalation that is logged and auditable.
Network and infrastructure. Edge-layer DDoS mitigation, automated dependency-vulnerability scanning, hardened server images, least-privilege IAM, and segregated production and staging environments.
Access controls. Production access is restricted to a small number of authorised engineers using SSO and 2FA, with audit logging.
Vulnerability management. Regular internal security reviews, third-party penetration testing on a recurring cadence, and a coordinated disclosure programme — send reports to [email protected].
Incident response. Documented procedures for triage, containment, eradication, recovery, and customer notification. In the event of a personal-data breach affecting your Workspace, we will notify you without undue delay (and in any case within seventy-two (72) hours of confirmation where required by law) and assist with your own notification obligations.

No security measure is perfect. Please use a strong, unique password, enable two-factor authentication, and let us know at [email protected] about any suspected vulnerability or unauthorised access.

8. Your Rights

Depending on your location, you may have the following rights with respect to personal data we hold about you as a controller:

(a) Access — request a copy of the personal data we hold about you and information about how we process it;
(b) Rectification — correct inaccurate or incomplete data;
(c) Erasure / deletion — request deletion in certain circumstances;
(d) Restriction — ask us to limit our processing while a request is being investigated;
(e) Objection — object to processing based on legitimate interests, including profiling;
(f) Portability — receive your data in a structured, commonly-used, machine-readable format and transmit it to another controller;
(g) Withdraw consent — at any time without affecting prior processing;
(h) Lodge a complaint — with your local data-protection supervisory authority (e.g., in the EU, the authority of your habitual residence).

To exercise these rights for data we hold about you as a Helptal account holder, email [email protected] from the address on file or use the in-product privacy tools available to administrators. We may need to verify your identity before acting on a request. We will respond within thirty (30) days; if the request is complex, we may extend by up to two further months and will notify you of the extension.

If your personal data sits inside a Helptal Workspace as End-User content, the operator of that Workspace is the controller. Direct your request to them; we will assist them in responding within a reasonable time.

California residents (CCPA / CPRA). California residents have rights to know, to delete, to correct, to opt out of sale or sharing (we do not sell or share personal information for cross-context behavioural advertising), and to limit use of sensitive personal information. We do not engage in discriminatory practices against residents who exercise rights. Authorised agents may submit requests on your behalf with verifiable authorisation. To exercise California rights, email [email protected] with the subject “CCPA Request”.

Other U.S. state privacy laws. Where similar rights are afforded under Virginia, Colorado, Connecticut, Utah, Texas, Oregon, or other state privacy statutes, we honour them on substantively the same terms.

9. Cookies and Similar Technologies

We use a small number of cookies and related technologies (local storage, session storage, web beacons). Categories:

Strictly necessary — keep you signed in, preserve workspace preferences, set CSRF and anti-fraud tokens, remember your locale and theme. These cannot be disabled without breaking the Service.
Functional — remember UI preferences like collapsed sidebars, dismissed banners, and chat-widget state.
Analytics — understand how the marketing site is used. We use privacy-respecting providers configured to anonymise IP addresses and not to share data with third parties for advertising.
Marketing — only with your consent, to attribute marketing campaigns.

You can manage cookies through your browser settings or, on the marketing site, through the cookie banner. Disabling strictly necessary cookies may prevent the Service from functioning. We honour the Global Privacy Control signal as an opt-out of sale or sharing for visitors covered by U.S. state privacy laws.

10. Automated Decisions and Profiling

The Service performs automated processing on Workspace content (e.g., suggesting tags, scoring sentiment, routing to a group based on rules you configure, generating draft replies). These processes assist your Agents but do not produce legal or similarly significant effects on End Users unless you have configured an automation that does so. Where automated processing might produce such effects, we recommend you provide notice to your End Users and offer a human review pathway. Automated rules can be reviewed, modified, or disabled by Workspace administrators at any time.

11. Data Processing Addendum (Processor Relationship)

If you are a business customer subject to the GDPR, UK GDPR, or similar laws and require a signed Data Processing Addendum reflecting our role as processor of End-User data, email [email protected]. Our DPA (a) incorporates the EU Standard Contractual Clauses and UK / Swiss addenda, (b) lists the categories of personal data and processing, (c) lists current sub-processors, (d) describes our technical and organisational measures, and (e) commits us to assist with data-subject requests and breach notifications.

12. Children

The Service is intended for use by businesses and is not directed to children under sixteen (16) (or any higher age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, email [email protected] and we will delete it. We rely on you, as the operator of your Workspace, to ensure your support interactions with children comply with COPPA, GDPR Article 8, and other applicable laws.

13. Do-Not-Track and Universal Opt-Out Signals

Because there is no industry consensus on how to respond to Do-Not-Track browser signals, we do not respond to them. We do honour the Global Privacy Control signal as described in Section 9.

14. Marketing Communications

If you are a customer, we may send you transactional and service messages (billing, security advisories, product updates that materially affect your use) regardless of marketing preferences. Promotional emails are sent only where permitted by law and you can opt out at any time using the unsubscribe link in each message or by emailing [email protected]. Opting out of marketing does not affect transactional messages.

15. Links to Third-Party Sites

Our marketing site, knowledge base, and the Service contain links to third-party websites and apps. We are not responsible for their privacy practices. Please review their policies before providing personal data.

16. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced by email and / or in-product notice at least thirty (30) days before they take effect; non-material updates (typographical fixes, clarifications) may take effect immediately on posting. The “Last updated” date at the top of this page reflects the current version. The current version is always available at helptal.com/privacy.html.

17. Contact Us

Evith LLC
30 N Gould St, Ste R, Sheridan, WY 82801, USA

General privacy enquiries: [email protected]
Security incidents and vulnerabilities: [email protected]
Legal notices: [email protected]

EU and UK customers may also contact our representative arrangements through [email protected] — we will route to the appropriate party.

Copyright © 2026 Evith LLC. All rights reserved.