Last Updated: July 7, 2025
Helmit GmbH ("Helmit", "we" or "us"), located at Am Jägereck 3, 85635 Höhenkirchen-Siegertsbrunn, Germany, is committed to respecting and protecting your privacy. This Privacy Policy explains our practices regarding the collection, use, and processing of personal data through the Helmit parental control application and related services (the "Helmit App" or "Service"). This Privacy Policy forms part of our Terms of Service.
Intended Use and Children's Privacy: The Helmit App is designed for use by parents or legal guardians in a household setting, and not by children themselves. The app is installed on the parent's device; children do not install any software on their own devices. We do not knowingly collect personal information directly from children under the age of 13, in compliance with the U.S. Children's Online Privacy Protection Act (COPPA). If your child is above the age of digital consent in your country (16 in many EU countries, or a lower age if applicable by local law), you are responsible for informing them that their communications are being monitored and obtaining any necessary consent or authorization. By using Helmit, you represent that you have the legal authority to monitor your child's activities and, where required, you have obtained the child's consent or informed them appropriately. Helmit is not intended for use by children, and any data about a child is only processed as instructed by the parent or guardian.
Summary of Our Data Processing: Helmit processes two broad categories of personal data:
(1) Parent Account and Contact Data – information about the parent or guardian who registers for and uses the Helmit App. We use this data to create and manage your account, provide customer support, communicate with you, and deliver the Service to you.
(2) Child Monitoring and Usage Data – information collected from or about your child's use of connected social media accounts (the "monitored child" and "monitored accounts") as configured by you in the Helmit App. This includes communications content and related data from the child's social media, as well as analysis results (alerts) generated by Helmit's on-device AI. This data is processed on your behalf to provide the parental control and monitoring features. Helmit emphasizes local processing: the content of your child's messages and social media activities is analyzed and stored locally on your device to protect your family's privacy, and is not transmitted to Helmit's servers or third parties (except as necessary for you to receive alerts or use optional features, as explained below). You, as the parent/user, are solely responsible for how you configure and use Helmit and for the personal data you choose to monitor and store using our App. You can adjust the settings at any time to limit or erase data collected in the app, as described in this Policy.
Both Helmit and you (the parent) agree to comply with this Privacy Policy and applicable law in handling personal data. If you have any questions, you can contact us using the information at the end of this Policy.
Data Controller: For the parent account data and any cloud-based data associated with Helmit, Helmit GmbH acts as the "Data Controller" under the EU General Data Protection Regulation (GDPR). You can contact us with privacy inquiries or requests at privacy@helmit.org or at the postal address provided above. For child monitoring data that remains on your device, you as the parent are considered the primary party responsible (akin to a data controller) for that content, and Helmit processes such data on your behalf as a service provider (data processor) to deliver the intended parental control functions. In practice, this means Helmit does not actively access or use your child's monitored content outside your device; we simply provide the tools for you to process it. Helmit GmbH is responsible for safeguarding any personal data that does reach our systems (such as your account info or alert notifications), as detailed in this Policy.
We collect and process the following categories of personal data in order to provide the Helmit Service:
Parent Account and Registration Data:
When you create a Helmit account, we collect personal data about you, the parent or guardian. This includes your name, email address, and phone number provided during registration. This information is necessary to set up your account, identify you as the account holder, and communicate with you.
Child Profile Data:
You can create a profile for each child you are monitoring. We record which social media platforms (e.g. WhatsApp, Instagram, Discord, Snapchat, YouTube, TikTok, etc.) you have connected for each child and the connection status (e.g. connected or not connected).
Social Media and Communications Data (Monitored Content):
Once you connect a child's social media or messaging accounts through Helmit, the app will retrieve content from those accounts for monitoring purposes. This can include the text of messages and chat conversations, images, videos, or other media shared, audio recordings or voice notes, and files or links sent or received. All raw social media content and communications are stored locally on the parent's device and not transmitted to Helmit's servers for analysis. The Helmit App uses an on-device engine to analyze this data for potential risks (see "Analysis and Alerts" below). Important: Because this data may include personal information about your child and others (such as the child's friends who are chat participants), it should be handled carefully. Helmit does not sell or share the content of your child's communications with any third-party for their own use, and we do not ourselves ever see or upload this content to our servers. It remains on your device unless you choose to share it (for example, if you include a snippet in a feedback submission to us, as described later).
Analysis and Alert Data:
Helmit uses artificial intelligence (AI) models running locally on your device to analyze your child's monitored communications in real time. The purpose of this analysis is to detect potential dangers or policy violations such as cyberbullying, hate speech, online grooming, explicit or inappropriate content, self-harm or mental health risks, and other threats to the child's well-being. When the AI analysis finds something that matches the defined threat categories, the Helmit App will generate an alert for you. The collection of alert data enables the Helmit App to present you with a concise report of issues needing your attention. Alerts are stored on your device. You have the ability to delete alerts from the app interface (for example, after resolving an issue, you can remove that alert record).
App Usage and Analytics Data:
In order to improve the Helmit App and ensure it is working properly, we collect certain usage analytics and technical information. This includes event logs and metrics about how you use the app. We also collect basic device information such as your device's operating system. These data help us provide technical support and understand the context of any issues. Analytics data is focused on app performance and feature usage; it does not include the content of your child's messages.
Sources of Data:
The parent account data is provided directly by you during registration. Usage data is collected automatically by the app's analytics component. If you provide feedback or contact support, we may also collect any additional information you choose to share at that time (such as screenshots or descriptions of a problem).
We use the collected personal data for the following purposes, in accordance with the legal bases allowed by applicable data protection laws (including GDPR):
Providing and Improving the Service:
First and foremost, we process all categories of data listed above to operate Helmit and deliver its features to you. This includes using parent account data to create and authenticate your account, and using child profile and social media data to perform the monitoring and alert functions as described. The legal basis for these processing activities is the performance of a contract – when you accept our Terms of Service and use Helmit, we enter into a contract to provide you with the parental control service, and we must process certain data to fulfill that contract (Art. 6(1)(b) GDPR). We also process data to maintain and improve the Service – this may be based on our legitimate interests (Art. 6(1)(f) GDPR) in ensuring our app is effective, safe, and user-friendly.
Threat Detection and Alerts:
A core purpose of Helmit is to detect potential dangers to your child and notify you. We use the child's social media communications data to algorithmically determine if any content is harmful or falls into risk categories (cyberbullying, etc.), and we generate alert notifications for the parent based on this analysis. The purpose is to empower you to protect your child from online harms. Under GDPR, this processing of the child's data is based on the parent's legitimate interest in safeguarding the child's welfare, combined with the parent's capacity as legal guardian to consent on the child's behalf where consent is required.
Account Management and User Communications:
We use your account data (name, email, phone) to manage our relationship with you as a customer. This includes sending administrative emails or messages related to your use of Helmit, such as verification emails, password resets, service updates, and important security or privacy notices. We may also use your contact information to respond to support requests or inquiries you send us. The legal basis for these communications is performance of contract (to keep you informed about the service you are using) or compliance with legal obligations.
Notifications (Email/SMS Alerts):
If you enable email or SMS notifications for alerts, we will use your provided email address and/or phone number to send you alert summaries when a high-severity issue is detected. This processing (sending you alerts) is part of delivering the service you signed up for (contractual necessity) and/or based on your consent/choice since you choose whether to enable such notifications. If you prefer not to receive notifications through a certain channel, you can disable them in the app settings at any time.
Analytics and Improvement:
We use the app usage and analytics data to understand how Helmit is used and to improve performance and features. For instance, we analyze which features are most popular or where users encounter difficulties, so we can enhance the user experience. This processing is based on our legitimate interest in improving our product and ensuring a high-quality user experience (Art. 6(1)(f) GDPR).
Security and Fraud Prevention:
We may process certain data as necessary to maintain the security of the Helmit App and our users. This can include using log information and identifiers to detect and prevent malicious activity, securing accounts (e.g., multi-factor authentication using your email or phone), and enforcing our Terms of Service. This processing is based on legitimate interests (protecting the service and our users) and compliance with legal obligations related to data security.
Legal Compliance:
Where required, we will process and/or disclose personal data to comply with legal obligations, law enforcement requests, or court orders. For example, if we are obliged to retain certain information for tax or accounting purposes, or if we must respond to a lawful request by authorities, we will do so. Such processing is based on Art. 6(1)(c) GDPR (legal obligation). We will notify you of any such disclosure when permitted by law.
Helmit's general approach is to minimize sharing of personal data. We do not disclose your or your child's information to third-party companies for their own marketing or business purposes. However, we do rely on a few trusted third-party service providers (sub-processors) to help us operate the Helmit Service. We share data with such providers strictly on a "need to know" basis and pursuant to data protection agreements. Key categories of recipients include:
Analytics Provider (PostHog):
We use PostHog, a product analytics service, to collect and analyze app usage data. Our PostHog instance is hosted in the European Union (https://eu.i.posthog.com), meaning usage data is sent to EU-based servers for processing, for GDPR compliance. PostHog acts as our data processor, and we have an agreement in place to ensure they protect the data.
SMS Notification Service (Infobip):
We integrate with Infobip to send SMS text messages to parents who opt to receive alerts via SMS. Infobip will receive the parent's phone number and the content of the alert notification (which, as described, contains a short alert summary). Infobip uses this information solely to transmit the SMS to you. If you disable SMS notifications, we stop sending your data to Infobip.
Email Delivery Service (Resend):
Similarly, we use a service called Resend to send email notifications and other service emails (including alert emails and feedback messages). If you opt to receive email alerts, Resend will process your email address and the content of the alert email (which might include the alert type, child name, and a brief description of the issue). Resend acts on our behalf to deliver these emails and does not use your information for any other purpose.
Cloud Database (Supabase):
The Helmit App primarily stores data locally on your device. However, we use Supabase for minimal data (registration info) and possibly to facilitate account login across devices or future sync features. We do not upload your child's communications, alerts, or other sensitive data to Supabase – it's mainly for account credentials. Supabase, as a processor, is obligated to protect your data and not to access it except as needed to maintain the service.
Legal and Safety Disclosures:
We may disclose certain data to third parties outside of our service providers if necessary to comply with a legal obligation, to protect our rights or the safety of users, or to enforce our terms. For instance, if we are compelled by a valid legal order to produce information (and such order is applicable to us), we will comply after verifying its legitimacy.
Local Data Storage:
Most of the data Helmit processes (including your child's monitored messages, alerts, and profiles) is stored locally on your device's storage in an application database. By keeping the sensitive data on your device, we limit exposure of that data to the cloud. You have full control over this data store: it resides with you, and if you wish to delete all such data, you can do so by deleting your account or uninstalling the app.
Security Measures:
Helmit takes the security of your data seriously. We have implemented a variety of technical and organizational measures to protect personal data against unauthorized access, alteration, loss, or misuse. These measures include access controls, encryption in transit, and secure coding practices:
Breach Notification:
In the unlikely event of a data breach affecting your personal data, we will act promptly to contain and investigate the issue. We will also notify you and the relevant authorities as required by law. If your email is on file, we will notify you electronically without undue delay, providing information on the nature of the breach and steps we are taking.
Retention Periods:
We will retain personal data only for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law. In practice, because Helmit is a user-installed app, much of the data (child communications, alerts, etc.) will reside on your device indefinitely until you choose to delete it.
Account Data:
We retain your account information while your Helmit account is active. If you choose to delete your Helmit account, we will delete your personal account data (name, email, phone) from our active databases. Generally, if you cancel your account, we aim to remove or anonymize your personal data from our systems within 30 days, except where retention is legally mandated.
Child Monitoring Data:
All message content and related data that you have collected via the Helmit App is stored locally and not on Helmit's servers. Thus, we do not have a separate retention policy for that data on our side – it remains under your control. Please note that if you uninstall the Helmit App without deleting your account or child profiles first, the data files on your device might remain in the system.
Your Deletion Rights:
You have the right to request deletion of your personal data (see "Your Rights" below). If you request that we delete data we hold on our servers (like your account information), we will do so (except to the extent we are required to keep it, as explained).
As a user of Helmit in the European Union (or in other jurisdictions with similar data protection laws), you have certain rights regarding your personal data. Helmit is committed to upholding these rights. You have the right to:
To exercise any of your rights, you may contact us at privacy@helmit.org. We may need to ask for certain information to verify your identity and ensure that the person making the request is actually you. We will respond to your request as soon as possible, and at the latest within the timeframe required by law (typically one month).
Helmit is developed and offered by a company in Germany, and we primarily store data in Germany or the European Union. However, some of our third-party service providers operate internationally. Whenever personal data is transferred out of the European Economic Area (EEA) to a country that is not deemed to have "adequate" data protection by the EU, we will ensure appropriate safeguards are in place. These may include:
If you have questions about international data transfers or want to obtain a copy of the relevant safeguards, you can contact us at any time. Currently, our known data locations are: Germany/EU (primary systems, PostHog EU, Infobip EU infrastructure), and potentially United States (Resend email service, Supabase backup, depending on configuration). All such transfers are safeguarded as described.
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we update the policy, we will change the "Last Updated" date at the top. If the changes are significant, we will provide a more prominent notice – for example, by emailing you (if we have your email) or by showing an in-app notification. We encourage you to review this Policy periodically to stay informed about how we are protecting your data.
If we propose to use your personal data for a new purpose not originally outlined in this Policy, we will obtain the necessary consent or provide you with an opportunity to opt out, as required by law. Your continued use of Helmit after the effective date of an updated Privacy Policy will constitute your acceptance of the changes, to the extent permitted by law.
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Data Controller: Helmit GmbH
Address: Am Jägereck 3, 85635 Höhenkirchen-Siegertsbrunn, Germany
Email: privacy@helmit.org
We will do our best to address your inquiry promptly and thoroughly. If you contact us to exercise your privacy rights, please include sufficient information for us to verify your identity (for example, contacting us from your registered email address) and to process your request.
Thank you for trusting Helmit with your family's digital safety. We are dedicated to protecting your privacy and your children's privacy while providing you with the tools to keep them safe online.
