
Privacy Policy

We believe privacy is a right, not a feature. This policy explains exactly what data we collect, why we need it, and how we protect it.

Last updated: January 15, 2026  ·  Effective: January 15, 2026

1. Who We Are

TheHelpFlow, Inc. ("TheHelpFlow", "we", "our", or "us") is a Delaware corporation headquartered at 340 Pine Street, Suite 800, San Francisco, CA 94104, USA. We operate the TheHelpFlow customer support platform, including the web application, APIs, browser extensions, mobile applications, and related websites (collectively, the "Service").

TheHelpFlow is the data controller for personal data collected from visitors to our marketing website and prospective customers. For personal data processed on behalf of our customers using the Service (such as their end-customers' support ticket content), TheHelpFlow acts as a data processor and our customers are the controllers.

If you have questions about this policy, contact our Data Protection Officer at support@thehelpflow.com or at the address above.

2. Data We Collect

2.1 Information you provide directly

  • Account registration: name, work email address, company name, job title, and a password (stored as a bcrypt hash).
  • Billing information: credit/debit card details (collected and tokenised by Stripe — we never store raw card numbers), billing address, and VAT number where applicable.
  • Contact and support forms: any information you voluntarily submit when contacting us, including messages, attachments, and feedback.
  • Profile settings: avatar photo, notification preferences, and other optional profile fields.

2.2 Information collected automatically

  • Usage data: pages visited, features used, clicks, searches, and interaction events within the Service.
  • Device and browser data: IP address, browser type and version, operating system, screen resolution, language settings, and referring URL.
  • Log data: server logs recording API calls, timestamps, error events, and response times.
  • Cookies and similar technologies: see Section 5.

2.3 Customer-submitted data (service data)

When you use TheHelpFlow, you and your team members may upload or transmit content including customer conversations, contact details, notes, attachments, and help center articles. This "service data" belongs to you; we process it only on your instructions as described in our Data Processing Agreement.

3. How We Use Your Data

We use personal data only for the purposes for which it was collected or for compatible purposes:

  • Providing the Service: delivering, maintaining, and improving the features you pay for.
  • Account management: user authentication, password resets, and team administration.
  • Billing and payments: processing subscriptions, issuing invoices, and handling refunds.
  • Customer support: responding to your support tickets, bug reports, and feedback.
  • Security and fraud prevention: detecting, investigating, and preventing unauthorised access or abuse.
  • Product analytics: understanding how features are used so we can prioritise improvements. Analytics are aggregated and anonymised before use for roadmap decisions.
  • Marketing communications: sending product updates and occasional promotional emails — only with your consent or where permitted by applicable law, and always with an unsubscribe link.
  • Legal compliance: meeting our obligations under applicable laws, responding to lawful requests, and enforcing our Terms.

4. Legal Basis for Processing (GDPR)

For individuals in the European Economic Area (EEA), the UK, and Switzerland, we rely on the following legal bases:

  • Contract performance (Art. 6(1)(b)) — processing necessary to provide the Service.
  • Legitimate interests (Art. 6(1)(f)) — product analytics, security monitoring, and preventing fraud, where our interests do not override your rights.
  • Legal obligation (Art. 6(1)(c)) — compliance with laws such as tax, audit, and data protection regulations.
  • Consent (Art. 6(1)(a)) — marketing emails and non-essential cookies, which you may withdraw at any time.

5. Cookies & Tracking Technologies

We use the following categories of cookies and similar technologies on our marketing website and within the Service:

  • Strictly necessary: session cookies, CSRF tokens, and authentication tokens required for the Service to function. These cannot be disabled.
  • Functional: preference cookies that remember your UI settings (theme, language, timezone).
  • Analytics: first-party analytics (using our own infrastructure) and, with consent, third-party tools (e.g. PostHog) to understand feature usage and website traffic.
  • Marketing: with consent only — conversion tracking pixels to measure the effectiveness of our advertising campaigns.

You can manage your cookie preferences via the cookie banner on your first visit or at any time through Settings → Privacy. Most browsers also allow you to block or delete cookies; see your browser's help documentation for instructions.

6. Data Sharing & Third Parties

We do not sell, rent, or trade your personal data. We share data with third parties only in the following limited circumstances:

  • Service providers (sub-processors): AWS (cloud infrastructure), Stripe (payments), Postmark (transactional email), Twilio (SMS/voice), Cloudflare (CDN/DDoS protection), and others listed in our Sub-Processor List. Each is bound by data processing agreements.
  • Business transfers: if TheHelpFlow is acquired or merges, personal data may be transferred as part of that transaction. You will be notified in advance.
  • Legal requirements: we may disclose data if required by law, court order, or to protect the rights and safety of TheHelpFlow, our users, or the public. We will challenge overly broad requests.
  • With your consent: for any other purpose not listed here.

7. International Data Transfers

TheHelpFlow operates globally. If you are based in the EEA, UK, or Switzerland, your data may be transferred to and processed in the United States or other countries that may not provide the same level of data protection as your home country.

We safeguard international transfers using Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent transfer mechanisms for the UK and Switzerland. A copy of our SCCs is available on request. Enterprise customers may request EU data residency to avoid international transfers entirely.

8. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy:

  • Active accounts: data is retained for the duration of your subscription.
  • Closed accounts: account data is retained for 60 days after cancellation, then permanently deleted within a further 30 days (including backups).
  • Financial records: billing data is retained for 7 years to comply with tax and accounting laws.
  • Server logs: retained for 90 days for security and debugging purposes, then automatically purged.
  • Marketing consent records: retained indefinitely as proof of consent, but linked data is anonymised once no longer needed.

9. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten"): request deletion of your personal data where we have no overriding legal obligation to retain it.
  • Portability: receive your data in a structured, machine-readable format.
  • Restriction: ask us to pause processing while you contest accuracy or our legal basis.
  • Objection: object to processing based on legitimate interests, including profiling for direct marketing.
  • Withdraw consent: at any time, where processing is based on consent.
  • CCPA rights (California residents): right to know, right to delete, right to opt out of sale (we do not sell data), and right to non-discrimination.

To exercise any of these rights, email support@thehelpflow.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority (e.g. the ICO in the UK, or your national EU supervisory authority).

10. Security

We implement industry-standard technical and organisational measures to protect your data: AES-256 encryption at rest, TLS 1.2+ in transit, regular penetration testing, SOC 2 Type II certification, role-based access controls, and comprehensive audit logging. See our Security page for full details. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

11. Children's Privacy

TheHelpFlow is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact support@thehelpflow.com and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email (to your registered address) at least 14 days before the change takes effect, and by updating the "Last updated" date above. Continued use of the Service after the effective date constitutes acceptance of the revised policy.

13. Contact & DPO

For privacy-related questions, data subject requests, or to reach our Data Protection Officer:

  • Email: support@thehelpflow.com
  • Post: Data Protection Officer, TheHelpFlow Inc., 340 Pine Street, Suite 800, San Francisco, CA 94104, USA
  • EU Representative: TheHelpFlow EU Ltd., 1 Canada Square, Level 39, London E14 5AB, United Kingdom
