Privacy Policy
Effective date: 21 April 2026
Helm ("we", "us", "our") operates the Helm mobile application and the helmfit.com website (collectively, the "Service"). This Privacy Policy explains what information we collect, how we use it, and the choices you have.
Helm is a fitness tracking tool, not a medical service. We do not provide medical advice, diagnosis, or treatment, and we do not collect or process clinical health data. See our Terms of Service for the full health and fitness disclaimer.
Data Controller
The data controller responsible for your personal data is:
Helm
Email: helmfitness@outlook.com
If you have any questions or concerns about how your data is processed, please contact us at the email address above.
EU representative. Helm is operated from the United Kingdom. We do not currently process personal data of individuals in the European Union on a scale that we consider to require the appointment of a representative under Article 27 of the EU GDPR. We keep this position under review and will appoint a representative if the scope and scale of our processing change. EU and EEA residents remain able to contact us directly at the email address above for any data-protection matter.
Data Protection Officer. We are not required to appoint a Data Protection Officer under Article 37 GDPR, because we are a small-scale controller that does not carry out large-scale monitoring of individuals or large-scale processing of special category data.
1. Information We Collect
Account information. When you create an account, we collect your name, email address, and password. Your password is hashed by our authentication provider and is never stored in plain text.
Profile information. During onboarding you provide your biological sex, bodyweight, preferred unit system, and training focus. This information is used solely to personalise the app experience.
Fitness data. Workout logs, run sessions (including GPS route data for outdoor runs), nutrition entries, body measurements, bodyweight history, progress photo metadata, custom exercises, saved meals, and workout templates are stored in your account.
Subscription information. If you subscribe to Full Sail (our paid tier), subscription status, purchase receipts, and a device identifier (IDFV on iOS, a vendor-supplied identifier on Android) are processed by RevenueCat on our behalf to validate your subscription and enable access across your devices. Your payment details (card number, billing address) are handled entirely by Apple (iOS) or Google (Android) and are never received or stored by us.
Device-local data. Certain data never leaves your device: in-progress workout and run drafts, draft food entries, theme preferences, and progress photo image files. These are stored in on-device storage and are not transmitted to our servers.
Providing data is required to use the Service. Providing your account information is a requirement for creating and using an account on Helm. You are not obliged to provide it, but if you choose not to, you will not be able to sign up, sync your data across devices, or access Full Sail features.
2. Device Permissions
To deliver its features, Helm asks for the following device permissions. You can decline or revoke any of them in your device settings; declining a permission disables the related feature but does not otherwise prevent you from using the rest of the Service.
- Location (when in use and in background). Used to record GPS routes during outdoor cardio sessions. Background location is only active while a run is in progress, so the route keeps recording when the screen is locked.
- Camera. Used to scan food barcodes for calorie tracking, and to capture progress photos.
- Photo library. Used to import existing progress photos from your device.
Helm does not request access to your contacts, health records (Apple Health / Google Fit), calendar, microphone for recording, motion & fitness sensors, or notifications. We do not send push notifications. If we add push notifications in the future, we will update this policy and request your system-level permission before sending any.
3. How Your Data Is Stored
Your fitness data is stored in two places:
- On your device in local storage, which serves as the primary, fast-access copy.
- In the cloud via Supabase, a hosted PostgreSQL database secured with row-level security policies. Each user can only read and write their own data. Data is encrypted in transit using HTTPS/TLS and encrypted at rest by the hosting provider.
Cloud sync ensures your data persists across devices and survives app reinstallation. It is an integral part of the account system.
Subscription status is stored by RevenueCat, our subscription management provider, keyed to an anonymous subscriber identifier so that your Full Sail entitlement is recognised on each of your devices.
4. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Authenticate your identity and secure your account
- Sync your fitness data across your devices
- Personalise the app based on your profile and training focus
- Process and validate your Full Sail subscription, including restoring purchases on new devices
5. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases:
- Performance of a contract (Article 6(1)(b) GDPR) - Processing your account information, profile data, fitness data, and subscription status is necessary to provide the Service you signed up for.
- Legitimate interest (Article 6(1)(f) GDPR) - We process limited technical data to maintain the security and integrity of the Service. Our legitimate interests do not override your fundamental rights; we do not use your data for profiling, marketing, or advertising.
Fitness data is not processed as health data. Helm tracks performance metrics such as bodyweight, body measurements, workouts, runs, and nutrition for self-directed fitness use. We do not interpret this data medically, do not provide diagnostic outputs, and do not combine it with medical history or clinical information. We therefore treat it as ordinary personal data under Article 6 GDPR, not as data concerning health under Article 9. If the scope of the Service ever changes in a way that requires Article 9 treatment, we will update this policy and obtain explicit consent from you before processing.
6. What We Do Not Do
- We do not sell, rent, license, or share your personal data with third parties for their own purposes.
- We do not include advertising SDKs, ad networks, or targeted advertising of any kind.
- We do not include behavioural analytics SDKs. We do not track which screens you visit, how often you work out, or any behavioural data. (RevenueCat, our subscription provider, collects limited SDK telemetry such as app version, OS version, and device model as part of processing your subscription.)
- We do not include crash reporting, performance monitoring, or diagnostic SDKs. We do not receive crash logs, hang rates, energy-use data, or any other technical telemetry from your device.
- We do not send marketing emails or newsletters.
- We do not use your data to train machine learning models.
- We do not profile you or create marketing segments from your data.
7. Third-Party Services
The Service integrates with the following third-party services:
- Supabase (authentication and database hosting) - processes your account credentials and stores your synced fitness data. Governed by the Supabase Privacy Policy.
- RevenueCat (subscription management) - processes subscription status, purchase receipts, and a device identifier to validate your Full Sail entitlement and enable cross-device access. Governed by the RevenueCat Privacy Policy.
- Apple App Store (iOS) and Google Play (Android) - when you subscribe, the payment transaction is processed directly by Apple or Google. Your payment card and billing details are never received by us. Governed by Apple's and Google's respective privacy policies.
- OpenFreeMap - provides map tiles during cardio tracking. Tile requests include the map viewport region being viewed; no account data is shared.
- USDA FoodData Central - used to look up nutritional information for foods. No personal data is sent; only food search queries.
- Open Food Facts - used for barcode-based food lookups. Only the barcode number is sent; no personal data.
We do not share your personal information with any of these services beyond what is necessary for the features described above. All processors listed above are contractually or via their published privacy terms required to provide equivalent levels of data protection and confidentiality, including, where data is transferred from the EEA or UK to a country without an adequacy decision, through the standard contractual clauses approved by the European Commission and the UK Information Commissioner's Office.
8. Website
The helmfit.com website is a static marketing and information site. It does not use cookies, analytics, tracking pixels, fingerprinting, or any other tracking technologies. It does not collect personal information from visitors. No account can be created on the website itself; accounts are created only in the mobile app.
9. Data Retention
Account and fitness data. We retain your data for as long as your account is active. If you delete your account, all associated data in our cloud database is permanently and irreversibly deleted, typically within 30 days.
Database backups. Our hosting provider (Supabase) maintains automated database backups on a rolling window (typically up to 7 days). Your deleted data is overwritten in backups on the same rolling schedule.
Subscription records. Subscription and purchase records held by RevenueCat, Apple, or Google may be retained by those providers in accordance with their own policies and with applicable financial-records and tax law. In the United Kingdom, VAT and tax records are generally required to be retained for six years.
Local data. Data stored on your device can be removed by uninstalling the app or clearing app storage.
10. Data Export and Deletion
You can export all of your data at any time from the Account screen in the app, in JSON and CSV formats. You can delete your account and all associated cloud data at any time from the Account screen. Account deletion is permanent and cannot be undone. Since a copy of your data also exists locally, uninstalling the app removes the local copy. If you wish to cancel a Full Sail subscription, you must also do so through your Apple ID or Google Play account subscriptions (see our Terms of Service for details).
11. Data Security
We take reasonable measures to protect your data, including:
- HTTPS/TLS encryption for all data in transit
- Encryption at rest provided by our database hosting provider
- Row-level security policies ensuring users can only access their own data
- Hashed password storage (passwords are never stored in plain text)
- No storage of payment card details - all billing is handled by Apple or Google
No system is perfectly secure. While we strive to protect your data, we cannot guarantee absolute security. If we become aware of a data breach that affects your personal information, we will notify affected users promptly and, where required, notify the relevant supervisory authority within 72 hours.
12. Children's Privacy and Age Requirements
The Service is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you are located in a jurisdiction where the minimum age for processing personal data is higher (for example, 16 in certain EU member states under Article 8 of the GDPR), you must meet that age requirement or have verifiable parental consent. If you believe a child has created an account, please contact us and we will take steps to delete the information and terminate the account.
13. International Data Transfers
Your data is processed and stored by Supabase and RevenueCat on cloud infrastructure which may be located outside your country of residence. Where data is transferred from the EEA, UK, or Switzerland to a country that has not received an adequacy decision, we rely on appropriate safeguards as required by applicable data protection law, including the standard contractual clauses approved by the European Commission and the UK International Data Transfer Addendum. By using the Service, you acknowledge that your data may be processed in jurisdictions with different data protection standards.
14. Your Rights
All users have the right to:
- Access all personal data we hold about you (via in-app data export)
- Request correction of inaccurate data
- Request deletion of your account and all associated data
- Export your data in a portable format (JSON, CSV)
EEA, UK, and Swiss residents additionally have the right under the GDPR and UK GDPR to:
- Object to processing based on legitimate interest
- Restrict certain processing of your data
- Withdraw consent at any time (where processing is based on consent)
- Lodge a complaint with your local supervisory authority (for example, the Information Commissioner's Office (ICO) in the UK, or the Data Protection Commission (DPC) in Ireland)
To exercise any of these rights, use the in-app data management tools or contact us at the email address below.
15. California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information.
Categories of personal information we collect, sources, and business purposes:
- Identifiers - name, email address, account ID, and a device identifier used by our subscription provider. Collected directly from you at signup and from your device. Used to authenticate you and keep your data in sync.
- Characteristics of protected classifications - biological sex, provided voluntarily during onboarding. Used to personalise calculations such as strength-to-bodyweight coefficients.
- Geolocation data - GPS coordinates collected during outdoor runs. Collected only while the run tracking feature is actively in use. Used to record the route for the current and past runs you choose to save.
- Health and fitness information - workout logs, nutrition data, body measurements, bodyweight. Collected directly from you. Used to display your training history, progress, and trends.
- Commercial information - Full Sail subscription status and purchase history. Collected from Apple/Google via RevenueCat. Used to validate your entitlement to paid features.
We disclose these categories only to the third-party service providers listed in Section 7, for the specific business purposes described there.
We do not:
- Sell your personal information to third parties, as defined by the CCPA
- Share your personal information for cross-context behavioural advertising
- Use or disclose sensitive personal information for purposes other than providing the Service
Your rights under CCPA/CPRA:
- Right to know - You may request a description of the personal information we have collected about you
- Right to delete - You may request deletion of your personal information
- Right to correct - You may request correction of inaccurate personal information
- Right to opt-out of sale/sharing - We do not sell or share your data, so no opt-out is necessary
- Right to non-discrimination - We will not discriminate against you for exercising any of these rights
To exercise these rights, use the in-app tools (export, delete account) or contact us at the email address below. We will respond to verifiable consumer requests within 45 days.
16. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the app or on our website and update the effective date above. Continued use of the Service after changes constitutes acceptance of the updated policy.
17. Contact Us
If you have questions about this Privacy Policy or your data, please contact us at helmfitness@outlook.com.