Privacy Policy

Effective Date: 27.3.2026
Last Updated: 27.3.2026

This Privacy Policy describes how Duer Oy (business ID: 3471255-9) ("Duer", "we", "us", "our") processes personal data in connection with the Helmi service, including related websites, applications, and connected functionality (the "Service").

1. Scope and Controller

This Privacy Policy applies to personal data processed when you browse or otherwise use the Service, including public websites and pre-account website features, create an account, submit an early access or waitlist application, subscribe to changelog or product update emails, purchase a subscription, upload or generate content through the Service, contact support, or otherwise interact with us in relation to the Service.

For personal data relating to account management, billing, customer communications, and general operation of the Service, Duer Oy is generally the data controller unless otherwise stated in a separate agreement or required by applicable law.

If you use the Service on behalf of an organization, that organization may act as the data controller for personal data included in User Content, and Duer may process such data on the organization's behalf where applicable. Further details may be set out in a separate data processing agreement.

2. Sources of Personal Data

We may obtain personal data:

Directly from you when you browse the website, create an account, submit an early access or waitlist application, subscribe to changelog or product update emails, contact us, upload content, submit prompts, or otherwise use the Service
Automatically from your use of the Service, including through service logs, usage records, browser or device events, technical events, browser storage state, and security events
From payment and billing providers in connection with subscriptions, invoices, and payment events
From connected third-party services where you choose to import, connect, or interact with content from those services
From device integrations, operating system permissions, and local device interactions that you initiate, such as selecting media from your photo library, saving exported media to your device, or using app features that rely on local storage or caching
From service providers and infrastructure providers involved in operating, supporting, and securing the Service

3. Categories of Personal Data We May Process

Depending on how you use the Service, we may process the following categories of personal data:

Account and identity data, such as your name, email address, login identifiers, user ID, and account settings
Pre-account website interaction data, such as information submitted through public website forms, early access or waitlist applications, onboarding or product-fit survey answers, and related timestamps or application status data
Billing and subscription data, such as subscription tier, billing period dates, invoices, payment status, customer identifiers, subscription identifiers, pricing or plan metadata received from payment providers, and, where applicable, platform or transaction metadata received from billing channels used for your purchase
Email subscription and communications preference data, such as changelog subscription status, opt-in records, unsubscribe status, suppression records, and related timestamps
User Content, to the extent it contains personal data, including uploaded or imported media, selected photos or videos, prompts, text, metadata, imported content, and related materials
Generated outputs and project data, such as exported videos, AI-generated summaries, suggestions, edits, titles, and other user-facing outputs made available through the Service
Content and usage metadata, such as timestamps, content type, source, status, token usage, credit usage, model usage, reference IDs, project or content relationships, and feature usage information
Technical and device data, such as log entries, session information, IP-derived technical information, browser or device details, cookie or browser storage state, local cache or sync state, referrer or campaign data where applicable, and error or security event data
Support and communications data, such as messages sent to support or other communications with us
Compliance and enforcement data, such as records relevant to fraud prevention, abuse prevention, legal compliance, complaints, and dispute handling

4. Purposes and Legal Bases

4.1 Purposes of Processing

We may process personal data for the following purposes:

Operating the public website and pre-account website features
Providing, maintaining, and improving the Service
Authenticating users and securing accounts
Receiving, reviewing, and managing early access or waitlist applications
Evaluating product fit, onboarding readiness, and beta program prioritization
Processing subscriptions, payments, credits, invoices, and billing-related events across the applicable billing channel
Sending changelog, product, or service update emails where you have subscribed or where such communications are otherwise permitted by applicable law
Maintaining unsubscribe, opt-out, and suppression records so communication preferences are respected
Generating requested outputs and enabling user-facing export features
Supporting imports, uploads, project workflows, media analysis features, and synchronization across the Service
Enabling conversational AI assistance, video analysis, and user-initiated edit assistance features
Enabling user-initiated media selection from device libraries and saving exported media back to the device where such features are provided
Operating browser storage, session continuity, preference memory, and other website functionality features
Preventing abuse, fraud, unauthorized access, and misuse of the Service
Monitoring performance, reliability, and security
Communicating with users about the Service, support matters, billing, and updates
Complying with legal obligations
Establishing, exercising, or defending legal claims

4.2 Legal Bases

Where required under applicable law, we rely on one or more of the following legal bases:

Performance of a contract
Taking steps at your request before entering into a contract
Compliance with a legal obligation
Legitimate interests, such as operating and improving the Service, securing accounts and infrastructure, preventing fraud and misuse, performing service analytics, handling customer communications, reconciling billing and payments, and protecting our legal rights
Consent, where consent is required

Where we rely on legitimate interests, you have the right to object to such processing as described in Section 8.

Depending on the context, we may rely on different legal bases for different Service features. For example, we may process early access or waitlist application data based on legitimate interests and/or steps taken at your request before entering into a contract, use technical and security data for fraud prevention and service protection based on legitimate interests, use strictly necessary cookies or browser storage to operate website features, and rely on consent for changelog or product update emails and for non-essential cookies or similar technologies where consent is required by law.

5. Sharing and Recipients

We may share personal data with the following categories of recipients where necessary to operate the Service or comply with law:

Cloud infrastructure, storage, authentication, and backend service providers
Payment, billing, and subscription management providers
AI processing providers used to deliver Service features
Email delivery, communications, and messaging service providers used for transactional or subscription communications
Analytics, monitoring, logging, and security service providers
Professional advisers, auditors, insurers, and legal counsel
Competent authorities, regulators, courts, or law enforcement where required by law or necessary to protect rights, safety, or the Service
Corporate transaction counterparties and their advisers in connection with a merger, financing, reorganization, or sale of business assets, subject to appropriate confidentiality measures

These recipients may process personal data on our behalf or, in some cases, as independent controllers under their own terms and privacy notices. The specific providers we use may change from time to time as the Service evolves, and references to named providers in this Privacy Policy are intended to improve transparency rather than to serve as an exhaustive list of all vendors we may engage.

6. International Transfers

Personal data may be processed outside your country of residence, including outside the European Economic Area, where this is necessary to provide the Service.

This may include transfers connected with cloud infrastructure, authentication, billing, customer support, security operations, or AI processing features that rely on third-party providers operating in multiple jurisdictions, including the United States and other countries outside the EEA.

Depending on the feature used, some processing may occur within the EEA while other processing may involve providers operating outside the EEA. Where required, we use appropriate safeguards for such transfers, such as Standard Contractual Clauses or other lawful transfer mechanisms recognized under applicable law.

7. Retention

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

In general:

Account data is retained for as long as your account remains active and for a reasonable period thereafter to manage the relationship, maintain records, and resolve disputes
Early access and waitlist application data may be retained for as long as reasonably necessary to review applications, operate the beta or onboarding process, follow up with applicants, maintain records of decisions, and protect the Service against abuse or duplicate submissions
Billing and payment-related records may be retained for as long as required by accounting, tax, audit, and other applicable legal obligations
Changelog and product update subscription data may be retained while the relevant subscription remains active and for a reasonable period thereafter to process the subscription, manage delivery issues, and maintain relevant records
Unsubscribe, opt-out, and suppression records may be retained for longer than active subscription records where reasonably necessary to ensure communication preferences continue to be respected and that previously unsubscribed addresses are not unintentionally re-added to future sends
User Content and generated outputs are generally retained until deleted by you, removed in connection with account closure, or no longer needed for the Service, subject to applicable law and backup cycles
Usage, technical, and security logs may be retained for as long as reasonably necessary for service operation, troubleshooting, fraud prevention, financial reconciliation, analytics, and security
Browser storage, local device data, caches, and synchronization state may persist on your browser or device until removed by you, cleared by the app or browser, replaced through normal application behavior, or removed through applicable account or data deletion workflows
Support communications and complaint records may be retained for as long as necessary to handle the matter and for a reasonable period thereafter

When personal data is no longer needed, we may delete it, anonymize it, or retain limited records where reasonably necessary for security, compliance, dispute resolution, enforcement, backup integrity, local synchronization integrity, or legal recordkeeping purposes.

8. Your Rights

Subject to applicable law, you may have the right to:

Access personal data concerning you
Request correction of inaccurate personal data
Request deletion of personal data
Request restriction of processing
Object to certain processing
Request portability of certain personal data
Withdraw consent where processing is based on consent
Lodge a complaint with a supervisory authority

We will assess requests in accordance with applicable law. Some rights are limited and may not apply in all situations.

Where we send changelog or other product update emails based on consent, you may also withdraw that consent at any time. Once such communications are enabled, we expect to provide an unsubscribe mechanism in the relevant messages or through other contact channels we make available.

Where required by applicable law, we will respond to rights requests without undue delay and within the time required by law, subject to any lawful extensions or limitations.

To exercise your rights, you may contact us through the support or contact channels made available on our website or in the Service. We may request information necessary to verify your identity before processing a request. We may also refuse or limit a request where permitted by applicable law, including where the request is manifestly unfounded, excessive, would adversely affect the rights of others, or would require disclosure of protected confidential information beyond what the law requires.

If you believe that our processing of your personal data violates applicable law, you also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto). More information is available at www.tietosuoja.fi.

9. Exports, Access Requests, and Internal Information

The Service may provide features that allow you to export certain User Content and user-facing outputs, such as videos and other materials made available to you in the Service.

Your rights under applicable data protection law do not automatically mean that we must disclose all internal data, systems, or analysis connected to your use of the Service.

Except as required by applicable law, access and portability rights do not obligate us to disclose:

Internal systems, infrastructure, or security information
Source materials, intermediate processing data, or internal workflow data
Internal analysis data, scoring, heuristics, or quality-control information
Trade secrets, confidential business information, or other proprietary methods
Information whose disclosure would adversely affect the rights and freedoms of other persons

Where required by law, we will provide access to personal data relating to you and, where applicable, data portability in a manner that takes into account our legal obligations and legitimate rights, including protection of confidential business information and the rights of others.

10. Automated Processing and AI Features

The Service uses AI systems and other automated processing tools to support user-requested workflows, including conversational assistance, video analysis, and edit assistance features that may combine AI and media analysis technologies.

When you use these features, prompts, uploaded or imported content, generated outputs, and related metadata may be processed by Duer and by third-party AI providers engaged by us to provide the requested functionality. This processing may be necessary, for example, to:

Generate responses in chat or other conversational workflows
Analyze media content and related project context
Suggest, plan, or apply user-initiated edits or other content workflow actions
Improve reliability, safety, abuse prevention, and feature operation within the Service

We do not use your User Content or generated outputs to train our own AI models. When engaging third-party AI providers, we use commercially reasonable efforts to select providers, service tiers, or configurations that prohibit the use of your data for training their foundational models. These providers may nonetheless process your data as necessary to deliver the requested feature, subject to their applicable legal and contractual obligations.

AI-related processing may involve providers operating in multiple jurisdictions, including outside the EEA. See Section 6 for more information on international transfers and safeguards.

These features are designed to assist you in creating, editing, organizing, or analyzing content. They do not make automated decisions that produce legal effects or similarly significant effects concerning you. In particular, AI-assisted video edits or workflow actions triggered from your prompts are treated as user-initiated assistive product behavior rather than legally significant automated decision-making.

11. Deletion Requests

You may request deletion of your personal data, subject to applicable law. This right is part of the rights described in Section 8.

Deletion does not necessarily require immediate removal of all related internal records where retention is reasonably necessary for legal compliance, security, fraud prevention, dispute resolution, enforcement, backup integrity, or other legitimate purposes permitted by law.

12. Children

The Service is not intended for children under the minimum age specified in our Terms of Service. If we become aware that personal data has been collected from a child in violation of applicable law or our service rules, we may delete the data, suspend the account, or take other appropriate action.

13. Cookies, Local Storage, and Similar Technologies

If you access the Service through a website or web application, we may use cookies, browser storage, or similar technologies that are necessary to operate the Service, maintain sessions, preserve navigation state, remember preferences, improve performance, and measure usage. This may include, for example, browser session storage or similar mechanisms used to support website functionality.

If you use a mobile or desktop application, the Service may also use local device storage, caches, saved preferences, synchronization state, or similar technologies to support app functionality, performance, offline continuity, exports, and security.

Cookies We Use

Necessary cookies — These cookies are required for the Service to function and cannot be disabled.

| Cookie | Provider | Purpose | Duration | |---|---|---|---| | __session | Helmi (first-party) | Maintains your authenticated session | Session | | cookie_consent | Helmi (first-party) | Stores your cookie consent preferences | 1 year |

Analytics cookies — These cookies help us understand how visitors use the Service so we can improve it. They are only set after you grant consent.

| Cookie | Provider | Purpose | Duration | |---|---|---|---| | _ga | Google Analytics | Distinguishes unique users | 2 years | | _ga_<container-id> | Google Analytics | Maintains session state | 2 years |

We use Google Analytics 4 to collect aggregated, anonymized usage data such as page views, session duration, and general geographic region. Google Analytics processes this data on our behalf under its data processing terms. You can learn more about how Google uses data at policies.google.com/technologies/partner-sites.

Where required by applicable law, we will request consent before using non-essential cookies or similar technologies. You can manage your cookie preferences at any time through the cookie settings link available in the website footer. This Privacy Policy is intended to serve as the primary source of information about the cookies, browser storage, and similar technologies we use in connection with the Service.

14. Security

We implement reasonable technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, or alteration. No method of transmission or storage is completely secure.

Where required by applicable law, we will notify the relevant supervisory authority and affected individuals of certain personal data breaches within the time required by law.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes may be communicated through the Service, by email, or by other appropriate means.

16. Contact

If you have questions about this Privacy Policy or wish to exercise your rights, you may contact us using the details below:

Duer Oy
Metsänhoitajankatu 4 d 45
00790 Helsinki, Finland
Business ID: 3471255-9

General contact: hello@helmi.ai
Privacy contact: privacy@helmi.ai

This Privacy Policy was last updated on 27.3.2026.