Helmwart

Legal

Privacy Policy

Effective date: 2026-06-11

What we collect

We collect only what is necessary to run the service:

  • Account data. Your email address and a password hash, stored by Supabase. We never see your plaintext password.
  • Subscription state. Whether you are on the Free or Pro plan, your current billing period, and payment status, provided by Stripe. We never receive or store card numbers, CVV codes, or full payment details.
  • Diagrams and shares. Threat models, canvas diagrams, and public share snapshots you explicitly save to Helmwart's cloud storage.
  • AI assist usage counts. A count of requests you send to AI assist, used to enforce plan limits.
  • No ad trackers. We do not use third-party advertising networks, tracking pixels, or behavioral analytics services.

How we use it

Data collected is used only to provide, maintain, and improve the service you signed up for: authenticating your account, delivering cloud-saved diagrams, enforcing plan limits, and processing billing. We do not use your diagram content to train models. We do not sell your data to third parties.

Processors and sub-services

Running Helmwart requires sharing certain data with the following services:

  • Supabase. Authentication and database. Stores your email, password hash, diagrams, and share records. Data is stored in the region selected for your project.
  • Stripe. Payment processing. Receives your payment details directly; we receive only your subscription status. Stripe's privacy policy governs their use of payment data.
  • Vercel. Application hosting. Processes HTTP requests and serves the Helmwart application. Access logs are retained according to Vercel's data retention policy.
  • Cloudflare. Two distinct roles: Turnstile (bot detection on sign-up forms, processes IP address and browser signals to generate a challenge token) and Pages (delivery of pre-rendered audio files).
  • Anthropic (AI assist). When you explicitly submit content to the AI assist feature, that content is sent to Anthropic's API for processing. Submission is always opt-in and triggered by your action. Do not submit credentials or confidential data.

localStorage

Helmwart uses your browser's localStorage to save diagram state and UI preferences (such as theme and accent colour) locally on your device. This data does not leave your browser except when you explicitly save a diagram to the cloud. localStorage is not used for tracking or advertising.

Data retention

Account data, diagrams, shares, and usage records are retained for as long as your account is active. Deleting your account removes your profile, all cloud-saved diagrams, public share records, and AI assist usage rows. Stripe may retain billing records independently for their legal and compliance obligations.

Your rights

You can access, export, or delete your data at any time. To delete your account and all associated data, use the in-product account deletion option or contact us at support@helmwart.com. If you are located in the EU or UK, you also have the right to rectification, restriction of processing, and to lodge a complaint with your supervisory authority. We will respond to data requests within 30 days.

No sale of data

We do not sell, rent, or trade your personal data to any third party for their marketing purposes, now or in the future.

Contact

Privacy questions or data requests: support@helmwart.com