Privacy Policy

1. Information We Collect

Account Information

When you create an account, we collect:

• Full name
• Email address
• Company name
• Password (hashed using Argon2id — we never store plaintext passwords)

Customer Data You Store in the Service

As an account holder, you store content and data within the Service, including:

• Knowledge base articles and other content you upload to train the AI
• Conversation history between your end-users and the chat widget
• End-user identity information you pass to us via the widget's identify API (e.g., user ID, name, email) — see our Customer Identity documentation
• Property and team configuration

End-User Data Collected by the Chat Widget

When an end-user interacts with the HelpPilot chat widget on a website operated by one of our customers, we collect the messages they send, basic browser and device metadata, and any identity information the host site provides through the widget's identify API. We process this data on behalf of our customer (the website operator) to deliver the chat experience.

Usage and Device Information

We automatically collect certain technical information when you access the Service:

• Browser type and version
• Operating system
• IP address
• Pages visited and features used in the dashboard
• Date and time of access

Cookies and Local Storage

The dashboard uses httpOnly secure cookies for authentication (access and refresh tokens). These are strictly functional and required for the Service to operate. The chat widget stores a non-identifying device identifier in the visitor's browser (via local storage) so a returning visitor can resume an in-progress conversation. We do not use advertising cookies or third-party tracking cookies.

2. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Service
• Generate AI responses to end-user chat messages, using your knowledge base content as grounding context
• Authenticate your identity and secure your account
• Send transactional email about your account, security, and support requests
• Improve and develop the Service
• Comply with legal obligations
• Detect, prevent, and address fraud, spam, and abuse

We do not use your Customer Data or end-user messages to train AI models, and we do not allow our AI sub-processors to train their models on your data either.

3. Our Role Under Privacy Laws

We act in two different capacities depending on whose data we're handling:

• Data Controller — for the personal information of our direct customers (account holders): the people who sign up for and administer a HelpPilot account.
• Data Processor / Service Provider — for personal information of end-users that our customers route through the chat widget. In that case our customer is the controller, and we process the data on their behalf and under their instructions.

4. How We Share Your Information

We do not sell your personal information. We share information only with the sub-processors and parties described below.

Sub-Processors

• Amazon Web Services (AWS) — Our cloud infrastructure provider. All Service infrastructure is hosted in the AWS US West (Oregon, us-west-2) region, including managed Aurora MySQL databases, S3 object storage, EC2 compute, and OpenSearch for vector search. We also use AWS Simple Email Service (SES) to send transactional email.
• Anthropic, PBC — Our large language model provider. Conversation messages and relevant knowledge base content are sent to Anthropic's Claude API so the AI can generate responses. Anthropic does not train its models on data submitted through the API.
• OpenAI, L.L.C. — Our text embeddings provider. When you upload knowledge base content, we send it to OpenAI's embeddings API to generate vector representations used for semantic search. OpenAI does not train its models on data submitted through the API.
• Cloudflare, Inc. — We use Cloudflare Turnstile to protect signup and other forms from automated abuse. Turnstile receives limited browser and challenge metadata to assess whether a request is likely from a human.

Legal Requirements

We may disclose your information if required to do so by law, in response to valid legal process (such as a subpoena, court order, or lawful government request), or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

Business Transfers

If Aztec Software, LLC is involved in a merger, acquisition, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you of any such change.

5. Data Storage and Security

We take the security of your data seriously and implement appropriate technical and organizational measures:

• All data is hosted on Amazon Web Services (AWS) in the US West (Oregon, us-west-2) region.
• Data is encrypted in transit using TLS.
• Passwords are hashed using Argon2id with per-user salts.
• Dashboard authentication uses short-lived access tokens and rotating refresh tokens stored in httpOnly secure cookies.
• Tenant data is isolated via row-level multi-tenant scoping in our databases — every query is bound to a single account context.
• The chat widget authenticates end-users using a device identifier combined with an HMAC signature to prevent impersonation.

While we strive to protect your personal information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

6. International Data Transfers

Our infrastructure is hosted in the United States. Our AI and embeddings sub-processors process data in the United States as well. If you access the Service from outside the United States, you understand that your information will be transferred to, stored in, and processed in the United States, which may have different data protection laws than your jurisdiction.

7. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Upon account termination, we will delete or anonymize your data and your end-users' conversation history within 90 days, unless retention is required by law or for legitimate business purposes (such as resolving disputes or enforcing our agreements).

You may also request earlier deletion at any time by emailing privacy@helppilot.io .

8. Your Rights (California Residents — CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) gives you specific rights regarding your personal information:

• Right to Know — You may request that we disclose the categories and specific pieces of personal information we have collected about you.
• Right to Delete — You may request deletion of your personal information, subject to certain exceptions.
• Right to Correct — You may request that we correct inaccurate personal information.
• Right to Opt-Out of Sale or Sharing — We do not sell or share personal information for cross-context behavioral advertising, so there is nothing to opt out of.
• Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA rights.

To exercise any of these rights, email privacy@helppilot.io . We will respond to verifiable consumer requests within 45 days.

9. Canadian Users (PIPEDA)

If you are located in Canada, we handle your personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. You have the right to access, correct, and request deletion of your personal information. To exercise these rights, email privacy@helppilot.io .

10. European, UK, and Swiss Users (GDPR / UK GDPR / FADP)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR), UK GDPR, and Swiss Federal Act on Data Protection (FADP) give you additional rights regarding your personal information.

Legal Bases for Processing

We rely on the following legal bases under Article 6 of the GDPR:

• Contract — to provide the Service to you under our Terms of Service and to administer your account.
• Legitimate interests — to secure the Service, prevent fraud and abuse, and improve our product, where those interests are not overridden by your fundamental rights.
• Legal obligation — to comply with applicable law.
• Consent — for specific purposes where required (you may withdraw consent at any time without affecting prior processing).

Your Rights

Subject to applicable law, you have the right to:

• Access — request a copy of the personal information we hold about you.
• Rectification — ask us to correct inaccurate or incomplete data.
• Erasure — ask us to delete your personal information ("right to be forgotten").
• Restriction — ask us to limit how we process your personal information.
• Portability — receive your personal information in a structured, commonly used, machine-readable format and transmit it to another controller.
• Object — object to processing based on legitimate interests, including any direct marketing (we do not engage in direct marketing without consent).
• Withdraw consent — where processing is based on consent, you may withdraw it at any time.
• Automated decision-making — although the Service uses AI to generate responses to chat messages, we do not use solely automated processing to make decisions that produce legal or similarly significant effects about you.

To exercise any of these rights, email privacy@helppilot.io . We will respond within one month, extendable by up to two further months for complex or numerous requests, with notice to you.

International Data Transfers

Your personal information is transferred to and processed in the United States by us and by our sub-processors (AWS, Anthropic, OpenAI, and Cloudflare). Where we transfer personal information out of the EEA, UK, or Switzerland, we rely on appropriate safeguards as required by Chapter V of the GDPR, including the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and — where applicable — the EU-US, UK-US Extension, and Swiss-US Data Privacy Framework certifications held by our sub-processors. You may request a copy of the safeguards applicable to a specific transfer by emailing privacy@helppilot.io .

Controller and Processor Roles

For account holders, Aztec Software, LLC is the controller of your personal information. For end-user data that our customers route through the chat widget, our customer is the controller and we act as the processor under Article 28 of the GDPR. Business customers who require a signed Data Processing Agreement (DPA), including the SCCs, may request one by emailing privacy@helppilot.io .

EU and UK Representative

[TODO: appoint and list EU and UK Article 27 representatives before serving EEA/UK residents at scale.] In the meantime, you may contact us directly with any GDPR-related questions at privacy@helppilot.io .

Right to Lodge a Complaint

You have the right to lodge a complaint with the data protection supervisory authority in your country of residence, place of work, or place of the alleged infringement. UK residents may contact the Information Commissioner's Office at ico.org.uk . We would appreciate the chance to address your concerns first — please reach out to us at the email above.

11. Children's Privacy

The Service is not directed to individuals under the age of 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us at privacy@helppilot.io and we will take steps to delete the information.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last updated" date above. For significant changes, we may also notify you by email. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

13. Contact Us

Questions or concerns about this Privacy Policy or our data practices? Contact us: