Helm by Shiery — Privacy Policy

Version: 1.0 Last updated: May 3, 2026 Effective date: May 3, 2026

This is a living document and may be updated as the Service evolves. We will notify you of material changes as described in Section 14.

Plain-English summary

Helm stores your productivity data primarily in your own Notion workspace. If you connect Google Calendar, Helm reads calendar events only to show them on your dashboard, sync selected major events to your Notion, and provide context to AI features that help you plan your day. Helm uses Anthropic’s Claude API for AI features; your content is not used to train AI models. We do not sell your personal information, do not use advertising cookies, and do not transfer your data to data brokers.

1. Who we are

This Privacy Policy describes how Shiery Consulting LLC, a Washington limited liability company doing business as Helm by Shiery (“Shiery,” “we,” “us,” or “our”), collects, uses, and shares information when you use the Helm productivity service (the “Service”).

We are the “data controller” for personal information collected through the Service.

2. Information we collect

Information you provide directly

• Account information. Email address, name, account ID, authentication-provider identifiers, and OAuth/integration tokens needed to connect services. We do not store your password if authentication is handled by a third-party auth provider.
• Subscription / billing information. If you subscribe to a paid plan, our payment processor (Stripe or equivalent) collects your payment method details. We do not store full payment card numbers.
• Your Content. Tasks, ideas, notes, events, shopping items, media queue entries, reference lists, quick notes, and any other content you create in Helm or sync from connected services.
• Support communications. Messages you send to support, including any information you voluntarily include.

Information collected automatically

• Usage data. Feature-level activity, screen views, interactions, performance metrics, and error logs. Used to operate, maintain, and improve the Service.
• Device and technical data. Device type, operating system, browser type, IP address, approximate location derived from IP, and similar technical identifiers.
• Cookies and similar technologies. For authentication, session management, and basic analytics. We do not use third-party advertising cookies.

Information from services you connect

When you connect a service to Helm, we receive data from that service to the extent necessary to provide the Service:

• Notion. We create and read database pages in a Notion workspace that you own. We do not access Notion content outside of the databases Helm provisions or interacts with.

• Google Calendar (optional). When you connect Google Calendar, Helm requests read-only access (calendar.readonly scope) to your calendar events. We use this access to:

  • Display today’s events on the Helm Dashboard.
  • Identify major life events (trips, weddings, anniversaries, etc.) via AI-filtered sync to your Notion Events database. Routine recurring meetings are excluded.
  • Provide calendar context to AI features (focus curation), so the AI can factor in your day’s commitments when picking your top tasks.

  We do not write to your calendar. We do not store raw Google Calendar event data in Helm-owned databases. When Calendar sync is enabled, Helm may temporarily process Google Calendar event data on Helm servers and may write selected event information to your own Notion Events database to provide the sync feature. We store your Google OAuth refresh token encrypted on our infrastructure so we can access your calendar until you disconnect Google Calendar or revoke access at https://myaccount.google.com/permissions. Revoking access immediately stops calendar fetches.

  Google API Services User Data Policy compliance. Helm’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically: we do not sell Google user data, use it for advertising, transfer it to data brokers, use it for credit-worthiness determinations, or use it to train or improve generalized machine-learning or AI models. Google Calendar data is shared with Anthropic only when necessary to provide user-facing Helm AI features that you invoke (such as focus curation or calendar sync). Humans do not read Google Calendar data except with your explicit consent, for support, security, or legal reasons, or in aggregated/de-identified form for internal operations.

3. How we use your information

We use the information we collect to:

• Provide, maintain, and operate the Service.
• Personalize your experience (e.g., focus curation, worth-revisiting surfacing).
• Process subscriptions and payments.
• Communicate with you about the Service (service announcements, billing, security).
• Respond to support requests.
• Detect, prevent, and address fraud, abuse, security incidents, and technical issues.
• Comply with legal obligations.
• With your consent or as otherwise permitted by law, send marketing communications (you may opt out at any time).
• Improve the Service based on aggregated and pseudonymized usage patterns. (Pseudonymized: identifiers may be replaced with internal IDs but data could in principle be re-associated with you using additional information; we do not perform such re-association except where required to investigate a security incident or comply with legal process.)

We do not sell or rent your personal information. We do not use Your Content to train machine learning models.

4. How we share information

We share information only in the following circumstances:

• With services you connect. Data flows to and from services you authorize, under their respective privacy policies:

  • Notion: https://www.notion.so/privacy
  • Google: https://policies.google.com/privacy

• Service providers Helm uses. These providers process information on Helm’s behalf to operate, maintain, secure, or support the Service. They are bound by contractual obligations to protect your information.

  • Anthropic — Claude API for AI features (focus curation, Quick Capture enrichment, calendar event classification). Anthropic does not use data submitted through its commercial API to train models by default. Anthropic processes and retains API data according to its applicable API/commercial terms and privacy commitments. https://www.anthropic.com/privacy
  • Vercel — application hosting and request logs (URLs, status codes, headers, request metadata). https://vercel.com/legal/privacy-policy
  • Sentry — error and diagnostic tracking, including stack traces, browser/device details, and account identifiers needed to debug issues. We configure Sentry to avoid intentionally logging Your Content, but error logs may occasionally include limited content if it appears in an error context. https://sentry.io/privacy/
  • Auth provider (Clerk or equivalent) — sign-in, session management, and identity. https://clerk.com/legal/privacy
  • Database hosting (Supabase or Neon Postgres for account-level data; user content lives in the user’s own Notion workspace).
  • Stripe (if used for payments) — payment processing. https://stripe.com/privacy

• Legal and safety. When required by applicable law, legal process, or to protect the rights, property, or safety of Shiery Consulting LLC, our users, or the public.

• Business transfers. In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction, subject to your rights under this Policy.

• With your consent. When you expressly agree.

5. Data retention

We retain personal information for as long as your account is active or as needed to provide the Service. When you delete your account:

• Account data (email, authentication, subscription history) is retained for up to 90 days for fraud prevention, tax, and legal compliance, then deleted or anonymized.
• Your Content stored in your own Notion workspace remains in your workspace unless you delete it there. Helm does not control that data after you revoke access.
• Usage logs and aggregated analytics may be retained for up to 24 months in an anonymized or pseudonymized form.

You may request earlier deletion by contacting us, subject to legal retention requirements.

6. Security

We implement reasonable administrative, technical, and physical safeguards to protect your information, including:

• Encryption in transit (HTTPS / TLS).
• Encryption at rest for data stored in our infrastructure providers (Supabase / Postgres, Vercel).
• Access controls and authentication on Helm-side systems.
• Secure handling of API tokens and third-party credentials.

No method of transmission or storage is 100% secure. You are responsible for maintaining the security of your own account credentials.

If we become aware of a security incident affecting your personal information, we will notify you as required by applicable law.

7. Your rights

Depending on where you live, you may have the following rights:

United States (California — CCPA/CPRA; other states with consumer privacy laws)

• Right to know what personal information we collect, use, and disclose.
• Right to delete personal information we hold about you.
• Right to correct inaccurate personal information.
• Right to opt out of sale or sharing of personal information (we do not sell or share personal information for cross-context behavioral advertising).
• Right to limit use of sensitive personal information. Calendar event metadata that you choose to sync through Helm may incidentally include information classified as “sensitive personal information” under the CCPA/CPRA (e.g., a calendar event title that references a medical appointment or religious observance). We do not use this information for any purpose beyond providing the Helm Service to you. We do not infer characteristics about you from this information, sell or share it, or use it for advertising. You retain the right to limit our use of sensitive personal information; because our use is already limited to providing the Service you authorized, this right does not affect Helm’s operation.
• Right to non-discrimination for exercising your rights.

European Economic Area, United Kingdom, Switzerland (GDPR / UK GDPR)

• Right of access, rectification, erasure, restriction of processing, and data portability.
• Right to object to processing based on legitimate interests or for direct marketing.
• Right to withdraw consent where processing is based on consent.
• Right to lodge a complaint with a supervisory authority.

Legal bases we rely on: contract performance (providing the Service), legitimate interests (security, fraud prevention, product improvement), consent (where specifically requested), and legal obligation.

How to exercise your rights

Contact us at the address below. We will respond within the timeframes required by applicable law. We may need to verify your identity before acting on a request.

If we deny your privacy request, you may appeal by replying to our decision email with “Privacy Appeal” in the subject line. We will review the appeal and respond as required by applicable law.

8. Minimum age

The Service is intended for users 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If we learn we have collected information from someone under 18, we will delete it.

If you believe someone under 18 has provided us with personal information in violation of this Policy, please contact us.

9. International data transfers

The Service is operated from the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction. Where required, we implement appropriate safeguards such as Standard Contractual Clauses.

10. Cookies and tracking

We use cookies and similar technologies for authentication, session management, and first-party analytics. We do not use third-party advertising cookies or cross-site tracking.

All cookies we currently use are strictly necessary for the Service to function (authentication and session management). No consent banner is shown because no non-essential cookies are set. If we add analytics or other non-essential cookies in the future, EU users will be presented with a consent prompt before those cookies are set.

You can control cookies through your browser settings. Disabling cookies may impair Service functionality (e.g., you may be signed out more frequently).

11. Third-party links and services

The Service may include links or integrations with third-party websites and services. This Privacy Policy does not apply to third-party practices. Review the privacy policies of those services before providing information or authorizing access.

12. California “Shine the Light”

California residents may request, once per year, a disclosure of personal information we have shared with third parties for direct marketing purposes in the prior calendar year. We do not currently share personal information with third parties for their direct marketing. Requests may be sent to the contact address below.

13. Do Not Track

Some browsers transmit a “Do Not Track” signal. There is no common industry standard for interpreting this signal; the Service does not currently respond to DNT signals differently. We do not engage in cross-site behavioral tracking regardless of DNT status.

14. Changes to this Policy

We may update this Privacy Policy from time to time. If changes are material, we will provide reasonable notice (for example, by email or a prominent notice in the Service) before the changes take effect. The “Last updated” date at the top of this Policy indicates when it was most recently revised.

15. Contact

Shiery Consulting LLC d/b/a Helm by Shiery Bothell, WA Email: privacy@shiery.ai

For EU / UK / Swiss users: if you wish to lodge a complaint with a supervisory authority, you may do so with the data protection authority in your country of residence.