**Version:** 1.0-draft-IL
**Jurisdiction:** Illinois
**Last updated:** May 15, 2026
Helmrun ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have regarding your personal information.
This policy applies to Illinois residents. Because Helmrun operates exclusively in Illinois at this time, Illinois law — in particular the Illinois Personal Information Protection Act (PIPA, 815 ILCS 530) — governs our privacy obligations.
When you create a Helmrun account, we collect:
When you set up your family profile, you may provide:
This data is provided by you (the adult account holder) on behalf of your household.
When you forward emails to your Helmrun address:
**We do not store email attachments.** We only process and store the text body of forwarded emails.
We read and write events to your connected Google Calendar. We store the Google access token and refresh token for your account to maintain this connection.
Email content is sent to Anthropic's Claude API for natural language processing. The extracted structured data (events, tasks, decisions) is stored in our database. We do not store the raw Claude API response beyond the parsed output.
Standard web application logs (request timestamps, error logs). We do not use third-party analytics trackers.
We use the data described above only to:
**We do not sell your personal information.** We do not use your data for advertising. We do not use data about your household members for any purpose other than providing the Service.
We share data with the following third-party service providers, each of which processes data on our behalf:
| Provider | Purpose | Privacy Policy |
|----------|---------|---------------|
| Anthropic | AI email parsing | [anthropic.com/privacy](https://www.anthropic.com/privacy) |
| Supabase | Database and authentication | [supabase.com/privacy](https://supabase.com/privacy) |
| Google | Calendar API integration | [policies.google.com/privacy](https://policies.google.com/privacy) |
| Mailgun | Inbound email relay and digest delivery | [mailgun.com/privacy-policy](https://www.mailgun.com/privacy-policy/) |
| Vercel | Application hosting | [vercel.com/legal/privacy-policy](https://vercel.com/legal/privacy-policy) |
| Stripe *(future)* | Billing and payment processing | Will be added when billing is implemented |
We do not authorize any of these providers to use your data for their own purposes beyond what is necessary to provide services to Helmrun.
**Regarding Anthropic:** Helmrun uses Anthropic's API under a commercial agreement. Per Anthropic's usage policies, API data is not used to train Anthropic's AI models. Email content processed through the API is not retained by Anthropic beyond its API response.
We retain your account data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law.
Email body text stored in our database is retained as long as the associated events remain in your calendar. You may delete events (and their associated email content) from within the application.
Under Illinois law and as a matter of our policy, you have the right to:
To exercise these rights, contact us at hello@helmrun.com. We will respond within 30 days.
Helmrun is a service for adults. You must be 18 or older to create an account. Helmrun is not directed to children under 13 and does not knowingly collect personal information directly from children under 13.
As a household scheduling tool, parents may create profile entries for their minor children (children's names, ages, activity schedules). This data is provided by and at the direction of the adult parent account holder. The child does not interact with the service, does not have an account, and does not submit personal information independently.
Our position is that this arrangement is consistent with COPPA guidance: information about children collected from their parents, at the parents' direction, in a service directed at adults, is not subject to COPPA child data collection requirements. However, we treat data about minors with heightened care: we do not share it with advertisers, we do not use it to train AI models, and we do not disclose it to third parties beyond what is necessary to provide the Service.
If you believe we have inadvertently collected information from or about a child under 13 in a manner inconsistent with this policy, contact us at hello@helmrun.com and we will take immediate steps to delete it.
We implement industry-standard security measures:
No security system is impenetrable. If we discover a breach of your personal information, we will notify you and, where required by law, the Illinois Attorney General in accordance with Illinois PIPA.
In the event of a security breach affecting your personal information, we will:
1. Notify affected individuals "in the most expedient time possible and without unreasonable delay."
2. Notify the Illinois Attorney General if the breach affects more than 500 Illinois residents.
3. Describe the nature of the breach, the categories of information affected, and steps we are taking to remediate it.
Helmrun's data is stored in Supabase's US-East (AWS us-east-1) infrastructure, located in the United States. No data is transferred to the European Union or any other jurisdiction. There is no current Illinois law requiring data residency within Illinois.
Questions about this Privacy Policy or requests to exercise your rights:
**Helmrun / Sirket Holdings**
Email: hello@helmrun.com
We may update this Privacy Policy from time to time. We will notify you of material changes by email or in-app notice. The "Last updated" date at the top reflects when this policy was last revised. Continued use of the Service after a change constitutes acceptance of the revised policy.