Privacy Policy


URL: https://heliumdev.com/privacy
Last Updated: 25 August 2018
Revision: 5

Introduction

This notice applies to all products and services that we offer. It covers how we collect, process, protect, and retain ‘personal data’. Personal data are things that can identify an individual like names, email addresses, addresses, phone numbers, ID cards/numbers, IP addresses, etc. Sometimes we will anonymize and/or aggregate this information, making it impossible to identify someone. Anonymized and/or aggregated information isn’t covered under this policy.

The audience of this policy is two-fold: we are primarily speaking to merchants who are using our services, but some of this applies to their customers as well. We’ll do our best to make it clear who were talking about in the different sections of this policy. Merchants are the ones offering paid and free products and services and customers are the individuals consuming those.

We will make updates to this policy periodically. See the “Changes to this policy” section to see how we will communicate those.

Who we are

Helium Development LLC (“Helium”, “we”, “us”, “our” in this policy) is an independent limited-liability company registered in Washington State (WA) in the United States of America (USA). We’re a software development company that builds apps and themes for merchants, primarily on the Shopify platform. We seek to create amazing experiences and opportunities that bring merchants and their customers together in order that they may both benefit equally.

How we think about data

Data is a modern form of currency. As with currency, it represents both reward and responsibility. It must be handled with care, kept safe and secure, but also be accessible and used in the right moments by the right people. We want to provide products and services that both merchants and customers trust, as they would a bank or other processor of currency.

Through our products, we offer convenience and customized experiences to a merchant’s customers. They are able to express themselves in ways that invite a more personal response from merchants. They may also need to demonstrate that they conform to a merchant’s requests and applicable laws.

We enable merchants to gather relevant information about their customers so that the merchants can refine their service, meet legal obligations, and respond to customers with more care.

We work hard to keep this information secure and accessible to only those who need it. Privacy begins and ends with security.

We act as good stewards of this data, obeying the legitimate requests of both our merchants and their customers. We want to earn our value and trust through our consistent proper handling of this information.

What data do we collect and why?

Before we dive into specific products, let’s talk about the categories of data. We’ll cover what they are in plain terms and refer to them later on. These apply to everyone, unless we say otherwise.

We will ask for your consent before using this data for a purpose other than those that are set out in this policy.

Access information

When you interact with our products and services over the Internet, information is collected. This includes the date and time of the access, IP address, general geographic location (country/region) derived from IP address, web browser version and configuration, device ID, OS version, the page being viewed, and actions taken on that page. This is recorded in access logs on our servers. For certain services, we also use Google Analytics to capture this information. In that case, the access information is transmitted directly to Google Analytics, and we can view that in an anonymized and aggregated form. In some situations, we may send this data to services such as reCAPTCHA or Stripe to decide whether a request is from a human or a robot.

This access information enables us to provide our services, understand how they are being used, as well as fight abuse and fraud directed towards them. This collection isn’t optional and is necessary for us to run our services. We limit the amount of time (typically 60 days) that we keep this data, to ensure that we aren’t holding onto it longer than necessary.

In some cases, we use access information to improve our services, by identifying access patterns where we believe the user is running into problems with our service. We look for inefficiencies to see where we can improve our services’ performance.

Cookies

A cookie is a relatively small bit of text that your web browser accepts from us when you access our services. Cookies contain preferences or perhaps a unique identifier, specific to your interaction with us. Your web browser saves these cookies and sends them to us on each following page request, until the cookie expires. Websites can’t be sure of who requested pages without persistent information like cookies.

In many cases, the cookies that we set are necessary to make sure it’s really you. We will set them after you log in and we will check them for each following interaction. In other cases, the cookies we or our partners set are for tracking or marketing purposes. You can opt in/out of those as you desire, without your service degrading.

To learn more about cookies and their roles, read Mozilla’s explanation. You can also set browser preferences on how cookies are accepted, used, and stored.

Web Storage

Just so that we’re clear, there is another technology that we use called HTML5 Web Storage (or Web Storage, for short). Web Storage is a mechanism similar to cookies to store information locally in your web browser. Web Storage isn’t transmitted back to us, unless we say so in another section.

Information you provide us

Many times you supply us with information. It might be clicking on buttons in an app, filling out a web form, responding to a survey, interacting with our support staff, and so forth. We will use this information to fulfill your requests, provided that they are lawful and legitimate.

Information from Shopify

This specifically applies to merchants: when you use our services, we communicate with Shopify through their Application Programming Interfaces (APIs) to retrieve information about your shop: things like your website address, Shopify plan, contact information, location, timezone, currency, taxable status, how your storefront is configured, and preferences. As appropriate for the service, we will ask for access to your permission to access other Shopify data, such as orders, products, or customers. You’ll be prompted about this when you install one of our apps.

We use this information to provide our services. In most cases, you installed one of our products so that we can perform actions on your behalf. Some of this allows us to personalize the experience. We will update information that is stored by Shopify in accordance with your actions within our service, the actions of your customers, and information that Shopify gives us.

Contact information

This specifically applies to merchants: you may directly or indirectly provide us with your name and an email address that forms your contact information.

We use the contact information to reach you in abnormal situations: something isn’t configured right, we’ve experienced a data breach, etc. You can’t opt out of this; it is essential that we can give you information on the status and use of our service. If we don’t have the right email address for you, make sure it is correct within Shopify’s admin.

If you allow us, we will occasionally send you emails about new products and services we offer. You can withdraw from this direct marketing, by clicking the “unsubscribe” link in the footer of the email and we won’t contact you again about those.

Derived information

Sometimes we take parts of the information that was described previously and supplement it with data from our partners or combine it in novel ways. This is derived information. Through the power of machine learning, we can deliver new insights to merchants, make recommendations to customers, recognize patterns, organize, etc. This information relies on the accuracy of the source data. We promise to oversee these processes to the best of our abilities to make sure information is accurate, useful, and respectful. We won’t try to uncover things that would be considered protected categories (political beliefs, race, sexual orientation, etc), for example.

Now that we have defined these major categories, let’s discuss how they apply to each product:

Customer Fields

Only applicable to Merchants who’ve installed Customer Fields for Shopify and their customers.

Customer Fields is our app for Shopify that allows merchants to collect preferences and other applicable information from their customers so that the merchants can offer a more personal and streamlined experience to those customers. A merchant can configure what information they want to collect and customers can provide all or some of this when visiting the merchant’s store. Merchants can organize and label this data within the app and use it as necessary for their legitimate business needs and/or legal requirements. Merchants are limited to seeing personal data on their customers only and not the customers of other merchants.

What is collected?

From merchants

Helium collects access information and cookies, as described above. Merchants provide us with data, including customer records that they wish to import, manual data entry, labels for customers, searches, and settings. Helium queries Shopify as described above to collect store information, customer records, order records, and product information.

From customers

Helium collects access information and cookies, as described above. If the customer is creating a new account, Helium will collect a password. Helium may have access to purchasing history and behavior through the merchant’s Shopify account.

Beyond that, the types of data requested will be decided by the merchant. Based on how the merchant has configured the app, this may include:

Merchants are responsible for clarifying what information is required and what is optional. They are required to gather consent in situations where they are legally obligated to. Helium may provide tools to gather consent, but we are not obligated to make sure it was gathered when legally necessary.

In GDPR terms, Helium is acting as a data processor and merchants are data controllers. Merchants are required to gather consent as necessary in clear, unambiguous, and accessible terms. When storing information with Customer Fields, merchants assert that they are aware of the laws concerning this collection and are complying with them.

Why is this collected?

Helium acts as a processor for our merchants’ needs. Merchants must have a legitimate business use case for storing this information with us. We collect and process account creation information as a convenience for merchants to set up customer accounts with Shopify. Merchants may want to directly market to their customers, as allowed by the laws that apply to them.

We collect information on merchants so that we can communicate with them as described in the “Contact information” section above. We use all of this information here in the Customer Fields section for legitimate business purposes (like improving our products), as described above.

What choices do I have around the collection of this?

If you are a customer of a merchant using Customer Fields, you’ll need to speak with them on this matter. Some information collected by a merchant may be necessary to fulfill a contract or in providing you with services or goods. They might also have legal obligations to collect information (such as verifying you are old enough to purchase alcohol). Other data will be marked as optional, so it isn’t necessary to tell the merchant or us about that.

How do I exercise my rights to this data?

If you are a subject within the European Economic Area (EEA) and an increasing number of countries, you have rights around being able to access, erase, object to, or rectify your data. Merchants are the Data Controller and are responsible for fulfilling this. We provide tools within Customer Fields to enable merchants to do this. Also, with merchant setup, customers can access this information through the merchant’s website in a self-service manner. Merchants are to verify customer identities and fulfill requests from customers, as legally required.

Helium will comply with these accesses, modifications, and erasures from merchants and/or Shopify. Erasure can be triggered by a merchant by deleting customer information in Customer Fields.

How is the data portable?

Customer Fields provides mechanisms for data export in CSV (comma-separated values) format that merchants can provide to customers wishing to access and port their data to another service. We also support API (programmatic) access to Customer Fields for service-to-service transfers.

How long is data retained?

Data is kept as long as a merchant has Customer Fields installed and is in good standing with Shopify and Helium. Non-payment or violation of Terms of Service may result in the deletion of all data after 30 days. Customer data is kept as long as customers consent to it being stored with the merchant and Helium. In the case of erasure, customer data will be removed from production systems within 3 days. Backups may still contain this data and are kept for up to 90 days before being fully deleted. Data may be kept longer in aggregated and anonymized form for statistical analysis, as is compliant with GDPR.

Meteor Mega Menus

Only applicable to Merchants who’ve installed Meteor Mega Menus for Shopify and their customers.

Meteor Mega Menus is our app for Shopify that provides merchants with drop down navigations for their store website. Meteor Mega Menus allows them to customize how those menus look and add them to their existing website. Customers interact with those menus to find the products that they are looking for.

What is collected?

From merchants

Helium collects access information and cookies, as described above. Merchants provide us with data, including configuration of the menus, settings, a storefront password (if applicable), images to show on the menus, and information about their catalog (products). Helium queries Shopify as described above to collect store information, themes installed, and navigation menus that have already been defined in the merchant’s Shopify admin.

From customers

When customers visit a web storefront that has Meteor Mega Menus installed, Helium collects access information, as described above, when that customer requests the files necessary to show the menu on the website.

Why is this collected?

Helium needs this information to be able to provide this service.

What choices do I have around the collection of this?

Most of this is essential for us to provide this service. In the case of merchants, you may choose to opt-out of our direct marketing communications by unsubscribing, as described above in the “Contact information” section.

Relatable

Only applicable to Merchants who’ve installed Relatable for Shopify and their customers.

Relatable is our app for Shopify that allows merchants to be able to define connections between different resources (products, blogs, collections, etc). Merchants create these associations within the app and then add some code to their theme to show those relationships to customers.

What is collected?

From merchants

Helium collects access information and cookies, as described above. Merchants provide us with data, including configuration of the connections between items, settings, and uploaded documents that relate to items. Helium queries Shopify as described above to collect store information, product records, articles, pages, and collections.

From customers

When customers visit a web storefront that has Relatable installed, Helium collects access information and cookies, as described above, when that customer requests the files necessary to show the menu on the website.

Why is this collected?

Helium needs this information to be able to provide this service.

What choices do I have around the collection of this?

Most of this is essential for us to provide this service. In the case of merchants, you may choose to opt-out of our direct marketing communications by unsubscribing, as described above in the “Contact information” section.

Carbon

Carbon is a Shopify theme created by Helium for merchants and their customers. The theme is currently sold through our own sales website (https://carbon.heliumdev.com).

What is collected?

From visitors to the sales website

Helium collects access information and cookies, as described above. We use tracking cookies to measure the effectiveness of our advertising campaigns.

From merchants who purchase the theme

In addition to the section about visitors, we collect information from the merchants who purchase the theme, including name, email address, physical address, any discount codes, and their Shopify website URL. Payment information is collected and processed through Stripe, one of our partners, who provides us with a transaction reference. Helium does not collect or store payment information for the purchase.

If merchants use our app to preview the theme on their store, Helium queries Shopify as described above to collect store information.

From visitors to the purchased theme

Helium collects access information, as described above.

Why is this collected?

Helium needs this information to be able to provide this service. In regards to advertising, we want to measure how applicable and effective our campaigns are to merchants.

What choices do I have around the collection of this?

Most of this is essential for us to provide this service. In the case of merchants, you may choose to disallow tracking cookies. You may also choose to opt-out of our direct marketing communications by unsubscribing, as described above in the “Contact information” section.

Our Website (heliumdev.com)

Visitors may interact with our company’s website (https://heliumdev.com) in learning more about us. We provide ways for those visitors to contact and interact with us.

What is collected?

Helium collects access information and cookies, as described above. We use tracking cookies to measure the effectiveness of our advertising campaigns.

If you fill out and submit a contact form to us, we receive those as emails. Most of the fields are optional, but include information on how we can reach you, details about your organization, and a description of the work that you are interested in having us perform. We will also validate that you are a human and not a robot via services such as reCAPTCHA.

Why is this collected?

Helium needs this information to serve this website. In regards to advertising, we want to measure how applicable and effective our campaigns are to prospective clients. When you reach out to us via our contact form, we want to know who we are working with and what your needs are.

What choices do I have around the collection of this?

Most of this is essential for us to provide this service. In the case of advertising, you may choose to disallow tracking cookies. You may also choose to not submit information via our contact form.

Measures we use to protect data

Helium is committed to protecting the data that we are entrusted with. We focus on using information technology best practices, including but not limited to:

Who has access to the data

Helium employees

Helium employees have access to data for legitimate business reasons. These include:

Our partners

We take care in choosing who we partner with. Our partners enable us to provide our services to the world and they need to align with our values and policies around data. All partners are GDPR-compliant, most through the EU-US Privacy Shield and Swiss-US Privacy Shield frameworks. Review our list of partners (also known as sub-processors).

Sharing of data

Helium is very protective of the data that we are entrusted with. Customer and merchant data is not shared outside of Helium or its partners listed above, transferred, leased, or sold.

Information may be disclosed to government authorities when we are served with a subpoena, warrant, or other legally enforceable action.

For apps like Customer Fields, sharing is also controlled by the merchants who control the data. How they choose to do this will be described in their own privacy policies, which are separate from this policy.

If Helium or one of its products or services were sold to a new owner, we may transfer existing data to that new owner. We will properly disclose this change in advance of a sale.

Changes to this policy

From time to time, we will make changes to this policy. This is a living document and will be refined as we learn more about our business, merchants, customers, industry, and government partners.

When we make minor changes to this document (editorial changes, rewording, new products), we will publish them on our website at https://heliumdev.com/privacy.

We will not reduce your rights under this policy without your consent. In addition to publishing changes here, we will email merchants to inform them of these changes and collect consent.

Ways to follow up with us

If you have questions or concerns about this, we want to talk with you. You can email us at privacy@heliumdev.com to reach us. Email is our preferred way to communicate with you.

You can send us postal mail at the following address:

Helium Development LLC
ATTN: Privacy Feedback
PO Box 2235
Gig Harbor, WA 98335

If you have attempted to work with us to resolve your issue and you are unsatisfied with the response, you have the right to reach out to our independent recourse mechanism provider (for free) to mediate the issue. Our provider is and they can be reached .