Effective Date: March 5, 2026
Controller: HelmCase (CNPJ 12.695.310/0001-57)
DPO Contact: support@helmcase.com
This Privacy Policy describes how HelmCase (“we”, “us”, “HelmCase”) collects, uses, stores, and protects personal data in compliance with the Lei Geral de Proteção de Dados (LGPD — Law 13,709/2018), the General Data Protection Regulation (GDPR — EU 2016/679), and the California Consumer Privacy Act (CCPA).
1. Data We Collect
We collect the following categories of personal data:
- Account Data: Name, email address, password (hashed), phone number, professional role
- Billing Data: Payment method (processed by Stripe — we do not store full card numbers), billing address, subscription history
- Case & Client Data: Immigration case information, visa types, document metadata, deadlines, and client personal data uploaded by Subscribers
- Usage Data: IP address, browser type, pages visited, session duration, feature usage logs
- Communication Data: Messages exchanged through the platform between attorneys and clients
2. Legal Basis for Processing
| Purpose | Legal Basis (LGPD) | Legal Basis (GDPR) |
|---|---|---|
| Service delivery | Art. 7, II — Contract performance | Art. 6(1)(b) — Contract |
| Billing & payments | Art. 7, II — Contract performance | Art. 6(1)(b) — Contract |
| Legal compliance | Art. 7, II — Legal obligation | Art. 6(1)(c) — Legal obligation |
| Security & fraud prevention | Art. 7, IX — Legitimate interest | Art. 6(1)(f) — Legitimate interest |
| Analytics & improvement | Art. 7, IX — Legitimate interest | Art. 6(1)(f) — Legitimate interest |
3. How We Use Your Data
- To provide, operate, and improve the HelmCase platform
- To process payments and manage subscriptions
- To send service notifications, billing alerts, and deadline reminders
- To respond to support requests
- To detect and prevent fraud and security incidents
- To comply with legal obligations in Brazil, the United States, and the European Union
4. Data Sharing & Third Parties
We do not sell your personal data. We may share data with:
- Stripe Inc. — Payment processing (PCI-DSS compliant)
- Hosting providers — Infrastructure and storage (data may be stored in Brazil or the United States)
- Email service providers — Transactional notifications
- Legal authorities — When required by law, court order, or government request
5. International Data Transfers
Your data may be processed in countries outside Brazil and the EU. When transferring data internationally, we apply appropriate safeguards including Standard Contractual Clauses (SCCs) and ensure equivalent levels of protection as required by LGPD Art. 33 and GDPR Chapter V.
6. Your Rights
Depending on your jurisdiction, you have the following rights:
- LGPD (Brazil): Access, correction, deletion, portability, information on sharing, revocation of consent (Art. 18)
- GDPR (EU/UK): Access, rectification, erasure, restriction, portability, objection, lodge complaint with supervisory authority
- CCPA (California): Know, delete, opt-out of sale (we do not sell data), non-discrimination
To exercise your rights, contact: support@helmcase.com. We will respond within 15 business days (LGPD), 30 days (GDPR), or 45 days (CCPA).
7. Data Retention
- Active account data: Retained for the duration of the subscription
- Post-cancellation: Retained for 30 days, then permanently deleted
- Billing records: Retained for 5 years as required by Brazilian tax law
- Audit logs: Retained for 12 months
8. Security
We implement industry-standard security measures including TLS encryption in transit, hashed passwords (bcrypt), role-based access control, audit logging, and regular security reviews. In the event of a data breach, we will notify affected users within 72 hours as required by GDPR and LGPD.
9. Cookies
We use cookies and similar technologies as described in our Cookie Policy.
10. Children’s Privacy
The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected such data, contact us immediately.
11. Data Protection Officer (DPO)
Our DPO can be reached at: support@helmcase.com
HelmCase · R. do Retiro, 2251, Vila das Hortências, Jundiaí/SP, Brazil
12. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes by email or prominent in-app notice at least 15 days before the changes take effect.