
Privacy Policy

Effective date: April 19, 2026 (last updated: May 12, 2026)

1. Introduction

HelpWin LLC ("HelpWin," "we," "us," or "our") is a business-to-business software-as-a-service platform that builds, hosts, and manages websites and online booking systems for small service businesses such as auto repair shops, salons, and similar local businesses. HelpWin LLC is organized under the laws of Ohio and operates in the United States.

This Privacy Policy describes how we collect, use, disclose, and protect information in connection with our platform, including our website at helpwin.net, the business dashboard, the embeddable booking widget, and all related services. It applies to our B2B clients (business owners who subscribe to HelpWin) as well as end-customers of those businesses who interact with our platform by booking appointments or submitting contact forms.

By using HelpWin's services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with these practices, please do not use our services.

2. Dual Data Model Disclosure

HelpWin operates under a dual data model. It is important to understand the distinction between the two categories of data we handle:

Client Data (B2B)

This is the information we collect directly from business owners who subscribe to HelpWin. For this data, HelpWin acts as the data controller — we determine the purposes and means of processing.

End-Customer Data

This is the information about the customers of our clients — people who book appointments, submit contact forms, or receive SMS messages through the HelpWin platform. For this data, HelpWin acts as a data processor, handling information on behalf of and under the direction of our clients. The client (the business owner) is the data controller for their end-customers' data and is responsible for maintaining their own privacy practices and disclosures to their customers.

If you are an end-customer of a business that uses HelpWin, please also refer to that business's own privacy policy for information about how they handle your data.

3. Information We Collect — B2B Clients

When you sign up for HelpWin and use our platform as a business client, we collect the following categories of information:

Account Information

  • Full name, email address, and phone number
  • Business name, physical address, and industry/trade

Billing Information

  • Subscription plan and billing history
  • Payment processing is handled entirely by Square. We never store credit card numbers, CVVs, or other payment card data on our servers. Square is PCI DSS Level 1 certified.

Website Content

  • Text, images, logos, and other media uploaded via the website builder
  • Site configuration, layout choices, and design preferences

Dashboard Activity

  • Login timestamps and session activity
  • Settings changes and configuration updates

Employee Data

  • Employee names, roles, email addresses, and phone numbers
  • Work schedules and availability
  • Dashboard access PINs (stored for dashboard access functionality and visible to HelpWin administrators for support purposes)

4. Information We Process — End-Customers

On behalf of our business clients, we process the following information about their end-customers:

Booking Data

  • Name, email address, and phone number
  • Vehicle information (year, make, model) for automotive service businesses
  • Appointment date, time, service type, and any notes provided

Contact Form Submissions

  • Name, email address, and phone number
  • Message content

SMS Data

  • Phone numbers and message content
  • Message delivery status
  • Opt-out preferences and consent records

5. How We Use Information

We use the information described above for the following purposes:

  • Provide and maintain the platform: operate the website builder, hosting, business dashboard, and booking system
  • Process bookings: create, confirm, and manage appointments on behalf of client businesses
  • Send appointment communications: deliver confirmation emails and SMS messages, appointment reminders, and status updates to end-customers
  • Process payments: facilitate subscription billing through Square
  • Generate reports: provide business analytics, booking summaries, and operational reports to clients via the dashboard
  • Send operational emails: deliver daily digests, billing notifications, and account-related messages to clients
  • Improve the platform: analyze aggregated, non-personal usage data to enhance features and fix issues

We do not sell, rent, or trade personal information to third parties for marketing purposes. We do not sell personal information under any circumstances.

6. Third-Party Service Providers (Sub-Processors)

We use the following trusted third-party service providers to operate our platform. Each provider receives only the minimum data necessary to perform its function. For the canonical list with categories of data accessed and region of operation, see /subprocessors; this page is updated whenever our sub-processor relationships change.

Supabase — Database Hosting

Our PostgreSQL database is hosted by Supabase. All client and end-customer data stored in our database resides on Supabase infrastructure in the United States. Supabase provides encryption at rest and row-level security. For details, see the Supabase Privacy Policy.

Cloudflare — Website Hosting, CDN, Edge Computing, and Bot Protection

Client websites and the HelpWin platform are deployed on Cloudflare Pages with Cloudflare Workers for backend logic. Cloudflare provides CDN delivery, DDoS protection, and bot protection through Cloudflare Turnstile (a privacy-respecting CAPTCHA used on the platform's authentication pages). Cloudflare may process technical data such as IP addresses and browser characteristics as part of delivering web content and verifying that visitors are not automated bots. For details, see the Cloudflare Privacy Policy and the Turnstile product page.

Square — Payment Processing

Subscription billing and payment processing are handled by Square, which is PCI DSS Level 1 certified. HelpWin never stores, processes, or has access to credit card numbers or payment card data. All payment information is collected and managed directly by Square. For details, see the Square Privacy Policy.

Twilio — SMS Delivery

We use Twilio as a fallback provider for delivering SMS text messages (appointment confirmations, reminders, and status updates) to end-customers. Phone numbers and message content are shared with Twilio for delivery purposes. For details, see the Twilio Privacy Policy.

Resend — Email Delivery

We use Resend to deliver transactional emails, including appointment confirmations, daily digest reports, and billing notifications. Email addresses and message content are shared with Resend for delivery purposes. For details, see the Resend Privacy Policy.

Plausible Analytics — Website Analytics

We use Plausible Analytics for privacy-respecting, cookie-free website analytics on our marketing site. Plausible does not use cookies, does not collect personal data, does not track users across websites, and is fully compliant with GDPR, CCPA, and PECR without requiring a cookie consent banner. All analytics data is aggregated and anonymous. For details, see the Plausible Data Policy.

Sentry — Application Error Tracking

We use Sentry (operated by Functional Software Inc.) for application error tracking and performance monitoring. When an error occurs in the platform, we capture technical metadata about the error, including the URL where the error occurred, a timestamp, the user agent, and the error stack trace, to diagnose and fix issues. Our Sentry integration is configured with personal-information scrubbing rules that remove identifiers (such as email addresses, phone numbers, and customer names) from error events before they are transmitted to Sentry. For details, see the Sentry Privacy Policy.

7. SMS/Text Message Practices

Types of Messages

End-customers may receive the following types of SMS text messages through our platform:

  • Appointment confirmation messages
  • Appointment reminder messages
  • Appointment status updates (e.g., vehicle ready for pickup)

Consent (TCPA + A2P 10DLC Compliance)

SMS consent is obtained at the time of booking through an explicit opt-in checkbox on the booking form. The consent language identifies the specific client business that will be sending the messages, the categories of messages to be sent (appointment confirmations, reminders, and status updates), the disclosure that message and data rates may apply, and the option to opt out by replying STOP. End-customers must affirmatively consent before any text messages are sent.

For each consent event we record: the consent timestamp (UTC), the IP address of the consenting device, a hash of the form version shown at the moment of consent (so we can reproduce exactly the disclosure language the end-customer saw), the booking record reference, and the specific client business that obtained consent. Consent is scoped per-business, not platform-wide. Consenting to receive messages from one HelpWin client does not constitute consent to messages from any other client.

Outbound SMS is delivered through carrier gateways and, when registered, through Twilio. HelpWin's A2P 10DLC Brand and Campaign registration with The Campaign Registry (TCR) is in progress; carrier-gateway one-way SMS is the active delivery path in the interim. Once Brand and Campaign approval lands, HelpWin will swap to the registered Twilio path.

Frequency

End-customers will typically receive 1 to 3 text messages per appointment. Message frequency varies based on the services booked and the business's communication preferences.

Quiet Hours

Outbound non-emergency messages are sent only during 8:00 AM to 9:00 PM local recipient time, consistent with the industry standard. Booking-emergency messages (e.g., an urgent reschedule from the shop) may be delivered outside these hours where the end-customer's appointment is materially affected.

Opt-Out

End-customers may opt out of SMS messages at any time by replying STOP (or any standard opt-out keyword) to any message received from the platform. Opt-out requests propagate immediately across the platform for the originating client business. The opt-out is honored within minutes of receipt and confirmed by an automated reply. Once opted out, no further text messages will be sent unless the end-customer affirmatively re-consents.

Costs

Message and data rates may apply depending on your mobile carrier and plan. HelpWin does not charge for text messages, but standard carrier rates apply.

Opt-Out Records

We maintain opt-out records indefinitely to ensure that opted-out phone numbers do not receive future messages, in compliance with the Telephone Consumer Protection Act (TCPA).

No Sharing for Third-Party Marketing

Mobile information collected for SMS communications will not be shared with or sold to third parties or affiliates for their marketing or promotional purposes. SMS data is processed solely to deliver booking-related messages on behalf of the client business that obtained consent.

8. Cookies and Local Storage

Marketing Website (helpwin.net)

Our marketing website does not use any tracking cookies. Plausible Analytics is entirely cookie-free. No cookie consent banner is required.

Business Dashboard

The dashboard uses sessionStorage to maintain login sessions. Session data is cleared automatically when the browser tab is closed and has an 8-hour inactivity timeout. This is not a tracking cookie and contains no personal information beyond authentication state.

Website Builder

The builder tool uses localStorage to auto-save site content while a client is editing. This data contains only website content (text, layout settings) and is stored locally in the client's browser.

Third-Party Tracking

We do not use any third-party tracking cookies anywhere on our platform.

9. Data Retention

We retain data for the minimum period necessary to fulfill the purposes described in this policy and to comply with legal obligations:

  • Active client accounts: retained for the duration of the active subscription
  • Booking records: 3 years after the appointment date
  • SMS logs and consent records: retained indefinitely for TCPA compliance
  • Contact form submissions: 2 years after submission
  • Billing records: 7 years per federal and state tax requirements
  • Post-termination: upon subscription cancellation, client data is available for export for 30 days, after which it is permanently deleted within 60 days

10. Data Security

We implement industry-standard security measures to protect the information we handle:

  • Encryption in transit: all data transmitted between users and our platform is encrypted using HTTPS/TLS, enforced via HTTP Strict Transport Security (HSTS)
  • Encryption at rest: database storage is encrypted at the disk level via Supabase PostgreSQL encryption
  • Row-Level Security: all database tables are protected by PostgreSQL Row-Level Security (RLS) policies, ensuring clients can only access their own data
  • Security headers: Content Security Policy (CSP), X-Content-Type-Options, X-Frame-Options, and other protective headers are enforced
  • Cybersecurity program: our internal security program is aligned to CIS Controls v8 IG1 and the Ohio Data Protection Act safe-harbor framework. The program covers detection, response, vendor review, and incident handling.
  • Vendor security review program: each named sub-processor (see /subprocessors) is reviewed on an ongoing cadence for SOC 2 / ISO 27001 status, data residency, DPA terms, and reported incidents. New sub-processors are onboarded only after this review completes.
  • Payment isolation: credit card data is never stored on our servers; all payment processing is handled by PCI DSS Level 1 certified Square
  • Employee PINs: stored for dashboard access functionality. PINs are visible to HelpWin administrators for support purposes (e.g., assisting clients who are locked out)

While we take reasonable precautions to protect your data, no method of electronic storage or transmission over the Internet is 100% secure. We cannot guarantee absolute security.

Breach Notification Commitment

If we discover a security incident affecting your personal data, we will notify you within 72 hours of becoming aware of it. Notification will be made to the email address on file for B2B clients, and where reasonably possible directly to affected end-customers, with a description of the incident, the categories of data affected, the steps we have taken in response, and recommended actions you may take. This 72-hour commitment is consistent with the GDPR Article 33 default and exceeds the "best efforts" stance that is typical in our industry. We maintain an internal detection-to-notification SLA designed to meet this commitment with margin to spare.

11. Your Privacy Rights — California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information:

Your Rights

  • Right to Know: you have the right to request that we disclose what personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it
  • Right to Delete: you have the right to request deletion of personal information we have collected from you, subject to certain exceptions
  • Right to Correct: you have the right to request correction of inaccurate personal information
  • Right to Opt-Out of Sale or Sharing: We do NOT sell or share personal information for cross-context behavioral advertising. There is no need to opt out because we never engage in these practices.
  • Right to Non-Discrimination: we will not discriminate against you for exercising any of your CCPA rights. Exercising your rights will not affect the quality or pricing of our services.

Categories of Personal Information Collected in the Prior 12 Months

Category | Examples | Collected
Identifiers | Name, email address, phone number, mailing address | Yes
Commercial Information | Subscription plan, billing history, services purchased | Yes
Internet/Electronic Activity | Dashboard login timestamps, session activity, settings changes | Yes
Professional/Employment Info | Business name, industry, employee roles and schedules | Yes
Vehicle Information | Year, make, and model (for automotive service businesses) | Yes

Categories of Sources

  • Directly from you: information provided during account registration, dashboard use, and communications
  • From client businesses: end-customer data submitted through booking widgets and contact forms
  • Automatically: login timestamps and session data collected during platform use

Business Purpose for Collection

  • Service delivery: building, hosting, and managing websites and booking systems
  • Communications: appointment confirmations, reminders, and operational notifications
  • Billing: processing subscription payments and maintaining financial records

Categories Shared with Third Parties

We share personal information only with service providers who need it to perform services on our behalf:

  • Supabase: database hosting and storage
  • Cloudflare: website hosting, CDN, security, and bot protection (Turnstile)
  • Square: payment processing
  • Twilio: SMS delivery
  • Resend: email delivery
  • Sentry: application error tracking (with personal-information scrubbing)

We do NOT sell personal information. We have not sold personal information in the preceding 12 months.

How to Submit a CCPA Request

To exercise any of your rights under the CCPA, please contact us at admin@helpwin.net with the subject line "Privacy Request." We will verify your identity within 10 business days and fulfill your request within 45 calendar days of receiving your verified request. If we need additional time, we will notify you of the reason and extension period (up to an additional 45 days).

You may also designate an authorized agent to make a request on your behalf. We may require proof of authorization before processing such requests.

12. Other State Privacy Laws

In addition to the CCPA, four additional state privacy laws expressly apply to HelpWin if you are a resident of the state in question: the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Utah Consumer Privacy Act (UCPA), and the Connecticut Data Privacy Act (CTDPA). Other states (including Texas, Oregon, Montana, Indiana, Tennessee, Iowa, Delaware, New Jersey, New Hampshire, Kentucky, Minnesota, Maryland, and Rhode Island) have enacted similar laws, and we extend the rights described below to residents of those states on the same terms.

Common Rights Across All Covered States

If you are a resident of any of the states named above, you have at minimum the following rights with respect to your personal data:

  • Right of Access: request confirmation of whether we process your personal data and a copy of that data
  • Right of Deletion: request deletion of personal data we have collected, subject to applicable exceptions
  • Right of Portability: request a copy of your personal data in a portable, machine-readable format where technically feasible
  • Right to Opt Out of Sale: opt out of the sale of personal data. HelpWin does not sell personal data, so there is nothing to opt out of in this respect.
  • Right to Opt Out of Targeted Advertising: opt out of the processing of personal data for targeted advertising. HelpWin does not engage in targeted advertising and does not share personal data with third parties for targeted advertising purposes.

Virginia Residents (VCDPA)

If you are a Virginia resident, you also have the right to correct inaccurate personal data that we maintain about you, and the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. HelpWin does not engage in such profiling. If we deny your request, you have the right to appeal our decision; appeals should be sent to admin@helpwin.net with the subject line "Privacy Request Appeal" and will receive a substantive response within 60 days. If your appeal is denied you may contact the Virginia Attorney General to submit a complaint.

Colorado Residents (CPA)

If you are a Colorado resident, you also have the right to correct inaccurate personal data, the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects (which we do not engage in), and the right to appeal a denied request (same appeal process and 60-day response window as described above for Virginia). You may also exercise opt-out rights through a recognized Universal Opt-Out Mechanism (UOOM), including signals communicated through Global Privacy Control (GPC). We honor GPC signals where technically feasible.

Utah Residents (UCPA)

If you are a Utah resident, your rights are the access, deletion, portability, opt-out of sale, and opt-out of targeted advertising rights described above. UCPA does not require correction rights, appeal mechanisms, or profiling opt-outs, but HelpWin will reasonably accommodate correction requests from Utah residents as a matter of practice. To exercise your rights, contact us at admin@helpwin.net.

Connecticut Residents (CTDPA)

If you are a Connecticut resident, you also have the right to correct inaccurate personal data, the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects (which we do not engage in), and the right to appeal a denied request (same appeal process and 60-day response window). Connecticut residents may also exercise opt-out rights through a recognized Universal Opt-Out Mechanism (UOOM), including Global Privacy Control signals. We honor GPC signals where technically feasible.

How to Submit a State Privacy Rights Request

To exercise any of these rights, contact us at admin@helpwin.net with the subject line "Privacy Request" and identify the state whose law you are invoking. We will verify your identity within 10 business days and respond within 45 calendar days, with one possible 45-day extension if necessary (you will be notified of the extension and the reason for it). If you are submitting a request through an authorized agent, we may require proof of authorization.

We will not discriminate against you for exercising any privacy right described in this section. Exercising your rights will not affect the quality, availability, or pricing of HelpWin's services.

13. Children's Privacy

HelpWin's services are not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal information from a child under 13, we will take steps to delete that information as promptly as possible. If you believe we have collected information from a child under 13, please contact us at admin@helpwin.net.

14. International Users

HelpWin operates entirely in the United States. All data is stored and processed within the United States using US-based infrastructure providers. If you access our platform from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country of residence.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements.

  • For material changes, we will notify affected users via email at least 30 days before the changes take effect.
  • The updated policy will be posted on this page with a revised effective date.
  • Prior versions of this Privacy Policy are available upon request by emailing admin@helpwin.net.

Continued use of our services after the updated policy takes effect constitutes acceptance of the revised terms.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or how your data is handled, please contact us:

HelpWin LLC
Toledo, Ohio
admin@helpwin.net
helpwin.net

For CCPA or other privacy rights requests, email admin@helpwin.net with the subject line "Privacy Request."


See also our Terms of Service.
