Privacy Policy

Helm Labs Ltd — website, consulting services, products & Atlassian Marketplace applications

Document Version: 1.0
Last updated: June 2026
Data Controller: Helm Labs Ltd
Applies to: All Helm Labs services

1. Introduction

Helm Labs Ltd ("Helm Labs", "we", "us", "our"), a company registered in England and Wales, is a specialist validation engineering consultancy. We provide CSA transformation, validation automation and AI governance services to life sciences organisations, and we build software products and applications that support regulated environments — including Helm Compliance, CodeCityScape, Helmic, and our Atlassian Marketplace applications such as DocDelta and Policy Pulse.

We are committed to protecting your privacy and handling your personal data in accordance with applicable data protection law, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and, where relevant, the EU GDPR and other applicable privacy standards.

This Privacy Policy explains what personal data we collect, how we use it, who we share it with, how long we keep it, and what rights you have. It applies to:

By using our website, services, products or applications, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use them.

2. Who We Are and How to Contact Us

Data controller: Helm Labs Ltd is the data controller for personal data we process in connection with our website, marketing and consulting activities. For data you or your organisation put into our products and Atlassian Marketplace applications, we generally act as a data processor on your behalf (see sections 6 and 9).

General & privacy enquiries: info@helmlabs.uk
Product & application support: support@helmlabs.uk
Website: helmlabs.uk

You also have the right to lodge a complaint with a supervisory authority. In the UK this is the Information Commissioner's Office (ICO) — ico.org.uk. We would, however, appreciate the chance to address your concerns before you approach the ICO.

3. What Personal Data We Collect and Why

We collect and use personal data only where we have a lawful basis (e.g. contract, consent, legitimate interest, or legal obligation). The following describes the main categories of data and purposes.

3.1 Website and Marketing

Lawful basis: Legitimate interest (responding to enquiries, website operation and analytics); consent where required (e.g. non-essential cookies and marketing).

3.2 Consulting Engagements

Lawful basis: Performance of a contract; legitimate interest in delivering and administering our services; legal obligation.

3.3 Product and Application Accounts

Lawful basis: Performance of contract; legitimate interest (security, support, product improvement); legal obligation where applicable.

3.4 Billing and Payment

Lawful basis: Performance of contract; legal obligation (tax, accounting).

3.5 Customer Data You Put Into Our Products

When you or your organisation use our products or Atlassian Marketplace applications, you may create or upload data that contains personal data. We process this data only as a processor on your behalf to provide the service, in accordance with our Terms of Service and any data processing agreement. You (or your organisation) remain the data controller for that data; we do not use it for our own purposes except as necessary to operate and support the service, or as required by law.

4. How We Use Your Personal Data

We use personal data to:

We do not sell your personal data to third parties.

5. Who We Share Your Personal Data With

We may share personal data with:

We do not share your personal data with third parties for their own marketing purposes. A current list of sub-processors can be provided on request.

6. Atlassian Marketplace Applications

Data residency: Helm Labs applications follow one of two data models, documented on the relevant application's Marketplace listing page. This mirrors the model described in our Service Level Agreement.

Our applications are distributed through the Atlassian Marketplace and run within your Atlassian environment (Jira, Confluence and/or Atlassian Cloud). How we handle data depends on how the application is architected:

Model: How data is handled

Model A — Third-Party Ecosystem (no Helm Labs retention): The application operates entirely within the Atlassian ecosystem. Helm Labs does not store, retain or copy your data on its own infrastructure. Any processing during operation (e.g. reading records to render a view) is transient. Your data resides within your Atlassian environment and is subject to Atlassian's data protection, security and backup policies.

Model B — Helm Labs Hosted (Helm Labs retention): The application stores data on Helm Labs infrastructure. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256), logically isolated per customer, backed up daily with a 30-day retention period, and accessible only to authorised users and, where operationally necessary, authorised Helm Labs personnel under confidentiality obligations.

When you install an application, it may request scopes/permissions to read or write data within your Atlassian products. These permissions are presented at installation and are limited to what is required for the application to function. Your use of the Atlassian platform itself is governed by Atlassian's own terms and privacy policy.

7. International Transfers

Our services are hosted in the United Kingdom and/or other locations (including via cloud providers such as Amazon Web Services and, for Marketplace applications, Atlassian's cloud infrastructure). If you or your users access our services from outside the UK/EEA, your data may be transferred to and processed in the UK or other countries where we or our service providers operate.

We ensure appropriate safeguards where required by law, including transfers to countries recognised as providing an adequate level of protection (e.g. UK adequacy decisions), and standard contractual clauses (UK and/or EU) or other approved mechanisms where adequacy does not apply. Details of transfer mechanisms can be provided on request.

8. How Long We Keep Your Personal Data

We retain personal data only for as long as necessary to fulfil the purposes set out in this Policy, to comply with our legal, tax and regulatory obligations, and to resolve disputes and enforce our agreements.

Retention periods depend on the type of data and purpose (e.g. account data for the duration of the subscription or engagement and a limited period afterwards; audit logs in line with our retention policy; billing data as required for tax and accounting). After the retention period, we delete or anonymise the data in accordance with our procedures. For Model A applications, retention of data within your Atlassian environment is determined by you and Atlassian.

9. Your Rights (UK GDPR and Applicable Law)

Under the UK GDPR and applicable data protection law, you may have the right to:

To exercise any of these rights, contact us using the details in section 2. We will respond within the time limits required by applicable law (e.g. one month under the UK GDPR, subject to permitted extensions), and may need to verify your identity first. Some rights may be limited (e.g. where we must retain data for legal obligations, or where we act as a processor on behalf of your organisation — in which case we will assist the relevant data controller).

10. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration or disclosure. These include access control, encryption in transit and at rest, secure cloud hosting, audit logging, and incident response procedures. No method of transmission or storage is completely secure, but we work to protect your data and to continuously improve our safeguards.

11. Cookies and Similar Technologies

Our website uses cookies and similar technologies that are necessary for the site to function and, where you consent, to analyse usage and improve the site. You can control non-essential cookies through your browser settings or any cookie controls we provide. Where required by law, we will obtain your consent before placing non-essential cookies.

12. Children

Our services are intended for businesses and organisations and are not directed at individuals under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will take steps to delete it.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services or the law. We will post the updated policy on our website and, where appropriate, notify you. The "Last updated" date at the top indicates when the policy was last revised. We encourage you to review this policy periodically.

14. Contact

Registered Company: Helm Labs Ltd — registered in England and Wales
General & privacy enquiries: info@helmlabs.uk
Product & application support: support@helmlabs.uk

See also our Terms of Service and Service Level Agreement.