Privacy Policy
Last updated:
This Privacy Policy describes how PARROT PARTNERS, SOCIEDAD LIMITADA. ("Provider", "we", or "us") collects, processes, and protects personal data in connection with the Helios software-as-a-service platform ("Service") and our website at gethelios.io.
This policy is issued in compliance with Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR"), the UK General Data Protection Regulation ("UK GDPR"), Spain's Organic Law 3/2018 (LOPDGDD), and other applicable data protection legislation.
1. Data Controller
Corporate Name: PARROT PARTNERS, SOCIEDAD LIMITADA.
Tax Identification Number (CIF): B75733972
Economic Activity: Marketing and digital consulting services (CNAE 7311)
Registered Office: Calle Cristofor Colom, 4-6, 43001 Tarragona, Spain
Data Protection Contact: [email protected]
2. Scope and Roles
This Privacy Policy covers two distinct processing activities:
- Processing where we are the Data Controller (Sections 3–10): Personal data we collect directly from website visitors, platform users, and business contacts for our own purposes (account management, website analytics, communications).
- Processing where we are the Data Processor (Section 11): Business data from our clients' integrated systems (point-of-sale, booking, subscription, inventory platforms) that we process on their behalf through the Helios platform. This processing is governed by a separate Data Processing Agreement (DPA) between us and the client.
If you are a customer, employee, or contact of one of our clients and have questions about how your data is processed through Helios, please contact the relevant client directly, as they are the Data Controller for that data.
3. Data We Collect as Controller
3.1 Data Provided by You
| Category | Data Elements |
|---|---|
| Identification Data | Full name, email address, company name, professional title |
| Account Data | Authentication credentials (stored in encrypted form), account preferences, timezone and language settings |
| Communications | Correspondence, support requests, feedback submissions |
| Conversation Data | Questions submitted through the AI chat interface, AI-generated responses, and associated metadata |
3.2 Data Collected Automatically
| Category | Data Elements |
|---|---|
| Technical Data | IP address, browser type and version, device type, operating system |
| Usage Data | Pages accessed, features used, session duration, interaction patterns |
| Query Data | Database queries executed through the Service (for performance monitoring and error resolution) |
4. Purposes and Legal Bases
| Processing Purpose | Legal Basis (GDPR Article 6(1)) |
|---|---|
| Provision of the Service, including account management and AI-assisted analytics | Performance of contract (Art. 6(1)(b)) |
| Response to enquiries and provision of technical support | Performance of contract (Art. 6(1)(b)) |
| Service improvement, usage analytics, error correction, and feature development | Legitimate interest (Art. 6(1)(f)) |
| Security measures, fraud prevention, and protection of Service integrity | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications (where consent obtained) | Consent (Art. 6(1)(a)) |
| Compliance with legal and regulatory obligations, including tax requirements | Legal obligation (Art. 6(1)(c)) |
Where processing is based on legitimate interest, we have conducted a balancing test to ensure that such interests are not overridden by the fundamental rights and freedoms of data subjects.
5. Data Recipients
| Recipient Category | Processing Purpose |
|---|---|
| Cloud Infrastructure Providers | Hosting, storage, compute, and database services |
| AI Service Providers | Generation of business insights through the conversational interface (see Section 9) |
| Authentication Providers | User login and access management |
| Email Service Providers | Transactional notifications and, where consented, marketing communications |
| Analytics Providers | Analysis of Service usage (aggregated and anonymised where possible) |
| Third-Party Platforms | Data extraction from platforms connected by the User (e.g. point-of-sale, booking systems) |
| Legal and Regulatory Authorities | Compliance with legal obligations and protection of legal rights |
All data processors are bound by Data Processing Agreements in accordance with Article 28 GDPR. We do not sell personal data to third parties.
6. International Data Transfers
Personal data may be transferred to recipients located outside the European Economic Area (EEA), including the United States. Such transfers are conducted in compliance with Chapter V of the GDPR and are protected by appropriate safeguards, including:
- Transfers to countries with an adequacy decision pursuant to Article 45 GDPR;
- Transfers subject to Standard Contractual Clauses adopted by the European Commission pursuant to Article 46(2)(c) GDPR; and
- Transfers to organisations certified under the EU-US Data Privacy Framework.
You may request a copy of the applicable transfer safeguards by contacting [email protected].
7. Data Retention
We retain personal data only as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. The criteria we use to determine retention periods include:
- Account and conversation data: Retained for the duration of your contractual relationship with us. Users may delete individual conversations at any time.
- Financial and billing records: Retained for the period required by applicable tax legislation.
- Technical and security logs: Retained for a limited period necessary for security monitoring, error resolution, and service improvement.
When the retention period expires, or when you terminate your account, personal data is securely deleted or irreversibly anonymised. Data processed on behalf of our clients (where we act as Processor) is handled in accordance with the applicable Data Processing Agreement.
8. Data Subject Rights
Pursuant to Articles 15–22 GDPR and Title III LOPDGDD, you are entitled to the following rights:
| Right | Description |
|---|---|
| Access (Art. 15) | Obtain confirmation of processing and access to your personal data |
| Rectification (Art. 16) | Request correction of inaccurate or incomplete personal data |
| Erasure (Art. 17) | Request deletion of your personal data where applicable grounds exist |
| Restriction (Art. 18) | Request limitation of processing in specified circumstances |
| Data Portability (Art. 20) | Receive your personal data in a structured, machine-readable format |
| Object (Art. 21) | Object to processing based on legitimate interests or direct marketing |
| Withdraw Consent | Withdraw previously granted consent at any time without affecting the lawfulness of prior processing |
Exercise of Rights
Requests should be submitted to [email protected] and must include: (i) identification of the data subject; (ii) specification of the right(s) to be exercised; and (iii) contact details for response. We shall respond within one (1) month, which may be extended by two (2) additional months for complex requests.
9. AI Processing
The Service provides AI-assisted business insights through a conversational interface. When you submit a query:
- The Service executes database queries against your connected business data.
- Query results, which may include personal data from your integrated systems, are transmitted to an AI service provider for interpretation.
- The AI service provider generates a response based on the query results.
- The conversation (your question and the AI response) is stored to provide conversation history.
We do not use your data to train AI models. We do not allow third-party AI service providers to use your data for model training. AI service providers process data only for the duration of the request. They may retain data temporarily (typically up to 30 days) for safety and abuse monitoring purposes, in accordance with their own data processing terms.
The Service does not make automated decisions producing legal effects or similarly significant effects concerning you within the meaning of Article 22 GDPR. AI-generated insights are provided as analytical support for human decision-making.
10. Cookies and Similar Technologies
The Service uses cookies and similar technologies for the following purposes:
- Strictly Necessary Cookies: Essential for authentication, session management, and security. No consent required pursuant to Article 22(2) LSSI-CE.
- Analytics Cookies: Collection of usage statistics for Service improvement. Deployed only upon obtaining valid consent.
Cookie preferences may be managed through the consent mechanism provided on the Service or through browser settings.
11. Processing on Behalf of Clients
Where the Service integrates with a client's business systems (such as point-of-sale, booking, subscription, or inventory platforms), the client is the Data Controller and we act as Data Processor. This processing is governed by a separate Data Processing Agreement between us and the client.
Data processed in this capacity may include contact information, transaction and order data, booking and appointment records, subscription and membership data, and staff records belonging to the client's customers and business contacts.
If you are a customer, employee, or contact of one of our clients and wish to exercise your data protection rights, please contact the client directly. We will assist the client in responding to your request in accordance with our obligations under the DPA.
12. Data Security
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data in transit (TLS 1.2+) and at rest;
- Cryptographic hashing of authentication credentials;
- Role-based access control and multi-factor authentication;
- Database query validation and injection prevention;
- Tenant isolation in multi-tenant environments;
- Regular security assessments;
- Confidentiality obligations for all personnel with access to personal data.
In the event of a personal data breach likely to result in a risk to the rights and freedoms of data subjects, we shall notify the Agencia Española de Protección de Datos (AEPD) within seventy-two (72) hours and inform affected data subjects without undue delay where required by Article 34 GDPR.
13. Minimum Age
The Service is provided exclusively on a business-to-business basis and is intended for use by professionals aged eighteen (18) years or older. We do not knowingly collect or process personal data of minors.
14. Modifications to This Policy
We reserve the right to modify this Privacy Policy. Material modifications shall be communicated via email or prominent notice on the Service no less than thirty (30) days prior to the effective date. Continued use of the Service following notification constitutes acknowledgement of the modified policy.
15. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority.
Spain: Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6, 28001 Madrid
Website: www.aepd.es
United Kingdom: Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow SK9 5AF
Website: www.ico.org.uk
For other EU/EEA member states, a list of supervisory authorities is available at edpb.europa.eu.
16. Contact
For enquiries regarding this Privacy Policy or the processing of personal data:
Email: [email protected]
Post: PARROT PARTNERS, S.L.
Data Protection
Calle Cristofor Colom, 4-6
43001 Tarragona, Spain