HelpWin LLC ("HelpWin," "we," "us," or "our") is a business-to-business software-as-a-service platform that builds, hosts, and manages websites and online booking systems for small service businesses such as auto repair shops, salons, and similar local businesses. HelpWin LLC is organized under the laws of Ohio and operates in the United States.
This Privacy Policy describes how we collect, use, disclose, and protect information in connection with our platform, including our website at helpwin.net, the business dashboard, the embeddable booking widget, and all related services. It applies to our B2B clients (business owners who subscribe to HelpWin) as well as end-customers of those businesses who interact with our platform by booking appointments or submitting contact forms.
By using HelpWin's services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with these practices, please do not use our services.
HelpWin operates under a dual data model. It is important to understand the distinction between the two categories of data we handle:
This is the information we collect directly from business owners who subscribe to HelpWin. For this data, HelpWin acts as the data controller — we determine the purposes and means of processing.
This is the information about the customers of our clients — people who book appointments, submit contact forms, or receive SMS messages through the HelpWin platform. For this data, HelpWin acts as a data processor, handling information on behalf of and under the direction of our clients. The client (the business owner) is the data controller for their end-customers' data and is responsible for maintaining their own privacy practices and disclosures to their customers.
If you are an end-customer of a business that uses HelpWin, please also refer to that business's own privacy policy for information about how they handle your data.
When you sign up for HelpWin and use our platform as a business client, we collect the following categories of information:
On behalf of our business clients, we process the following information about their end-customers:
We use the information described above for the following purposes:
We do not sell, rent, or trade personal information to third parties for marketing purposes. We do not sell personal information under any circumstances.
We use the following trusted third-party service providers to operate our platform. Each provider receives only the minimum data necessary to perform its function. For the canonical list with categories of data accessed and region of operation, see /subprocessors; this page is updated whenever our sub-processor relationships change.
Our PostgreSQL database is hosted by Supabase. All client and end-customer data stored in our database resides on Supabase infrastructure in the United States. Supabase provides encryption at rest and row-level security. For details, see the Supabase Privacy Policy.
Client websites and the HelpWin platform are deployed on Cloudflare Pages with Cloudflare Workers for backend logic. Cloudflare provides CDN delivery, DDoS protection, and bot protection through Cloudflare Turnstile (a privacy-respecting CAPTCHA used on the platform's authentication pages). Cloudflare may process technical data such as IP addresses and browser characteristics as part of delivering web content and verifying that visitors are not automated bots. For details, see the Cloudflare Privacy Policy and the Turnstile product page.
Subscription billing and payment processing are handled by Square, which is PCI DSS Level 1 certified. HelpWin never stores, processes, or has access to credit card numbers or payment card data. All payment information is collected and managed directly by Square. For details, see the Square Privacy Policy.
We use Twilio as a fallback provider for delivering SMS text messages (appointment confirmations, reminders, and status updates) to end-customers. Phone numbers and message content are shared with Twilio for delivery purposes. For details, see the Twilio Privacy Policy.
We use Resend to deliver transactional emails, including appointment confirmations, daily digest reports, and billing notifications. Email addresses and message content are shared with Resend for delivery purposes. For details, see the Resend Privacy Policy.
We use Plausible Analytics for privacy-respecting, cookie-free website analytics on our marketing site. Plausible does not use cookies, does not collect personal data, does not track users across websites, and is fully compliant with GDPR, CCPA, and PECR without requiring a cookie consent banner. All analytics data is aggregated and anonymous. For details, see the Plausible Data Policy.
We use Sentry (operated by Functional Software Inc.) for application error tracking and performance monitoring. When an error occurs in the platform, we capture technical metadata about the error, including the URL where the error occurred, a timestamp, the user agent, and the error stack trace, to diagnose and fix issues. Our Sentry integration is configured with personal-information scrubbing rules that remove identifiers (such as email addresses, phone numbers, and customer names) from error events before they are transmitted to Sentry. For details, see the Sentry Privacy Policy.
End-customers may receive the following types of SMS text messages through our platform:
SMS consent is obtained at the time of booking through an explicit opt-in checkbox on the booking form. The consent language identifies the specific client business that will be sending the messages, the categories of messages to be sent (appointment confirmations, reminders, and status updates), the disclosure that message and data rates may apply, and the option to opt out by replying STOP. End-customers must affirmatively consent before any text messages are sent.
For each consent event we record: the consent timestamp (UTC), the IP address of the consenting device, a hash of the form version shown at the moment of consent (so we can reproduce exactly the disclosure language the end-customer saw), the booking record reference, and the specific client business that obtained consent. Consent is scoped per business, not platform-wide. Consenting to receive messages from one HelpWin client does not constitute consent to receive messages from any other client.
Outbound SMS through carrier gateways is delivered under HelpWin's A2P 10DLC registration with The Campaign Registry (TCR), with brand and campaigns registered in compliance with carrier requirements.
End-customers will typically receive 1 to 3 text messages per appointment. Message frequency varies based on the services booked and the business's communication preferences.
Outbound non-emergency messages are sent only between 8:00 AM and 9:00 PM in the recipient's local time, consistent with industry standards. Booking-emergency messages (e.g., an urgent reschedule from the shop) may be delivered outside these hours where the end-customer's appointment is materially affected.
End-customers may opt out of SMS messages at any time by replying STOP (or any standard opt-out keyword) to any message received from the platform. Opt-out requests propagate immediately across the platform for the originating client business. The opt-out is honored within minutes of receipt and confirmed by an automated reply. Once opted out, no further text messages will be sent unless the end-customer affirmatively re-consents.
Message and data rates may apply depending on your mobile carrier and plan. HelpWin does not charge for text messages, but standard carrier rates apply.
We maintain opt-out records indefinitely to ensure that opted-out phone numbers do not receive future messages, in compliance with the Telephone Consumer Protection Act (TCPA).
Mobile information collected for SMS communications will not be shared with or sold to third parties or affiliates for their marketing or promotional purposes. SMS data is processed solely to deliver booking-related messages on behalf of the client business that obtained consent.
Our marketing website does not use any tracking cookies. Plausible Analytics is entirely cookie-free. No cookie consent banner is required.
The dashboard uses sessionStorage to maintain login sessions. Session data is cleared automatically when the browser tab is closed and has an 8-hour inactivity timeout. This is not a tracking cookie and contains no personal information beyond authentication state.
The builder tool uses localStorage to auto-save site content while a client is editing. This data contains only website content (text, layout settings) and is stored locally in the client's browser.
We do not use any third-party tracking cookies anywhere on our platform.
We retain data for the minimum period necessary to fulfill the purposes described in this policy and to comply with legal obligations:
We implement industry-standard security measures to protect the information we handle:
While we take reasonable precautions to protect your data, no method of electronic storage or transmission over the Internet is 100% secure. We cannot guarantee absolute security.
If we discover a security incident affecting your personal data, we will notify you within 72 hours of becoming aware of it. Notification will be made to the email address on file for B2B clients, and where reasonably possible directly to affected end-customers, with a description of the incident, the categories of data affected, the steps we have taken in response, and recommended actions you may take. This 72-hour commitment is consistent with the GDPR Article 33 default and exceeds the "best efforts" stance that is typical in our industry. We maintain an internal detection-to-notification SLA designed to meet this commitment with margin to spare.
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information:
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email address, phone number, mailing address | Yes |
| Commercial Information | Subscription plan, billing history, services purchased | Yes |
| Internet/Electronic Activity | Dashboard login timestamps, session activity, settings changes | Yes |
| Professional/Employment Info | Business name, industry, employee roles and schedules | Yes |
| Vehicle Information | Year, make, and model (for automotive service businesses) | Yes |
We share personal information only with service providers who need it to perform services on our behalf:
We do NOT sell personal information. We have not sold personal information in the preceding 12 months.
To exercise any of your rights under the CCPA, please contact us at [email protected] with the subject line "Privacy Request." We will verify your identity within 10 business days and fulfill your request within 45 calendar days of receiving your verified request. If we need additional time, we will notify you of the reason and extension period (up to an additional 45 days).
You may also designate an authorized agent to make a request on your behalf. We may require proof of authorization before processing such requests.
In addition to the CCPA, four additional state privacy laws expressly apply to HelpWin if you are a resident of the state in question: the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Utah Consumer Privacy Act (UCPA), and the Connecticut Data Privacy Act (CTDPA). Other states (including Texas, Oregon, Montana, Indiana, Tennessee, Iowa, Delaware, New Jersey, New Hampshire, Kentucky, Minnesota, Maryland, and Rhode Island) have enacted similar laws, and we extend the rights described below to residents of those states on the same terms.
If you are a resident of any of the states named above, you have at minimum the following rights with respect to your personal data:
If you are a Virginia resident, you also have the right to correct inaccurate personal data that we maintain about you, and the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. HelpWin does not engage in such profiling. If we deny your request, you have the right to appeal our decision; appeals should be sent to [email protected] with the subject line "Privacy Request Appeal" and will receive a substantive response within 60 days. If your appeal is denied you may contact the Virginia Attorney General to submit a complaint.
If you are a Colorado resident, you also have the right to correct inaccurate personal data, the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects (which we do not engage in), and the right to appeal a denied request (same appeal process and 60-day response window as described above for Virginia). You may also exercise opt-out rights through a recognized Universal Opt-Out Mechanism (UOOM), including signals communicated through Global Privacy Control (GPC). We honor GPC signals where technically feasible.
If you are a Utah resident, your rights are the access, deletion, portability, opt-out of sale, and opt-out of targeted advertising rights described above. UCPA does not require correction rights, appeal mechanisms, or profiling opt-outs, but HelpWin will reasonably accommodate correction requests from Utah residents as a matter of practice. To exercise your rights, contact us at [email protected].
If you are a Connecticut resident, you also have the right to correct inaccurate personal data, the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects (which we do not engage in), and the right to appeal a denied request (same appeal process and 60-day response window). Connecticut residents may also exercise opt-out rights through a recognized Universal Opt-Out Mechanism (UOOM), including Global Privacy Control signals. We honor GPC signals where technically feasible.
To exercise any of these rights, contact us at [email protected] with the subject line "Privacy Request" and identify the state whose law you are invoking. We will verify your identity within 10 business days and respond within 45 calendar days, with one possible 45-day extension if necessary (you will be notified of the extension and the reason for it). If you are submitting a request through an authorized agent, we may require proof of authorization.
We will not discriminate against you for exercising any privacy right described in this section. Exercising your rights will not affect the quality, availability, or pricing of HelpWin's services.
HelpWin's services are not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal information from a child under 13, we will take steps to delete that information as promptly as possible. If you believe we have collected information from a child under 13, please contact us at [email protected].
HelpWin operates entirely in the United States. All data is stored and processed within the United States using US-based infrastructure providers. If you access our platform from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country of residence.
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements.
Continued use of our services after the updated policy takes effect constitutes acceptance of the revised terms.
If you have questions, concerns, or requests regarding this Privacy Policy or how your data is handled, please contact us:
HelpWin LLC
Toledo, Ohio
[email protected]
helpwin.net
For CCPA or other privacy rights requests, email [email protected] with the subject line "Privacy Request."
See also our Terms of Service.