Privacy Policy

Effective Date: June 27, 2026 · Version 1.1

Helmsted, Inc. ("Helmsted," "we," "our," or "us") is a Delaware corporation committed to protecting the privacy and security of the information entrusted to us. This Privacy Policy describes how we collect, use, store, and share information in connection with our platform and services (the "Services").

Helmsted provides an AI-powered operating system designed for independent registered investment advisers ("RIAs"). Our platform helps advisors orchestrate client communications, analyze financial information, automate meeting documentation, and streamline planning workflows, all from a single, communication-first workspace.

1. Scope of This Policy

This Privacy Policy applies to:

• Financial advisors and firms using Helmsted
• End clients of those advisors whose data may be processed through Helmsted
• Visitors to our website and users of our platform

Helmsted acts as a service provider (processor) on behalf of RIAs, who maintain the primary relationship with their clients and act as the data controller. Advisors determine the purposes and means of processing their client data through our platform.

2. Information We Collect

A. Information Provided Directly

• Name, email address, phone number, and professional credentials
• Firm name, CRD number, and professional affiliation
• Account login credentials
• Communications processed through the platform (messages, emails, meeting notes, call transcripts)
• Documents uploaded to the platform (e.g., tax returns, estate documents, financial statements, insurance policies)

B. Financial and Planning Data

• Assets, liabilities, income, and expenses
• Investment holdings and custodial account data
• Insurance, estate, and trust documentation
• Other financial information provided by advisors or their clients for planning purposes

C. Communication and Recording Data

• Audio recordings of calls and meetings conducted through or connected to the platform
• Transcriptions generated from recorded calls and meetings
• Automated meeting summaries, action items, and follow-up recommendations
• Email content and metadata processed through integrated email accounts

Advisors are responsible for obtaining appropriate consent from their clients and all meeting participants prior to recording calls or meetings through Helmsted, in compliance with applicable federal and state laws.

D. Automatically Collected Information

• Device and browser information
• IP address and approximate location data
• Usage data (features used, interactions, session duration, and activity patterns)

E. AI-Derived Data

• Structured data extracted from uploaded documents
• Summaries, insights, and planning considerations generated by AI systems
• Metadata and contextual relationships identified across financial data points
• Proactive alerts based on regulatory changes, market conditions, or client-specific triggers

3. How We Use Information

We use collected information to:

• Provide, operate, maintain, and improve the Services
• Process, organize, and structure financial and client data
• Generate insights, summaries, action items, and planning outputs
• Facilitate and document communication between advisors and clients
• Record and transcribe calls and meetings as directed by advisors
• Deliver proactive alerts regarding regulatory or legislative changes that may impact clients
• Maintain system security, integrity, and performance
• Comply with legal, regulatory, and compliance obligations
• Develop new features and functionality

Helmsted does not provide financial advice to end clients. All advice, recommendations, and planning decisions remain the sole responsibility of the advisor. Helmsted's AI-generated outputs are assistive in nature and are intended to support, not replace, professional judgment.

4. Data Minimization and Access Controls

Helmsted employs a task-scoped, need-to-know approach to data access. When our AI systems process a client's information:

• Only the data fields relevant to the specific task at hand are assembled and provided to the AI model
• Sensitive personal identifiers are masked at the application layer before data reaches the model
• No more data than is necessary for a given operation is ever exposed to any processing system

This principle of least-privilege access applies across the platform, ensuring that data exposure is always proportional to the task being performed.

5. AI Processing — Zero Data Retention

Helmsted holds a Zero Data Retention (ZDR) agreement with Anthropic, PBC, our AI API provider. Under this agreement, Anthropic does not retain any input or output data after an API call completes — data is processed in memory and immediately discarded. This means advisor and client data submitted for AI analysis is never stored by Anthropic and cannot be used for model training, fine-tuning, or any other purpose.

Helmsted does not use advisor or client data to train AI models. Your data is used solely to provide the Services to you. We will maintain this ZDR agreement or equivalent protections for any AI API provider we use to process advisor or client data.

6. Role of Advisors and Client Data

If you are an end client of an advisor using Helmsted:

• Your advisor controls how your data is collected, used, and processed through our platform
• Helmsted processes your data on behalf of and as directed by your advisor
• Requests regarding access to, correction of, or deletion of your data should be directed to your advisor
• Your advisor is responsible for providing you with notice about their use of Helmsted and obtaining any required consents

7. Sharing of Information

We do not sell personal information.

We may share information in the following limited circumstances:

A. With Advisors and Their Firms

Data is accessible to authorized users within the advisor's organization as configured by the firm's administrator.

B. Service Providers

We work with carefully selected third-party service providers for cloud hosting, data storage, processing infrastructure, and AI services. All service providers are bound by strict confidentiality obligations and data processing agreements. A current list of subprocessors is available from Helmsted on request. Separately, where you and your adviser approve, we make information you designate available to third-party service providers you select (such as accountants, attorneys, or insurance professionals), who then handle it under their own terms. Helmsted does not select or endorse providers.

C. Legal and Regulatory Requirements

We may disclose information to comply with applicable laws, regulations, subpoenas, court orders, or legal processes, and to support RIA regulatory obligations including SEC and state recordkeeping requirements.

D. Business Transfers

In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will provide notice of any such transfer and any choices you may have regarding your information.

8. Data Retention

We retain information:

• As long as necessary to provide the Services and maintain your account
• To comply with legal, regulatory, and compliance obligations, including SEC and state RIA recordkeeping requirements, which may require retention for specified periods
• As directed by advisor firms under their data governance policies

Upon account termination, advisors may request export of their data. Certain data may be retained in backup or archival systems for compliance purposes even after deletion requests.

9. Data Portability and Exit

We believe your data belongs to you. Advisor firms may request a complete export of their data at any time in a standard, machine-readable format. Upon termination of services, we will work with you to ensure a complete and orderly transition of your data.

10. Data Security

We implement industry-standard administrative, technical, and physical safeguards to protect information, including:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Role-based access controls and multi-factor authentication
• Comprehensive audit logs and monitoring systems
• Security assessments and monitoring
• Architecture designed to support SOC 2 (certification not yet obtained)

No system can be guaranteed to be completely secure. In the event of a data breach that affects your personal information, we will notify affected parties in accordance with applicable law.

11. Your Rights and Choices

Depending on your jurisdiction, you may have the right to:

• Access your personal data held by us
• Request correction of inaccurate or incomplete data
• Request deletion of your data (subject to regulatory retention requirements)
• Restrict or object to certain processing activities
• Receive your data in a portable format

If you are a client of an advisor using Helmsted, please contact your advisor directly to exercise these rights, as they are the controller of your data.

If you are an advisor or firm, contact us at privacy@helmsted.ai to exercise your rights.

California Residents (CCPA)

California residents may have additional rights under the California Consumer Privacy Act, including the right to know what personal information is collected, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact us at privacy@helmsted.ai.

12. AI and Automated Processing

Helmsted uses artificial intelligence to:

• Extract and structure information from uploaded documents
• Transcribe and summarize calls, meetings, and communications
• Generate insights, action items, and planning considerations
• Identify proactive planning opportunities and regulatory impacts
• Assist advisors in prioritizing client needs and follow-ups

All AI-generated outputs are assistive in nature. They are designed to augment the advisor's expertise, not replace it. Advisors should review all AI-generated content before relying on it or sharing it with clients.

AI Traceability

Every AI generation event within Helmsted is logged and traceable. Each event is recorded with its inputs, model version, and timestamp. If any AI-generated recommendation or output is ever questioned, we can reconstruct exactly what data was provided and what produced the result.

AI Outputs as Client Communications

Every document, summary, or communication generated by the platform is logged with a delivery timestamp and flagged as AI-generated. If an advisor edits AI-generated content before sending to a client, the full change history is preserved. This ensures a complete and auditable record from generation through client delivery.

13. Communication Recording Disclosures

Helmsted's platform includes functionality to record, transcribe, and analyze calls and meetings. When these features are enabled:

• Advisors are responsible for notifying all participants that a call or meeting is being recorded
• Advisors are responsible for complying with all applicable federal and state recording consent laws, including two-party consent states
• Recordings and transcriptions are stored securely and subject to the same data protection measures as all other platform data
• Recordings may be used to generate automated meeting summaries, action items, and follow-up tasks

14. Cookies and Tracking Technologies

We may use cookies and similar technologies to:

• Maintain sessions and authentication state
• Analyze platform usage and performance
• Improve user experience

We do not use cookies for third-party advertising. You can manage cookie preferences through your browser settings.

15. Third-Party Integrations

Helmsted may integrate with third-party systems, including email providers, custodians, calendar services, and other financial technology platforms. Data shared with these integrations is governed by their respective privacy policies. We encourage you to review the privacy practices of any third-party services you connect to Helmsted.

16. Children's Privacy

Helmsted is a business-to-business platform designed for use by financial professionals. It is not intended for use by individuals under the age of 13, and we do not knowingly collect personal information from children.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Changes will be posted on this page with an updated "Last Updated" date. For material changes, we will provide notice through the platform or via email to registered users.

18. Contact Us

If you have questions about this Privacy Policy, our data practices, or wish to exercise your rights, please contact:

Helmsted, Inc.
Registered in Delaware
privacy@helmsted.ai