Privacy Policy

Last Updated: December 22, 2025 | Effective Date: December 22, 2025

This Privacy Policy ("Policy") describes how Helmeton Inc. ("Company," "we," "us," or "our"), operating under the brand name FirstHR, collects, uses, discloses, and protects information in connection with our human resources management platform and related services (collectively, the "Service"). By accessing or using the Service, you agree to this Policy.

1. Definitions

"Customer" refers to the business entity or individual who creates an account and subscribes to the Service.

"End User" refers to employees, contractors, or other individuals whose personal information is processed through the Service by a Customer.

"Personal Information" means any information that identifies, relates to, or could reasonably be linked to an individual.

"Data Controller" refers to the entity that determines the purposes and means of processing Personal Information. For End User data, the Customer is the Data Controller.

"Data Processor" refers to the entity that processes data on behalf of the Data Controller. For End User data, we act as the Data Processor.

"Subprocessor" refers to third-party service providers engaged by us to assist in providing the Service.

2. Our Role: Data Controller vs. Data Processor

We operate in two capacities depending on the type of data:

As Data Controller: We are the Data Controller for information we collect directly from Customers, including account registration data, billing information, and Service usage data.

As Data Processor: We act as a Data Processor for all End User data that Customers input into the Service. Customers, as employers, are the Data Controllers for their employees' Personal Information and are solely responsible for ensuring they have the legal basis to collect and process such data through our Service. We process End User data exclusively according to Customer instructions and applicable law.

3. Information We Collect

3.1 Customer Account Information

When you register for the Service, we collect: name, email address, company name, phone number, billing address, and payment information (processed securely through Stripe).

3.2 End User Data

Customers may input various types of employee data into the Service, which may include but is not limited to: names, contact information, employment details, compensation information, tax identification numbers (such as Social Security Numbers), benefits information, performance records, uploaded documents (such as contracts, identification documents, and certifications), photographs, and other HR-related data. We process this data solely on behalf of and under the instructions of our Customers.

3.3 Usage and Technical Data

We automatically collect: IP addresses, browser type and version, device information, operating system, pages visited, time spent on pages, clickstream data, error logs, and other diagnostic data.

3.4 Cookies and Similar Technologies

We use essential cookies for authentication, security, and basic functionality. We use Google Analytics to collect and analyze usage data, which may involve cookies and similar tracking technologies. Google Analytics helps us understand how users interact with our Service, including pages visited, time spent, and user flows. You can control cookie preferences through your browser settings or opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on. Disabling essential cookies may affect Service functionality.

4. How We Use Information

We use collected information to: provide, maintain, and improve the Service; process transactions and send related information; send administrative notifications; respond to inquiries and provide customer support; monitor and analyze usage patterns; detect, prevent, and address technical issues and security threats; comply with legal obligations; and enforce our Terms and Conditions.

5. Data Sharing, Third-Party Services, and Subprocessors

We do not sell Personal Information. We may share information with the following categories of third parties:

Subprocessors and Service Providers: We use third-party services to operate our platform, including but not limited to: Google Firebase (authentication, database, file storage, and cloud functions), Google Analytics (usage analytics and tracking), Stripe (payment processing), Vercel (hosting), and Resend (transactional email delivery). These Subprocessors process data according to their respective privacy policies and our contractual agreements. BY USING THE SERVICE, YOU AUTHORIZE US TO ENGAGE THESE AND OTHER SUBPROCESSORS AND TO ADD, REMOVE, OR REPLACE SUBPROCESSORS AT OUR DISCRETION WITHOUT PRIOR NOTICE TO YOU. A current list of Subprocessors is available upon request.

Legal Requirements: We may disclose information if required by law, court order, subpoena, or government request, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request.

Business Transfers: In connection with a merger, acquisition, bankruptcy, reorganization, or sale of assets, Personal Information may be transferred to the acquiring entity. We will notify you of any such change by posting the updated Policy on our website.

6. Third-Party Services Disclaimer

THE SERVICE RELIES ON THIRD-PARTY INFRASTRUCTURE AND SERVICES INCLUDING, BUT NOT LIMITED TO, GOOGLE FIREBASE, GOOGLE ANALYTICS, STRIPE, VERCEL, AND RESEND. WE DO NOT CONTROL AND ARE NOT RESPONSIBLE FOR THE PRIVACY PRACTICES, SECURITY MEASURES, DATA HANDLING, AVAILABILITY, OR RELIABILITY OF THESE THIRD-PARTY SERVICES. YOUR USE OF THE SERVICE IS SUBJECT TO THE TERMS AND PRIVACY POLICIES OF THESE THIRD PARTIES. WE EXPRESSLY DISCLAIM ANY AND ALL LIABILITY ARISING FROM OR RELATED TO THE ACTS, OMISSIONS, SECURITY BREACHES, OUTAGES, OR DATA LOSSES CAUSED BY ANY THIRD-PARTY SERVICE PROVIDER.

7. Data Security

We implement commercially reasonable security measures including encryption in transit (TLS/SSL) and at rest, secure authentication protocols, access controls, and regular security assessments. However, no method of transmission over the Internet or electronic storage is 100% secure. WE DO NOT WARRANT OR GUARANTEE THE ABSOLUTE SECURITY OF YOUR DATA. YOU ACKNOWLEDGE THAT YOU PROVIDE INFORMATION AT YOUR OWN RISK AND THAT WE SHALL NOT BE LIABLE FOR ANY UNAUTHORIZED ACCESS, HACKING, DATA LOSS, OR OTHER BREACH OF SECURITY.

8. Data Breach Notification

In the event of a confirmed data breach affecting Personal Information, we will notify affected Customers within a commercially reasonable timeframe as required by applicable law, but in no event shall we be liable for delays in notification caused by legitimate investigation needs, law enforcement requests, or circumstances beyond our reasonable control. OUR SOLE OBLIGATION IN THE EVENT OF A BREACH IS TO PROVIDE NOTIFICATION AS REQUIRED BY LAW. WE SHALL NOT BE LIABLE FOR ANY DAMAGES, LOSSES, OR CONSEQUENCES ARISING FROM A DATA BREACH IF WE HAVE IMPLEMENTED COMMERCIALLY REASONABLE SECURITY MEASURES, REGARDLESS OF THE OUTCOME. Customers are solely responsible for notifying their End Users of any breach affecting End User data.

9. Data Retention

We retain Customer account information for as long as your account is active and for a reasonable period thereafter for legal, tax, audit, and business purposes. End User data is retained according to Customer instructions and our data retention policies. Upon account termination, we will delete or anonymize your data within ninety (90) days, except where retention is required by law or for legitimate business purposes such as resolving disputes, enforcing agreements, or maintaining security and fraud prevention records. Backup copies may persist for an additional period according to our backup retention schedule.

10. Your Rights and Choices

10.1 Customer Rights

Customers may access, update, or delete their account information through the Service dashboard or by contacting us. Customers may export their data or request account deletion at any time, subject to our data retention requirements.

10.2 End User Rights

End Users should direct all privacy inquiries, access requests, correction requests, and deletion requests to their employer (our Customer), as the employer is the Data Controller for employee data. We will assist Customers in responding to such requests as required by applicable law, but we have no direct relationship with End Users and no obligation to respond to End User requests directly.

10.3 California Residents (CCPA/CPRA)

If you are a California resident, you have the right to: know what Personal Information we collect, use, and disclose; request deletion of your Personal Information (subject to legal exceptions); correct inaccurate Personal Information; opt out of the sale or sharing of Personal Information (we do not sell or share Personal Information for cross-context behavioral advertising); limit use of sensitive Personal Information; and not be discriminated against for exercising your rights. To exercise these rights, contact us using the information provided below. We will verify your identity before processing your request.

11. Customer Responsibilities

Customers acknowledge and agree that they are solely responsible for: ensuring they have the legal authority, appropriate consents, and lawful basis to collect, input, and process End User data through the Service; the accuracy, quality, integrity, and legality of all data they upload; providing appropriate and legally compliant privacy notices to their employees and End Users; responding to all End User rights requests in a timely manner; complying with all applicable federal, state, and local employment, labor, tax, and privacy laws; maintaining the confidentiality and security of their account credentials; immediately notifying us of any unauthorized access to their account; and ensuring that their use of the Service does not violate any third-party rights.

12. Healthcare Data Disclaimer

THE SERVICE IS NOT DESIGNED, INTENDED, OR CERTIFIED FOR USE WITH PROTECTED HEALTH INFORMATION ("PHI") AS DEFINED UNDER THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT ("HIPAA"). WE ARE NOT A "COVERED ENTITY" OR "BUSINESS ASSOCIATE" UNDER HIPAA AND DO NOT ENTER INTO BUSINESS ASSOCIATE AGREEMENTS. CUSTOMERS SHALL NOT INPUT, UPLOAD, OR PROCESS ANY PHI THROUGH THE SERVICE. IF YOU REQUIRE HIPAA COMPLIANCE, DO NOT USE THIS SERVICE. WE EXPRESSLY DISCLAIM ANY LIABILITY ARISING FROM THE STORAGE OR PROCESSING OF PHI THROUGH THE SERVICE.

13. Children's Privacy

The Service is designed exclusively for business use and is not intended for individuals under 18 years of age. We do not knowingly collect Personal Information from children under 18. If we learn that we have inadvertently collected such information, we will delete it promptly. If you believe we have collected information from a child under 18, please contact us immediately.

14. International Data Transfers

Our Service is hosted and operated in the United States. If you access the Service from outside the United States, you expressly understand and consent to the transfer, processing, and storage of your information in the United States, where privacy and data protection laws may be less protective than those in your jurisdiction. You waive any claims that may arise under the laws of your home jurisdiction.

15. Audit Rights and Limitations

Upon reasonable written request (no more than once per calendar year), we will provide Customers with documentation demonstrating our compliance with this Policy and applicable data protection requirements. Any on-site audit or inspection shall be: (a) conducted at Customer's sole expense; (b) scheduled at least thirty (30) days in advance; (c) limited to normal business hours; (d) conducted in a manner that does not disrupt our operations; (e) subject to confidentiality obligations; and (f) limited in scope to Customer's own data. We reserve the right to use an independent third-party auditor in lieu of permitting direct access to our systems or facilities.

16. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL HELMETON INC., ITS OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, AFFILIATES, SUCCESSORS, OR ASSIGNS BE LIABLE FOR: (A) ANY UNAUTHORIZED ACCESS TO, ALTERATION OF, LOSS, OR DESTRUCTION OF YOUR DATA; (B) ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES; (C) ANY LOSS OF PROFITS, REVENUE, BUSINESS, SAVINGS, GOODWILL, OR DATA; (D) ANY DAMAGES ARISING FROM THIRD-PARTY SERVICES OR SUBPROCESSORS; OR (E) ANY MATTER BEYOND OUR REASONABLE CONTROL, REGARDLESS OF WHETHER WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

OUR TOTAL AGGREGATE LIABILITY FOR ALL CLAIMS ARISING FROM OR RELATED TO THIS POLICY, THE SERVICE, OR ANY DATA BREACH OR SECURITY INCIDENT, WHETHER ARISING FROM CONTRACT, TORT, STRICT LIABILITY, OR ANY OTHER LEGAL THEORY, SHALL NOT EXCEED FIFTY THOUSAND DOLLARS ($50,000.00) IN THE AGGREGATE FOR ALL CLAIMS BY ALL PARTIES COMBINED. THIS AGGREGATE CAP APPLIES REGARDLESS OF THE NUMBER OF CLAIMS, CLAIMANTS, OR TRANSACTIONS, AND SHALL BE THE MAXIMUM TOTAL AMOUNT RECOVERABLE FROM US UNDER ANY CIRCUMSTANCES.

YOU ACKNOWLEDGE THAT THIS LIMITATION OF LIABILITY IS AN ESSENTIAL ELEMENT OF THE AGREEMENT BETWEEN YOU AND US, AND THAT WE WOULD NOT PROVIDE THE SERVICE WITHOUT THESE LIMITATIONS.

17. Indemnification

You agree to indemnify, defend, and hold harmless Helmeton Inc. and its officers, directors, employees, agents, affiliates, successors, and assigns from and against any and all claims, demands, actions, damages, losses, liabilities, judgments, settlements, costs, and expenses (including reasonable attorneys' fees and legal costs) arising from or related to: (a) your use or misuse of the Service; (b) your violation of this Policy, our Terms and Conditions, or any applicable law or regulation; (c) your violation of any third-party rights, including but not limited to End User privacy rights, intellectual property rights, or employment law obligations; (d) any data you upload, transmit, or process through the Service; (e) your failure to obtain necessary consents or provide required notices; (f) any dispute between you and your End Users; or (g) any claim that your use of the Service caused damage to a third party. This indemnification obligation shall survive termination of your account and this Policy.

18. Dispute Resolution and Arbitration

Informal Resolution: Before initiating any formal dispute proceedings, you agree to first contact us at support@firsthr.app and attempt to resolve any dispute informally for at least thirty (30) days.

Binding Arbitration: If informal resolution is unsuccessful, any dispute, controversy, or claim arising out of or relating to this Policy, including its formation, interpretation, breach, or termination, shall be finally resolved by binding arbitration administered by the American Arbitration Association ("AAA") in accordance with its Commercial Arbitration Rules. The arbitration shall be conducted by a single arbitrator in Wilmington, Delaware (or another location mutually agreed upon). The arbitrator's decision shall be final and binding, and judgment on the award may be entered in any court of competent jurisdiction.

CLASS ACTION WAIVER: YOU AGREE THAT ANY DISPUTE RESOLUTION PROCEEDINGS WILL BE CONDUCTED ONLY ON AN INDIVIDUAL BASIS AND NOT IN A CLASS, CONSOLIDATED, OR REPRESENTATIVE ACTION. YOU EXPRESSLY WAIVE ANY RIGHT TO PARTICIPATE IN A CLASS ACTION LAWSUIT OR CLASS-WIDE ARBITRATION AGAINST US. If this class action waiver is found to be unenforceable, then the entirety of this arbitration provision shall be null and void.

Exceptions: Notwithstanding the foregoing, either party may seek injunctive or other equitable relief in a court of competent jurisdiction to prevent the actual or threatened infringement or misappropriation of intellectual property rights.

19. Governing Law and Jurisdiction

This Policy and any disputes arising hereunder shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to its conflict of laws principles. To the extent that arbitration is inapplicable or unenforceable, you consent to the exclusive jurisdiction and venue of the state and federal courts located in New Castle County, Delaware, and waive any objections based on inconvenient forum. You also waive any right to a jury trial in any litigation arising from or related to this Policy.

20. Changes to This Policy

We reserve the right to modify this Policy at any time in our sole discretion. We will notify you of changes by posting the updated Policy on our website and updating the "Last Updated" date. For material changes, we may also provide notice via email to the address associated with your account. Changes become effective immediately upon posting unless otherwise stated. Your continued use of the Service after any changes constitutes your binding acceptance of the updated Policy. If you do not agree to any changes, your sole remedy is to discontinue use of the Service and terminate your account.

21. Severability

If any provision of this Policy is held to be invalid, illegal, or unenforceable by a court or arbitrator of competent jurisdiction, such provision shall be modified to the minimum extent necessary to make it valid and enforceable, or if modification is not possible, shall be severed from this Policy. The invalidity of any provision shall not affect the validity or enforceability of any other provision, and all remaining provisions shall continue in full force and effect.

22. Entire Agreement

This Policy, together with our Terms and Conditions and any other agreements expressly incorporated by reference, constitutes the entire agreement between you and Helmeton Inc. regarding the subject matter hereof and supersedes all prior or contemporaneous communications, representations, or agreements, whether oral or written.

23. No Waiver

Our failure to enforce any provision of this Policy shall not constitute a waiver of that provision or any other provision. Any waiver must be in writing and signed by an authorized representative of Helmeton Inc. to be effective.

24. Contact Us

If you have questions about this Policy, wish to exercise your privacy rights, or need to report a privacy concern, please contact us at:

Helmeton Inc. (d/b/a FirstHR)
Email: support@firsthr.app

We will respond to verified requests within the timeframes required by applicable law.