Skip to content
HelpingHands
Back to home

Privacy Policy

Data processing via the HelpingHands platform

Effective: 20 April 2026 Version 1.6 Published by VDGT Consultancy BV

1. Data Controller and DPO

VDGT Consultancy BV (hereinafter: "we"), CBE 1004820426, is the data controller within the meaning of the GDPR (Regulation (EU) 2016/679) for all personal data processed via HelpingHands. VDGT Consultancy BV has not appointed a formal Data Protection Officer (Art. 37 GDPR does not currently require one given our scale of processing). For privacy inquiries, data-subject-rights requests and any data protection matter, the contact point is: [email protected]. Lead supervisory authority: Data Protection Authority (APD/GBA) — gegevensbeschermingsautoriteit.be

2. About the platform

HelpingHands is a mobile marketplace (iOS/Android) for video help sessions, operated by VDGT Consultancy BV. Offered to residents of the European Economic Area (EEA: the 27 EU member states plus Iceland, Liechtenstein and Norway).

3. What data do we process?

3.1 Account data

  • Email address, first name, last name;
  • Profile photo (optional — base64 in PostgreSQL);
  • Bio, catchphrase, language preference, spoken languages;
  • Account type and business data (business helpers: CBE, VAT, name, address, billing email);
  • Timestamp and version of the Terms you last accepted;
  • Account status information (suspension reason, scheduled deletion date).

3.2 Authentication

  • Password (hashed — never readable);
  • Google or Apple account ID (social login).

3.3 Financial data

  • IBAN and account holder name (for Stripe Connect onboarding);
  • Transaction amounts and Stripe PaymentIntent IDs (no card data);
  • Payout transfer IDs.

3.4 Platform activity

  • Help requests, helper responses, reviews, tips, badges, session quality surveys;
  • Support tickets and replies (message body, author, timestamps);
  • Blocks and abuse reports you submit or that are submitted against you (user IDs, timestamp, category, optional reason);
  • Your helper skills (category, subcategory, self-declared skill level).

3.5 Technical and operational data

  • FCM device token (push notifications — no location data, no tracking);
  • Notification preferences.

3.5.1 Operational logging (security and fault diagnosis)

For the security, stability and fault diagnosis of the platform, operational logs are maintained. This covers three layers:

  • Custom application logs via OpenObserve Cloud (eu1-api.openobserve.ai, EU region per our deployment configuration): contain only user IDs (integers), action descriptions and error messages — no email addresses, names or other direct personal identifiers. Retained for a maximum of 90 days.
  • Serverpod session logs (framework level): the backend framework automatically processes session and authentication data for internal fault diagnosis. Retained per the framework default.
  • nginx ingress access logs (reverse proxy): contain IP addresses, request paths and HTTP status codes. No account data. Retained for a maximum of 30 days.

Legal basis for all operational logging: legitimate interest (Art. 6.1.f GDPR) — necessary for platform security, fraud prevention and technical continuity. No user profiles are built from log data and the data is not used for marketing purposes.

4. Legal bases and purposes

  • Performance of contract (Art. 6.1.b GDPR): account management, sessions, payments;
  • Legitimate interest (Art. 6.1.f GDPR): security, fraud prevention, push notifications, operational logging (see Art. 3.5.1);
  • Legal obligation (Art. 6.1.c GDPR): financial retention obligation of at least 7 years under Belgian bookkeeping law (Art. III.86 Code of Economic Law);
  • Consent (Art. 6.1.a GDPR): optional profile content, marketing.

5. Retention periods

  • Account data: until deletion + 30-day grace period;
  • Transaction data: at least 7 years (Belgian bookkeeping obligation, Art. III.86 Code of Economic Law); longer where required by applicable law;
  • Help request descriptions: anonymised upon deletion;
  • Server logs: max. 90 days (custom) / 30 days (framework/proxy);
  • Data exports: expire after 48 hours.

6. Processors and data transfers

6.1 Processors

  • Stripe, Inc. (US) — payments and Stripe Connect. Transfer on the basis of SCCs and EU-US Data Privacy Framework (DPF). Stripe DPA applies;
  • Google LLC / Firebase (US) — FCM push notifications only. Transfer on the basis of SCCs and DPF. Google DPA applies;
  • Agora, Inc. — video calling via server-side tokens; no PII transferred;
  • AWS SES (eu-west-1) — transactional emails. Processing in EU. AWS DPA + SCCs;
  • OpenObserve Cloud (eu1-api.openobserve.ai, EU region per our deployment configuration) — operational log aggregation. Logs contain user IDs and IP addresses, no email addresses or names;
  • Amazon Web Services, Inc. (eu-west-1) — encrypted database backups (PITR) and help-request photo storage via S3. Data stays within the EU region. AWS DPA applies.

6.2 No analytics or advertising

HelpingHands uses no analytics SDKs, tracking pixels or advertising networks.

6.3 Summary of transfers outside the EEA

Only to processors that comply with: an adequacy decision, SCCs, or the EU-US Data Privacy Framework (DPF).

7. Your rights

  • Access (Art. 15 GDPR): Settings → Download my data;
  • Rectification (Art. 16 GDPR): via Settings;
  • Erasure (Art. 17 GDPR): Settings → Delete account (30-day grace period);
  • Portability (Art. 20 GDPR): JSON export;
  • Restriction (Art. 18) and objection (Art. 21): via [email protected].

For requests that cannot be processed directly through your account (e.g. objection, restriction, or access on behalf of someone else), we may verify your identity before releasing, rectifying or erasing data. Confirmation from the email address linked to your account is usually sufficient; in case of doubt we may request a copy of a valid ID document (you may redact the national register number and photo).

You may withdraw a previously given consent at any time via [email protected] or the app settings. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal. After withdrawal, certain features that rely on that consent may no longer be available to you.

Requests answered within 30 days.

8. Automated decision-making

Matching algorithms for help requests and helpers. No decisions with legal effects without human intervention.

9. Security

  • HTTPS via nginx ingress + cert-manager (TLS 1.2+);
  • Passwords hashed; Stripe PCI DSS; export tokens 64 characters, valid 48h;
  • Webhook HMAC-SHA256 + replay protection; PostgreSQL PITR backups to S3 (EU, 30 days).

10. Complaint to the supervisory authority

Data Protection Authority (APD/GBA) — gegevensbeschermingsautoriteit.be — complaint form: https://www.gegevensbeschermingsautoriteit.be/burger/acties/klacht-indienen

11. Changes

Material changes notified by email. Most recent version: https://app.helping-hands.world/legal/privacy_en.pdf

12. Contact

VDGT Consultancy BV — CBE 1004820426 — [email protected]