Privacy Policy

Draft v0.1 · Last updated: TODO: set on publish · Effective: TODO: set on publish

1. Who we are

Helion Global LLP ("Helion", "we", "us", "our") is a Limited Liability Partnership registered in Rajkot, Gujarat, India. We manufacture and supply precision-machined and forged components to industrial buyers.

This Privacy Policy explains what personal information we collect through helionglobal.net (the "Site"), why we collect it, how we use and protect it, and the choices you have about it.

Helion's registered office and full LLP identification number will be printed in the Contact section below. TODO: confirm LLPIN, registered address, and authorised signatory details with the MCA filing.

2. What information we collect

2.1 Information you give us directly

When you submit the inquiry form on the Site, we ask you for:

Your name — so we can address you when we reply.
Your email address — to send our response and any quotation.
Your phone number — for follow-up calls or WhatsApp messages if you prefer voice contact.
Your message — the description of the part, quantity, specification, or question you want a response on.
Optionally: your company name and the specific product you are interested in.

These fields are the only personal data the Site asks you to submit.

2.2 Information we collect automatically

When you visit the Site, our hosting provider (Cloudflare) automatically receives technical information that is standard for web traffic:

Your IP address, browser type and version, operating system, device type.
Pages you visit, the page that referred you to us, the date and time of your visit.

This information is processed by Cloudflare under its own privacy policy to deliver the Site, prevent abuse, and detect attacks. Helion does not personally identify individual visitors from this data.

If you submit the inquiry form, your IP address and browser user agent are stored alongside your inquiry record. We use this only to investigate spam or abuse reports.

2.3 Cookies and similar technologies

See our separate Cookie Policy. In short: we use the minimum number of cookies needed to make the Site work and to keep authenticated administrators signed in to the back-office. We do not use third-party advertising cookies.

3. Why we use your information (lawful basis)

Purpose	Lawful basis (GDPR-style)	How long we keep it
Reply to your inquiry, prepare a quotation, follow up on a quote.	Performance of a request you made (pre-contract).	Active inquiries: until closed. Closed inquiries: TODO: 24 months for audit then deleted.
Send order confirmations, shipping notifications, and quality certificates when you place an order.	Performance of contract.	As long as required by tax and accounting law (India: typically 8 years).
Detect spam, abuse, or fraudulent submissions to the inquiry form.	Our legitimate interest in keeping the Site usable.	IP + user-agent kept with the inquiry record.
Legal compliance (tax, export, anti-money-laundering checks for relevant transactions).	Legal obligation.	As required by law.

TODO: lawyer to verify the lawful-basis mapping under the DPDP Act 2023, which uses "consent" and "legitimate uses" rather than the GDPR six-basis model.

4. Who we share information with

We share personal information only with the parties below and only as needed for the purposes above:

Our hosting and infrastructure providers: Cloudflare (CDN and DNS, USA-headquartered), Supabase (database hosting, USA-headquartered with our project in Mumbai, India), Resend (transactional email, USA-headquartered). Each is contractually bound to process data only on our instructions.
Our shipping carriers when you place an order — they need your name, delivery address, and phone for delivery.
Banks and tax authorities when an order results in a payment or where law requires disclosure.
Legal authorities when compelled by valid legal process.

We do not sell personal information. We do not share it with advertisers or data brokers.

5. International transfers

Some of the providers listed above are headquartered outside India. When personal information leaves India, we rely on:

The provider's compliance certifications (SOC 2 Type II, ISO 27001 where applicable).
Standard contractual clauses where the destination is the EU/UK or covered by GDPR.
The DPDP Act 2023 cross-border-transfer mechanism once specific rules are notified by the government. TODO: track DPDP cross-border-transfer rules at notification.

6. How we protect your information

Technical and organisational measures we apply:

HTTPS on every page; HSTS with one-year preload requested.
A Content-Security-Policy restricting where scripts, styles, fonts, and images can be loaded from.
Database row-level security: only authenticated administrators with the explicit "admin" role can read or modify inquiries; the public-facing form can only insert new inquiries, not read existing ones.
Multi-factor authentication (TOTP) required for the administrator account that can read inquiry data.
An immutable audit log that records every administrative read or write of customer data.
Daily backups to a separate region; quarterly restore drills.

No system is perfect. If we become aware of a security incident affecting your personal information, we will notify you and the appropriate regulator within the timelines required by applicable law (DPDP Act 2023: as prescribed; GDPR: within 72 hours).

7. Your rights

You can ask us to:

Access the personal information we hold about you.
Correct information that is inaccurate or incomplete.
Erase information we no longer need a lawful basis to keep.
Restrict or object to certain processing.
Withdraw consent where we relied on consent (this does not affect processing already carried out).
Receive a copy of the personal information you provided to us, in a portable format.
Complain to a supervisory authority. In India that is the Data Protection Board under the DPDP Act 2023.

To exercise any of these rights, email privacy@helionglobal.net. We respond within 30 days. TODO: confirm DPDP-mandated response-time once rules notified.

8. Children

The Site is a business-to-business commercial site. It is not directed at children, and we do not knowingly collect personal information from anyone under 18 years of age.

9. Changes to this Policy

We will update this page when we change how we handle personal information. The "Last updated" date at the top will change. Material changes will be flagged at the top of the page for at least 30 days.

10. Contact

Privacy questions, requests, and complaints:

Helion Global LLP
Rajkot, Gujarat, India
TODO: full registered address + LLPIN
Email: privacy@helionglobal.net