Helios

Privacy Policy

Effective from 11.05.2026. Last updated 11.05.2026.

Contents

Who we are
What data we collect
Why we collect it
Legal basis
Third-party processors
Storage and retention
Security
Your rights
Children
International transfers
Changes to this policy
Contact

1. Who we are

Helios (the “Service”, “we”, “us”) is a mobile and web StarPoints loyalty platform offering bonus points (SP), prize draws, a referral programme and the ability to exchange SP at partner vendors. The operator of the Service is the data controller responsible for processing personal data under applicable law.

2. What data we collect

2.1. Account & registration

Name — as provided in the registration form;
Phone number — used as the primary identifier and to deliver OTP codes;
Email — optional, used for notifications and as an alternative OTP channel;
Password — stored only as a bcrypt hash; we never see your plaintext password;
Interface language;
Country (if selected).

2.2. Device information

Device identifier (UUID, Android ID, iOS identifierForVendor) — to bind a single account to a single device;
Device type (ios / android);
FCM token issued by Firebase Cloud Messaging — to deliver push notifications;
IP address and User-Agent — recorded on every login attempt for security auditing.

2.3. In-app activity

StarPoints (SP) transactions: credits, debits, reasons, expiry dates;
Redemption history at partner vendors: vendor, product, SP spent;
Daily check-ins and streaks;
Spin & Win and Lucky Draw entries and won prizes;
Referral programme: who invited you and whom you invited;
Service requests (name, phone, email, request details);
Support tickets and ticket conversations;
Product and category view history — for personalised recommendations.

2.4. Technical and audit data

Login attempts: timestamp, IP, rejection reason (wrong password, deactivated, device mismatch, etc.);
Server request logs;
OTP code lifetime and status (we store the hash only, not the code itself).

3. Why we collect it

Identification and authentication, fraud prevention;
Crediting and redeeming StarPoints, balance and ledger maintenance;
Push notifications (SP credited, redemption status, marketing — opt-out available);
SMS / WhatsApp / email delivery of OTP codes and service messages;
Referral programme and prize draws;
Support and service requests;
Analytics and product improvement;
Legal compliance and defence of the Service’s rights in disputes.

4. Legal basis

Contract performance — processing needed to provide the Service to you (account creation, SP, vendor redemptions);
Consent — for marketing pushes and additional notification channels. You can withdraw your consent at any time from app settings;
Legitimate interest — account security (login audit, device binding), abuse prevention;
Legal obligation — where required by applicable law.

5. Third-party processors

We share the minimum data necessary with the following processors:

Google Firebase Cloud Messaging — FCM tokens and push notification content for delivery;
SMS providers (including MessageBird) — phone number and OTP code;
WhatsApp Business API — phone number and OTP code, if WhatsApp is the chosen channel;
SMTP / email provider — email address and message body;
Backblaze B2 — images and files you upload (avatars, banners, etc.);
Partner vendors — when you redeem SP, the vendor receives your Account ID, Transaction ID and a verification code to confirm the transaction;
OpenAI — used only by administrators for interface auto-translation; your personal data is not sent there.

We do not sell your personal data and do not share it for advertising or any other commercial purposes unrelated to the Helios Service.

6. Storage and retention

Account data — for as long as your account is active; after deletion — for the period required by law for financial and tax reporting;
OTP codes — up to 5 minutes (then the hash is deleted or expires);
Session tokens — up to 30 days (mobile) or 1 day (admin panel);
Login attempt log — kept for security auditing;
SP transactions — for the full term of the loyalty programme plus an archival period.

7. Security

Passwords stored as bcrypt hashes with cost=12;
HTTPS / TLS encryption for all connections;
One account is bound to one device; switching devices requires support confirmation;
Sanctum tokens with limited lifetime and scoped abilities;
Audit log of login attempts with rejection reason and IP;
Rate limiting on sensitive endpoints.

8. Your rights

Subject to applicable law you have the right to:

Request a copy of your personal data;
Request correction of inaccurate data;
Request deletion of your account and associated data (other than information we are required by law to retain);
Object to processing or restrict it;
Withdraw consent for marketing notifications — via the app settings or by emailing our contact address;
Lodge a complaint with a data protection supervisory authority.

9. Children

The Service is not intended for individuals under 16 years of age. We do not knowingly collect data from minors. If you are a parent or guardian and discover that your child has provided us with data, please contact us — we will remove it.

10. International transfers

Some of our processors (Firebase, OpenAI, Backblaze) are located outside Kazakhstan. Data transfers rely on standard contractual clauses and other legal mechanisms ensuring an adequate level of protection.

11. Changes to this policy

We may update this policy. For material changes we will notify you through the app or by email before the changes take effect. The last-updated date is shown at the top of this document.

12. Contact

Helios — support

Email: admin@helios.app

For data-protection requests, please use the subject line “Privacy”.