Legal
Privacy Policy
Effective: 2026-05-02 (DRAFT)
[INSERT FINAL POLICY] — this page is a placeholder layout pending lawyer review. Final policy text will replace this content before public launch. Do not rely on this draft for any compliance purpose.
[INSERT FINAL PRIVACY POLICY] — the structure below mirrors the policy framework we intend to ship at public launch, pending review by our healthcare-privacy counsel. The substantive commitments described are real and binding (we operate under them today); the legally precise language will replace this draft.
Overview
This Privacy Policy describes how Helica, Inc. (“Helica,” “we,” “us”) collects, uses, stores, and protects information when you use the Helica services (the “Service”). Your genetic information receives the highest level of protection we can offer under applicable U.S. law, including HIPAA-grade security practices, even when your DNA-only data is not technically classified as Protected Health Information under HIPAA.
Information we collect
- Account information. Email address, password (hashed), payment method on file (handled by Stripe; we never store full card numbers).
- Genetic data. The DNA file you upload (e.g. genome_*.txt, VCF, BAM, CRAM) and the variant calls our pipeline derives from it.
- Conversation history. Questions you ask the Helica chat and the answers we return (used to improve the Service and provide your account history).
- Usage data. Standard server logs (IP, user agent, request times) for security and reliability.
How we use your information
- To run our pharmacogenomic, structural-variant, HLA, and polygenic risk pipelines on your genome and surface findings to you.
- To re-run those pipelines quarterly against the latest ClinVar, CPIC, and PGS Catalog releases (this is your reanalysis subscription).
- To provide the conversational interface and generate PCP handoff PDFs.
- To bill you for paid subscriptions and respond to your support requests.
- To detect, investigate, and prevent fraud, abuse, and security incidents.
Sharing & third parties
We do not share, rent, or sell your genetic data. We do not run targeted advertising against your variants. We do not share data with researchers or pharmaceutical companies absent your explicit, granular, revocable opt-in.
We share limited operational data with vetted infrastructure providers (cloud hosting, payment processing, email delivery) under signed Data Processing Agreements and BAAs where applicable. A current list of these subprocessors will appear at /legal/subprocessors at launch.
We will not transfer customer genetic data as part of an asset sale, merger, or acquisition without giving every affected customer at least 60 days’ written notice and a one-click export-and-delete option. This commitment will be in our Terms of Service.
Security
- Genetic files are encrypted at rest using industry-standard AES-256 encryption.
- Access to genetic data is logged and limited under principle-of-least-privilege controls.
- We never store your raw uploaded file in plaintext.
- Production infrastructure runs on BAA-eligible HIPAA-aligned cloud providers.
Retention & deletion
You can delete your data at any time from your account settings. Deletion removes your raw file, your variant calls, your conversation history, and your account record from our active systems. Encrypted backups roll off within 30 days. After cancellation without explicit deletion, your data remains accessible read-only to you for 30 days, then is deleted automatically.
Your rights
Depending on where you live, you may have rights under California (CCPA/CPRA), Illinois (GIPA), Washington (My Health My Data), Virginia (CDPA), and other state privacy laws. You can exercise these rights at any time by emailing privacy@helica.health. Rights typically include access to your data, deletion of your data, correction of inaccurate data, and opt-out of any non-essential data processing.
GINA disclosure
The Genetic Information Nondiscrimination Act (GINA) is a federal law. It prohibits health insurers and employers from discriminating against you based on genetic information.
GINA does not cover life insurance, disability insurance, or long-term-care insurance. Carriers in those product lines can lawfully ask whether you have undergone genetic testing and use the results in underwriting. Some states (Florida, California, others) have passed additional protections; rules vary.
We disclose this on signup so you can decide what to share with which insurer. We will never share your genetic information with any insurer ourselves.
HIPAA practices
DNA-only data uploaded directly by a consumer is not always classified as Protected Health Information under HIPAA. We treat it as if it were. Our infrastructure runs on BAA-eligible cloud providers, our access controls are HIPAA-aligned, and our breach notification practices follow the HIPAA Breach Notification Rule timelines.
Contact
Questions about this Privacy Policy or how we handle your data: privacy@helica.health.