Skip to content
Helixir Genomicshelixirgenomics

Privacy

Your genome is yours.

What we collect, where it lives, for how long, and how to ask us to remove it. Written in plain language because the alternative is unworthy of the material.

Notice v1.0 · Effective 2026-05-29

  1. 01

    Your data is yours

    Your genome, your bloodwork, your questionnaire, all of it remains your property. We act as a steward, not an owner.

    We never sell your data, and we never share it for advertising or research. To produce your analysis we rely on a small set of named sub-processors (listed in section 03), each bound by a signed Data Processing Agreement and permitted to process your data only to deliver the service to you. We never use your data to train machine-learning models, neither ours nor anyone else's.

  2. 02

    What we collect, and why

    We collect only what is needed to prepare your analysis, in three categories.

    • IdentityYour name and email, to address your analysis and reply to you personally. Your shipping address, only if you order our saliva kit.
    • Application contextThe areas you ask us to analyse, the DNA situation you describe, any notes you leave on the questionnaire. Used to scope the proposal.
    • Health & genetic informationYour DNA file (when you upload one), any bloodwork PDF or photograph you share, the deeper profile you may fill at /study/profile. Used solely to interpret and write the Longevity Essential Analysis you requested.
  3. 03

    Where it is stored

    All personal data is encrypted at rest and in motion using industry-standard ciphers (AES-256 for storage; TLS 1.2+ for transport). We rely on the named sub-processors below, each under a signed Data Processing Agreement, and only to deliver your analysis, never for advertising or research:

    • SupabaseDatabase (US East region). Stores your application record, profile answers, status timeline, internal notes. Row-level security limits each row to the email it belongs to.
    • MailgunTransactional email infrastructure (EU region for our domain). Used to send and receive messages with you. Email content is retained on Mailgun servers for a limited window per their default policy.
    • VercelApplication hosting and Vercel Blob storage (US). The site you read these words on, plus short-lived storage of any DNA or bloodwork file you upload through /apply (purged once the operator's mailbox holds the record).
    • SelfDecodeGenetic analysis engine (United States). Your genotype is processed by SelfDecode to produce the variant-level analysis your Longevity Essential Analysis is built from; if you order our saliva kit, your name, shipping address, email and phone are also shared so the kit can be sent and your sample genotyped. This is the most sensitive data we handle, covered by a Data Processing Agreement, and is never used by SelfDecode for advertising, research, or model training.
    • MapboxAddress autocomplete (United States), used only if you choose the saliva-kit option. The shipping address you type is sent to Mapbox to suggest a valid postal address. No genetic or health data is ever sent to Mapbox.
  4. 04

    How long we keep it

    Active client data is retained for the duration of the assessment plus the periods below. Each starts the day your analysis is delivered.

    • Genetic data (DNA files, polygenic results)Up to 7 years, unless you request earlier deletion. We keep this period because clients often write back years later asking for re-interpretation as the science moves.
    • Bloodwork and profile responsesUp to 5 years, unless you request earlier deletion.
    • Application + email correspondenceUp to 3 years for our records, then archived or deleted.
    • Audit log (who-sent-what)Retained indefinitely as required by California Civil Code §56.18 for the audit of genetic-data access events.
  5. 05

    Your rights

    You may, at any time and for any reason, exercise the following rights. We will respond within five working days, and never charge a fee.

    • AccessReceive a copy of all data we hold about you, in a portable format (JSON + the original DNA file we received).
    • CorrectionAsk us to correct anything inaccurate, a misspelled name, a wrong area selection, an outdated bloodwork value.
    • DeletionAsk us to remove all your data from our systems. We comply within five working days. The printed analysis you received remains yours; we cannot retrieve the printed copy.
    • PortabilityReceive your data in a structured, machine-readable format so you can take it elsewhere.
    • Restriction & objectionPause our processing of your data, or object to specific uses, while we work through any concern you raise.
  6. 06

    How to ask

    Send a single email to privacy@helixirgenomics.com from the address on file. State which right you wish to exercise, access, correction, deletion, portability, restriction, or objection. We treat every such request personally.

    Withdrawal is total. Your DNA file, your bloodwork, your questionnaire and profile responses, every derived analysis and every email exchanged, all removed from our systems on confirmation.

  7. 07

    Genetic data, additional disclosures

    Genetic information receives extra protection under California Civil Code §56.18 (the Genetic Information Privacy Act, also known as CGIPA or SB 41), as well as analogous laws in Florida (FGIPA), Maryland, Tennessee and Utah. We honour these protections regardless of where you live.

    Specifically: we will never disclose your genetic data to any insurer, employer, school, or marketing partner. We will not transfer your genetic data outside the United States without your written consent. We will not use your genetic data for any purpose other than the assessment you commissioned. If any of these conditions ever change, we will notify you in advance and ask for written agreement before processing one more line of your DNA under the new terms.

  8. 08

    Cookies, analytics, and the public site

    The public site does not place any third-party advertising or tracking cookies on your device. We use privacy-respecting analytics that do not identify you personally. Sign-in uses one cookie set by Supabase to remember your session on /my-account; it expires on sign-out.

  9. 09

    Security

    Encryption at rest (AES-256) and in motion (TLS 1.2+). Row-level security on every database table. Access restricted to the named genomics scientist performing your assessment and to operational staff strictly on a need-to-know basis. Every access to your genetic data is logged.

    If we ever experience a security incident affecting your data, we will notify you and the relevant authorities in accordance with applicable breach-notification laws (state-by-state in the US, the GDPR-mandated 72-hour window in the EU).

  10. 10

    Contact

    For any privacy concern, write to privacy@helixirgenomics.com. We treat every message personally.

    Helixir Health, LLC, California, United States.

Material changes to this notice are announced to every active client by email at least 14 days before taking effect. If you do not wish to continue under the revised terms, the deletion right in §05 stands.