Privacy Policy

Last updated: March 4, 2026

Draft. This is a draft policy for pre-launch and should be reviewed by legal counsel before publication.

Overview

This Privacy Policy explains how HELIX Security ("HELIX," "we," "us") collects, uses, shares, and protects information when you visit our website, create an account, or use the HELIX platform (the "Service"). HELIX is an autonomous offensive-security operator: you authorize and scope an engagement, and the platform conducts it on your behalf.

Because the Service exists to test the security of systems you own or are authorized to test, we take particular care with the data generated during an engagement. This policy describes both the ordinary personal data we handle as a SaaS provider and the engagement data and evidence the platform produces.

Information we collect

We collect the following categories of information:

  • Account information. Name, work email address, organization, role, authentication credentials, and billing details you provide when you register or subscribe.
  • Usage information. Log data, device and browser metadata, IP address, feature interactions, and diagnostic information generated as you use the Service, so we can operate, secure, and improve it.
  • Engagement configuration. The targets, scope definitions, allow-lists, scan-mode settings, schedules, and integration credentials you supply to configure an engagement. You are responsible for ensuring you are authorized to test the targets you provide.

Engagement data & evidence handling

When the platform runs an engagement, it generates engagement data: HTTP traces, reproducers, proofs-of-concept, findings, and a triaged report. Some of this material may incidentally contain personal data present in the systems under test.

  • Scope. The agent operates only within the in-scope allow-list you define. Out-of-scope assets are blocked at the call boundary.
  • Reproducers. Evidence is truncated to the minimum needed to prove exploitability. We aim to capture only what corroborates a finding, not bulk exports of your data.
  • Isolation. Engagements run in isolated execution environments with no cross-tenant access. Findings and proofs-of-concept are accessible only to authenticated members of your organization.
  • Retention. Engagement data is retained according to the schedule below and your account settings, and is deleted on request or at the end of the applicable retention period.

How we use information

We use the information we collect to provide and operate the Service, run and report on the engagements you authorize, authenticate users, process payments, provide support, secure the platform and detect abuse, comply with legal obligations, and communicate with you about your account and material changes to the Service.

We do not sell personal data. We do not use the contents of your engagement data to train third-party models, and we do not share your findings with other customers.

Where the GDPR or similar laws apply, we rely on the following legal bases: performance of a contract to provide the Service you have signed up for; legitimate interests in securing, maintaining, and improving the Service; consent where required, for example for certain analytics or marketing communications; and compliance with legal obligations to which we are subject. Where we rely on consent, you may withdraw it at any time.

Sub-processors

We rely on a limited set of vetted sub-processors to deliver the Service. These include cloud hosting and infrastructure providers that run our application and store data, and large language model (LLM) providers whose models power the reasoning behind the agent.

We enter into data-processing agreements with our sub-processors and require appropriate safeguards. A current list of sub-processors is available on request to enterprise customers, and we will provide reasonable notice of material changes to that list.

Data retention

We retain account information for as long as your account is active and for a reasonable period afterward to meet legal, accounting, and security obligations. Engagement data and evidence are retained for the period configured for your account, after which they are deleted or anonymized. You may request earlier deletion of engagement data, subject to any overriding legal retention requirements.

Security

We protect data with encryption in transit (TLS) and at rest (AES-256), isolated execution environments, strict tenant separation, role-based access controls, and a full immutable audit log of platform activity. Our security program is being built toward SOC 2 Type II and ISO 27001; security documentation is available under NDA for enterprise evaluations. For more detail, see our Security page.

International data transfers

HELIX operates from Argentina and uses infrastructure and sub-processors that may be located in other countries, including the United States and the European Union. Where we transfer personal data across borders, we rely on appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms to ensure your data remains protected.

Your rights

Depending on your jurisdiction, you may have the right to access the personal data we hold about you, request correction or deletion, request a portable copy of your data, object to or restrict certain processing, and withdraw consent. To exercise these rights, contact us using the details below. We will respond within the timeframe required by applicable law and may need to verify your identity first.

Cookies & analytics

Our website uses strictly necessary cookies to operate, and, where permitted, privacy-respecting analytics to understand aggregate usage and improve the site. We do not use cookies for cross-site advertising. You can control non-essential cookies through your browser settings or any consent controls we provide.

Children's privacy

The Service is intended for businesses and is not directed to children. We do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us with personal data, please contact us and we will delete it.

Changes to this policy

We may update this policy from time to time to reflect changes in our practices or for legal reasons. When we make material changes, we will update the date at the top of this page and, where appropriate, notify you through the Service or by email. Your continued use of the Service after an update constitutes acceptance of the revised policy.

Contact

If you have questions about this policy or how we handle your data, contact us at hello@helixsecurity.app. For security matters or vulnerability reports, please use hello@helixsecurity.app.