HelixAI ("we," "us," "our," or "Company") is a multi-tenant B2B Software-as-a-Service (SaaS) platform that provides AI-powered marketing content generation and optimization services. This Privacy Policy describes how HelixAI collects, uses, discloses, and safeguards information about you when you use our platform, including our website, application, and services (collectively, the "Services").
This Privacy Policy applies to all users of HelixAI, including account holders ("End Users"), tenant administrators, and individuals who may interact with our Services. HelixAI offers three service tiers: Free, Pro, and Enterprise. Data handling practices may vary slightly by tier, as noted throughout this policy.
Please read this Privacy Policy carefully. If you do not agree with our policies and practices, please do not use our Services. By accessing and using HelixAI, you acknowledge that you have read, understood, and agree to be bound by all the terms of this Privacy Policy.
HelixAI collects the following information at the individual user level:
HelixAI collects the following information at the tenant (organization) level:
HelixAI maintains comprehensive audit logs that capture the following information for security and compliance purposes:
Audit logs are time-partitioned by month in our PostgreSQL database to optimize query performance and data management.
We collect information in the following ways:
HelixAI uses the collected information for the following purposes:
HelixAI uses the following cookies to maintain functionality and security. All cookies are first-party cookies; we do not use third-party tracking, analytics, or advertising cookies.
CSRF (Cross-Site Request Forgery) tokens are generated per session with a 1-hour expiration. These tokens are validated on all state-changing requests (POST, PUT, DELETE) to prevent unauthorized actions.
Since HelixAI only uses essential, first-party cookies necessary for authentication and security, we do not require explicit cookie consent. However, users may disable cookies in their browser settings, which may limit functionality.
HelixAI does not implement third-party tracking cookies, analytics cookies, or advertising cookies. We do not use Google Analytics, Facebook Pixel, or similar third-party tracking mechanisms on our platform.
HelixAI shares certain information with third-party service providers to deliver our Services. All third-party services are bound by confidentiality agreements.
User prompts, content inputs, and generated content are sent to Anthropic's Claude API for AI processing. This includes marketing copy, blog posts, SEO optimization requests, and Sage AI chat conversations. Anthropic processes this data according to their privacy policy and data retention practices. We recommend reviewing Anthropic's privacy documentation for details on how your data is handled.
Payment information, including billing email and subscription details, is shared with Stripe for payment processing. Credit card information is never stored on HelixAI servers; Stripe handles all payment data. Stripe's privacy policy governs the handling of payment-related information.
Enterprise tier customers may optionally enable LoRA (Low-Rank Adaptation) model hosting through Together AI. If enabled, certain content and fine-tuning data is shared with Together AI according to your configuration. This is optional and is only activated with explicit tenant consent.
HelixAI may disclose user information to law enforcement agencies, government authorities, or other third parties when required by law, legal process, or government request. In cases of suspected child exploitation or other crimes, we will cooperate with law enforcement and may share relevant data including email addresses, IP addresses, User-Agent strings, and content accessed in violation of our policies.
If HelixAI is acquired, merges with another entity, declares bankruptcy, or undergoes a change of control, your information may be transferred as part of the transaction. We will provide notice of any such change and any choices you may have regarding your data.
HelixAI currently maintains user data and audit logs on an indefinite basis. However, we recognize the importance of appropriate data retention periods and are actively developing a comprehensive data retention policy.
We are implementing the following retention policy to balance regulatory compliance and user privacy:
When you request deletion of your account or a tenant is terminated, we will delete associated personal data within 30 days, except where retention is required by law or for legitimate security purposes. Deletion of audit logs and violation data may be subject to legal holds and law enforcement requests.
Depending on your location and applicable law, you may have certain rights regarding your personal data.
You have the right to request and obtain a copy of the personal data HelixAI holds about you. To exercise this right, contact us at david@helixai.media with your request.
You may request correction of inaccurate or incomplete personal data. You can update certain information (name, email, password) directly through your account settings. For other corrections, contact our privacy team.
You may request deletion of your account and associated personal data, subject to legal and regulatory requirements. Some data, such as audit logs for compliance purposes, may not be deleted immediately.
You have the right to obtain your personal data in a structured, commonly used, machine-readable format. HelixAI will provide your data in JSON or CSV format upon request.
You may opt out of non-essential communications, including marketing emails and optional analytics. You cannot opt out of essential service communications or security alerts.
To exercise any of these rights, please submit a written request to david@helixai.media. Include sufficient information to identify your account and the specific right you are exercising. We will respond to your request within 30 days and may request verification of your identity before processing.
For users in the European Union, United Kingdom, and other jurisdictions with GDPR or similar regulations, the following terms apply:
HelixAI processes personal data under the following lawful bases under GDPR Article 6:
HelixAI has appointed a Data Protection Officer (DPO) to oversee compliance with GDPR. To contact our DPO regarding privacy concerns, email david@helixai.media.
HelixAI's servers and operations are located in the United States. When processing data of individuals in the EU, UK, or other jurisdictions, such processing constitutes an international data transfer. HelixAI relies on Standard Contractual Clauses (SCCs) and appropriate safeguards to ensure adequate protection of your data. By using HelixAI, you consent to such transfers.
In addition to the rights described in Section 7, you have the following GDPR-specific rights:
To exercise GDPR rights, contact our DPO at david@helixai.media or our privacy team at david@helixai.media.
For users in California, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) apply.
Under CCPA, HelixAI collects the following categories of personal information:
HelixAI does not sell personal information as defined by CCPA. HelixAI shares personal information with service providers (Anthropic, Stripe, and optionally Together AI) necessary to provide Services. This sharing is not considered a "sale" under CCPA.
You have the right to request what personal information HelixAI has collected about you and how it is used. Submit a verified consumer request to david@helixai.media.
You have the right to request deletion of personal information collected about you, subject to exceptions for legal obligations and service delivery.
You have the right to request correction of inaccurate personal information held by HelixAI.
You have the right to opt out of the sharing of your personal information with service providers for their own purposes. Note that opting out may limit your ability to use certain features.
HelixAI will not discriminate against you for exercising your CCPA rights. You will not be denied service, charged different prices, or subjected to different quality of service based on your privacy choices.
To exercise CCPA rights, submit a verified consumer request to david@helixai.media. Include your name, email, account username, and specific request. We will verify your identity and respond within 45 days.
HelixAI's Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that a user is under 18, we will immediately delete their account and associated personal data. By using HelixAI, you represent that you are at least 18 years of age.
If you believe HelixAI is collecting data from a minor, please contact us immediately at david@helixai.media.
HelixAI has zero tolerance for child exploitation. Our content moderation system actively monitors for attempts to generate child sexual abuse material (CSAM) or other exploitative content. Any such attempts are immediately logged, the account is suspended, and law enforcement is notified.
HelixAI implements comprehensive security measures to protect your data from unauthorized access, alteration, disclosure, and destruction.
User passwords are hashed using PBKDF2-HMAC-SHA256 with 600,000 iterations and a unique cryptographic salt per user. Passwords are never stored in plaintext and cannot be recovered by HelixAI staff.
All communication between your device and HelixAI servers is encrypted using HTTPS/TLS 1.2 or higher. We enforce HTTPS on all connections; unencrypted HTTP requests are automatically redirected.
API keys are hashed before storage and cannot be recovered in plaintext. Each API key has associated scopes and rate limit configurations to minimize the impact of key compromise.
All state-changing requests are protected against Cross-Site Request Forgery (CSRF) attacks through token validation and same-site cookie policies.
HelixAI implements the following security headers to protect against common web vulnerabilities:
HelixAI implements per-IP and per-session rate limiting to prevent brute-force attacks, abuse, and denial-of-service (DoS) attacks. Excessive requests may result in temporary IP blocking.
Each tenant operates in a logically isolated environment with a separate PostgreSQL database. Shared authentication is managed in a separate database with row-level tenant scoping to prevent cross-tenant data access.
While HelixAI implements comprehensive security measures, no system is completely secure. We cannot guarantee absolute security of your information. You are responsible for maintaining the confidentiality of your passwords and account credentials.
In the event of a data breach that compromises the confidentiality, integrity, or availability of personal data, HelixAI will take the following actions:
Upon discovery of a breach, we will immediately investigate the scope and nature of the breach, contain it to prevent further unauthorized access, preserve evidence for forensic analysis, and engage cybersecurity experts if necessary.
We will notify affected users within 72 hours of discovering a breach that materially compromises personal data. Notification will include a description of what data was compromised, the date of the breach, likely impact, recommended protective actions, and incident response contact information.
HelixAI will notify relevant data protection authorities as required by law, including the ICO (UK), DPA (EU member states), and state attorneys general (US) within applicable timeframes.
In breaches involving financial information, HelixAI may offer credit monitoring and fraud protection services to affected individuals.
HelixAI employs automated and manual content moderation to enforce our terms of service and prevent illegal activities, particularly child exploitation.
HelixAI monitors user-generated prompts, content generation requests, and chat interactions for:
When a violation is detected, HelixAI records the following information in our violations log: user email address, IP address, User-Agent string, content flagged, matched policy terms, timestamp, tenant name and ID, and severity classification. This information is retained for law enforcement purposes and may be disclosed to authorities. Violations involving child exploitation receive a CRITICAL severity classification and are immediately reported to the National Center for Missing and Exploited Children (NCMEC) and law enforcement.
Violations logs and associated moderation data are retained indefinitely to support law enforcement investigations, legal proceedings, and regulatory compliance. These logs may be shared with law enforcement upon request with or without a warrant, depending on the circumstances and applicable law.
If you have questions, concerns, or requests regarding this Privacy Policy or HelixAI's data practices, please contact us:
HelixAI, Inc.
Privacy Team: david@helixai.media
Data Protection Officer: david@helixai.media
Support: david@helixai.media
HelixAI reserves the right to modify this Privacy Policy at any time. Material changes will be communicated to users via email or prominent notice on the platform at least 30 days before taking effect. Your continued use of HelixAI after changes become effective constitutes your acceptance of the updated Privacy Policy.
Privacy Policy Version 1.0. This Privacy Policy is part of the HelixAI legal framework and should be read in conjunction with our Terms of Service, Acceptable Use Policy, and Cookie Policy.