Our commitment
Your genetic data is not like other personal information. A raw DNA file can reveal health predispositions, ancestry, family relationships, and biological characteristics that are unique to you and, in part, shared by your biological relatives. We treat this data with a level of care that reflects its extraordinary sensitivity.
helixXY is built on three foundational principles: privacy-first design (data minimization and isolation are built into the architecture, not bolted on afterward), zero monetization of genetic data (we have no business model that depends on selling or sharing your data), and full compliance with LGPD (Brazil's Lei Geral de Proteção de Dados) and GDPR (the EU's General Data Protection Regulation).
Technical security
AES-256 encryption at rest
Your raw genetic file and all derived data are encrypted at rest using AES-256, the same encryption standard used by banks, defense agencies, and major healthcare systems worldwide. Encryption keys are managed through hardware security modules (HSMs) and are rotated on a scheduled basis.
TLS 1.3 for all data transfers
Every byte of data transmitted between your device and helixXY servers uses TLS 1.3 encryption — the current industry gold standard for in-transit protection. No data ever travels over an unencrypted connection, including your raw file during upload.
Isolated encrypted genetic file storage
Your raw DNA file is stored in a segregated, encrypted storage environment that is physically and logically separate from your account identity and profile data. This means your genetic file cannot be directly linked to your personal information even within our infrastructure.
Strict access controls
Only you and any shares you explicitly authorize can access your genetic data and reports. Internally, access to production systems is restricted to a minimal set of authorized engineers, requires multi-factor authentication, and every access event is logged and audited. No employee can access your genetic file without a traceable support justification.
Regular third-party security audits
helixXY undergoes independent penetration testing and security audits on a regular schedule. Our infrastructure operates on cloud providers certified to ISO 27001 and SOC 2 Type II. Audit findings are tracked to full remediation, with critical issues addressed immediately.
helixXY uses a zero-knowledge architecture for genetic file storage. Your raw data file is encrypted with keys that are not accessible to our internal engineering team during normal operations. Even our own staff cannot read the contents of your uploaded file.
What data we collect
We collect only what is necessary to provide the service:
- Account information: Your email address and name, used to manage your account and communicate with you.
- Your raw DNA file: The file you upload from your genetic testing lab. This is stored encrypted and used solely to generate your personalized reports.
- Usage analytics: Anonymized, aggregated data about how features are used across the platform — never linked to individual users.
- Report preferences: Which reports you've saved, shared, or flagged, used to personalize your dashboard experience.
What we do not collect:
- Precise geolocation data
- Biometric identifiers beyond your uploaded genetic file
- Financial or payment data (payments are handled by a PCI-compliant third-party processor; we never see your card details)
- Browsing history or behavioral tracking data outside of helixXY
Do we share your data?
No. Your genetic data is never sold, rented, or shared with any third party for any commercial purpose. This is an unconditional commitment, not a policy subject to future revision. Specifically:
- We do not share data with insurance companies or use your data in ways that could affect your insurability
- We do not share data with employers
- We do not share data with pharmaceutical companies or research institutions without your explicit, separately obtained, opt-in consent
- We do not share data with advertising platforms or data brokers
- Research programs, if offered, are always optional, clearly labeled, and require a standalone consent step — they are never bundled into the standard terms of service
Be cautious of third-party apps that ask for access to your helixXY data. helixXY will never ask you for your lab login credentials (23andMe, Genera, AncestryDNA, etc.). If any service asks for those credentials claiming to "connect" to helixXY, do not proceed — it is not an authorized integration.
Your rights under LGPD and GDPR
Depending on your country of residence, you are entitled to the following rights under applicable privacy law. helixXY honors these rights for all users regardless of jurisdiction:
- Right to access: Request a complete export of all personal data we hold about you, delivered in a structured, readable format.
- Right to rectification: Request correction of any inaccurate or incomplete personal information associated with your account.
- Right to deletion (Right to be forgotten): Request permanent deletion of all your data — including your raw genetic file, all generated reports, and account information — at any time.
- Right to portability: Receive your data in a machine-readable format (JSON or CSV) that you can take to another service.
- Right to object: Object to specific types of processing of your personal data, including any use for research or analytics purposes.
- Right to withdraw consent: Withdraw any consent you have previously given at any time. Withdrawal does not affect the lawfulness of processing that occurred before the withdrawal.
To exercise any of these rights, contact our Data Protection Officer at privacy@helixxy.com. We respond to all data rights requests within 30 days.
How to delete your data
Open Account Settings
Sign in to your helixXY account, click your profile icon in the top-right corner, and select Account Settings.
Navigate to Privacy
Click the Privacy tab within your account settings. This page gives you a complete view of the data we hold about you.
Click "Delete Genetic Data"
To delete only your raw DNA file and reports while keeping your account, click Delete Genetic Data. To delete everything including your account, click Delete Account.
Confirm with your password
Enter your account password to confirm. Deletion is immediate and irreversible. All data specified in the deletion request is permanently removed from active systems within 30 days and from all backups within 90 days.
Data retention
- Active account: Your data is retained for as long as your account is active, enabling automatic report updates as new science is published.
- Deleted account or genetic data: All data is permanently purged from active systems within 30 days of deletion request confirmation.
- Encrypted backups: Backup systems are purged within 90 days of the deletion request. During this period, the data remains inaccessible and encrypted — it cannot be used for any processing.