Effective Date: March 26, 2026

Last Updated: March 26, 2026

Version: 1.0

1. Introduction and Scope

Welcome to Helixa Health (\"Helixa Health,\" \"we,\" \"us,\" or \"our\"). Helixa Health is an artificial intelligence-powered health and genomics platform that enables users to upload, analyze, and receive educational insights based on their genetic and health data.

This Privacy Policy describes how Helixa Health collects, uses, stores, discloses, and protects your personal information, including sensitive categories such as genetic data, health records, and biometric identifiers. By creating an account or using any Helixa Health service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

Important: Helixa Health does not establish a provider-patient or physician-patient relationship with any user. Helixa Health is not a covered entity or business associate under the Health Insurance Portability and Accountability Act (HIPAA). When you upload health data to Helixa Health, you do so voluntarily and outside the HIPAA framework. Notwithstanding this status, Helixa Health implements security safeguards that align with HIPAA's administrative, technical, and physical standards as described in Section 7 below.

2. Information We Collect

2.1 Account Information

When you register for an account, we collect your name, email address, login credentials (stored using salted, hashed encryption), and multi-factor authentication details.

2.2 Health and Genetic Information (User-Provided)

At your sole discretion, you may choose to upload any of the following:

• Genetic test files (e.g., VCF, SNP, CSV formats)
• Electronic health records, lab results, and diagnostic reports
• Medication and supplement lists
• Family medical history
• Lifestyle and behavioral health data (e.g., smoking status, alcohol use)
• Self-reported symptom data

You control what data you upload. We do not obtain health or genetic data from third-party sources. All health and genetic information in your account is provided directly by you.

2.3 Technical and Usage Data

We automatically collect limited technical data to maintain system security and performance, including device type, browser type, IP address (anonymized after 30 days), log activity, and timestamped system interactions. We do not use tracking cookies for advertising. Any cookies deployed are strictly functional or security-related.

3. How We Use Your Information

We use your information for the following purposes and no others:

• Authenticating and securing your account
• Analyzing your uploaded health and genetic data to generate personalized educational insights
• Providing health and wellness recommendations for informational purposes only
• Improving system performance, reliability, and safety
• Maintaining audit logs and security records as required by law
• Communicating with you regarding account activity, policy changes, or security incidents

We do not:

• Sell, rent, lease, or trade your personal data, genetic data, or health data to any third party
• Share your data with employers, insurers (health, life, disability, or long-term care), or data brokers
• Use your data for targeted advertising, profiling for marketing purposes, or behavioral tracking
• Use your genetic data for actuarial, underwriting, or employment-related decisions

4. AI-Powered Analysis and Disclaimer of Medical Advice

Helixa Health uses artificial intelligence and machine learning models to analyze the data you provide and generate health-related insights.

Critical Disclaimer: All AI-generated outputs are educational and informational only. They do not constitute medical advice, clinical diagnosis, treatment recommendations, or professional health guidance. Helixa Health does not practice medicine, and no output from the platform should be interpreted as a substitute for the judgment of a licensed healthcare provider.

No Provider-Patient Relationship: Use of Helixa Health does not create a physician-patient, therapist-patient, or any other clinical relationship between you and Helixa Health, its affiliates, or its personnel.

Duty to Seek Professional Care: You should always consult a licensed healthcare professional before making any medical decisions, changing medications, or altering treatment plans based on information obtained through Helixa Health. If you are experiencing a medical emergency, call 911 or your local emergency services immediately.

AI-generated content is logged for quality assurance and safety review. You may request deletion of AI-generated content associated with your account at any time (see Section 10).

5. Genetic Data Protections

5.1 Federal Protections Under GINA

The Genetic Information Nondiscrimination Act (GINA) prohibits the use of genetic information in decisions related to health insurance coverage and employment. Helixa Health does not disclose genetic data to health insurers or employers and restricts internal access to genetic fields through role-based access controls.

Important Limitation: GINA does not cover life insurance, disability insurance, or long-term care insurance. Users should be aware that protections under GINA are limited to the health insurance and employment contexts. Helixa Health will not voluntarily disclose your genetic data to any insurer or employer, but we cannot guarantee protection beyond the scope of applicable law.

5.2 State Genetic Privacy Laws

Several states maintain genetic privacy statutes that may provide additional protections beyond GINA. These include, but are not limited to:

• Illinois Genetic Information Privacy Act (GIPA), which requires informed written consent before the collection, use, or disclosure of genetic information
• California Genetic Information Privacy Act (CalGINA) and the California Privacy Rights Act (CPRA), which classify genetic data as sensitive personal information subject to heightened protections
• Other state-specific genetic privacy statutes as they may be enacted or amended

Helixa Health is committed to complying with applicable state genetic privacy laws. If you reside in a jurisdiction with specific genetic privacy protections, you may have additional rights as described in Section 10.

6. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, \"CPRA\") provides you with specific rights regarding your personal information.

Sensitive Personal Information: Helixa Health processes genetic data, health data, and biometric identifiers, all of which are classified as sensitive personal information under CPRA. We process sensitive personal information only for the purposes described in this Privacy Policy and as permitted under CPRA.

Your California Rights:

• Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you
• Right to Delete: You may request deletion of your personal information, subject to certain legal exceptions
• Right to Correct: You may request correction of inaccurate personal information
• Right to Limit Use of Sensitive Personal Information: You may direct us to limit our use of your sensitive personal information to purposes necessary to provide the services you have requested
• Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information as defined under CPRA. However, you may submit an opt-out request at any time

To exercise any of these rights, contact us at [Insert Email Address] or use the controls available in your account dashboard. We will respond within 45 days as required by law. We will not discriminate against you for exercising your CPRA rights.

Do Not Sell or Share My Personal Information: Helixa Health does not sell or share personal information as those terms are defined under the CPRA. We do not participate in cross-context behavioral advertising.

7. Data Storage, Security, and Technical Safeguards

Helixa Health implements administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of your data. While Helixa Health is not a HIPAA-covered entity (see Section 1), we align our security practices with the HIPAA Security Rule as a benchmark standard. These safeguards include:

• Encryption in transit using TLS 1.2 or higher
• Encryption at rest using AES-256
• Role-based access control (RBAC) with least-privilege principles
• Multi-factor authentication (MFA) for all user accounts and administrative access
• Comprehensive audit logging of all access to sensitive data, including timestamped records of who accessed what data and when
• Pseudonymization of health and genetic data during AI processing
• Logical separation of identifiable user data from AI vector databases and analytical processing systems
• Regular vulnerability assessments and penetration testing
• Incident response protocols with defined escalation procedures

All protected endpoints require verified authentication tokens. We conduct periodic security audits and update our safeguards in response to emerging threats.

No Security Guarantee: While we implement commercially reasonable security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security of your data. In the event of a breach, we will follow the notification procedures described in Section 12.

8. Third-Party Services and Data Processing

Helixa Health integrates with a limited number of third-party services to support platform functionality. These categories include:

• Identity and authentication providers (for secure login)
• Cloud infrastructure providers (for encrypted data storage and processing)
• Medical knowledge APIs (e.g., ClinVar, OMIM, for reference data used in analysis)
• Supplement and wellness marketplaces (optional purchase links only; no health data transmitted)

Data Processing Agreements: We maintain data processing agreements (DPAs) with all subprocessors who access, store, or process personal data on our behalf. These DPAs require subprocessors to implement security safeguards no less protective than our own and to process data only as instructed by Helixa Health.

No Transmission of PII to Reference APIs: When querying medical knowledge APIs, we transmit only de-identified genetic variants or clinical identifiers. We do not transmit your name, account information, or other personally identifiable information to these services.

A list of categories of subprocessors is available upon request by contacting [Insert Email Address].

9. International Data Transfers

Helixa Health stores and processes data primarily in the United States. If you access Helixa Health from outside the United States, your information may be transferred to, stored in, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on the following mechanisms to ensure adequate protection of transferred data:

• EU-U.S. Data Privacy Framework (DPF) certification, where applicable
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Any successor frameworks recognized by applicable data protection authorities

By using Helixa Health, you consent to the transfer of your data as described in this section. If you do not consent, you should not use the platform.

10. Your Rights

Depending on your jurisdiction, you may have some or all of the following rights with respect to your personal information:

• Right to Access: Request a copy of the personal data we hold about you
• Right to Portability: Receive your data in a structured, commonly used, machine-readable format
• Right to Correction: Request correction of inaccurate or incomplete data
• Right to Deletion: Request deletion of your personal data, including genetic files, health records, and AI-generated content (“Right to be Forgotten”)
• Right to Withdraw Consent: Withdraw consent for AI processing or data analysis at any time, without affecting the lawfulness of processing performed before withdrawal
• Right to Restrict Processing: Request that we restrict processing of your data in certain circumstances
• Right to Object: Object to processing of your data where we rely on legitimate interests as a legal basis
• Right to Lodge a Complaint: Lodge a complaint with a supervisory authority in your jurisdiction

You can exercise most of these rights through your account dashboard. For requests that cannot be completed through the dashboard, contact us at [Insert Email Address]. We will verify your identity before processing any request and will respond within the timeframe required by applicable law (generally 30–45 days).

10.1 Consent Mechanism

Helixa Health obtains consent through an affirmative opt-in process at the time of account creation. Before uploading any health or genetic data, you will be presented with a clear disclosure describing the types of data we collect, the purposes for which we use it, and your rights. Consent is recorded with a timestamp in our system. You may withdraw consent at any time through your account settings or by contacting us directly. Withdrawal of consent will halt future processing but will not affect the lawfulness of processing carried out before withdrawal.

11. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, comply with legal obligations, and resolve disputes. Specific retention periods are as follows:

• Account information: Retained for as long as your account is active, plus 30 days after account deletion to facilitate account recovery requests
• Genetic and health data: Deleted within 30 days of your deletion request. Residual copies in encrypted backups are purged within 90 days
• AI-generated insights: Retained for as long as your account is active. Deleted within 30 days of your deletion request or account closure
• Audit and security logs: Retained for a minimum of 12 months and a maximum of 36 months, as required for regulatory compliance and security investigations
• Technical and usage data: Anonymized after 30 days; anonymized aggregates may be retained indefinitely for system performance analysis
• Encrypted backups: Maintained for disaster recovery purposes and purged on a rolling 90-day cycle

Where retention is required by law (e.g., tax, regulatory, or litigation obligations), we will retain the minimum data necessary for the minimum period required.

12. Breach Notification

In the event of a data breach that compromises the security, confidentiality, or integrity of your personal information, Helixa Health will:

• Investigate the incident promptly and implement containment measures
• Notify affected users via email and in-app notification within 72 hours of confirming the breach, consistent with GDPR requirements and no later than applicable U.S. state law deadlines (typically 30–60 days)
• Notify relevant regulatory and supervisory authorities as required by applicable law, including but not limited to state attorneys general and data protection authorities
• Provide a description of the nature of the breach, the categories of data affected, the approximate number of individuals affected, and the measures taken or proposed to address the breach
• Implement corrective measures and conduct a post-incident review

We maintain an incident response plan that is reviewed and tested at least annually.

13. Children's Privacy

Helixa Health is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18 without verified parental or guardian consent.

If a parent or guardian uploads genetic or health data of a minor (under 18) to Helixa Health, the parent or guardian represents and warrants that they have legal authority to consent to such upload on behalf of the minor. Data pertaining to minors is subject to the same protections described in this Privacy Policy, with additional restrictions on processing as required by applicable law.

If we discover that we have collected personal information from a minor without appropriate consent, we will delete such information promptly. To report a concern, contact us at [Insert Email Address].

For users under the age of 13, the Children's Online Privacy Protection Act (COPPA) imposes additional requirements. Helixa Health does not knowingly collect data from children under 13 and will implement verifiable parental consent mechanisms if such collection becomes necessary.

14. Limitation of Liability

IMPORTANT — PLEASE READ CAREFULLY: TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, HELIXA HEALTH, ITS OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, AFFILIATES, AND LICENSORS SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO DAMAGES FOR LOSS OF PROFITS, GOODWILL, DATA, OR OTHER INTANGIBLE LOSSES, ARISING OUT OF OR RELATED TO YOUR USE OF OR INABILITY TO USE THE PLATFORM.

WITHOUT LIMITING THE FOREGOING, HELIXA HEALTH'S TOTAL CUMULATIVE LIABILITY TO YOU FOR ALL CLAIMS ARISING OUT OF OR RELATED TO THIS PRIVACY POLICY OR YOUR USE OF THE PLATFORM SHALL NOT EXCEED THE GREATER OF (A) THE TOTAL FEES PAID BY YOU TO HELIXA HEALTH IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM, OR (B) ONE HUNDRED DOLLARS ($100.00).

HELIXA HEALTH DOES NOT WARRANT THAT AI-GENERATED INSIGHTS ARE ACCURATE, COMPLETE, OR SUITABLE FOR ANY PARTICULAR PURPOSE. YOU ACKNOWLEDGE THAT AI MODELS MAY PRODUCE ERRORS, HALLUCINATIONS, OR INCOMPLETE ANALYSES, AND YOU ASSUME ALL RISK ASSOCIATED WITH RELIANCE ON AI-GENERATED OUTPUTS.

15. Indemnification

You agree to indemnify, defend, and hold harmless Helixa Health, its officers, directors, employees, agents, and affiliates from and against any and all claims, liabilities, damages, losses, costs, and expenses (including reasonable attorneys' fees) arising out of or related to: (a) your use of the platform; (b) any medical, health, or lifestyle decision you make based on AI-generated content; (c) your breach of this Privacy Policy; or (d) your violation of any applicable law or regulation.

16. Governing Law, Jurisdiction, and Dispute Resolution

16.1 Governing Law

This Privacy Policy and any dispute arising out of or related to it shall be governed by and construed in accordance with the laws of the State of [Insert State], without regard to its conflict of laws principles.

16.2 Mandatory Arbitration

Any dispute, claim, or controversy arising out of or relating to this Privacy Policy or your use of Helixa Health, including the determination of the scope or applicability of this agreement to arbitrate, shall be resolved through binding arbitration administered by the American Arbitration Association (“AAA”) under its Commercial Arbitration Rules. The arbitration shall take place in [Insert City, State]. Judgment on the arbitration award may be entered in any court having jurisdiction.

16.3 Class Action Waiver

YOU AGREE THAT ANY DISPUTE RESOLUTION PROCEEDINGS WILL BE CONDUCTED ONLY ON AN INDIVIDUAL BASIS AND NOT IN A CLASS, CONSOLIDATED, OR REPRESENTATIVE ACTION. If for any reason a claim proceeds in court rather than in arbitration, you and Helixa Health each waive any right to a jury trial.

16.4 Forum Selection

To the extent that arbitration is not applicable or is found unenforceable, you agree that any litigation shall be filed exclusively in the state or federal courts located in [Insert County], [Insert State], and you consent to the personal jurisdiction of such courts.

17. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

• Material Changes: If we make material changes to this Privacy Policy, we will notify you via in-app notification and email at least 30 days before the changes take effect. Your continued use of Helixa Health after the effective date constitutes acceptance of the updated policy.
• Non-Material Changes: Minor clarifications or formatting changes may be made without prior notice. All changes will be reflected in the “Last Updated” date at the top of this document.

We encourage you to review this Privacy Policy periodically.

18. Severability

If any provision of this Privacy Policy is found to be invalid, illegal, or unenforceable by a court of competent jurisdiction, the remaining provisions shall continue in full force and effect. The invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving its original intent.

19. Entire Agreement

This Privacy Policy, together with the Helixa Health Terms of Service [Insert Link], constitutes the entire agreement between you and Helixa Health with respect to the subject matter hereof and supersedes all prior or contemporaneous communications, representations, or agreements, whether oral or written.