Privacy Policy
Last updated: February 2026
Helena Bioinformatics EOOD ("Helena Bioinformatics", "we", "us", or "our") operates the Helix Insight platform. This Privacy Policy explains how we collect, use, store, and protect personal data, including genomic data, in compliance with the EU General Data Protection Regulation (GDPR) and applicable Bulgarian data protection legislation.
1. Data Controller
For personal data collected through our website (account registration, contact forms, demo requests), Helena Bioinformatics acts as the data controller.
For genomic data (VCF files, variant data, phenotype information) uploaded by partner laboratories for analysis, the laboratory is the data controller and Helena Bioinformatics acts as the data processor. The relationship is governed by a Data Processing Agreement (DPA) executed with each partner.
Helena Bioinformatics EOOD
Sofia, Bulgaria
Contact: privacy@helena.bio
2. Categories of Personal Data
We process the following categories of data:
Account Data: name, email address, organization name, role, and authentication credentials. Collected directly from users during registration. Legal basis: contractual necessity (GDPR Article 6(1)(b)).
Genomic Data (Special Category): VCF files containing genetic variant information, associated phenotype terms (HPO codes), and clinical annotations. This constitutes special category data under GDPR Article 9. Legal basis: explicit consent of the data subject or processing necessary for healthcare provision (Article 9(2)(h)), as determined by the data controller (the laboratory). We process genomic data exclusively on instruction from the data controller under a DPA.
Usage Data: IP addresses, browser type, pages visited, and session duration. Collected automatically for security monitoring and service improvement. Legal basis: legitimate interest (Article 6(1)(f)).
3. Purpose of Processing
We process personal data for the following purposes: providing and maintaining the Helix Insight platform, including variant annotation, ACMG classification, phenotype matching, and literature analysis; authenticating users and managing access control; communicating with users about their accounts and platform updates; responding to demo requests and support inquiries; security monitoring, fraud prevention, and audit logging; and complying with legal obligations.
Genomic data is processed solely for the purpose of providing variant analysis services as instructed by the data controller (laboratory). We do not use genomic data for marketing, profiling, automated decision-making, or any purpose beyond the contracted analysis services.
4. Data Storage and Security
All data is processed and stored on dedicated servers located in Helsinki, Finland (Hetzner Online GmbH), within the European Union. No personal or genomic data is transferred outside the EU/EEA.
We implement the following technical and organizational measures: TLS 1.3 encryption for all data in transit; AES-256 encryption for data at rest; role-based access control with the principle of least privilege; complete audit trails for all data access and processing operations; network isolation with firewall rules restricting access to authorized services; regular security assessments and vulnerability monitoring; and bcrypt password hashing for authentication credentials.
5. Data Retention
Genomic data: retained for the duration specified in the DPA with each laboratory partner. The default retention period is 90 days after analysis completion, after which data is automatically and permanently deleted. Laboratories may request immediate deletion at any time.
Account data: retained for the duration of the active account and for 12 months following account closure for audit purposes.
Audit logs: retained for 24 months to comply with regulatory requirements and then permanently deleted.
6. Data Subject Rights
Under GDPR, individuals have the following rights regarding their personal data: the right of access (Article 15), the right to rectification (Article 16), the right to erasure (Article 17), the right to restriction of processing (Article 18), the right to data portability (Article 20), and the right to object (Article 21).
For genomic data where the laboratory is the data controller, data subject requests should be directed to the laboratory. We will assist the laboratory in fulfilling such requests in accordance with our DPA.
To exercise your rights regarding account data, contact us at privacy@helena.bio. We will respond within 30 days.
7. Sub-processors
We use the following sub-processors:
Hetzner Online GmbH (Gunzenhausen, Germany) for dedicated server infrastructure located in Helsinki, Finland. Hetzner processes data solely for hosting purposes and maintains ISO 27001 certification.
Vercel Inc. (San Francisco, USA) for hosting our marketing website and application frontend. Vercel processes only usage data (no genomic data). Data processing is covered by Standard Contractual Clauses.
We will notify data controllers of any intended changes to sub-processors, providing the opportunity to object.
8. Data Breach Notification
In the event of a personal data breach, we will notify the relevant data controller without undue delay and no later than 24 hours after becoming aware of the breach. Where required, we will notify the Bulgarian Commission for Personal Data Protection (CPDP) within 72 hours in accordance with GDPR Article 33.
9. Cookies
Our platform uses only essential cookies required for authentication and session management. We do not use advertising cookies, tracking cookies, or third-party analytics. No cookie consent banner is required as we use only strictly necessary cookies exempt under the ePrivacy Directive.
10. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or applicable law. Material changes will be communicated to registered users via email. The "Last updated" date at the top indicates the most recent revision.
11. Contact and Supervisory Authority
For any data protection inquiries, contact our Data Protection Officer at privacy@helena.bio.
You have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP): 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria, kzld@cpdp.bg, www.cpdp.bg.