Helix-TTD Privacy Policy

Template:TOC right

Version

v1.0

Effective

2025-10-16

Maintainer

Stephen Hope

Summary (Plain Language)

We collect only what we need to run Helix-TTD (accounts, security, API usage, and optional uploads you provide). We minimize personal data, prefer hashed/receipt-based evidence, and store tamper-evident proofs at: https://helixprojectai.com/schemas . You control your credentials and your uploads. You can request access, correction, or deletion—subject to technical/legal limits.

Scope

This policy covers all Helix-TTD services we operate (APIs, dashboards, vector search gateways, proof/receipt hosting at /schemas) and any official client tools we distribute.

Who we are

Helix-TTD is operated by Helix AI Innovations Inc. (Canada). Contact: [insert privacy email] for privacy inquiries and data rights requests.

What we collect

1) Account & Access

Display name, email, non-transferable login/API credentials and scopes

Access tier, tenant ID, and time-boxed tokens (TTL)

2) Operational & Security Logs

IP address, user agent, timestamps, request metadata (endpoint, status, latency)

Authentication events (success/failure), key issuance/rotation, rate-limit triggers

Minimal necessary error traces

3) User-Provided Content (Optional)

Documents, prompts, files, and vectors you intentionally upload for processing

Associated metadata you provide (e.g., consent_ref, source, labels)

4) Proof Artifacts (Audit)

Hashes, Merkle roots, timestamps, signature material, and receipt JSON published to /schemas

These artifacts are tamper-evident and typically contain no plain-text personal data; they reference content via hashes and IDs

Why we collect it (Purposes)

Provide and secure the service (authentication, authorization, abuse prevention)

Generate verifiable audit receipts (our “TTD” layer) to uphold integrity and accountability

Diagnose reliability/performance, improve developer experience

Provide support and investigate incidents

Comply with legal obligations (security, fraud prevention, recordkeeping)

Legal bases (Canada & similar frameworks)

Consent (you sign up, upload content, or provide consent refs)

Contractual necessity (we must process to deliver the service you requested)

Legitimate interests (security, anti-abuse, service analytics, auditability)

Legal compliance (where applicable)

How we process & store

Data minimization: default to hashes/receipts over raw content where feasible

Isolation: per-tenant collections (e.g., user_mark) private by default; commons are curated, public-read

Encryption: in transit (TLS) and at rest (where supported by underlying services)

Proofs: public receipts at /schemas prove integrity without exposing sensitive content

Region: primary hosting in Canada (see your infrastructure notes; update if this changes)

Sharing & third parties

We do not sell personal data. We may share limited data with:

Infrastructure/security providers strictly to operate the service (under agreements)

Investigations (security incidents, fraud) and where required by law

Public proof hosting at /schemas (hashes and receipts only)

Cookies & telemetry

Session/auth cookies for dashboards (essential)

Minimal analytics on service health and usage patterns (aggregate where possible)

Data retention

Operational logs: short default retention (e.g., 30–90 days) unless needed for security or legal holds

Proof receipts: retained long-term as part of the public audit trail at /schemas

User uploads: retained while your account or project is active, or until you delete them (subject to dependency constraints, e.g., receipts)

Your choices & rights

Access & Portability: request a copy of your account data and submitted uploads (reasonable export format)

Correction: ask us to fix inaccuracies

Deletion: request deletion of personal data we control (subject to technical/legal limits; note that public audit receipts are immutable but are not supposed to reveal personal data)

Consent controls: provide or update consent_ref for processing you initiate

To exercise rights, contact: [insert privacy email]. We’ll verify your identity and respond within a reasonable time.

Children’s privacy

Helix-TTD is for adults and professional pilots. We do not knowingly collect personal data from children. Proposed youth/education pilots will run in a verified sandbox with additional safeguards and governance approvals.

Security

We apply layered security: strong auth, scoped tokens, per-tenant isolation, network segmentation, rate-limiting, and continuous monitoring. No system is perfectly secure; we maintain incident response procedures and notify as required.

International data transfers

If data moves across borders, we use appropriate safeguards (contractual clauses, jurisdictional controls). Contact us for current hosting/transfer details.

Links to other resources

Helix resources may link to third-party sites or tools. Their privacy practices are their own; review their policies.

Changes to this policy

We may update this policy to reflect changes in law or our services. Material changes will be posted here with a new Effective date. Continued use after the effective date means you accept the updated policy.

Contact

Privacy inquiries and data rights: [insert privacy email]

Security reports: [insert security email or VRP link]

Appendices

A) Proof Receipts at /schemas

Public JSON receipts include: proof ID, artifact hash(es), timestamps, signature references, and verification status.

Receipts avoid plain-text personal data; they reference content through cryptographic identifiers.

Example path: https://helixprojectai.com/schemas/<year>/<proof_id>.json

B) Data Inventory (high level)

 Subject: Helix-TTD Data Request — [Access/Correction/Deletion] Identity: [Name, email, account ID] Scope: [Describe the data/action you want] Notes: [Optional context to help us locate the data]