← Back to Helios
Privacy Policy
Last updated: April 3, 2026 · Version 2.0
Helios ("we," "our," or "us") operates the Helios mobile application and related backend services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, store, and protect your information, including sensitive health data. Please read this policy carefully before using Helios.
Health Data Notice: Helios processes sensitive health information including medical conditions, medications, family history, and biometric data. This data is transmitted to third-party AI services for processing. By using Helios, you provide explicit consent for the collection and processing of this health data as described below. Helios is NOT a HIPAA-covered entity — see Section 14 for details.
1. Data Controller
Helios is the data controller for your personal information under applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and the UK GDPR.
Contact: support@my-helios.app
2. Information We Collect
2.1 Account Information
- Email address
- Authentication credentials (via Apple Sign-In or Google Sign-In; we do not store your password)
- Account creation date
2.2 Profile and Health Data (Collected During Onboarding)
During the onboarding process, we collect:
- Demographics: Gender, date of birth, height, weight
- Current mood state
- Health conditions: Diabetes, heart disease, hypertension, asthma, arthritis, anxiety/depression, thyroid disorders, GERD, and custom conditions you provide
- Current medications: Names of medications and supplements
- Family medical history: Heart disease, cancer, diabetes, hypertension, stroke, Alzheimer's/dementia, mental health conditions
- Health concerns: Sleep quality, energy levels, weight management, stress/anxiety, chronic pain, and custom concerns
- Lifestyle information: Activity level, average sleep hours, lifestyle type (student, office work, remote work, etc.), barriers to health goals
- Health goals: Short-term goals, long-term goals, goal timelines, goal-specific details
- Wearable device types: Apple Watch, Fitbit, Garmin, Oura Ring, Whoop, etc.
2.3 Chat and Conversation Data
- Messages: All messages you send to and receive from Helios AI, including text content and any attachments
- AI-Extracted Memories: Facts and health data points extracted from your conversations by our AI system, stored with semantic vector embeddings for retrieval
- Healthspaces: Isolated health contexts you create, along with associated chats and memories
2.4 Apple HealthKit Data
If you grant permission, we access Apple HealthKit data including: step count, heart rate, heart rate variability, blood pressure, respiratory rate, oxygen saturation, sleep data, workout data, body measurements, activity metrics, and other available health samples.
Important: Raw Apple HealthKit data accessed via the HealthKit API is processed locally on your device and is never transmitted to our servers or any third party. However, if you voluntarily share health metrics (such as heart rate, blood pressure, or other readings) in your chat conversations, that information will be processed by our AI services as described in Section 5. The distinction is: HealthKit API data stays on your device; health information you type into chat is processed like any other message.
2.5 Agent Mode Data (Browser Automation)
When you use Agent Mode for tasks like appointment booking or shopping:
- Screenshots of web pages (analyzed by AI for navigation)
- URLs visited and navigation activity logs
- Form data entered on your behalf
- Login credentials you provide (encrypted with AES-256-GCM, held in memory only during the active session, never persisted to disk or database)
2.6 Payment and Subscription Data
- Subscription tier and status (managed via RevenueCat)
- Payment transaction records (processed by Stripe; we do not store credit card numbers)
- Purchase tracking information (order numbers, tracking numbers, delivery status)
2.7 Device and Usage Data
- Device type, operating system version
- App interactions and feature usage patterns
- Error logs and crash reports (if Sentry error tracking is enabled)
3. How We Use Your Information
- Provide personalized health insights: Analyze your health data using AI to deliver contextual wellness guidance
- Power AI conversations: Process your messages and health context through AI models to generate responses
- Extract and store health memories: Use AI to identify important health facts from conversations for future reference
- Facilitate agent tasks: Automate web-based tasks (appointment booking, shopping) on your behalf
- Process payments: Manage subscriptions and purchase transactions
- Track deliveries: Monitor shipment status for purchases made through Agent Mode
- Improve our services: Analyze aggregated, anonymized usage patterns to enhance the app
- Communicate: Send service-related notifications and respond to support requests
- Comply with legal obligations: Respond to lawful requests from authorities
4. Legal Basis for Processing (GDPR)
We process your data under the following legal bases:
- Explicit Consent (Article 9(2)(a)): For processing health data (special category data). You provide this consent during onboarding. You may withdraw consent at any time.
- Contract Performance (Article 6(1)(b)): To provide the Service you have subscribed to.
- Legitimate Interests (Article 6(1)(f)): For service security, fraud prevention, and service improvement using anonymized data.
- Legal Obligation (Article 6(1)(c)): To comply with applicable laws and regulations.
5. Third-Party Data Processors
Your data is processed by the following third-party service providers, each bound by data processing agreements:
| Provider |
Purpose |
Data Shared |
Location |
| xAI (Grok) |
AI chat processing, reasoning, memory extraction |
Message content, health context |
USA |
| VoyageAI |
Semantic vector embeddings for memory retrieval |
Text content for embedding |
USA |
| OpenRouter |
Vision AI for agent mode screenshot analysis |
Screenshots during agent sessions |
USA |
| Supabase |
Database hosting and authentication |
All stored user data |
USA |
| Railway |
Application server hosting |
All data in transit through the backend |
USA |
| Stripe |
Payment processing |
Payment amounts, transaction metadata |
USA |
| RevenueCat |
Subscription management |
Subscription status, app user ID |
USA |
| AfterShip |
Purchase/shipment tracking |
Tracking numbers, carrier info |
USA |
| Sentry (optional) |
Error tracking and monitoring |
Error logs, stack traces |
USA |
We do not sell, rent, or trade your personal information or health data to any third party.
Your personal health data is NOT used to train third-party AI models. Aggregated, anonymized usage patterns may be used to improve our service.
6. Data Security
- Encryption in transit: TLS 1.3 for all data transmission
- Encryption at rest: AES-256 for stored data
- Agent mode credentials: AES-256-GCM encryption, held in memory only, cleared on session end
- Access controls: Row Level Security (RLS) policies enforce user data isolation at the database level
- Audit logging: Security-relevant events are logged for compliance monitoring
- Authentication: OAuth 2.0 via Apple and Google; JWT-based session management
No system is completely secure. While we implement industry-standard protections, we cannot guarantee absolute security of your data.
7. Data Retention and Deletion
- Active accounts: Data is retained for as long as your account is active and needed to provide services.
- Messages and memories: Persist until you delete the associated chat, healthspace, or account.
- Agent mode credentials: Held in memory only during active sessions; automatically cleared after 30 minutes of inactivity or session completion. Never persisted to disk.
- Account deletion: All personal data is permanently deleted within 30 days of account deletion. Backup copies are purged within 90 days.
- Anonymized data: Aggregated, anonymized data that cannot identify you may be retained for analytics.
- Legal holds: Data may be retained longer if required by law or legal proceedings.
8. Your Rights
8.1 GDPR Rights (EU/EEA/UK Residents)
Under the GDPR, you have the right to:
- Access (Article 15): Request a copy of your personal data
- Rectification (Article 16): Request correction of inaccurate data
- Erasure (Article 17): Request deletion of your data ("right to be forgotten")
- Restriction (Article 18): Request restriction of processing
- Data Portability (Article 20): Receive your data in a structured, machine-readable format
- Object (Article 21): Object to processing based on legitimate interests
- Withdraw Consent: Withdraw consent for health data processing at any time without affecting lawfulness of prior processing
- Lodge Complaint: File a complaint with your local supervisory authority
We respond to all rights requests within 30 days. Exercise your rights via Settings in the app, or email support@my-helios.app.
8.2 CCPA/CPRA Rights (California Residents)
Under the California Consumer Privacy Act and California Privacy Rights Act, California residents have the right to:
- Know: What personal information is collected, used, and shared
- Delete: Request deletion of personal information
- Correct: Request correction of inaccurate personal information
- Opt-Out of Sale: We do not sell personal information
- Non-Discrimination: We will not discriminate against you for exercising your rights
- Limit Use of Sensitive Personal Information: Request that we limit use of sensitive personal information (including health data) to what is necessary to provide the Service
8.3 Washington My Health My Data Act (Washington Residents)
Washington state residents have additional rights regarding consumer health data, including the right to:
- Know whether their health data is being collected, shared, or sold
- Withdraw consent for the collection and sharing of health data
- Request deletion of health data
We collect health data only with your affirmative consent. We do not sell health data. We do not use geofencing around healthcare facilities.
8.4 Other State Privacy Laws
Residents of Connecticut, Colorado, Virginia, Utah, Oregon, Texas, Montana, and other states with consumer privacy laws may have additional rights similar to those described above. Contact us to exercise any applicable rights.
9. International Data Transfers
Your data is transferred to and processed in the United States. For transfers from the EU/EEA/UK, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Your explicit consent for the transfer of health data
10. Age Requirements
Minimum Age: You must be at least 13 years old to use Helios.
Users aged 13–17 must have a parent or legal guardian who has reviewed and consented to these terms on their behalf.
In the EU/EEA, users under the age of digital consent in their member state (typically 16, but varies from 13–16) must have parental consent.
We do not knowingly collect data from children under 13. If we discover that we have collected data from a child under 13, we will promptly delete it.
If you believe a child under 13 has provided us with personal information, contact us immediately at support@my-helios.app.
11. Cookies and Tracking Technologies
The Helios mobile app does not use browser cookies. We may collect device identifiers and usage analytics as described in Section 2.7. We do not use third-party advertising trackers or sell data for advertising purposes.
12. Automated Decision-Making
Helios uses AI to analyze your health data and generate insights. This constitutes automated processing but does NOT constitute automated decision-making with legal or similarly significant effects under GDPR Article 22. All AI outputs are informational suggestions only — no health decisions are made automatically on your behalf.
13. Data Breach Notification
In the event of a data breach involving your personal data, we will:
- Notify the relevant supervisory authority within 72 hours where required by GDPR
- Notify affected users without undue delay if the breach is likely to result in high risk to rights and freedoms
- Document all breaches in our internal breach register
14. HIPAA Disclaimer
Helios is a consumer wellness and health education application. We are NOT a healthcare provider, health plan, or healthcare clearinghouse, and therefore are NOT a HIPAA-covered entity. We are not subject to the Health Insurance Portability and Accountability Act (HIPAA).
While we implement security practices that align with HIPAA standards (encryption, access controls, audit logging), this does not constitute HIPAA compliance. If you require HIPAA-compliant health services, consult your healthcare provider.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will update the "Last Updated" date and version number
- We will notify you via in-app notice or email
- For material changes to health data processing, we may request renewed consent
Continued use of the Service after notification constitutes acceptance of the updated policy.
16. Contact Us
For questions about this Privacy Policy, to exercise your data rights, or to file a complaint:
Email: support@my-helios.app