Helix Extract

by Helix Systems LLC

Privacy Policy

Last Updated: February 21, 2026

1. Introduction

Helix Systems LLC ("we," "our," or "us") operates Helix Extract, an AI-powered browser extension for document data extraction. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

2. Information We Collect

Account Information

  • Name (first and last)
  • Email address
  • Password (encrypted) — for direct registration only
  • Account creation date
  • Login timestamps

Google OAuth Information

If you choose to sign in with Google, we receive the following information from Google:

  • Your Google account email address
  • Your name (profile pictures are not stored)
  • A unique Google account identifier

We do not receive or store your Google password. Google OAuth uses secure token-based authentication.

Usage Data

  • Document processing requests (metadata only, not document content)
  • Token usage statistics
  • Number of extraction requests, pages processed, and feature usage within the extension
  • IP address and browser user-agent (collected for security and fraud prevention)

Document Data

Important: We do not collect, store, or share the content of your uploaded documents. Your document data is:

  • Processed securely via AWS Bedrock AI for data extraction only
  • Never stored on our servers beyond the brief processing window
  • Never shared with third parties or used for any other purpose
  • Encrypted in transit and during processing

3. Browser Extension Permissions

The Helix Extract browser extension requests the following permissions to function. We follow a minimal-permission model: broad website access is optional and only requested in the moment you need it, not at install time:

  • Active Tab: Allows the extension to interact with the current webpage when you click the extension icon. We only access the tab you're actively using and only when you initiate an action.
  • Optional: Access to the current website (requested at fill time): When you click "Fill Form," the extension requests permission to access that specific website — and only that website — so it can inject the form-fill script. This permission is optional and granted per-site: Chrome will prompt you to approve access the first time you fill a form on each domain. We do not use this permission to read, collect, or transmit webpage content. No data from third-party websites is sent to our servers.
  • Scripting: Enables the extension to inject the form-fill script into web pages and to extract document content from documents (PDFs, Word documents, and images) for processing.
  • Storage: Stores your authentication token, extension preferences, and a local activity log (last 100 actions) on your device. This data never leaves your browser.
  • Side Panel: Displays the Helix Extract interface in Chrome's side panel for easier access.
  • Identity: Reserved for secure Google OAuth sign-in flows. When you sign in with Google, a secure browser popup handles authentication — your Google credentials are never passed to or stored by the extension.

What we do NOT collect:

  • We do not collect or store your browsing history
  • We do not track which websites you visit
  • We do not read or transmit third-party webpage content — the per-site permission granted at fill time is used solely to inject the form-fill script when you initiate it
  • We do not access webpage content unless you explicitly initiate a document extraction or form fill
  • We do not run in the background or monitor your activity

4. How We Use Your Information

  • To provide and maintain Helix Extract services
  • To process your documents using AI
  • To manage your account and subscription
  • To send service-related communications (account updates, billing, security notices, and new feature announcements)
  • To improve our services and develop new features
  • To ensure security and prevent fraud
  • To comply with legal obligations

5. Data Storage and Security

Your data security is our top priority. We implement enterprise-grade security measures:

  • End-to-End Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Secure AWS Infrastructure: All processing occurs within AWS's secure infrastructure in US-EAST-1
  • Zero Data Retention: Your uploaded document content is processed in memory and immediately discarded. For multi-page documents requiring layout analysis, content is temporarily stored in encrypted S3 storage during processing and automatically deleted upon completion.
  • Data Isolation: Your document data never escapes our secure processing pipeline and is never accessible to Helix staff
  • Access Controls: Strict role-based access to account data only
  • Security Logging: AWS CloudWatch logging and error alerting

6. Data Sharing and Disclosure

We do not sell, share, or disclose your uploaded document content to any third parties. Your document data remains completely private and secure.

For essential service operations, we use:

  • AWS Bedrock: AI processing of your documents occurs entirely within AWS's secure infrastructure. Your document content is encrypted, processed, and immediately discarded—it is never stored, logged, or used for model training.
  • AWS (Hosting): Secure cloud infrastructure for our application
  • Stripe: Payment processing (they never see your document content)

We may disclose account information (not document content) only when:

  • Legal Requirements: When required by law or to protect our rights
  • Business Transfers: In connection with mergers or acquisitions

7. Your Rights

You have the following rights regarding your data:

  • Access: Request a copy of your personal data
  • Correction: Update inaccurate information
  • Deletion: Request deletion of your account and data
  • Opt-Out: Unsubscribe from marketing communications

To exercise these rights, contact us at privacy@discoverhelix.com

8. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Categories of Personal Information Collected

  • Identifiers: Email address, name, Google account ID
  • Commercial Information: Subscription and payment history
  • Internet Activity: Extension usage statistics, login timestamps

Your California Rights

  • Right to Know: Request what personal information we have collected about you
  • Right to Delete: Request deletion of your personal information
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out: Opt out of the sale or sharing of personal information
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. To exercise your California privacy rights, contact us at privacy@discoverhelix.com.

9. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

Legal Basis for Processing

  • Contract Performance: Processing your documents and managing your account is necessary to provide the service you requested
  • Legitimate Interests: Improving our services, ensuring security, and preventing fraud
  • Consent: Marketing communications (which you can withdraw at any time)
  • Legal Obligation: Compliance with applicable laws

Your GDPR Rights

  • Access: Obtain a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Restriction: Request restriction of processing in certain circumstances
  • Data Portability: Receive your data in a structured, machine-readable format
  • Object: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent at any time where processing is based on consent

Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your country of residence if you believe our processing of your personal data violates applicable law.

To exercise your GDPR rights, contact us at privacy@discoverhelix.com.

10. Cookies, Tracking, and Analytics

Cookies

We use essential cookies for authentication and session management only. We do not use third-party advertising cookies or trackers.

Analytics

We may use Google Analytics on our website to collect anonymized usage statistics such as page views and visit frequency. Google Analytics uses cookies to collect this data. You can opt out of Google Analytics by using browser privacy settings or the Google Analytics Opt-out Browser Add-on. We do not use analytics tracking within the browser extension itself. We also collect basic, anonymized usage metrics (such as total API requests and error rates) to maintain service reliability. These metrics cannot be used to identify individual users or track browsing behavior.

11. Third-Party Services

  • AWS Bedrock: Secure AI processing of document content within AWS infrastructure - your data never leaves the secure AWS environment and is not used for model training
  • AWS Textract: Document text and layout analysis for the verification feature - processes documents to detect text locations, then immediately discards them
  • Resend: Email delivery
  • Stripe: Payment processing
  • Google OAuth: Optional authentication

These services operate under strict data protection agreements. Your uploaded document content is only processed by AWS Bedrock and AWS Textract and is never shared with other third-party services.

12. Data Retention

  • Account Data: Retained while your account is active
  • Document Content: Temporarily stored in encrypted S3 storage during processing and automatically deleted upon completion. A safety expiry ensures deletion even in edge cases.
  • Extracted Results: Available in your browser session; we do not retain extraction results on our servers
  • Audit Logs: Usage metadata (not document content) retained for 30 days for security purposes

13. Children's Privacy

Helix Extract is not intended for users under 18. We do not knowingly collect information from children. If you believe we have collected data from a minor, contact us immediately.

14. International Users

Our services are hosted in the United States. By using Helix Extract, you consent to the transfer of your data to the US. We comply with applicable data protection laws.

15. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of significant changes via email or through the service. Continued use constitutes acceptance of the updated policy.

16. Contact Us

For privacy-related questions or concerns:

Email: privacy@discoverhelix.com

Company: Helix Systems LLC