Privacy Policy

Last Updated: February 24, 2026

1. Introduction

Helix Systems LLC ("we," "our," or "us") operates Helix Extract, an AI-powered browser extension for document data extraction. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

2. Information We Collect

Account Information

  • Name (first and last)
  • Email address
  • Password (encrypted) — for direct registration only
  • Account creation date
  • Login timestamps

Google OAuth Information

If you choose to sign in with Google, we receive the following information from Google:

  • Your Google account email address
  • Your name (profile pictures are not stored)
  • A unique Google account identifier

We do not receive or store your Google password. Google OAuth uses secure token-based authentication.

Usage Data

  • Document processing requests (metadata only, not document content)
  • Token usage statistics
  • Number of extraction requests, pages processed, and feature usage within the extension
  • IP address and browser user-agent (collected for security and fraud prevention)

Document Data

Important: We do not collect, store, or share the content of your uploaded documents. Your document data is:

  • Processed via AWS Textract (for OCR and layout analysis) and Claude via Amazon Bedrock (for AI field extraction) — never stored beyond the brief processing window
  • Deleted from our servers immediately upon processing completion; a safety expiry window ensures deletion even in unexpected edge cases
  • Never shared with third parties or used for any other purpose, including AI model training
  • Encrypted in transit (TLS 1.3) and at rest (AES-256) during any temporary processing storage

3. Browser Extension Permissions

The Helix Extract browser extension follows a minimal-permission model: broad website access is optional and is requested only at the moment you need it, not at install time. The extension requests the following permissions to function:

  • Active Tab: Allows the extension to interact with the current webpage when you click the extension icon. We only access the tab you're actively using and only when you initiate an action.
  • Optional: Access to the current website (requested at fill time): When you click "Fill Form," the extension requests permission to access that specific website — and only that website — so it can inject the form-fill script. This permission is optional and granted per-site: Chrome will prompt you to approve access the first time you fill a form on each domain. We do not use this permission to read, collect, or transmit webpage content. No data from third-party websites is sent to our servers.
  • Scripting: Enables the extension to inject the form-fill script into web pages and to extract content from documents (PDFs, Word documents, and images) for processing.
  • Storage: Stores your authentication token, extension preferences, and a local activity log (last 100 actions) on your device. This data never leaves your browser.
  • Side Panel: Displays the Helix Extract interface in Chrome's side panel for easier access.
  • Identity: Reserved for secure Google OAuth sign-in flows. When you sign in with Google, a secure browser popup handles authentication — your Google credentials are never passed to or stored by the extension.

What we do NOT collect:

  • We do not collect or store your browsing history
  • We do not track which websites you visit
  • We do not read or transmit third-party webpage content — the per-site permission granted at fill time is used solely to inject the form-fill script when you initiate it
  • We do not access webpage content unless you explicitly initiate a document extraction or form fill
  • We do not run in the background or monitor your activity

4. How We Use Your Information

  • To provide and maintain Helix Extract services
  • To process your documents using AI
  • To manage your account and subscription
  • To send service-related communications (account updates, billing, security notices, and new feature announcements)
  • To improve our services and develop new features
  • To ensure security and prevent fraud
  • To comply with legal obligations

5. Data Storage and Security

Your data security is our top priority. We implement enterprise-grade security measures:

  • Encryption in Transit and at Rest: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Secure AWS Infrastructure: All processing occurs within AWS's secure infrastructure in us-east-1
  • Zero Data Retention: Your uploaded document content is processed in memory and immediately discarded. For multi-page documents requiring layout analysis, content is temporarily stored in encrypted S3 storage during processing and automatically deleted upon completion.
  • Data Isolation: Your document data never escapes our secure processing pipeline and is never accessible to Helix staff
  • Access Controls: Strict role-based access to account data only
  • Security Logging: AWS CloudWatch logging and error alerting

6. Data Sharing and Disclosure

We do not sell, share, or disclose your uploaded document content to any third parties. Your document data remains completely private and secure.

For essential service operations, we use:

  • AWS Textract & Amazon Bedrock: Document OCR and AI processing occur entirely within AWS's secure infrastructure. Your document content is encrypted, processed, and immediately discarded—it is never stored, logged, or used for model training.
  • AWS (Backend Infrastructure): Secure cloud infrastructure (ECS, RDS, S3) for our application backend, hosted in us-east-1
  • Vercel: Hosts our website (discoverhelix.com). Vercel may collect standard web server logs (IP addresses, request paths, timestamps) as part of normal hosting operations.
  • Stripe: Payment processing (they never see your document content)

We may disclose account information (not document content) only when:

  • Legal Requirements: When required by law or to protect our rights
  • Business Transfers: In connection with mergers or acquisitions

7. Your Rights

You have the following rights regarding your data:

  • Access: Request a copy of your personal data
  • Correction: Update inaccurate information
  • Deletion: Request deletion of your account and data
  • Opt-Out: Unsubscribe from marketing communications

To exercise these rights, contact us at privacy@discoverhelix.com.

8. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Categories of Personal Information Collected

  • Identifiers: Email address, name, Google account ID
  • Commercial Information: Subscription and payment history
  • Internet Activity: Extension usage statistics, login timestamps

Your California Rights

  • Right to Know: Request what personal information we have collected about you
  • Right to Delete: Request deletion of your personal information
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out: Opt out of the sale or sharing of personal information
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. To exercise your California privacy rights, contact us at privacy@discoverhelix.com.

9. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

Legal Basis for Processing

  • Contract Performance: Processing your documents and managing your account is necessary to provide the service you requested
  • Legitimate Interests: Improving our services, ensuring security, and preventing fraud
  • Consent: Marketing communications (which you can withdraw at any time)
  • Legal Obligation: Compliance with applicable laws

Your GDPR Rights

  • Access: Obtain a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Restriction: Request restriction of processing in certain circumstances
  • Data Portability: Receive your data in a structured, machine-readable format
  • Object: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent at any time where processing is based on consent

Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your country of residence if you believe our processing of your personal data violates applicable law.

To exercise your GDPR rights, contact us at privacy@discoverhelix.com.

10. Cookies, Tracking, and Analytics

Cookies

We use essential cookies for authentication and session management only. We do not use third-party advertising cookies or trackers.

Analytics

We may use Google Analytics on our website to collect anonymized usage statistics such as page views and visit frequency. Google Analytics uses cookies to collect this data. You can opt out of Google Analytics by using browser privacy settings or the Google Analytics Opt-out Browser Add-on. We do not use analytics tracking within the browser extension itself. We also collect basic, anonymized usage metrics (such as total API requests and error rates) to maintain service reliability. These metrics cannot be used to identify individual users or track browsing behavior.

11. Third-Party Services

  • AWS Textract: Document OCR and layout analysis — processes your documents to extract text and bounding-box coordinates, then immediately discards them. Used for all document extractions and the "Verify Data" highlight feature.
  • Amazon Bedrock (Claude): AI field extraction — maps extracted text to the form fields you specified. Your document content is processed in-session and never used for model training.
  • Amazon SES (Simple Email Service): Transactional email delivery (account verification, billing notices, password resets)
  • Amazon S3 & RDS: Temporary document staging (S3, deleted on completion) and account/billing data storage (RDS PostgreSQL), both within AWS us-east-1
  • Stripe: Payment processing. Stripe handles all payment card data — we never see or store your card details. Stripe retains payment records per their own privacy policy and regulatory requirements.
  • Google OAuth: Optional sign-in. We receive only your email, name, and Google account identifier — never your Google password.
  • Vercel: Website hosting for discoverhelix.com. Vercel may collect standard server logs as part of normal hosting operations.

These services operate under strict data protection agreements. Your uploaded document content is only processed by AWS Textract and Amazon Bedrock, and is never shared with other third-party services.

12. Data Retention

  • Account Data: Retained while your account is active. Includes name, email, login timestamps, and account settings. Deleted upon account deletion request.
  • Document Content: Temporarily staged in encrypted S3 storage during processing and automatically deleted immediately upon completion. A safety expiry window ensures deletion even if processing is interrupted. The extracted field values (results) are returned to your browser only — we do not retain extraction results on our servers.
  • Billing & Token History: Token transaction records (usage counts, page counts, model used, Stripe payment references) are retained while your account is active for billing accuracy and dispute resolution. These records contain usage metadata only — never document content.
  • Security Audit Logs: Security events (login attempts, IP addresses, user-agent strings, API actions) are retained in our secure database for fraud prevention and compliance purposes. We review these logs periodically and purge records that are no longer needed.
  • Consent Records: Timestamps of your acceptance of this Privacy Policy and Terms of Service are retained as required for legal compliance.
  • Deleted Accounts: Upon account deletion, your personal data (name, email, password hash, OAuth identifiers) is removed. Anonymized or aggregated billing records may be retained for accounting purposes.

13. Children's Privacy

Helix Extract is not intended for users under 18. We do not knowingly collect information from children. If you believe we have collected data from a minor, contact us immediately.

14. International Users

Our services are hosted in the United States. By using Helix Extract, you consent to the transfer of your data to the US. We comply with applicable data protection laws.

15. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of significant changes via email or through the service. Continued use constitutes acceptance of the updated policy.

16. Contact Us

For privacy-related questions or concerns:

Email: privacy@discoverhelix.com

Company: Helix Systems LLC