Legal

Privacy Policy

Last updated: 1 March 2026 · Data controller: HelixGate Technologies Limited · Applies to: helixgate.io and all HelixGate platform instances

This policy explains how HelixGate Technologies Limited ("HelixGate", "we", "us") collects, uses, and protects personal data. We are committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who we are

HelixGate Technologies Limited is a company registered in England and Wales. We are the data controller for personal data processed through our website (helixgate.io) and the HelixGate platform.

For questions about this policy or to exercise your data rights, contact us at [email protected].

2. What data we collect

2.1 Website visitors

Contact form submissions: name, email address, company name, role, and message content when you submit an enquiry or demo request.
Email correspondence: any personal data you include when emailing us.
Technical data: IP address, browser type, and pages visited, collected via server logs for security and performance purposes.

2.2 Platform customers (tenants)

When your organisation uses the HelixGate platform, we process data on your behalf as a data processor. The categories of data processed include:

User accounts: name, email address, hashed passwords, assigned roles.
Platform content: services, ADRs, business cases, suppliers, contracts, and any other data your team enters into the platform.
Audit logs: user actions, timestamps, IP addresses, and session data for compliance and security purposes.
Platform settings and configuration.

Your organisation is the data controller for all data entered into your HelixGate instance. Our processing is governed by the Data Processing Agreement (DPA) in our Terms of Service.

3. How we use your data

Purpose	Lawful basis
Responding to enquiries and demo requests	Legitimate interests
Providing and operating the HelixGate platform	Contract performance
Security monitoring, fraud prevention, and audit logging	Legitimate interests (security and compliance)
Complying with legal obligations	Legal obligation
Sending product updates to customers	Legitimate interests or consent

4. Data sharing

We do not sell your personal data. We share personal data only in the following circumstances:

Cloud infrastructure providers: Your data is hosted in UK/EU regions. Our infrastructure provider acts as a sub-processor under a Data Processing Agreement.
Legal requirements: Where required by law, court order, or regulatory authority in the United Kingdom.
Business transfers: In the event of a merger or acquisition, with appropriate data protection safeguards.

We do not transfer personal data outside the United Kingdom or the European Economic Area without appropriate safeguards.

5. Data retention

Contact enquiries: Retained for 2 years from last contact, then deleted unless a contractual relationship follows.
Platform customer data: Retained for the duration of the contract plus 90 days, after which it is securely deleted. Audit logs may be retained for up to 7 years for compliance purposes.
Security logs: Retained for 12 months.

6. Your rights under UK GDPR

If you are located in the UK or EEA, you have the following rights:

Right of access: Request a copy of the personal data we hold about you.
Right to rectification: Request correction of inaccurate or incomplete data.
Right to erasure: Request deletion of your personal data.
Right to restrict processing: Request that we limit how we process your data.
Right to data portability: Receive your data in a structured, machine-readable format.
Right to object: Object to processing based on legitimate interests.
Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, email [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

7. Security

We implement appropriate technical and organisational measures to protect your personal data, including AES-256 encryption at rest, TLS 1.3 in transit, physically isolated per-customer environments, and role-based access controls. See our Security page for full details.

8. Cookies

Our website does not use tracking cookies, advertising cookies, or analytics cookies. We use session storage within the platform solely for authentication purposes. This policy will be updated if this changes.

9. Changes to this policy

We may update this policy from time to time. Material changes will be communicated to customers by email. The "last updated" date at the top of this page reflects the most recent revision.

10. Contact

Email: [email protected]
Post: HelixGate Technologies Limited, United Kingdom