Privacy Policy
Last updated: July 5, 2026
Scope & Deployment Model
HelixFlow (“we,” “us,” or “our”) provides laboratory execution software for biotech teams. This Privacy Policy describes how we handle information when you use the HelixFlow Cloud Tier — our fully managed SaaS deployment hosted on Supabase PostgreSQL database infrastructure.
Under this model, your organization's scientific workflow data resides in tenant-isolated infrastructure provisioned for your workspace. HelixFlow operates the application layer; your proprietary records remain logically and cryptographically bounded within your tenant perimeter.
Data Isolation & Operator Blindness
We do not mix tenant data. Isolation is enforced at the database layer through PostgreSQL Row-Level Security (RLS) firewalls that scope every query to the authenticated user's organization and role context.
- Tenant separation: Each organization receives a logically isolated data plane. Cross-tenant reads and writes are blocked at the database policy layer — not merely at the application UI.
- Operator blindness: HelixFlow platform operators and internal systems do not routinely access, inspect, or aggregate proprietary scientific data, experiment execution records, protocol definitions, or inventory specifications stored within your workspace.
- No commingling: We do not blend your laboratory records with those of other customers for analytics, model training, or product development purposes.
What We Collect Centrally
HelixFlow maintains a narrow central telemetry surface. We process only the minimum metadata required to authenticate users, route them to the correct workspace, and audit license utilization.
- Account authentication metadata: When you sign in via Google OAuth, we receive baseline identity signals — such as your name, email address, and Google account identifier — solely to provision your session and associate you with your organization's workspace.
- Seat utilization telemetry: Aggregated signals indicating active user seats within a licensed organization, used for contract compliance and capacity planning. This does not include the contents of experiments, protocols, or inventory records.
- Login events: Timestamped authentication events (sign-in, sign-out, session refresh) retained for security monitoring and license auditing. Login telemetry does not capture bench-level activity or scientific payloads.
- Anonymized platform telemetry: Aggregated, de-identified behavioral signals — such as feature utilization frequency and computation processing counts (e.g., calculator and layout tool invocations). Telemetry records are stripped of scientific data and proprietary inputs. They do not contain compound identifiers, genomic sequences, plate layouts, protocol text, inventory specifications, or any other tenant research content.
HelixFlow strictly enforces cryptographic multi-tenant separation via PostgreSQL Row-Level Security (RLS). Platform telemetry is collected only from event metadata scoped to your organization's workspace boundary and is never enriched with the contents of your experiments, protocols, or inventory. Platform super-administrators and internal operators cannot view, analyze, or access proprietary tenant data — including compound names, genomic sequences, plate layouts, or any other research assets stored within your workspace.
We do not sell personal information. We do not use your data for unrelated advertising, behavioral profiling, or third-party marketing lists.
Scientific Data Processed Within Your Workspace
Experiment schedules, step execution records, inventory coordinates, instrument bookings, and compliance-oriented report artifacts are stored and processed exclusively within your tenant's isolated Supabase PostgreSQL database. This data is entered by your organization's authorized users and governed by your internal access policies as enforced through HelixFlow role-based permissions and RLS.
- Experiment and protocol orchestration records
- Step-level scheduling, assignments, and execution timestamps
- Spatial inventory metadata and relocation audit logs
- Instrument booking and resource allocation data
- Report integrity seals and deviation registers generated at experiment completion
Infrastructure & Subprocessors
The HelixFlow Cloud Tier runs on industry-standard managed infrastructure providers bound by contractual confidentiality and data-processing obligations. Our primary database host does not receive independent access to your proprietary scientific payloads beyond what is technically required to operate the platform.
- Supabase PostgreSQL: Primary relational datastore with RLS-enforced tenant isolation.
Data Retention & Security
We retain tenant scientific data for as long as your organization maintains an active workspace, unless a shorter retention period is specified in your agreement or required by law. Central authentication and license telemetry is retained for the minimum period necessary for security auditing and contractual compliance.
- Encryption in transit (TLS) and at rest for database volumes
- Role-based access controls enforced at both application and database layers
- Engine-level immutability triggers that permanently lock completed experiment headers and run steps against downstream modification or deletion
Your Choices & Organization Controls
- Organization administrators may provision, suspend, or revoke user access within their workspace.
- You may disconnect Google Calendar integration at any time through your Google account permissions or by contacting your workspace administrator.
- Data export and workspace termination procedures are governed by your service agreement. Contact us for organization-level data handling requests.
Contact
For privacy-related inquiries, data processing questions, or procurement documentation requests, contact Support, Helix Bridge Labs (support@helixbridgelabs.com).
HelixFlow Google API Data Disclosure
HelixFlow's use and transfer of information received from Google APIs to any other app will adhere to Google Web User Data Policy, including the Limited Use requirements.
We request access to your Google Calendar scopes solely to facilitate automated step-level laboratory execution scheduling. Our system calculates hands-on labor milestones and parses passive holds (such as incubation and storage steps) to plot resource allocations directly onto your personal calendar. We do not sell, trade, or transfer your calendar data to third-party data brokers or external analytics providers.