Legal

Privacy Policy

Last updated · 5 May 2026

Helix Security Limited (“Helix”, “we”, “us”) is committed to protecting personal data. This policy explains what we collect, why, and your rights under the UK GDPR and the Data Protection Act 2018.

1. Who we are

Helix Security Limited is a company registered in England & Wales. We are registered with the UK Information Commissioner's Office (registration ZA829102). Our Data Protection Officer can be reached at dpo@helixsecure.co.uk.

2. What this policy covers

This policy applies to (a) visitors to helixsecure.co.uk, (b) administrators of the Helix control plane, and (c) end-users of mobile banking apps that integrate the Helix SDK, where Helix acts as a data processor for the customer bank.

3. The structural privacy answer

The Helix SDK analyses behavioural-biometric signal on the user's device. Raw sensor data, keystrokes and gestures do not leave the handset. What is transmitted to the Helix control plane is a structured risk score, decision metadata, and pseudonymous identifiers — never the underlying biometric features themselves.

4. Personal data we process

  • Workspace administrators — name, work email, company, hashed password, audit log entries.
  • End-users (as processor) — pseudonymous user identifier, device identifier, risk scores, application context. No raw behavioural-biometric data.
  • Marketing visitors — IP address, browser metadata, and cookie identifiers (see our cookie policy).

5. Lawful bases

  • Contract — to provide the Helix service to workspace customers.
  • Legitimate interests — to secure our service, prevent abuse, and improve our product.
  • Consent — for non-essential cookies and direct marketing.
  • Legal obligation — to retain financial records and respond to lawful requests.

6. Where data is stored

All control-plane data is stored in AWS eu-west-2 (London). Backups remain in-region. We do not transfer personal data outside the UK without an appropriate UK International Data Transfer Agreement (IDTA) in place.

7. Sub-processors

Our current sub-processors are listed on our trust centre. We notify customers of any change with at least 30 days' notice.

8. Retention

  • Workspace account data — for the life of the contract plus 7 years (financial records).
  • Risk events — 13 months by default, configurable per tenant.
  • Marketing analytics — 14 months.
  • Audit logs — 24 months.

9. Your rights

Under UK GDPR you have the right to access, rectify, erase, restrict, object to processing, and to data portability. To exercise these rights contact dpo@helixsecure.co.uk. We respond within one calendar month. You also have the right to complain to the ICO.

10. Contact

Helix Security Limited, London, United Kingdom · dpo@helixsecure.co.uk