Privacy notice
Plain English: what Helix collects, who else sees it, how long we keep it, and how to ask for a copy or have it deleted.
Who we are
Helix is an FRCA exam-prep tool built by a UK anaesthetic trainee. For data-protection purposes, the controller is the operator of helixdoctors.com. Get in touch at doctor-team-bba1399bb1e2@intake.linear.app.
What we collect, and why
We deliberately collect as little as we can. Everything here is either needed to make the product work, to keep it stable, or to understand which features are actually being used.
| Data | Why | How long we keep it |
|---|---|---|
| Your email address | So you can sign in and we can reach you about your account. | Until you delete your account. |
| Profile details you give us (training grade, exam target, preferences) | To pick the right questions and pacing for you. | Until you delete your account or change them. |
| Study activity (questions answered, scores, time spent, CRQs and viva transcripts you submit for marking) | To show your progress, drive spaced repetition, and improve the product. | Until you delete your account. |
| Prompts and content you send to the AI tutor / marker / coach | Routed to Google to generate a response. We do not use your content to train models. | Sent to the AI provider per request; we store the resulting conversation against your account so you can revisit it. |
| Usage analytics (pages viewed, features clicked, device and browser type, approximate location from IP) | To understand which features matter and where users get stuck. | Up to 12 months in PostHog before automatic deletion. |
| Crash and error reports | To fix bugs quickly. | Up to 90 days in Sentry before automatic deletion. |
| Cookies and similar storage (session cookie, analytics identifier) | To keep you signed in and to attribute analytics events. | Session cookie expires on sign-out; analytics ID up to 12 months. |
Who else processes your data
We use a small number of third-party services to run Helix. Each one only ever sees the data it needs to do its job.
- Supabase — sign-in, accounts, and the database that stores your profile, progress, and conversations.
- Vercel — hosting and request delivery.
- Google (Gemini) — generates AI responses for the tutor, CRQ marker, viva coach, and interview coach. Prompts you send are forwarded to Google per request.
- PostHog — product analytics.
- Sentry — error and crash reporting.
- Upstash — rate-limit counters to stop runaway usage. Stores only a short-lived per-user counter, no content.
Some of these process data outside the UK or EU (notably Google in the US). Where that happens we rely on the UK addendum to the EU Standard Contractual Clauses to keep the transfer lawful.
Marketing
We don't do marketing email. The only emails you'll get are operational: magic-link sign-in, occasional account or product-status notices.
Your rights
Under UK GDPR you can ask us to: show you what we hold about you, correct it, delete it, export it in a portable format, or object to a particular use. Email doctor-team-bba1399bb1e2@intake.linear.appand we will respond within 30 days. You can also complain to the UK Information Commissioner's Office at ico.org.uk.
Security
Sessions are cookie-based and signed by Supabase. Data is encrypted in transit (HTTPS) and at rest. Admin access to production data is restricted to the maintainer.
Children
Helix is for medical professionals. It is not intended for anyone under 18 and we do not knowingly collect data from under-18s.
Changes
If we change anything material we'll update the date at the top and, for substantial changes, surface a notice in-app the next time you sign in.