Privacy Policy
Effective Date: April 1, 2026
Helio LLC ("Helio," "we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, store, share, and protect information when you use our biospecimen marketplace platform, including findhelio.com, heliorewards.com, and all related services (the "Service").
Because our platform handles health-related data, we hold ourselves to the highest standards of data protection. This policy describes not just what data we collect, but the specific architectural safeguards we have built to keep your information secure.
1. Information We Collect
1.1 Information from Donors
- Identity Information: Full name, email address, phone number, date of birth, mailing address
- Health Profile Data: Current and historical health conditions, medications, diagnoses, relevant medical history, lifestyle factors (smoking status, alcohol use), and demographic data (age, sex, ethnicity) that may be relevant to specimen research value
- Payment Information: Bank account details for direct deposit, PayPal address, or other payment method information necessary to process compensation
- Account Activity: Donation history, scheduling records, communication logs, and platform usage data
1.2 Information from Researchers
- Organizational Information: Institution or company name, department, research focus areas, and institutional credentials
- Contact Information: Name, professional email address, phone number, and mailing address of authorized representatives
- Research Details: Specimen requests, study descriptions, IRB approval documentation, and specific specimen requirements
- Billing Information: Payment method details, billing address, and invoicing information processed through Stripe
1.3 Information Collected Automatically
- Device and Browser Data: IP address, browser type and version, operating system, and device identifiers
- Usage Data: Pages visited, features used, time spent on the Service, and referral sources
- Authentication Data: Login timestamps, session identifiers, and authentication tokens
2. How We Use Your Information
We use the information we collect for the following purposes:
- Specimen Matching: Using anonymized health profile data to match Donors with Researcher specimen requests via our AI-powered matching system
- Account Management: Creating and maintaining your account, verifying your identity, and communicating with you about your account
- Payment Processing: Processing Donor compensation payments and Researcher invoices through our payment partner Stripe
- Communication: Sending donation opportunity notifications, appointment reminders, payment confirmations, and service-related updates via Resend (our email service provider)
- Platform Improvement: Analyzing usage patterns to improve matching accuracy, user experience, and Service functionality
- Legal Compliance: Meeting legal, regulatory, and compliance obligations, including HIPAA requirements
- Safety and Security: Detecting, preventing, and responding to fraud, abuse, and security incidents
We do not sell your personal information. We do not use your health data for advertising or marketing purposes.
3. Three-Tier Data Architecture
This is the core of how Helio protects your privacy. Your data is not stored in a single database. It is deliberately separated into three isolated tiers, each with different access controls and purposes.
Tier 1: Identity Vault
Your personally identifiable information (PII) — name, email, phone, date of birth, address, payment details — is stored in a secured, encrypted Identity Vault. This vault is isolated from all research-related data. Access to the Identity Vault is restricted to authenticated system operations required for account management and payment processing. Researchers never have access to the Identity Vault.
Tier 2: Research Profiles
Your health conditions, demographic data, and specimen-relevant characteristics are stored as anonymized Research Profiles. These profiles contain no names, contact information, or other directly identifying data. Research Profiles are what Researchers see during the matching process. A Researcher viewing a matched profile might see "Female, age 35-40, Type 2 Diabetes, non-smoker" — but never your name, email, or any information that could identify you personally.
Tier 3: Helio ID (The Bridge)
Your Helio ID is a unique, randomly generated identifier that serves as the sole link between your Identity Vault record and your Research Profile. The Helio ID is the only connection point between who you are and what your health profile contains. This separation means that even in the unlikely event of a data breach affecting one tier, the exposed data alone cannot be used to identify a specific individual and their health information.
This architecture is not a future plan — it is the foundational design of the Helio platform. Every data operation respects these tier boundaries.
4. HIPAA Compliance and Health Data Protection
Although Helio is a marketplace platform and not a covered entity under HIPAA in the traditional sense (we do not provide healthcare services), we voluntarily adopt HIPAA-aligned safeguards because we believe your health data deserves the highest level of protection regardless of regulatory classification.
Our HIPAA-aligned practices include:
- Encryption at Rest and in Transit: All health data is encrypted using AES-256 encryption at rest and TLS 1.3 in transit
- Access Controls: Role-based access controls limit who can access each data tier. Health profile data access is logged and audited
- Data Minimization: We collect only the health information necessary for specimen matching. We do not request or store complete medical records
- De-identification: Research Profiles are de-identified in accordance with HIPAA Safe Harbor standards — all 18 HIPAA identifiers are removed or generalized before any data is shared with Researchers
- Breach Notification: In the event of a data breach involving health information, we will notify affected users within 72 hours and provide guidance on protective measures
5. Data Sharing
5.1 What We Share with Researchers
When a Researcher's specimen request matches your health profile, the Researcher receives your anonymized Research Profile (Tier 2 data only). This includes health conditions, demographic ranges, and specimen-relevant characteristics. Your personally identifiable information (name, contact details, date of birth, exact age) is never shared with Researchers.
5.2 What We Share with Collection Facilities
When you schedule a specimen donation, we share your name, contact information, and appointment details with the approved collection facility to coordinate your visit. Collection facilities are bound by their own HIPAA obligations and by contractual data protection agreements with Helio.
5.3 Third-Party Service Providers
We use the following third-party services to operate the platform. Each provider processes only the minimum data necessary for their function:
- Cloudflare: Website hosting, CDN, and DDoS protection. Processes IP addresses and request metadata. See the Cloudflare Privacy Policy.
- Stripe: Payment processing for Donor compensation and Researcher invoicing. Processes payment method details and transaction amounts. See the Stripe Privacy Policy.
- Resend: Transactional email delivery for account notifications, donation opportunities, and appointment reminders. Processes email addresses and message content. See the Resend Privacy Policy.
5.4 Legal Disclosures
We may disclose your information if required by law, regulation, legal process, or governmental request. We may also disclose information if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Helio, our users, or the public.
6. Data Retention and Deletion
6.1 Active Accounts
We retain your data for as long as your account is active and as needed to provide the Service. Health profile data is retained to enable ongoing matching and to maintain the integrity of historical donation records.
6.2 Account Deletion
You may request deletion of your account at any time by contacting [email protected]. Upon receiving a verified deletion request:
- Your Identity Vault record (Tier 1) will be purged within 30 days
- Your Research Profile (Tier 2) will be permanently anonymized — any remaining data points that could theoretically contribute to re-identification will be removed or generalized
- Your Helio ID mapping will be destroyed, permanently severing the link between your identity and research data
- Payment records will be retained for 7 years as required by tax and financial regulations, but will be disassociated from your profile
6.3 Inactive Accounts
Accounts with no activity for 24 consecutive months may be flagged for review. We will notify you by email before taking any action on an inactive account.
7. Cookies and Tracking
Helio uses minimal cookies, limited to those strictly necessary for the operation of the Service:
- Authentication Cookies: Used to maintain your logged-in session and verify your identity across page loads. These are session cookies that expire when you close your browser or after a defined inactivity period.
- Security Cookies: Used to support security features such as CSRF protection and rate limiting.
We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not participate in cross-site tracking or behavioral advertising networks.
8. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from anyone under 18. If you are a parent or guardian and believe your child has provided personal information to Helio, contact us at [email protected] and we will promptly delete such information.
9. California and State Privacy Rights
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know: You may request a summary of the categories and specific pieces of personal information we have collected about you in the past 12 months
- Right to Delete: You may request deletion of your personal information, subject to certain legal exceptions
- Right to Correct: You may request correction of inaccurate personal information
- Right to Opt-Out of Sale: Helio does not sell personal information. There is nothing to opt out of
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
- Right to Limit Use of Sensitive Personal Information: You may request that we limit our use of sensitive personal information (including health data) to what is necessary to provide the Service
Residents of other states with consumer privacy laws (including Virginia, Colorado, Connecticut, Utah, and others) may have similar rights under their respective state laws. To exercise any privacy right, contact [email protected]. We will respond within 45 days.
10. Data Security
We implement commercially reasonable technical, administrative, and physical safeguards to protect your information, including:
- End-to-end encryption of data in transit (TLS 1.3)
- AES-256 encryption of data at rest
- Role-based access controls that follow the principle of least privilege
- Regular security assessments and penetration testing
- Employee access logging and audit trails
- Multi-factor authentication for administrative access
No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. If you become aware of a security vulnerability, please report it to [email protected].
11. International Users
The Service is currently available only to users in the United States. Your data is processed and stored within the United States. If we expand internationally, this policy will be updated to address applicable international data protection requirements, including GDPR compliance for European users.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other operational factors. If we make material changes, we will notify you by email at least 30 days before the changes take effect and post a prominent notice on the Service.
The "Effective Date" at the top of this page indicates when the policy was last revised. We encourage you to review this policy periodically.
13. Contact Information
For questions, concerns, or requests related to this Privacy Policy or your personal data, contact us at:
Helio LLC
Email: [email protected]
Website: findhelio.com
For data deletion requests, please include "Data Deletion Request" in your subject line and the email address associated with your account.
Last updated: April 1, 2026