Privacy Policy

Effective Date: April 1, 2026

Helio LLC ("Helio," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use Helio Rewards, including heliorewards.com and all related services (the "Service").

Your health data is sensitive. We built our entire platform around that fact. This policy describes not just what we collect, but the specific architecture we designed to keep your identity separate from your health information at every level.

1. Information We Collect

1.1 Information You Provide

Identity Information: Full name, email address, phone number, date of birth, and mailing address
Health Profile Data: Current and historical health conditions (e.g., diabetes, autoimmune disorders, cardiovascular conditions), medications, diagnoses, relevant medical history, and lifestyle factors (smoking status, alcohol use) that affect specimen research value
Demographic Data: Age, sex, and ethnicity — used for specimen matching, as many research studies require specimens from specific demographic profiles
Payment Information: Bank account details for direct deposit, PayPal address, or other payment method information to process your compensation

1.2 Information Collected Automatically

Device and Browser Data: IP address, browser type and version, operating system, and device identifiers
Usage Data: Pages visited, features used, time spent on the Service, and how you arrived at our site
Authentication Data: Login timestamps, session identifiers, and authentication tokens

2. How We Use Your Information

Specimen Matching: Your anonymized health profile is matched against researcher specimen requests using our AI-powered matching system. This is the core function of the Service
Account Management: Creating your account, verifying your identity, and communicating with you about your account status
Compensation Processing: Issuing payments for completed donations through our payment partner Stripe
Donation Opportunities: Notifying you when your health profile matches a new paid donation opportunity
Appointment Coordination: Scheduling specimen collection at approved facilities near you, including sending reminders via Resend (our email provider)
Service Improvement: Analyzing usage patterns to improve matching accuracy and the donor experience
Legal Compliance: Meeting legal, regulatory, and compliance obligations
Security: Detecting and preventing fraud, abuse, and unauthorized access

We do not sell your personal information. We do not use your health data for advertising. We do not share your identity with researchers.

3. How We Protect Your Data: Three-Tier Architecture

Your identity and your health data are never stored together. This is the most important thing to understand about how Helio works. We deliberately separate your data into three isolated tiers so that no single breach, no single employee, no single system can connect your name to your health conditions.

Tier 1: Identity Vault

Your personally identifiable information — name, email, phone, date of birth, address, payment details — lives in a secured, encrypted Identity Vault. This vault is completely isolated from all research and health data. Researchers cannot access the Identity Vault. The Identity Vault is used only for account management, communication, and payment processing.

Tier 2: Research Profiles

Your health conditions, demographic ranges, and specimen-relevant characteristics are stored as an anonymized Research Profile. This profile contains no names, email addresses, phone numbers, dates of birth, addresses, or other directly identifying information.

When a researcher is looking for donors with specific health profiles, they see entries like "Female, age 35-40, Type 2 Diabetes, non-smoker, BMI 28-32." They never see your name. They never see your contact information. They never see anything that tells them who you are.

Tier 3: Helio ID (The Bridge)

Your Helio ID is a randomly generated identifier — the only link between your Identity Vault and your Research Profile. It exists in a separate, secured system. This means:

If someone accessed the Identity Vault, they would see names and contact info — but no health data
If someone accessed Research Profiles, they would see health conditions — but no names or contact info
Only the Helio ID system connects the two, and it is secured with the highest level of access controls

This is not a future plan. This is how the platform is built today.

4. HIPAA and Health Data Protection

Your health data deserves the highest protection available, regardless of whether it is technically classified as Protected Health Information (PHI) under HIPAA. Helio voluntarily adopts HIPAA-aligned safeguards because it is the right thing to do. Our practices include:

Encryption: All health data is encrypted using AES-256 at rest and TLS 1.3 in transit
Access Controls: Role-based access limits who can access each data tier. All access to health data is logged and auditable
Data Minimization: We collect only the health information needed for specimen matching. We do not request or store complete medical records
De-identification: Research Profiles follow HIPAA Safe Harbor de-identification standards — all 18 HIPAA identifiers are removed or generalized
Breach Notification: If a data breach affects your health information, we will notify you within 72 hours with details on what happened and what steps to take

5. Who Sees Your Data

5.1 Researchers

Researchers see your anonymized Research Profile only — health conditions, demographic ranges, and specimen-relevant data. They never see your name, email, phone number, date of birth, address, or any information that could identify you personally.

5.2 Collection Facilities

When you schedule a donation, we share your name, contact information, and appointment details with the approved collection facility to coordinate your visit. These facilities are bound by their own HIPAA obligations and by contractual data protection agreements with Helio.

5.3 Third-Party Service Providers

We use a small number of trusted services to run the platform. Each receives only the minimum data needed for their specific function:

Cloudflare: Hosts our website and provides security (DDoS protection, CDN). Processes IP addresses and request data. Privacy Policy
Stripe: Processes your compensation payments. Receives your payment method details and transaction amounts. Privacy Policy
Resend: Sends transactional emails (opportunity notifications, appointment reminders, payment confirmations). Receives your email address and message content. Privacy Policy

None of these providers receive your health profile data.

5.4 Legal Requirements

We may disclose information if required by law, regulation, legal process, or governmental request. We may also disclose information to protect the rights, property, or safety of Helio, our users, or the public.

6. Deleting Your Data

6.1 How to Delete Your Account

You can request deletion of your account at any time by emailing [email protected] with the subject line "Account Deletion Request." Include the email address associated with your account.

6.2 What Happens When You Delete

When we process your deletion request:

Within 30 days: Your Identity Vault record (name, email, phone, address) is permanently purged
Immediately: Your Helio ID mapping is destroyed — the link between your identity and your health data is permanently severed
Research Profile: Any remaining data points that could theoretically contribute to re-identification are removed or generalized. The fully anonymized profile may be retained for aggregate statistical purposes only
Payment records: Retained for 7 years as required by tax and financial regulations, but disassociated from your profile
Pending compensation: Any earned but unpaid compensation will still be processed before deletion is finalized

6.3 Inactive Accounts

If your account has no activity for 24 consecutive months, we may flag it for review. We will notify you by email before taking any action.

7. Cookies

We use the minimum cookies necessary to operate the Service:

Authentication Cookies: Keep you logged in during your session. Expire when you close your browser or after a set inactivity period
Security Cookies: Protect against cross-site request forgery (CSRF) and support rate limiting

That is it. We do not use advertising cookies, tracking pixels, social media trackers, or third-party analytics. We do not participate in cross-site tracking or behavioral advertising.

8. Children's Privacy

Helio Rewards is for adults 18 and older. We do not knowingly collect information from anyone under 18. If you are a parent or guardian and believe your child has provided information to Helio, contact us at [email protected] and we will delete it promptly.

9. Your Privacy Rights

9.1 California Residents (CCPA/CPRA)

If you live in California, you have additional rights:

Right to Know: Request a summary of personal information we have collected about you in the past 12 months
Right to Delete: Request deletion of your personal information
Right to Correct: Request correction of inaccurate information
Right to Opt-Out of Sale: We do not sell personal information, so there is nothing to opt out of
Right to Non-Discrimination: We will not treat you differently for exercising your privacy rights
Right to Limit Sensitive Data Use: Request that we limit use of sensitive personal information (including health data) to what is necessary for the Service

9.2 Other States

If you live in Virginia, Colorado, Connecticut, Utah, or another state with consumer privacy laws, you may have similar rights under your state's law.

9.3 Exercising Your Rights

To make a privacy request, email [email protected]. We will verify your identity and respond within 45 days.

10. Data Security

We implement strong technical, administrative, and physical safeguards:

End-to-end encryption in transit (TLS 1.3) and at rest (AES-256)
Role-based access controls with principle of least privilege
Regular security assessments
Access logging and audit trails for all health data queries
Multi-factor authentication for administrative access
Three-tier data separation (described above) as a structural security measure

No system is 100% secure. If you discover a security vulnerability, please report it to [email protected].

11. International Users

Helio Rewards is currently available only in the United States. Your data is processed and stored in the United States. If we expand internationally, this policy will be updated to address applicable data protection laws, including GDPR for European users.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated by email at least 30 days before taking effect, with a prominent notice on the Service.

The "Effective Date" at the top of this page shows when the policy was last revised. We encourage you to review this policy periodically.

13. Contact Us

Questions about this Privacy Policy or your data? Reach us at:

Helio LLC
Email: [email protected]
Website: heliorewards.com

For data deletion requests, use the subject line "Account Deletion Request" and include the email address on your account.

Last updated: April 1, 2026