Privacy Policy

Effective 2026-04-21. Last updated 2026-04-21.

This Privacy Policy describes how Helix Stax LLC ("Helix Stax," "we," "us") collects, uses, and protects personal information when you visit our website, engage our services, or make a payment.

We are a Virginia limited liability company. Our registered address is in Hampton Roads, Virginia. Contact: [email protected].

1. Information We Collect

Information you provide. Business contact details (name, email, phone, company, billing address) when you sign a contract, request an assessment, or subscribe to communications.

Payment information. Handled directly by Stripe (see Section 4). We do not store card numbers, CVV codes, or bank account numbers on our servers.

Client infrastructure data. When we manage client systems under a signed contract, we may process log data, IP addresses, performance metrics, and configuration data. For this data, we act as a processor; the client is the controller. Handling is governed by the client's signed contract and, where applicable, a Business Associate Agreement or Data Processing Agreement.

Website analytics. Privacy-respecting product analytics on helixstax.com (page views, clicks, referrer, device type), plus session replay with all form inputs masked and error diagnostics. Analytics runs by default; you can opt out anytime from the cookie notice. No cross-site tracking, no advertising cookies. See Section 10.

2. How We Use Your Information

  • Deliver the services you engaged us for
  • Process payments and manage invoices
  • Respond to inquiries and support requests
  • Send transactional communications (receipts, invoices, engagement updates)
  • Maintain security, detect fraud, and respond to incidents
  • Comply with legal obligations, regulatory audits, and lawful requests

We do not sell your personal information. We do not use your information for targeted advertising.

3. How We Share Your Information

We share personal information only with the third parties required to run our business. The full list of processors we use and what each one handles is available on request.

Current categories of recipients:

  • Payment processor: Stripe Inc. (see Section 4)
  • Infrastructure providers: Hetzner Cloud, Cloudflare, Backblaze B2 (encrypted hosting, edge security, backups)
  • Email and communication: Google Workspace (business email), Rocket.Chat (internal team communications on our own infrastructure)
  • Legal and accounting: attorneys, accountants, tax authorities, where disclosure is necessary for legal compliance or to enforce our rights

We do not share your information with any third party for their own marketing purposes.

4. Payments and Stripe

We use Stripe Inc. to process payments. When you pay an invoice or purchase a service, your payment information (card number, CVV, expiration date, bank account details) is collected directly by Stripe and never stored on Helix Stax servers.

What Stripe receives from us: your name, email address, billing address, purchase amount, and a description of what you purchased. Stripe also collects your IP address and device fingerprint to detect fraud.

What Helix Stax receives from Stripe: confirmation of payment, last four digits of the payment method, country of the issuing bank, and any dispute or refund status. We use this information for accounting, tax reporting, and customer support.

Stripe's privacy practices are governed by their own Privacy Policy. Stripe is certified to PCI DSS Level 1.

EU and UK customers: we have signed Stripe's Data Processing Agreement. Stripe acts as our processor for payment data under UK GDPR and EU GDPR, with appropriate safeguards for cross-border transfers including Standard Contractual Clauses.

5. Data Retention

Customer records (name, company, engagement history, invoices): kept for the duration of the relationship and for seven years after the last engagement ends, to meet tax and accounting requirements.

Payment records held by Stripe: retained by Stripe according to their compliance obligations, typically seven years for tax and regulatory purposes. See Stripe's Privacy Policy.

Client infrastructure data we process as a processor: retained per the client's contract and deletion instructions.

Website analytics: aggregated and retained for up to 24 months, then deleted.

Marketing communications: retained until you unsubscribe, then minimally retained to honor your opt-out request.

6. Security

Data at rest is encrypted with AES-256. Data in transit is protected with TLS 1.3. Backups are stored in Backblaze B2 with Object Lock enabled. Access to client data is restricted to personnel who need it for their work.

In the event of a security breach involving personal data, we will notify affected individuals and, where required, regulatory authorities within the timeframes required by applicable law (72 hours under GDPR, and within state-law timeframes for US residents).

7. Your Rights

UK and EU residents (UK GDPR and EU GDPR)

You have the right to:

  • Access. Request a copy of the personal data we hold about you.
  • Rectification. Correct inaccurate or incomplete data.
  • Erasure. Request deletion of your personal data, subject to legal retention requirements.
  • Portability. Receive your data in a structured, machine-readable format.
  • Restriction. Ask us to limit how we use your data.
  • Objection. Object to processing based on legitimate interests or for direct marketing.
  • Withdraw consent. Where processing is based on consent, withdraw it at any time.
  • Lodge a complaint. UK residents can contact the Information Commissioner's Office (ico.org.uk). EU residents can contact their national data protection authority.

To exercise any of these rights, email [email protected]. We will respond within 30 days.

Virginia residents (VCDPA)

Virginia residents can request access to, correction of, deletion of, and portability of personal data. You can also opt out of processing for targeted advertising, sale, or profiling (we do not engage in any of these).

California residents (CCPA)

California residents have the right to know what we collect, request deletion, and opt out of sale or sharing (we do not sell or share personal information). You can exercise these rights without discrimination.

How to exercise your rights: email [email protected] with your request. We may need to verify your identity before responding.

8. International Transfers

Helix Stax is based in the United States. Data you provide is processed in the US and may be transferred to service providers in other countries (Stripe in the US, Hetzner in Germany and the US, Cloudflare globally, Backblaze in the US).

For transfers from the UK or EU, we rely on Standard Contractual Clauses and the relevant data processing agreements with our providers. On request, we can share the specific safeguards in place.

9. HIPAA

Helix Stax is not a healthcare provider. When we work with clients who are Covered Entities under HIPAA, we act as a Business Associate. Handling of Protected Health Information is governed by a signed Business Associate Agreement with the Covered Entity. We do not use PHI for marketing or any purpose outside the BAA.

10. Cookies and Analytics

We use a minimal set of cookies required for the site to function (session management, theme preference). We do not use advertising cookies and we do not sell or share your data with ad networks. Stripe's checkout pages may set their own cookies to detect fraud and maintain session state.

Product analytics. We use PostHog for privacy-respecting product analytics (page views, usage, masked session replay, error diagnostics) so we can make the site better. Analytics runs by default. You can opt out anytime by clicking Opt out on the cookie notice, which stops collection immediately and keeps it off on future visits. We don't sell your data.

What we collect: usage events such as page views and clicks (autocapture), referrer, approximate location derived from IP, and device and browser type. Person profiles are created only for identified users; anonymous visitors are not profiled. We do not use this data for advertising and we do not sell it.

Session replay. We also record session replays — your mouse movement, clicks, scrolling, and navigation through the site — so we can see where the experience trips people up and fix it. To protect your privacy, every form input is masked: anything you type into a field (name, email, message, and any other text you enter) is hidden before the replay leaves your browser, so we never capture personal or sensitive data you provide. We also collect error and exception diagnostics (what broke, and the technical context around it) purely for debugging. This is all part of the same analytics; opting out from the cookie notice stops it.

Where it goes: events are sent to PostHog's US cloud (us.i.posthog.com). PostHog acts as our processor under a data processing agreement.

How to opt out: click Opt out on the cookie notice. This stops collection immediately and keeps analytics off on future visits (your choice is stored in helix-consent). You can also block cookies for this site in your browser settings. Opting out stops further collection; it does not retroactively delete events already gathered, which you can request we remove by emailing [email protected].

11. Children

Our services are for businesses. We do not knowingly collect information from anyone under 16. If you believe a child has provided us information, contact us and we will delete it.

12. Changes to This Policy

We may update this Policy. Material changes will be posted on this page with a new "Last updated" date. If the change is significant and affects how we handle existing client data, we will notify affected clients by email.

13. Contact

Privacy questions, requests, or complaints:

Email: [email protected]
Helix Stax LLC
Hampton Roads, Virginia
United States