Who owns my medical data on myHelix?

You do. Every record you upload belongs to you. We never sell, license or share data without your explicit consent. You can export or delete your entire history at any time.

Is myHelix DPDP Act 2023 compliant?

Yes. Data is stored in Mumbai (ap-south-1). We have a named Grievance Officer (Dr Anil Bhatt, Founder), append-only consent ledger, and 30-day data deletion guarantee.

How does the AI brief work?

Upload prescriptions, labs, or scans. Our AI extracts diagnoses, medications, lab values with citations to source documents. Doctor sees a 60-second brief instead of reading 100 pages.

How much does myHelix cost?

Family plan: ₹999/month or ₹9,999/year. Premium concierge: ₹2,999/month. NRI Family: ₹4,999/month. Doctor seat: ₹15,000/month. Hospital whitelabel: ₹50,000/month.

Is myHelix a substitute for a doctor?

No. The AI brief is a structured summary for clinician review only. Every clinical decision must be made by your licensed doctor after reviewing original records.

Effective date: 15 May 2026

Privacy Policy

myHelix is a patient-owned medical-memory platform. Your health data belongs to you. This policy explains what we collect, why, and how we protect it under the Digital Personal Data Protection Act 2023 (DPDP) of India.

1. Who we are

myHelix (the "Platform", "we", "us") is operated by the entity hosting myhelix.cloud. The Platform stores patient-owned medical records and provides AI-assisted clinical brief generation to authorised clinicians. Founder and Data Controller responsible officer: Dr Anil Bhatt.

2. What we collect

We collect only what is necessary to serve you:

Identity: name, email, mobile, date of birth, gender, blood group, ABHA ID (optional), preferred language.
Medical records you upload: prescriptions, lab reports, imaging, discharge summaries — as PDFs or images.
Extracted health facts: diagnoses, medications, lab values, allergies — parsed by AI from your records, with citations back to the source document.
Care team links: doctors and hospitals you choose to grant access to, plus the scope and duration of that access.
Usage telemetry: login times, page paths, error logs — used to keep the service running. No third-party tracking pixels.
Payment metadata: if you subscribe to a paid plan, we record subscription tier and billing status. We do not store card numbers.

We do not collect data we do not need. We do not profile you for advertising.

3. Why we collect it (lawful purpose)

To build a longitudinal medical record across your doctors and hospitals.
To generate an AI clinical brief that the doctor you authorise can read in 60 seconds.
To enforce row-level security so only you and people you authorise can see your records.
To maintain an append-only audit log for legal and clinical accountability.
To send you transactional notifications (OTP, consent grants, share-link openings).

4. Your rights under DPDP Act 2023

You have the right to:

Access — see every record we hold about you, downloadable as a single archive.
Correct — fix any inaccurate or incomplete personal data.
Erase — delete your account and all linked records within 30 days of request, unless retention is required by law.
Withdraw consent — revoke any care-team grant at any time, taking effect immediately.
Nominate — designate someone to exercise your rights on your behalf in case of death or incapacity.
Grievance redressal — file a complaint with our Grievance Officer (see Section 10) and, if unresolved, escalate to the Data Protection Board of India.

5. Who we share data with (only with your consent)

Doctors and hospitals you explicitly add to your care team. You set the scope (full access · last 90 days · summary only) and you can revoke at any time.
Specific record share links you generate — one-time, signed, time-limited URLs.
Sub-processors who help operate the Platform: Supabase (database, hosted in Mumbai region), Vercel (web hosting, Mumbai edge), Anthropic (AI inference for brief generation, US region), Google Cloud (OCR for medical PDFs, Mumbai region). Each has signed appropriate data-processing agreements. None of them have human access to your medical data.
Legal compulsion — only on receipt of a valid Indian court or regulatory order.

6. Where your data lives

All primary data (database, file storage, authentication) is hosted in Mumbai, India (ap-south-1 region)via Supabase. We do not transfer your data outside India for storage. Transient AI inference (when you ask for an AI brief) sends a redacted context to Anthropic Claude in the United States; no data is retained by Anthropic per their zero-retention agreement.

7. How long we keep your data

Active account: as long as you use the service.
After deletion request: erased within 30 days, except where Indian law requires longer retention (e.g. audit logs for tax, statutory medical record retention).
Audit logs: append-only for 7 years (NABH and DPDP audit requirement).
Anonymised statistical data: indefinite (cannot identify you).

8. How we protect your data

HTTPS / TLS encryption for all traffic.
Row-Level Security at the database — your records cannot be queried by anyone who is not authorised.
Encrypted at rest in Supabase managed Postgres.
Append-only consent ledger and audit log — cannot be modified or deleted, even by us.
Two-factor authentication available on all accounts.
Service-role keys never leave the server. Patient records cannot be accessed via the public API without authorisation.

9. Children and consent

Children below 18 must be enrolled by a parent or legal guardian. The primary account holder grants and revokes consent on behalf of the child until the child turns 18, after which control of the account transfers to them.

10. Grievance Officer (DPDP Act 2023 Section 10)

Dr Anil Bhatt

Grievance Officer, myHelix

Email: bhatt@myhelix.cloud

Support: hello@myhelix.cloud

WhatsApp: +91-XXXXX-XXXXX

Acknowledgement within 24 hours. Resolution within 30 days. If unresolved, you may escalate to the Data Protection Board of India.

11. Changes to this policy

We will notify you by email and in-app banner before any material change. Continued use after the effective date of changes constitutes acceptance. The full version history of this policy is preserved in our public source repository.