Privacy Policy

Last updated: April 2026

1. Who we are

Helvy (“we”, “us”, “our”) provides home blood testing and personalised health recommendations. We are the data controller for your personal data. Contact us at privacy@helvy.co.uk.

2. What data we collect

We collect the following categories of personal data:

  • Identity data: Name, date of birth, gender.
  • Contact data: Email address, delivery address, phone number.
  • Payment data: Processed securely by Stripe. We do not store card details.
  • Health data (Special Category): Blood test results, biomarker values, health questionnaire responses. This is UK GDPR Special Category Data (Article 9) and receives the highest level of protection.
  • Usage data: Pages visited, features used, device information. Collected via PostHog (EU-hosted) and anonymised where possible.

3. How we use your data

  • To process and fulfil your blood test order
  • To deliver your results and personalised health recommendations
  • To communicate with you about your order and results
  • To improve our service and user experience (anonymised analytics)
  • To comply with legal and regulatory obligations

4. Legal basis for processing

  • Contract: Processing your order and delivering results.
  • Explicit consent: Processing your health data (Special Category Data requires explicit consent under Article 9(2)(a) UK GDPR).
  • Legitimate interest: Improving our services, fraud prevention, marketing to existing customers.

5. How we protect your data

  • All data encrypted in transit (TLS 1.3) and at rest
  • Health data stored in EU-region databases (Supabase, London region)
  • Analytics processed in EU region (PostHog EU)
  • Access to health data restricted to authorised personnel only
  • Regular security audits and vulnerability testing
  • We never share individual health data with third parties for marketing

6. Who we share data with

  • Laboratory partner: UKAS-accredited NHS laboratory that analyses your blood sample. They receive your sample and de-identified data necessary for processing.
  • Medical reviewer: GMC-registered doctor who reviews your results. They see your results in a clinical context.
  • Stripe: Payment processing. Stripe is PCI DSS Level 1 compliant.
  • Royal Mail: Kit delivery and sample return.
  • We do not sell your data. We do not share your health data with employers, insurers, or advertisers.

7. Your rights

Under UK GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data (“right to be forgotten”)
  • Restrict processing
  • Port your data to another provider
  • Withdraw consent for health data processing
  • Object to processing based on legitimate interest

To exercise any of these rights, email privacy@helvy.co.uk. We will respond within 30 days.

8. Data retention

  • Health data: Retained for 10 years (in line with NHS medical records guidance)
  • Account data: Retained while your account is active, plus 2 years
  • Analytics data: 2 years, then anonymised
  • Payment records: 7 years (UK tax requirements)

9. Cookies

We use essential cookies for authentication and site functionality. We use PostHog (EU-hosted) for analytics. We do not use third-party advertising cookies. For partner attribution, we use a first-party httpOnly cookie that records which referral link you used.

10. Changes to this policy

We may update this policy from time to time. We will notify you of any material changes by email or through a notice on our website.

11. Contact and complaints

For privacy queries: privacy@helvy.co.uk

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.