Privacy Policy
Last updated: May 2026
1. Who we are
Helvy is a trading name of Delta Lab Health Limited, a company registered in England & Wales (company no. 16984251) with registered office at 71-75 Shelton Street, London WC2H 9JQ. We provide home blood testing and personalised health recommendations.
We are the data controller for your personal data. Contact us at privacy@helvy.co.uk. ICO data protection registration is pending; once issued the registration number will appear here.
2. What data we collect
We collect the following categories of personal data:
- Identity data: Name, date of birth, gender.
- Contact data: Email address, delivery address, phone number.
- Payment data: Processed securely by Stripe. We do not store card details.
- Health data (Special Category): Blood test results, biomarker values, health questionnaire responses. This is UK GDPR Special Category Data (Article 9) and receives the highest level of protection.
- Usage data: Pages visited, features used, device information. Collected via PostHog (EU-hosted) and anonymised where possible.
3. How we use your data
- To process and fulfil your blood test order
- To deliver your results and personalised health recommendations
- To communicate with you about your order and results
- To improve our service and user experience (anonymised analytics)
- To comply with legal and regulatory obligations
4. Legal basis for processing
- Article 6(1)(b) UK GDPR — Contract: Processing necessary to perform our contract with you (delivering your kit, analysing your sample, returning your results).
- Article 9(2)(a) UK GDPR — Explicit consent: Processing of your health data (Special Category Data) is based on your explicit consent, which you may withdraw at any time without affecting the lawfulness of prior processing.
- Article 6(1)(f) UK GDPR — Legitimate interest: Improving our service, fraud prevention, and marketing to existing customers under the soft opt-in exemption (PECR Reg 22(3)).
- Article 6(1)(c) UK GDPR — Legal obligation: Retention of order and tax records as required by UK law.
5. How we protect your data
- All data encrypted in transit (TLS 1.3) and at rest
- Health data stored in EU-region databases (Supabase, London region)
- Analytics processed in EU region (PostHog EU)
- Access to health data restricted to authorised personnel only
- Regular security audits and vulnerability testing
- We never share individual health data with third parties for marketing
6. Who we share data with
We use the following third-party processors. Each is bound by a UK GDPR data processing agreement and processes only the data necessary for the stated purpose.
- Our laboratory partner (UK): Analyses your blood sample at UKAS ISO 15189-accredited UK laboratories. Receives the identity, address, and sample data necessary for processing. Their clinician panel also provides critical-finding escalation per ISO 15189 protocol.
- Supabase (EU — Frankfurt): Hosts your account and health data on EU servers. SOC 2 Type II certified.
- Stripe (US, UK Standard Contractual Clauses): Payment processing. PCI DSS Level 1. We do not store card details.
- Resend (US, UK SCCs): Transactional email delivery (order confirmations, results notifications). Receives email address + transactional context only — no health data in email bodies or subject lines.
- PostHog (EU — Frankfurt): Privacy-respecting product analytics. Pseudonymised via Supabase UUIDs; no PII or biomarker values transmitted.
- Royal Mail (UK): Kit delivery and sample return.
- Your GP (your choice): If you choose to share your results with your GP, you control the disclosure. We do not share results with your GP automatically.
We do not sell your data. We do not share your health data with employers, insurers, or advertisers, ever.
7. Your rights
Under UK GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data (“right to be forgotten”)
- Restrict processing
- Port your data to another provider
- Withdraw consent for health data processing
- Object to processing based on legitimate interest
To exercise any of these rights, email privacy@helvy.co.uk. We will respond within 30 days.
8. Data retention
- Health data: Retained for 10 years (in line with NHS medical records guidance)
- Account data: Retained while your account is active, plus 2 years
- Analytics data: 2 years, then anonymised
- Payment records: 7 years (UK tax requirements)
9. Cookies
We use essential cookies for authentication and site functionality. We use PostHog (EU-hosted) for analytics. We do not use third-party advertising cookies. For partner attribution, we use a first-party httpOnly cookie that records which referral link you used.
10. Children
Helvy is not intended for, marketed to, or available to anyone under 18. We do not knowingly collect personal data from under-18s. If you are aware that a child has provided us with personal data, please contact privacy@helvy.co.uk and we will erase it.
11. Changes to this policy
We may update this policy from time to time. We will notify you of any material changes by email or through a notice on our website.
12. Contact and complaints
For privacy queries: privacy@helvy.co.uk
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.