Privacy notice
Plain English: what Helix collects, who else sees it, how long we keep it, and how to ask for a copy or have it deleted.
Who we are
Helix is an FRCA exam-prep tool built by a UK anaesthetic trainee. For data-protection purposes, the controller is the operator of helixfrca.com. Get in touch at hi@helixdoctors.com.
What we collect, and why
We deliberately collect as little as we can. Everything here is either needed to make the product work, to keep it stable, or to understand which features are actually being used.
| Data | Why | How long we keep it |
|---|---|---|
| Your email address | So you can sign in and we can reach you about your account. | Until you delete your account. |
| Profile details you give us (training grade, exam target, preferences) | To pick the right questions and pacing for you. | Until you delete your account or change them. |
| Whether you've opted into marketing email | So we only send updates to people who asked for them, and can show consent was given. | Until you opt out or delete your account. |
| Study activity (questions answered, scores, time spent, CRQs and viva transcripts you submit for marking) | To show your progress, drive spaced repetition, and improve the product. | Until you delete your account. |
| Leaderboard name (only if you choose to add one) | Shown on the public leaderboard beside your rolling 30-day score. You appear anonymously by default; adding a name is opt-in and reversible at any time. | Until you remove your name, hide yourself from the board, or delete your account. |
| Prompts and content you send to the AI tutor / marker / coach | Routed to Google to generate a response. We do not use your content to train models. | Sent to the AI provider per request; we store the resulting conversation against your account so you can revisit it. |
| Usage analytics (pages viewed, features clicked, device and browser type, approximate location from IP) | To understand which features matter and where users get stuck. | Up to 12 months in PostHog before automatic deletion. |
| Crash and error reports | To fix bugs quickly. | Up to 90 days in Sentry before automatic deletion. |
| Cookies and similar storage (session cookie, analytics identifier) | To keep you signed in and to attribute analytics events. | Session cookie expires on sign-out; analytics ID up to 12 months. |
Who else processes your data
We use a small number of third-party services to run Helix. Each one only ever sees the data it needs to do its job.
- Supabase — sign-in, accounts, and the database that stores your profile, progress, and conversations.
- Vercel — hosting and request delivery.
- Google (Gemini) — generates AI responses for the tutor, CRQ marker, viva coach, and interview coach. Prompts you send are forwarded to Google per request.
- PostHog — product analytics.
- Sentry — error and crash reporting.
- Upstash — rate-limit counters to stop runaway usage. Stores only a short-lived per-user counter, no content.
Some of these process data outside the UK or EU (notably Google in the US). Where that happens we rely on the UK addendum to the EU Standard Contractual Clauses to keep the transfer lawful.
Marketing
We'll only send marketing email if you opt in. There's a checkbox when you sign up, and a toggle under Settings → Email updates you can change at any time.
If you opt in, it's occasional product news and exam tips, written by doctors. A few times a term at most. Every email has an unsubscribe link, and switching the toggle off stops it immediately.
Everything else we send is operational, and you get it regardless because it's needed to run your account: magic-link sign-in and the occasional account or product-status notice.
Your rights
Under UK GDPR you can ask us to: show you what we hold about you, correct it, delete it, export it in a portable format, or object to a particular use. Email hi@helixdoctors.comand we will respond within 30 days. You can also complain to the UK Information Commissioner's Office at ico.org.uk.
Security
Sessions are cookie-based and signed by Supabase. Data is encrypted in transit (HTTPS) and at rest. Admin access to production data is restricted to the maintainer.
Under-18s
Most of Helix is for doctors and medical professionals, who are adults. Some parts, such as UCAT preparation, are for people applying to study medicine, who are often 16 or 17.
If you are under 18 you are welcome to use those parts. We build them to be appropriate for under-18s, following the UK Information Commissioner's Age Appropriate Design Code.
In practice that means we collect only the data a feature needs to work, keep your account private by default, and never profile you or use nudges designed to keep you on the app or push you to spend. You can ask us to delete everything we hold about you at any time by emailing hi@helixdoctors.com.
Helix is not intended for children under 13, and we do not knowingly collect data from anyone under 13.
Changes
If we change anything material we'll update the date at the top and, for substantial changes, surface a notice in-app the next time you sign in.