Legal
Privacy Policy
Last updated: May 21, 2026
Data controller
The controller responsible for personal data on this website is Praveen, Am Kesselpfuhl, 13437 Berlin, Germany — full details in our Impressum. We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and the German TTDSG.
Legal bases for processing
We rely on the following GDPR Article 6 bases:
- Contract (Art. 6(1)(b)) — to provide the API service you request.
- Legitimate interest (Art. 6(1)(f)) — security, abuse prevention, and basic operation.
- Consent (Art. 6(1)(a)) — analytics cookies and newsletter signup; you may withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)) — where retention is required by law.
1. What we collect
We collect the minimum data needed to operate the service:
- Account info: your email address (via RapidAPI) and API key identifier.
- Request metadata: timestamp, endpoint, response code, latency, and approximate region (city-level, from IP).
- Billing data: handled entirely by RapidAPI / Stripe. We never see your card.
2. What we do NOT collect
- We do not log request bodies (your input text, prompts, URLs, images).
- We do not log response bodies (the data we return to you).
- We do not sell, rent, or share your data with third parties for advertising.
- We do not track you across other websites.
3. Why we collect metadata
Request metadata is used solely to (a) bill correctly, (b) detect abuse and prevent fraud, (c) debug outages, and (d) compute aggregate analytics like total API calls per region. Metadata is retained for 30 days and then deleted.
4. Third-party services
We rely on a small set of trusted infrastructure providers:
- RapidAPI — authentication, billing, request routing
- Railway — API server hosting (US region)
- Vercel — website hosting and edge CDN
- Cloudflare — DNS and email routing
- Brevo — newsletter delivery (only if you subscribe)
- Google Analytics — anonymous website analytics (only loaded if you accept cookies)
Some providers (e.g. Google, Vercel, Railway) process data in the United States. Such transfers are covered by EU Standard Contractual Clauses and/or the EU–US Data Privacy Framework. Each provider has its own privacy practices.
Analytics & newsletter
Analytics: we use Google Analytics 4 to understand aggregate, anonymous traffic. It is loaded only after you click "Accept" on the cookie banner. If you decline, no analytics cookies are set. You can change your choice by clearing site data.
Newsletter: if you submit your email to our newsletter, we store it with Brevo to send you updates. We act on your consent, and every email includes a one-click unsubscribe link. You can unsubscribe at any time.
5. Your rights (GDPR / CCPA)
You can at any time:
- Access the data we hold about you
- Correct inaccurate data
- Delete your account and all associated metadata
- Export your data in a portable format (JSON)
- Object to specific processing activities
- Withdraw consent at any time (e.g. analytics, newsletter)
- Lodge a complaint with a data-protection supervisory authority — in our case the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit)
Email privacy@helix-api.comand we'll respond within 30 days.
6. Cookies
We use strictly necessary storage for basic site function (e.g. your cookie choice and theme preference) — these require no consent.
We also offer one optional analytics cookie (Google Analytics). It is set only if you click "Accept" on the cookie banner. If you decline or ignore the banner, no analytics cookie is set. We use no advertising or cross-site tracking cookies.
7. Security
All traffic is encrypted with TLS 1.3. API keys are stored as hashed, salted secrets. Internal access is limited to a small operations team and audited. We'll notify affected users within 72 hours of any data breach.
8. Children
Helix-API is not directed at children under 16. We do not knowingly collect data from minors.
9. Changes to this policy
Material changes will be announced 30 days in advance via email and posted in our changelog.
10. Contact
Privacy questions: privacy@helix-api.com
Security disclosures: security@helix-api.com