Helix Insight

Data Retention

Helix Insight follows the principle of data minimization: we process only what is necessary and retain data only for as long as required. This page describes what data is kept, for how long, and how deletion works.

Retention by Data Type

Uploaded VCF Files: Retained for re-analysis capability

The parsed variant data from the uploaded VCF file is retained on the server to enable re-processing without requiring the laboratory to upload the file again. This supports iterative analysis with updated parameters, new HPO terms, or updated reference databases. Data is deleted when the laboratory deletes the analysis session or upon termination of the service agreement.

Analysis Results: Duration specified in service agreement

Classified variants, ACMG evidence, phenotype match scores, screening tiers, and literature evidence are retained as a structured database (DuckDB) for the duration agreed with the laboratory. This allows geneticists to return to previous cases for review without re-processing.

Clinical Profile Data: Retained alongside analysis results

Patient phenotype (HPO terms), demographics (age, sex, ethnicity when provided), and clinical context are stored alongside the analysis results. These are deleted when the analysis session is deleted.

Literature Search Results: Retained alongside analysis results

Ranked literature publications with relevance scores and evidence categories are stored as part of the session output. Deleted with the session.

Session Metadata: Retained for audit purposes

Processing timestamps, pipeline parameters, database versions used, and quality metrics are retained for audit trail compliance. These contain no genomic data.

Account Data: Duration of the service agreement

User name, email, organization, and role are retained while the account is active. Deleted within 30 days of account termination or on request.

Usage Data: Maximum 12 months

IP addresses, session logs, and page views are retained for security monitoring for up to 12 months, then automatically purged.

Deletion Mechanisms

Automatic Deletion

VCF files are automatically deleted after processing completes. Analysis sessions that exceed the agreed retention period are automatically purged. No manual intervention is required.

On-Demand Deletion

The laboratory (data controller) can request deletion of any analysis session at any time. Helena Bioinformatics will delete all associated data (results, clinical profile, literature evidence, metadata) within 30 days and certify the deletion in writing.

Data Subject Erasure (Article 17)

Data subjects (patients) can exercise their right to erasure through the data controller (laboratory). Helena Bioinformatics assists in fulfilling these requests. Deletion may be subject to legal retention requirements (e.g., clinical record-keeping obligations under national legislation).

Termination Deletion

Upon termination of the service agreement, all personal data is either returned to the data controller or securely deleted within 30 days, at the controller's election. Deletion is certified in writing per the DPA.

What Is NOT Retained

Patient names, dates of birth, or national identification numbers (never received)

Original VCF files after processing (automatically deleted)

Raw sequencing data (FASTQ, BAM -- not accepted by the platform)

Intermediate processing files (temporary and deleted after each pipeline stage)

Audit Trail

Every deletion event is logged in the audit trail: what was deleted, when, by whom (or automatically), and the reason. Audit logs themselves are retained for the minimum period required by applicable legislation and do not contain genomic data.