Data Retention
Helix Insight follows the principle of data minimization: we process only what is necessary and retain data only for as long as required. This page describes what data is kept, for how long, and how deletion works.
Retention by Data Type
The parsed variant data from the uploaded VCF file is retained on the server so that an analysis can be re-processed without the laboratory uploading the file again. This supports iterative analysis with updated parameters, new HPO terms, or updated reference databases. This data is deleted when the laboratory deletes the analysis session or upon termination of the service agreement.
Classified variants, ACMG evidence, phenotype match scores, screening tiers, and literature evidence are retained in a structured database (DuckDB) for the duration agreed with the laboratory. This allows geneticists to return to previous cases for review without re-processing.
Patient phenotype (HPO terms), demographics (age, sex, ethnicity when provided), and clinical context are stored alongside the analysis results. These are deleted when the analysis session is deleted.
Ranked literature publications with relevance scores and evidence categories are stored as part of the session output. They are deleted with the session.
Processing timestamps, pipeline parameters, database versions used, and quality metrics are retained for audit trail compliance. These contain no genomic data.
User name, email, organization, and role are retained while the account is active. They are deleted within 30 days of account termination or on request.
IP addresses, session logs, and page views are retained for security monitoring for up to 12 months, then automatically purged.
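The two fixed periods stated above (30 days after account termination, up to 12 months for access logs) can be expressed as a small lookup table. This is only an illustrative sketch: the category keys and the `purge_due` helper are hypothetical, "12 months" is approximated as 365 days, and the per-laboratory retention periods for analysis data are not modeled.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical category keys; only the fixed periods stated in the text are encoded.
# "12 months" is approximated as 365 days for illustration.
FIXED_RETENTION = {
    "access_logs": timedelta(days=365),               # purged after up to 12 months
    "account_after_termination": timedelta(days=30),  # deleted within 30 days
}

def purge_due(category: str, reference_time: datetime) -> datetime:
    """Return the latest time by which data in `category` should be removed.

    `reference_time` is when the log entry was written, or when the
    account was terminated, depending on the category.
    """
    return reference_time + FIXED_RETENTION[category]

terminated_at = datetime(2024, 3, 1, tzinfo=timezone.utc)
account_deadline = purge_due("account_after_termination", terminated_at)
```

Keeping the periods in one table makes it easier to check that scheduled purge jobs and the published policy agree.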
Deletion Mechanisms
Automatic Deletion
Original VCF files are automatically deleted after processing completes; only the parsed variant data is kept with the analysis session. Analysis sessions that exceed the agreed retention period are automatically purged. No manual intervention is required.
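As an illustration of how an automatic purge might select sessions, the sketch below filters sessions whose agreed retention period has elapsed. The `Session` fields and the assumption that the period is counted from session creation are hypothetical; the source does not specify how the period is measured or how the purge is implemented.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

@dataclass
class Session:
    session_id: str       # hypothetical identifier
    created_at: datetime  # assumption: retention is counted from creation
    retention_days: int   # period agreed with the laboratory

def expired_sessions(sessions: List[Session], now: datetime) -> List[Session]:
    """Return the sessions whose agreed retention period has elapsed at `now`."""
    return [
        s for s in sessions
        if now > s.created_at + timedelta(days=s.retention_days)
    ]

utc = timezone.utc
sessions = [
    Session("a", datetime(2024, 1, 1, tzinfo=utc), retention_days=30),
    Session("b", datetime(2024, 3, 1, tzinfo=utc), retention_days=30),
]
to_purge = expired_sessions(sessions, now=datetime(2024, 3, 15, tzinfo=utc))
```

Here only session "a" is selected, because its 30-day period ended on 31 January 2024, while session "b" is still within its period on 15 March.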
On-Demand Deletion
The laboratory (data controller) can request deletion of any analysis session at any time. Helena Bioinformatics will delete all associated data (results, clinical profile, literature evidence, metadata) within 30 days and certify the deletion in writing.
Data Subject Erasure (GDPR Article 17)
Data subjects (patients) can exercise their right to erasure through the data controller (laboratory). Helena Bioinformatics assists in fulfilling these requests. Deletion may be subject to legal retention requirements (e.g., clinical record-keeping obligations under national legislation).
Termination Deletion
Upon termination of the service agreement, all personal data is either returned to the data controller or securely deleted within 30 days, at the controller's election. Deletion is certified in writing, as set out in the data processing agreement (DPA).
What Is NOT Retained
Patient names, dates of birth, or national identification numbers (never received)
Original VCF files after processing (automatically deleted)
Raw sequencing data (FASTQ, BAM; not accepted by the platform)
Intermediate processing files (temporary and deleted after each pipeline stage)
Audit Trail
Every deletion event is logged in the audit trail: what was deleted, when, by whom (or automatically), and the reason. Audit logs themselves are retained for the minimum period required by applicable legislation and do not contain genomic data.
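A deletion event with the four fields named above (what, when, by whom, reason) could be recorded as a structured log line. This is a minimal sketch under assumptions: the `DeletionEvent` class, the `record_deletion` helper, the JSON format, and the `"automatic"` actor label are all hypothetical and do not describe the platform's actual audit log schema.

```python
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class DeletionEvent:
    what: str     # identifier of the deleted item; no genomic data
    when: str     # ISO 8601 timestamp
    by_whom: str  # user identifier, or "automatic" for scheduled purges
    reason: str

def record_deletion(what: str, reason: str,
                    by_whom: Optional[str] = None,
                    when: Optional[datetime] = None) -> str:
    """Serialize one deletion event as a JSON line for an audit log."""
    when = when or datetime.now(timezone.utc)
    event = DeletionEvent(
        what=what,
        when=when.isoformat(),
        by_whom=by_whom or "automatic",
        reason=reason,
    )
    return json.dumps(asdict(event), sort_keys=True)

line = record_deletion(
    "session:example-123",  # hypothetical identifier
    "retention period exceeded",
    when=datetime(2024, 6, 1, tzinfo=timezone.utc),
)
```

Recording only identifiers and reasons, never variant or phenotype content, keeps the log consistent with the statement that audit logs contain no genomic data.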