Privacy Policy

Last updated: March 12, 2026

1. Introduction

HELSI (“we”, “our”, or “us”) is an AI-powered nutrition intelligence platform designed to help people with diabetes make safe and informed food decisions. We are committed to protecting your privacy and handling your personal data — including health-related data — with the utmost care.

This Privacy Policy explains what data we collect, why we collect it, how we use and protect it, and your rights regarding your personal information. This policy applies to our website at helsi.ai and any associated services (collectively, the “Service”).

2. Data Controller

The data controller responsible for your personal data is HELSI. For any privacy-related inquiries, you may contact us at: privacy@helsi.ai.

3. Data We Collect

We may collect the following categories of data:

3.1 Personal Information

  • Email address (provided when joining the waitlist or creating an account)
  • Name (if provided during registration)
  • Account credentials

3.2 Health-Related Data

When you use our Service, we may collect and process health-related information, which is considered sensitive data under GDPR (Article 9) and similar regulations. This includes:

  • Blood sugar / glucose measurements
  • Insulin-to-carbohydrate ratios and correction factors
  • Insulin dose logs
  • Diabetes type (Type 1, Type 2, prediabetic)
  • Food intake and meal journal entries
  • Nutritional data from scanned food products
  • Glycemic index and glycemic load calculations

We will always request your explicit consent before collecting any health-related data. You may withdraw this consent at any time.

3.3 Technical Data

  • IP address, browser type, operating system
  • Device identifiers
  • Usage analytics (pages visited, features used, session duration)
  • Cookies and similar tracking technologies

3.4 Waitlist Data

If you sign up for our waitlist, we collect your email address through Google Forms. This data is stored in Google's infrastructure and is subject to Google's Privacy Policy in addition to this policy.

4. How We Use Your Data

We process your data for the following purposes:

  • Service delivery: To provide nutritional analysis, glycemic calculations, insulin dose estimations, and food journaling features.
  • Personalisation: To tailor glycemic impact assessments and insulin calculations to your personal medical coefficients.
  • Communication: To send you product updates, launch notifications, and support responses (only with your consent for marketing communications).
  • Safety and improvement: To improve the accuracy of our AI algorithms, enhance user experience, and ensure platform security.
  • Legal compliance: To comply with applicable laws and regulations.

5. Legal Basis for Processing (GDPR)

We process your data based on the following legal grounds:

  • Explicit consent (Article 6(1)(a) and Article 9(2)(a) GDPR) — for health-related data and marketing communications.
  • Performance of a contract (Article 6(1)(b)) — to provide the Service you have requested.
  • Legitimate interest (Article 6(1)(f)) — for analytics, security, and service improvement, where your rights do not override our interests.
  • Legal obligation (Article 6(1)(c)) — when required by law.

6. Data Sharing and Third Parties

We do not sell your personal or health data. We may share data with:

  • Nutritional data providers (e.g., Open Food Facts, USDA) — we send product barcodes to retrieve nutritional data. No personal information is shared in these requests.
  • Hosting and infrastructure providers (e.g., Vercel, cloud databases) — who process data on our behalf under strict data processing agreements.
  • Google Forms / Google Workspace — for waitlist email collection.
  • Analytics providers — anonymised or pseudonymised usage data for service improvement.
  • Law enforcement — only when legally required.

All third-party processors are contractually obligated to protect your data and process it only for the specified purposes.

7. Data Retention

  • Account data: Retained for the duration of your account. Deleted within 30 days of account closure upon request.
  • Health data: Retained only as long as necessary for the Service. You may request deletion at any time.
  • Waitlist emails: Retained until the product launches or you request removal.
  • Analytics data: Retained in anonymised form for up to 24 months.

8. Your Rights

Under GDPR and applicable data protection laws, you have the right to:

  • Access — Request a copy of your personal data.
  • Rectification — Correct inaccurate or incomplete data.
  • Erasure — Request deletion of your data (“right to be forgotten”).
  • Restriction — Restrict processing of your data.
  • Data portability — Receive your data in a structured, machine-readable format.
  • Objection — Object to processing based on legitimate interest.
  • Withdraw consent — At any time, without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@helsi.ai. We will respond within 30 days.

9. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption of data in transit (TLS/SSL) and at rest
  • Access controls and authentication
  • Regular security assessments
  • Data minimisation — we only collect what is necessary
  • Privacy by design and by default principles

Health-related data is processed with additional safeguards in accordance with the sensitivity of such information.

10. Cookies

Our website may use essential cookies for functionality and optional analytics cookies to understand how users interact with our Service. You can manage cookie preferences through your browser settings. We will request your consent before setting non-essential cookies.

11. International Data Transfers

Your data may be processed in countries outside your country of residence. Where data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions.

12. Children's Privacy

HELSI is not intended for use by children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on our website or sending an email. The “Last updated” date at the top reflects the most recent revision.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us:

  • Email: privacy@helsi.ai
  • Website: helsi.ai

You also have the right to lodge a complaint with your local data protection supervisory authority.