Privacy Policy

EFFECTIVE · 20 APRIL 2026 · VERSION ONE

Helixar Technologies ("Helixar", "we", "us") is a Personal Information Controller and Personal Information Processor under the Republic of the Philippines. This Privacy Policy explains how we collect, use, store, share, and protect personal information in accordance with Republic Act No. 10173 (the Data Privacy Act of 2012), its Implementing Rules and Regulations, and the issuances of the National Privacy Commission (NPC).

1 · Who we are

Helixar Technologies is a software-as-a-service provider of a post-operation asset management platform for Renewable Energy Developers and Operators ("Operators") and their end-users ("End-Users") in the Philippines. When an Operator uses Helixar to manage its workspace, Helixar acts as a Personal Information Processor with respect to data the Operator uploads. When you visit our website, apply for a demo, or apply for access, Helixar acts as a Personal Information Controller with respect to that interaction.

2 · Information we collect

2.1 Information you provide

• Demo / access requests: full name, work email, company name, company TIN (for operator applications), mobile number, company type, portfolio size, capacity, site types, ERC / DOE registrations, message content.
• End-user requests: full name, email, company (if any), user category, operator name, site reference.
• Authentication: Google account identifier, display name, profile email (via Google Sign-In).
• Workspace data: for Operators, the site, equipment, contract, billing, permit, maintenance, and ESG records you enter into your workspace - which may contain personal data about your own clients and counterparties.

2.2 Information collected automatically

• IP address, device type, browser, operating system, referral URL, timestamps.
• Strictly-necessary and functional cookies (see §11).
• Security and audit logs - every financial and compliance action inside the platform is logged for regulator review and to protect the integrity of your data.

2.3 Sensitive personal information

We do not request sensitive personal information as defined in §3(l) of RA 10173 (e.g. health, education, genetic, offenses) for normal use of the platform. If such data appears incidentally in free-text fields you upload, you are responsible for the lawful basis of its inclusion.

3 · Lawful bases & purposes

We process personal information on one or more of the following lawful criteria under §12 and §13 of RA 10173:

4 · How we use information

• Operate, maintain, and improve the Helixar platform.
• Authenticate users and enforce tenant isolation at the database layer - other Operators physically cannot see your records.
• Communicate with you about your request, application, workspace, service announcements, and security matters.
• Comply with Philippine legal and regulatory obligations including, where applicable, DOE, ERC, BIR, LGU, DENR, and NPC.
• Detect, prevent, and investigate security incidents, fraud, and violations of our Terms.

We do not sell personal information. We do not use your workspace data to train AI models. We do not share your workspace data with other Operators, ever.

5 · Sharing & disclosure

We may disclose personal information only to the following categories of recipients, under confidentiality and data-protection obligations:

• Sub-processors: cloud hosting, database, email delivery, error monitoring, and analytics providers engaged to deliver the service. A current list is available on request.
• Your Operator (if you are an End-User): only to the Operator you identify, and only the data you submit.
• Regulators, courts, and law-enforcement: where required by a lawful order or Philippine law.
• Professional advisors: auditors and counsel bound by confidentiality.
• Successors: in the event of a merger, acquisition, or asset sale, subject to equivalent protection.

6 · Cross-border transfers

Helixar primarily hosts data on infrastructure located in or serving the Philippines. Where a sub-processor is located outside the Philippines, we ensure a comparable level of protection through contractual safeguards, in accordance with §21 of RA 10173 (accountability for transfers) and NPC Circular 2020-03. You may request a list of such transfers.

7 · Retention

We retain personal information only for as long as necessary for the purposes identified or as required by law:

• Marketing / demo request data - up to 2 years from last interaction, or until consent is withdrawn.
• Workspace data - for the duration of the Operator's subscription, plus a 90-day post-termination window for export, then secure deletion.
• Financial and tax records - at least 10 years, per §235 of the National Internal Revenue Code.
• Audit and compliance logs - at least 5 years, or longer where a specific regulatory instrument requires.

8 · Your rights as a data subject

Under §16 of RA 10173 you have the right to:

• Be informed of how your data is processed.
• Access your personal information.
• Object to processing and withdraw consent.
• Rectify inaccurate or outdated data.
• Erasure or blocking where processing is unlawful, unnecessary, or no longer consented to.
• Damages for inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal information.
• Data portability for data you have provided in a structured, commonly-used, electronic format.
• File a complaint with the National Privacy Commission.

To exercise any of these rights, contact our Data Protection Officer using §14. If you are an End-User of an Operator's workspace, you may direct requests to your Operator (the Controller) or to Helixar, and we will route them appropriately.

9 · Security measures

Helixar implements reasonable and appropriate organizational, physical, and technical measures (§20, RA 10173 and NPC Circular 16-01):

• Transport encryption (TLS 1.2+) and at-rest encryption for workspace data.
• Row-level security in the database - tenant isolation enforced at the lowest layer, not in application code.
• Role-based access control and least-privilege for Helixar personnel.
• Full audit trail on every financial and compliance action.
• Regular vulnerability testing, patching, and credential rotation.
• A Data Protection Officer, privacy impact assessments, and an incident response plan.

10 · Breach notification

In accordance with §38 of the IRR and NPC Circular 16-03, we will notify the NPC and affected data subjects within 72 hours of knowledge of a personal data breach that is likely to give rise to real risk of serious harm. Notification will describe the nature of the breach, the data concerned, measures taken, and how affected subjects can protect themselves.

11 · Cookies & analytics

We use a minimal set of cookies:

• Strictly necessary - authentication, session, CSRF. Cannot be disabled without breaking the service.
• Functional - remembering your preferences (e.g. workspace selection).
• Analytics - aggregate, privacy-preserving usage analytics only, with IP truncation. No cross-site tracking, no advertising cookies.

12 · Children

Helixar is not directed to individuals under 18. We do not knowingly collect personal information from minors. If you believe a minor's data has been submitted, contact the DPO and we will delete it.

13 · Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified by email to account holders and by a prominent notice on this page at least 14 days before they take effect. Continued use of the platform after the effective date constitutes acceptance.

14 · Contact & Data Protection Officer

This document is provided for transparency under the Data Privacy Act of 2012. It is not legal advice. Operators remain responsible for their own compliance with RA 10173 as controllers of the personal data they enter into their workspaces.