Privacy Policy

Last updated: March 2, 2026

Rhizar
Effective Date: January 5, 2026

1. Introduction

Helix Build, LLC d/b/a Rhizar ("Rhizar," "we," "us," or "our") operates a housing innovation consultancy and AI-powered business intelligence platform at https://rhizar.com (the "Service"). We are committed to protecting the privacy and security of your personal information.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service, including our AI Analyst tool. It applies to all users, including visitors to our website and clients who subscribe to our SaaS platform.

Key Information:

  • Entity: Helix Build, LLC d/b/a Rhizar (Washington State)
  • Address: 309 NW Dogwood Street, Issaquah, WA 98027
  • Privacy Contact: privacy@rhizar.com

This policy complies with applicable privacy laws, including:

  • General Data Protection Regulation (GDPR) for EU/UK users
  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
  • Washington State privacy laws
  • Other applicable US state and international privacy regulations

2. Information We Collect

2.1 Information You Provide Directly

Account Registration:

  • Name, email address, company name, job title
  • Password (encrypted and never stored in plain text)
  • Billing information (processed through third-party payment processors)

AI Analyst Usage:

  • Chat messages and prompts you submit
  • Documents you upload (PDF, Word, Excel, and other business files)
  • Workspace settings and data-sharing preferences (private vs. shared)
  • User-generated labels, tags, and organizational metadata

Communications:

  • Email correspondence with our team
  • Form submissions (contact forms, newsletter sign-ups via HubSpot)
  • Support requests and feedback

Advisory/Consulting Engagements:

  • Business information shared during consultations
  • Project deliverables and collaborative work product

2.2 Information Collected Automatically

Usage Data:

  • Device information (browser type, operating system, device identifiers)
  • IP address and geolocation data (country/region level)
  • Log data (access times, pages viewed, clickstream data)
  • Session duration and feature usage patterns

Cookies and Tracking Technologies:

  • Essential cookies for authentication and service functionality
  • Analytics cookies (Google Analytics, HubSpot tracking)
  • Performance monitoring cookies
  • For detailed cookie information, see our Cookie Policy

2.3 Information from Third Parties

  • Professional information from publicly available sources
  • Data shared by your organization's administrators (for multi-user accounts)
  • Integration data if you connect third-party services to your account

3. How We Use Your Information

We process your information for the following purposes:

3.1 Service Delivery & Contract Performance

  • Provide access to the AI Analyst tool and platform features
  • Process and respond to your AI queries using our language model infrastructure
  • Store and index your documents for retrieval-augmented generation (RAG)
  • Manage user authentication and account security
  • Provide customer support and respond to inquiries

3.2 Business Operations & Legitimate Interests

  • Improve and optimize our Service performance
  • Develop new features and analyze usage patterns
  • Prevent fraud, abuse, and security incidents
  • Comply with legal obligations and enforce our Terms of Service
  • Conduct internal research and product development

3.3 Marketing & Communications (With Consent)

  • Send newsletters and housing industry insights (opt-in only)
  • Deliver transactional emails (account notifications, system updates)
  • Promote our consulting services and new product features

3.4 Legal Basis for Processing (GDPR)

  • Consent: When you explicitly agree (e.g., newsletter sign-ups)
  • Contract Performance: To deliver the Service you subscribed to
  • Legitimate Interests: To improve our Service and prevent misuse
  • Legal Obligations: To comply with applicable laws and regulations

You may withdraw consent at any time by contacting privacy@rhizar.com.


4. Third-Party Service Providers (Data Processors)

We engage trusted third-party processors to provide our Service. These providers are contractually obligated to protect your data and use it only for specified purposes.

4.1 AI & Machine Learning

Anthropic (Claude API)

  • Purpose: Generate AI responses to user queries
  • Data Shared: Chat prompts, conversation context, system instructions
  • Training: Anthropic does not use commercial API data for model training
  • Privacy Policy: https://www.anthropic.com/legal/privacy
  • DPA: Available through Anthropic's platform

LlamaIndex/LlamaCloud

4.2 Infrastructure & Hosting

Supabase

Vercel

4.3 Communications

Resend

4.4 Analytics & Marketing

HubSpot

Google Analytics

4.5 Data Processing Addendum (DPA)

For enterprise clients requiring a formal DPA, we provide a standardized agreement incorporating Standard Contractual Clauses (SCCs) for international data transfers. Contact privacy@rhizar.com to execute a DPA.


5. Data Storage and International Transfers

Storage Locations:

  • Primary data storage: United States (via Supabase and Vercel)
  • Backup infrastructure: Geographically distributed (US and EU regions)

International Transfers: If you are located in the EU, UK, or other jurisdictions outside the United States, your data will be transferred to and processed in the US. We ensure adequate safeguards through:

  • Standard Contractual Clauses (SCCs) with our processors
  • Data Processing Agreements with GDPR-compliant terms
  • Regular security and compliance assessments

6. Data Retention

We retain your information only as long as necessary to fulfill the purposes described in this policy.

Active Accounts:

  • Account data: Duration of subscription plus legitimate business needs
  • Chat histories: Retained while account is active (user-deletable)
  • Uploaded documents: Retained while account is active (user-deletable)

Closed Accounts:

  • Grace period: 30 days after account closure for data recovery
  • Permanent deletion: Within 30 days of closure request (unless legal hold applies)
  • Backups: Rolling 90-day retention cycle

Financial Records:

  • Invoices and payment records: 7 years (tax and legal compliance)

Legal Exceptions: We may retain data longer if required by law, to resolve disputes, enforce agreements, or defend against legal claims.

7. Data Security

We implement industry-standard security measures to protect your information:

Technical Safeguards:

  • Encryption in transit: TLS 1.2+ for all data transmissions
  • Encryption at rest: Database and file storage encryption via Supabase
  • Secure authentication: Hashed passwords, session management
  • Regular security updates and vulnerability patching

Organizational Safeguards:

  • Access controls: Role-based permissions, principle of least privilege
  • Employee training: Data protection and security awareness
  • Incident response: Documented procedures for breach notification
  • Vendor management: Due diligence on all third-party processors

Limitations: No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.

8. Your Privacy Rights

Your rights vary based on your location. We honor the most protective rights for all users.

8.1 Rights for All Users

  • Access: Request a copy of your personal data
  • Correction: Update inaccurate or incomplete information
  • Deletion: Request deletion of your account and data (subject to legal exceptions)
  • Portability: Receive your data in a machine-readable format
  • Opt-Out: Unsubscribe from marketing emails at any time

8.2 Additional Rights (GDPR - EU/UK Users)

  • Right to restriction: Limit how we process your data
  • Right to object: Object to processing based on legitimate interests
  • Right to withdraw consent: Revoke consent for specific processing activities
  • Right to lodge a complaint: Contact your local data protection authority

8.3 Additional Rights (CCPA/CPRA - California Residents)

  • Right to know: Categories and specific pieces of personal information collected
  • Right to delete: Request deletion of personal information (subject to exceptions)
  • Right to opt-out: We do not sell or share personal information for advertising
  • Right to non-discrimination: Equal service regardless of privacy choices
  • Right to correct: Request correction of inaccurate information
  • Right to limit sensitive data use: Limit use of sensitive personal information

Authorized Agents: California residents may designate an authorized agent to make requests on their behalf.

8.4 Exercising Your Rights

To exercise any of these rights, contact us at:

  • Email: privacy@rhizar.com
  • Subject Line: "Privacy Rights Request"
  • Include: Your name, email, account details, and specific request

We will respond within:

  • 30 days for GDPR requests (extendable to 60 days for complex requests)
  • 45 days for CCPA requests (extendable to 90 days with notice)

9. Children's Privacy

Our Service is intended for business users and professionals. We do not knowingly collect information from individuals under the age of 16 (or under 13 in the US). If we learn that we have collected information from a child, we will delete it immediately. Contact privacy@rhizar.com if you believe we have inadvertently collected such information.

10. Do Not Track Signals

Our Service does not currently respond to "Do Not Track" browser signals. However, you can manage cookies and tracking through your browser settings and our cookie consent banner.

11. Data Sharing and Disclosure

We do not sell your personal information. We may share your data in the following circumstances:

Service Providers: With third-party processors listed in Section 4 to operate our Service

Business Transfers: In connection with a merger, acquisition, or sale of assets (with notice to affected users)

Legal Requirements: To comply with legal obligations, court orders, or government requests

Protection of Rights: To enforce our Terms of Service, prevent fraud, or protect safety

With Your Consent: When you explicitly authorize sharing (e.g., workspace collaboration features)

Aggregated Data: We may share de-identified, aggregated statistics that cannot reasonably identify you

12. AI-Specific Privacy Considerations

12.1 How We Use AI

Our AI Analyst tool uses large language models (LLMs) to:

  • Answer questions based on your uploaded documents
  • Analyze business data and generate insights
  • Provide conversational business intelligence

12.2 Your Control Over AI Processing

  • Private vs. Shared Data: You control whether documents you create are accessible only to you or shared with your organization
  • Document Deletion: You can delete uploaded documents at any time
  • Chat History: You can delete individual chats or entire conversation histories

12.3 AI Training and Model Improvement

  • Anthropic Claude: Does not use commercial API data for model training
  • LlamaIndex: Indexes your documents for retrieval only; does not train models on your data
  • Helix: We do not use your proprietary data to train third-party AI models

12.4 AI-Generated Content

  • AI responses may occasionally be inaccurate or incomplete
  • You remain responsible for verifying and validating AI-generated insights
  • We do not guarantee the accuracy or completeness of AI outputs

13. Business Client Responsibilities

If you are an organization using Helix for your team:

Administrator Responsibilities:

  • Ensure you have authority to submit team members' data
  • Obtain necessary consents from your users
  • Comply with applicable privacy laws in your jurisdiction
  • Maintain your own privacy notices for employees/contractors

User Data Access:

  • Organization administrators may access workspace data marked as "shared"
  • Individual users control "private" data visibility
  • We may access client data for support purposes with appropriate authorization

14. Changes to This Privacy Policy

We may update this policy periodically to reflect changes in our practices or legal requirements. We will:

  • Update the "Last Updated" date at the top of this policy
  • Notify you via email for material changes (if you have an account)
  • Post a notice on our website for significant updates

Continued use of the Service after changes constitutes acceptance of the updated policy. We encourage you to review this policy regularly.

15. Contact Us

For privacy-related questions, concerns, or requests:

Privacy Contact:
Email: privacy@rhizar.com
Address: Helix Build, LLC d/b/a Rhizar, 309 NW Dogwood Street, Issaquah, WA 98027

General Inquiries:
Email: info@rhizar.com
Website: https://rhizar.com

EU Representative (if applicable in future):
To be designated if we establish regular EU operations

Data Protection Officer (DPO):
Currently not required; contact privacy@rhizar.com for data protection matters

16. State-Specific Disclosures

California Residents (CCPA/CPRA)

Categories of Personal Information Collected (Last 12 Months):

  • Identifiers (name, email, IP address)
  • Commercial information (subscription details, usage patterns)
  • Internet activity (browsing behavior, chat interactions)
  • Professional information (company, job title)
  • Inferences (preferences derived from usage)

Sources: Directly from you, automatically collected, from your organization

Business Purposes: Service delivery, analytics, security, legal compliance

Third-Party Sharing: Service providers only (see Section 4)

Sales/Sharing: We do not sell or share personal information for advertising

Sensitive Personal Information: We limit use to service delivery and legal compliance

Retention: See Section 6 for retention periods

Contact for CCPA Requests: privacy@rhizar.com

Washington State Residents

Washington's My Health My Data Act (MHMDA) may apply if we process consumer health data. Currently, our Service does not collect, process, or sell consumer health data as defined by MHMDA.

Other US States

If you reside in Colorado, Connecticut, Utah, Virginia, or other states with comprehensive privacy laws, you have rights similar to those described in Section 8. Contact privacy@rhizar.com to exercise your rights.

End of Privacy Policy

This policy is effective as of January 5, 2026 and governs your use of Rhizar services.