Privacy Policy
Last updated: March 2026
1. What Helix Estimator Does
Helix Estimator is an internal ThoughtWorks platform that uses AI to help consulting teams build project estimates from Requests for Proposals (RFPs) and Statements of Work (SOWs). It is not a customer-facing product — only ThoughtWorks employees can access it.
2. Personal Data We Process
When you use Helix, the following personal data is collected:
- Identity data — email address and display name from your Google Workspace account.
- Authentication tokens — session cookies and, if you enable Google Drive integration, an OAuth refresh token (stored encrypted).
- Usage data — login timestamps, engagement creation/edit history, and the user email attached to records you create.
- Uploaded documents — RFP/SOW files you upload may contain third-party personal data (client contacts, stakeholder names). These are processed by AI and stored.
- Team member data — names, roles, grades, locations, and cost rates entered during team composition planning.
If Google Analytics is enabled, anonymous page-view and event data is collected. You can opt out via the cookie consent banner.
3. How We Use Your Data
- Authenticate you and enforce role-based access control.
- Process uploaded documents through Google Vertex AI (Gemini) and Document AI to extract project metadata.
- Generate project estimates, team compositions, roadmaps, and reports.
- Store AI prompt/response logs for quality assurance and prompt evaluation.
- Track engagement ownership, sharing, and audit trails.
4. Where Data Is Stored
Helix operates across five Google Cloud Platform regions. Your data is stored in the region closest to you and stays there — it is never moved to another region without your knowledge.
- US-East (Virginia) — us-east1 — United States & Canada
- Frankfurt (Germany) — europe-west3 — EU / EEA (GDPR & BDSG compliant)
- Mumbai (India) — asia-south1 — India & South Asia (DPDP Act 2023 compliant)
- Sydney (Australia) — australia-southeast1 — Australia & Oceania (Privacy Act 1988 compliant)
- São Paulo (Brazil) — southamerica-east1 — Latin America (LGPD compliant)
Each region has its own independent infrastructure:
- Cloud SQL (PostgreSQL) — user accounts, engagements, team data, AI logs. Private VPC, no public IP, AES-256 encryption at rest.
- Cloud Storage (GCS) — uploaded documents (permanent), generated assets (365-day lifecycle), temporary exports (30-day lifecycle).
- Redis — short-lived progress tracking and caches (auto-expiring).
- Cloud Logging — structured application logs (30-day retention).
Cross-region access is seamless — you can view engagements created in other regions, but the underlying data remains in its home region.
5. Third-Party Processors
Your data may be sent to the following Google Cloud services for processing:
- Google Vertex AI (Gemini) — RFP content is sent for metadata extraction and analysis via a global endpoint. Per Google Cloud Data Processing Terms, data is processed synchronously and not used for model training.
- Google Document AI — uploaded PDFs are processed for text extraction. Documents are not retained after processing.
- Google Drive API — only when you enable Drive integration. Used to browse/save files to your own Drive.
- Google Analytics (GA4) — optional anonymous usage analytics. Subject to consent.
Optional competitive intelligence features may query public APIs (GitHub, BuiltWith, HackerNews) using company/project names only — no personal data is shared.
6. Data Retention
- User accounts and role assignments are retained for the lifetime of the platform.
- Engagement data and AI prompt logs are retained indefinitely (no automated purge).
- Uploaded RFP/SOW documents are stored permanently in Cloud Storage.
- Temporary exports are auto-deleted after 30 days.
- Application logs are retained for 30 days.
7. AI & Automated Processing
Helix uses AI to extract metadata from documents, recommend team compositions, score estimation models, and generate delivery roadmaps. These are project-level recommendations, not decisions about individuals. All AI outputs are editable by users.
No individual users or employees are profiled, scored, or subject to automated decisions. Decision-maker names are only extracted if explicitly present in uploaded RFP documents.
8. Your Rights
You can:
- Access your data — use the engagement export feature or contact the Data Protection team.
- Correct your data — edit team member details, engagement metadata, and scenario data in the UI.
- Request deletion — contact dataprotection@thoughtworks.com.
- Withdraw consent — revoke Google Drive access by signing out and signing back in without the Drive checkbox. Opt out of analytics via the cookie banner.
9. Contact
For questions, data requests, or concerns, contact the ThoughtWorks Data Protection team at dataprotection@thoughtworks.com.