Hosted Privacy Notice
Mabble Helix provides operators with a versioned, publicly hosted privacy notice that automatically appears at a stable URL on the operator's custom domain. This page explains how the privacy notice works — both for tenant administrators who manage it and for consumers who rely on its stability and accessibility.
How it works
Tenant perspective
Operators draft and publish privacy notices from the console under Settings > Privacy Notice. Each time you publish, Helix:
- Assigns an incrementing integer version number.
- Archives the previous version so its URL remains valid permanently.
- Makes the new version the current notice, effective immediately.
There is no downtime during a publish — Helix uses ETag-based conditional caching so CDN nodes refresh within 5 minutes.
Consumer perspective
The current notice is always reachable at:
https://<operator-domain>/public/v1/privacy/notice
Past versions are permanently accessible at:
https://<operator-domain>/public/v1/privacy/notice/v<N>
Where <N> is the version number shown in the console or in a notice's footer.
URL patterns
| URL | Description |
|---|---|
| /public/v1/privacy/notice | Current published notice. ETag-cached; refreshes within 5 minutes of a new publish. |
| /public/v1/privacy/notice/v1 | Version 1 (immutable once archived). Cached for 1 year. |
| /public/v1/privacy/notice/v2 | Version 2, and so on. |
Only published and archived versions are accessible via the public endpoint. Draft and in-review versions return 404.
Caching behavior
| Notice state | Cache-Control header |
|---|---|
| Current (published) | public, max-age=300 (5-minute cache; ETag provides conditional freshness) |
| Historical (archived) | public, max-age=31536000, immutable (1-year cache; content is frozen) |
ETag values are derived from a SHA-256 hash of the notice content, so a CDN or browser cache is invalidated only when the content actually changes.
Publishing workflow
- Navigate to Console > Privacy Center > Privacy Notice.
- Draft or paste your notice content (Markdown is supported; Helix renders it to HTML).
- Click Preview to see the rendered HTML.
- Click Publish to release the notice publicly. The previous version is automatically archived.
- The console shows a confirmation with the new version number and the URL.
Version lifecycle
Draft → In Review → Published → Archived (on next publish)
Only one version can be in the Published state at a time. Archiving is automatic — you cannot manually archive without publishing a replacement.
Embedding the privacy notice
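Because the privacy notice endpoint returns X-Frame-Options: SAMEORIGIN, you can embed the live notice in an iframe on your own domain. The embedding page must be served from the same origin (scheme, host and port) as the notice URL; browsers block the frame on any other origin: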
<iframe
src="https://<your-domain>/public/v1/privacy/notice"
title="Privacy Notice"
style="width:100%;border:none;"
></iframe>
This keeps your embedded notice always in sync with the published version without copying and pasting content.
Historical notice archive
Helix retains all published versions indefinitely. This is important for:
- GDPR Art.13/14 obligations — you must be able to demonstrate what notice was in force at any given time.
- HIPAA §164.520 — NPP must be retained 6 years from date of creation or last effective date.
- Litigation holds — if a dispute arises over what notice a user agreed to, the archived version is authoritative.
The version number and publication timestamp are visible in the console's version history table.
Security posture
- No cookies are set on privacy notice responses.
- No authentication is required.
- Tenant identity is resolved exclusively from the Host header, so the same privacy notice endpoint cannot be used to retrieve another tenant's notice.
- X-Content-Type-Options: nosniff is set on all responses.
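The headers documented under Caching behavior and Security posture can be checked mechanically. The following is an added example, not Helix code: the function names and sample headers are constructed, and it assumes any /v<N> path serves an archived version.

```python
import re

# Documented Cache-Control directives per notice state (from the page's tables).
EXPECTED_CACHE = {
    "current": {"public", "max-age=300"},
    "archived": {"public", "max-age=31536000", "immutable"},
}
NOTICE_PATH = re.compile(r"^/public/v1/privacy/notice(?:/v([1-9]\d*))?$")


def notice_state(path):
    """Classify a notice path; assumes any /v<N> path is an archived version."""
    m = NOTICE_PATH.match(path)
    if m is None:
        return None
    return "archived" if m.group(1) else "current"


def audit_headers(path, headers):
    """Return deviations of one response's headers from the documented posture."""
    state = notice_state(path)
    if state is None:
        return [f"{path}: not a documented notice URL"]
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    got = {d.strip().lower() for d in h.get("cache-control", "").split(",") if d.strip()}
    if got != EXPECTED_CACHE[state]:
        findings.append(f"Cache-Control for {state} notice is {sorted(got)}")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if h.get("x-frame-options", "").upper() != "SAMEORIGIN":
        findings.append("X-Frame-Options: SAMEORIGIN missing")
    if "set-cookie" in h:
        findings.append("Set-Cookie present on a public notice response")
    if state == "current" and not h.get("etag"):
        findings.append("ETag missing on current notice")
    return findings


# Constructed sample responses (not captured from a real tenant).
GOOD_CURRENT = {"Cache-Control": "public, max-age=300", "ETag": '"constructed"',
                "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff"}
BAD_ARCHIVED = {"Cache-Control": "public, max-age=300", "Set-Cookie": "sid=constructed",
                "X-Frame-Options": "SAMEORIGIN"}

if __name__ == "__main__":
    for path, hdrs in [("/public/v1/privacy/notice", GOOD_CURRENT),
                       ("/public/v1/privacy/notice/v1", BAD_ARCHIVED)]:
        print(path, audit_headers(path, hdrs) or "OK")
```

To check a deployment, pass the request path and the response headers from any HTTP client as a dict.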