Privacy Policy
This page describes what personal data Helix Peptide Research collects when you visit helix.bio, place an order, or contact us, and what we do (and don't do) with it.
1. Data we collect
- Order data: name, email, shipping address, billing address, phone number (for delivery only), and order contents.
- Payment data: handled entirely by Stripe; we never see or store your card number, CVC, or bank credentials. We retain only the last-4 digits, brand, and charge outcome for refund processing.
- Site analytics: anonymized page views, referrer, country (IP-derived), and device class via Cloudflare Web Analytics — privacy-pass enabled, no third-party cookies, no cross-site tracking.
- Communications: if you contact us by email, WhatsApp, or the consult intake form, we retain the contents of those messages for the duration required to resolve your enquiry.
2. What we do NOT collect
- No advertising identifiers, no Facebook/Meta pixel, no Google Ads tag, no TikTok pixel.
- No health or biometric data through the research catalog (the consult pathway is a separate, BAA-covered flow described in §5).
- No cross-site tracking, no fingerprinting, no behavioral profiling.
3. How we use order data
We use the data you provide at checkout only to:
- Process and ship your order, including customs documentation.
- Send transactional emails: order confirmation, dispatch notification with tracking, and (where applicable) a third-party CoA for the lot you received.
- Comply with tax, accounting, and import-export recordkeeping obligations in Indonesia and the destination country.
4. Who we share data with
We share the minimum data necessary with:
- Stripe — payment processing under their standard terms.
- DHL / FedEx / JNE / SiCepat / Gojek — name, address, phone for delivery.
- Cloudflare — hosting and edge; your data passes through their network but is not retained in identifiable form by them.
- Janoshik Analytical — lot-traceability data; we share only the lot ID, not buyer information.
We do not sell, rent, lease, or trade your data with any other party. We do not share with marketing platforms, data brokers, or analytics services beyond what is listed above.
5. Consult pathway (separate flow)
The wellness/consultation pathway on this site is a separate commerce flow administered under a Business Associate Agreement with a BAA-compliant health-commerce merchant-of-record. Information submitted through the consult form is governed by that merchant's privacy policy, not this one. We do not retain consult submissions beyond forwarding them to the merchant.
6. Cookies & local storage
We use a single functional localStorage key for the age-gate attestation (30 days) and one for the currency preference. No third-party cookies are set.
7. Your rights
You can request access to, correction of, or deletion of any personal data we hold on you by emailing privacy@helix.bio. We will respond within 30 days. Indonesian buyers may also have rights under UU PDP (No. 27 of 2022); EU/UK buyers under GDPR; California buyers under CCPA/CPRA.
8. Data retention
Order records: 7 years (Indonesian tax-law minimum). Marketing communications: until you unsubscribe. localStorage: 30 days for the age gate, indefinite for the currency preference (you can clear it via browser settings).
9. Security
The site is served over HTTPS with HSTS preload. Payment is handled entirely by Stripe Elements (PCI-DSS Level 1). We use Cloudflare Access for internal admin endpoints. Internal access to order data is restricted to the operations team and is logged.
10. Updates
Material changes to this policy will be posted on this page and, where we have a valid email, communicated directly. The "last updated" date above reflects the current version.
— Helix Peptide Research · Canggu, Bali, Indonesia