EU based·Ships from France·Free shipping over €150·Most orders ship within 1 business day·For research use only·
Legal

Privacy Policy

What we collect, the legal basis on which we process it, and the rights you have under the GDPR.

Draft — pending legal review.Final wording, entity details, and governing-law clauses will be set by the operator's counsel before launch.

1. Controller

helixcorebio.eu and the HelixCore Biotech brand are operated by [Registered name — pending], the controller for personal data processed through this site within the meaning of Article 4(7) GDPR.

[Registered name — pending]
[Registered address — pending]
VAT: [VAT number — pending]
Email: privacy@helixcorebio.eu

2. Data Protection Officer

We have not appointed a Data Protection Officer. Our processing does not currently meet the thresholds in Article 37(1) GDPR. For any data-protection question, contact privacy@helixcorebio.eu.

3. Categories of personal data we collect

  • Identity and contact data: name, shipping address, billing address, email address, phone number (optional).
  • Account data: email and hashed password if you create an account.
  • Order data: products purchased, order total, payment method, invoice records.
  • Payment data: we do not store card numbers. Card processing is handled by Stripe; crypto orders are handled by OxaPay. We see only the tokens / references they return.
  • Attestation data: the buyer attestation captured at checkout (version, timestamp, IP address, user-agent string, SHA-256 hash of the canonical text) as evidence the research-use declaration was made.
  • Technical and usage data: IP address, device and browser type, referring URL, pages viewed, basic analytics events (only with your consent).

4. Lawful bases for processing

  • Article 6(1)(b) — performance of a contract: processing order, account, identity, and shipping data to fulfil your purchase.
  • Article 6(1)(a) — consent: analytics and any non-essential cookies are placed only after you give consent through the cookie banner. You can withdraw consent at any time.
  • Article 6(1)(c) — legal obligation: retention of invoices and accounting records to meet tax and accounting law obligations in the EU.
  • Article 6(1)(f) — legitimate interests: fraud prevention, network and information security, defending against misuse of the service, and preserving the buyer attestation as evidence of the research-use declaration.

5. Recipients and processors

We share personal data only with vendors who process it on our behalf under Article 28 GDPR data-processing agreements:

  • Vercel — website hosting and edge delivery.
  • Upstash — Redis / key-value storage for orders and accounts.
  • Vercel Blob — encrypted off-site backups.
  • Stripe — card payment processing (when enabled).
  • OxaPay — cryptocurrency payment processing.
  • Resend — transactional and marketing email delivery.

Some of these processors are established outside the European Economic Area. Where that is the case, transfers are made under the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914) and, where relevant, supplementary technical measures as required by Article 46 GDPR.

6. International transfers

Where personal data is transferred outside the EEA, we rely on adequacy decisions of the European Commission where they exist, and otherwise on Standard Contractual Clauses combined with appropriate safeguards. You can request a copy of the relevant transfer mechanism at privacy@helixcorebio.eu.

7. Retention

  • Order and invoice records: 10 years, to meet accounting and tax retention obligations.
  • Account data: kept while your account is active; deleted on request, subject to legal retention obligations above.
  • Marketing data: kept until you unsubscribe or object, then suppressed.
  • Buyer attestation: retained indefinitely as evidence of the research-use declaration at the time of sale.
  • Server logs: typically 30 days, longer if needed to investigate a security incident.

8. Your rights under the GDPR

Subject to the conditions set out in the GDPR, you have the following rights in relation to your personal data:

  • Right of access (Article 15) — to obtain confirmation of, and a copy of, the personal data we process about you.
  • Right to rectification (Article 16) — to have inaccurate or incomplete data corrected.
  • Right to erasure (Article 17) — to have your personal data deleted, subject to overriding legal obligations.
  • Right to restriction of processing (Article 18) — to have processing limited in defined circumstances.
  • Right to data portability (Article 20) — to receive data you have provided to us in a structured, commonly used, machine-readable format.
  • Right to object (Article 21) — to object to processing based on legitimate interests, including profiling.
  • Rights related to automated decision-making (Article 22) — we do not carry out solely automated decision-making that produces legal effects concerning you.
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email privacy@helixcorebio.eu. We respond within one month, extendable by a further two months for complex requests in line with Article 12(3) GDPR.

9. Right to lodge a complaint

You have the right to lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement, in accordance with Article 77 GDPR. A directory of EU data protection authorities is available on the European Data Protection Board website.

10. Cookies

We use a limited number of strictly necessary cookies for cart persistence, account login, age-gate state, and security. These are placed without consent under the ePrivacy exemption for cookies strictly necessary for a service explicitly requested by the user.

Any analytics cookies are placed only after you give consent through the cookie banner. You can withdraw consent at any time by clearing the consent state in your browser.

11. Children

Our site and products are not directed to anyone under 18 years of age. We do not knowingly collect personal data from minors. If you believe we have collected data from a minor, please contact privacy@helixcorebio.eu and we will delete it.

12. Security

We use TLS for all traffic, hash passwords with industry-standard algorithms, and apply access controls and encrypted backups. No system is perfectly secure — please use a unique, strong password.

13. Changes to this policy

We may update this policy from time to time. The current version date is shown below. Material changes will be communicated where required by law.

Last updated: 2026-06 · HelixCore Biotech · [Registered address — pending]

Added to cart

Are you 18 or older?

This site contains research materials. By entering, you confirm you are 18+ and accept our Terms & RUO disclaimer.