Privacy Policy
Last updated: 1 June 2025
1. Who We Are
HelixCore Peptides (“we”, “us”, “our”) is the data controller for personal data collected through helixcore.co.uk. We take your privacy seriously and are committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Contact: privacy@helixcore.co.uk
2. Data We Collect
- Account data: name, email address, password (hashed — we never store plaintext passwords).
- Order data: shipping address, phone number, order history, payment method (not card details).
- Technical data: IP address, browser type, pages visited, timestamps (collected via server logs and cookies).
- Communications: any messages you send us via email.
We do not collect special category data (health, genetic, biometric data) and do not use automated profiling or decision-making.
3. How We Use Your Data
| Purpose | Lawful Basis |
|---|---|
| Process and fulfil your orders | Contractual necessity |
| Send order confirmation and dispatch emails | Contractual necessity |
| Manage your customer account | Contractual necessity |
| Verify purchaser eligibility (RUO compliance) | Legal obligation |
| Prevent fraud and abuse | Legitimate interests |
| Comply with tax and accounting obligations | Legal obligation |
| Improve our website and services | Legitimate interests |
| Send marketing emails (with your consent) | Consent |
4. Data Retention
We retain your personal data for as long as necessary to fulfil the purposes above:
- Account data: for the life of your account, plus 2 years after closure
- Order data: 7 years (legal/accounting obligation)
- Server logs: 90 days rolling
- Marketing consent records: until you withdraw consent
5. Data Sharing
We share your data only where necessary:
- Royal Mail — shipping name and address to fulfil delivery
- Payment processor — bank reconciliation details when payment is made by bank transfer or an approved pay-by-bank method
- Email service provider — to send transactional emails
- Law enforcement — where required by law
We do not sell your personal data to third parties. We do not use third-party advertising trackers.
6. Cookies
We use strictly necessary cookies for session management and a persistent age-gate confirmation stored in your browser's local storage. We do not use advertising or analytics cookies. See our Cookie Policy for full details.
7. Your Rights
Under UK GDPR you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate data
- Erasure — request deletion of your data (subject to legal retention obligations)
- Restriction — request that we restrict processing in certain circumstances
- Portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interests or for direct marketing
- Withdraw consent — where processing is based on consent, you may withdraw at any time
To exercise any right, email privacy@helixcore.co.uk. We will respond within 30 days. If you are unsatisfied, you may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
8. Security
We implement appropriate technical and organisational measures to protect your data, including TLS encryption in transit, bcrypt-hashed passwords, JWT-based authentication with short-lived access tokens, and server-side rate limiting. Access to production systems is restricted to authorised personnel only.
9. International Transfers
We process all data within the UK and EEA. We do not transfer personal data to countries outside these areas without appropriate safeguards.
10. Changes to This Policy
We may update this policy from time to time. Material changes will be notified by email to registered customers. The date at the top reflects the latest revision.