Privacy Policy
Heroxbio ("we," "us," or "Heroxbio") respects your privacy. This policy describes what information we collect when you visit heroxbio.com, complete the research-only access acknowledgement, or place an order, how we use it, who we share it with, and your rights regarding that information.
1. Data controller
The data controller for personal information collected through heroxbio.com is Vault IQ LLC, a Florida limited liability company. Registered office: 1126 S Federal Hwy Suite 704, Fort Lauderdale, FL 33316. Contact: support@heroxbio.com.
2. What we collect
When you complete the compliance gate, we collect:
- Email address. Required for order updates, shop communication, and the legal record of research-only acknowledgement.
- Optional first name. Used for personalization in shop emails.
- Country of delivery. Used for ship-to availability checks and region-specific compliance routing.
- Research-only acknowledgement record. Includes timestamp (ISO), IP address, user-agent string, referring URL, and form version. This is a legal record per our research-use-only compliance program; it is retained for 7 years.
- Age 21+ self-attestation. Recorded with timestamp.
When you place an order, we additionally collect:
- Shipping address and phone number.
- Order details. Product, quantity, batch reference.
- Payment information. Processed by our payment processor; we do not store full card numbers on our systems.
3. How we use it
- To fulfill orders, ship products, and provide customer service.
- To maintain the legal record of research-only acknowledgement required by our compliance program.
- To send order updates, shipment notifications, abandoned-cart and post-purchase communications.
- To analyze aggregate site usage and improve the catalog.
- To comply with applicable law, including CAN-SPAM, CCPA/CPRA, and consumer protection statutes.
We do not sell your personal information. We do not share your email address with third parties for marketing purposes. We do not use your data to retarget you with paid ads on third-party platforms.
4. Who we share with
We share data only with vetted service providers under data-protection contracts, including:
- GoHighLevel — our shop-side CRM and email service provider, which hosts the "Heroxbio Shoppers" contact list and the legal record of compliance acknowledgements (stored as contact tags + a per-contact compliance note).
- Payment processor — our high-risk-vertical processor for transactional payments.
- Shipping carrier(s) — USPS, UPS, FedEx, or DHL as appropriate to the destination.
- Analytics provider — a privacy-respecting analytics tool to measure aggregate site traffic.
- Hosting and CDN providers — standard infrastructure providers for the website itself.
We disclose information when required by law, in response to a valid subpoena or court order, or to protect our rights, property, or safety.
5. Cookies and tracking
We use one strictly-necessary cookie: heroxbio_compliance_ack, set by the server when you complete the research-only access form. This cookie grants 30-day catalog access and stores the timestamp of your acknowledgement. It is HttpOnly, Secure, and SameSite=Lax. It cannot be read by client-side JavaScript.
We use additional cookies for cart functionality during checkout. We do not run third-party tracking pixels (Meta, TikTok, etc.) on the gated catalog. Do-Not-Track signals are honored.
6. Categories of personal information collected (CCPA notice)
For California residents, in the 12 months prior to the effective date of this policy, we have collected the following categories of personal information per CCPA §1798.110:
- Identifiers (email, name, IP address)
- Customer records (shipping address, phone number, payment information processed by our processor)
- Commercial information (order history, batch references)
- Internet activity (referring URL, user-agent, session-level browse activity on the catalog)
- Geolocation (country of delivery — coarse only; we do not collect precise geolocation)
- Inferences (none drawn for marketing-segmentation purposes)
We do not collect "sensitive personal information" as defined by CPRA §1798.140(ae). We do not use any data to make automated decisions that produce legal or similarly significant effects on you.
7. Your rights
You may request access to, correction of, deletion of, or portability of personal information we hold about you. To exercise these rights, email support@heroxbio.com. We respond within 45 days (45 days plus a 45-day extension if needed, with notice, per CPRA).
You may unsubscribe from any marketing email at any time using the unsubscribe link in every issue, or by replying with "unsubscribe." Note that transactional emails (order confirmation, shipping, refund) are not marketing and continue regardless of subscription state.
California residents have specific rights under CCPA/CPRA: the right to know what personal information we collect, the right to delete it, the right to correct it, the right to limit use of sensitive personal information (we do not collect any), and the right to opt out of any sale or sharing for cross-context behavioral advertising. We do not sell personal information and do not share for cross-context behavioral advertising. Contact the address above to exercise these rights.
EEA, UK, and other GDPR-equivalent jurisdictions: we do not market to or knowingly sell to those regions. The country selector on our compliance gate does not list EEA or UK destinations. If you have somehow created a record from one of those regions in error, contact us and we will delete it.
8. Data retention
Compliance acknowledgement records are retained for seven (7) years from the date of acknowledgement to satisfy regulatory record-keeping requirements applicable to research-supply businesses. Order records (purchase history, shipping records) are retained for the same period for tax and audit purposes. Marketing email subscription records are retained for the duration of subscription plus 24 months. Aggregate analytics data is retained indefinitely in de-identified form.
9. Affiliated entities
Heroxbio is operationally and financially related to The Compound (thecompoundbrief.com), an independent editorial publication owned by the same operator. The two entities are run as separate properties with separate compliance gates, separate email lists (GoHighLevel for the shop, Beehiiv for the editorial publication), and independent operations. The Compound's editorial content is independent of any vendor relationship, including Heroxbio. Their data controller and privacy policy are separate from this one and live at thecompoundbrief.com/privacy.
10. Children
Heroxbio is intended exclusively for adult research customers 21 years of age or older. We do not knowingly collect data from anyone under 21. If you believe we have, contact us and we will delete the record.
11. Changes to this policy
Material changes to this policy will be communicated via email to current shoppers and dated on this page. Continued use of the site or shop after a material change constitutes acceptance of the revised policy.
12. Contact
Questions about this policy: support@heroxbio.com.
Mailing address: Vault IQ LLC, 1126 S Federal Hwy Suite 704, Fort Lauderdale, FL 33316.