Privacy Policy

The short version

HelioScript reads five specific markers from raw DNA export files (FokI, BsmI, ApaI, TaqI, Cdx2) to produce a plain language vitamin D receptor report. We do not store your raw DNA. We do not sell your data. We do not share your data with insurers, employers, or marketers. The uploaded file is deleted from our server immediately after parsing, and the report exists only in your browser.

If you only read one paragraph of this policy, read the one above. The rest is the formal version of the same commitment.

1. Who we are

HelioScript is an educational analysis tool operated by the NutrientGaps team. Our website is helioscript.bio. You can contact us at hello@helioscript.bio.

2. What data we receive, and what we do not

2.1 Raw DNA files

When you upload a raw export from AncestryDNA or 23andMe, the file is transferred over an encrypted HTTPS connection to our server. The server reads the file, extracts the genotypes for the five target VDR markers (small two-letter strings like "CT" or "AG"), and then deletes the uploaded file from disk.

Specifically, our processing pipeline does the following with your uploaded file:

• Validates that the file is a recognized plain-text DNA export format
• Stores the file under a cryptographically random filename in a non-public directory
• Reads the file into memory and extracts the five target marker genotype strings
• Deletes the file from disk using the standard unlink() system call
• Verifies the file no longer exists at that path

The entire pipeline typically completes in well under one second. We do not claim a forensic "secure-erase" beyond the standard filesystem delete, because on shared hosting we don't control the underlying storage layer, so claiming more would be marketing language we couldn't honestly back. What we do guarantee: your raw DNA file is never written to our database, never copied to backups, never included in logs, and never shared. The on-disk copy is removed immediately after parsing and the in-memory copy is released right after.

The strongest privacy posture is the default: with Privacy Guard ON, your file is parsed inside your browser and never reaches our server at all. Only the five short genotype strings are transmitted.

2.2 The five genotype strings

After extraction, we work only with five short strings (such as "CC", "TT", "AG") and the rsID labels of the five VDR sites. These are used to compute your report. The report is sent back to your browser and displayed on the results page. We do not retain the genotype strings after the response is sent.

2.3 Payment data (one-time $29 unlock)

Unlocking the full report is a one-time $29 purchase processed by Stripe. Your card details are entered on Stripe's checkout page, not ours, so we never see your card. Stripe notifies our server of a successful payment via a signed webhook. We record only four fields against that event: a random access token tied to the order, the Stripe checkout session ID, the status (paid), and a timestamp. We do not store your name, email, or any genetic data alongside the payment record. Stripe's own privacy policy governs what they retain on their side.

2.4 Optional research-consent opt-in

If you tick the optional opt-in on the report page, we store three fields against your record: your email address, the consent flag, and a timestamp. We may also store the campaign source (e.g. utm_source) so we can attribute future research outreach. We never store your genetic data alongside this record, even with your consent. Email us to remove the record at any time.

2.3 Standard web request data

Like every web server, ours logs basic technical information for every request: your IP address, the time of the request, the URL you visited, the HTTP method, and your user agent. We use these logs for rate-limit enforcement and to investigate technical errors. We do not associate your IP address with your DNA analysis results in any persistent record.

Server logs are retained for up to 14 days, after which they are deleted automatically.

2.4 Contact form submissions

If you use our contact form, we receive your name (optional), email address, subject, and message. We use this only to respond to your inquiry. Contact form submissions are stored in the support inbox and may be retained for as long as is reasonably needed to handle your request and any follow-up.

3. What we do not collect

• We do not use third-party analytics that track you across sites.
• We do not use advertising trackers.
• We do not use Facebook pixels, Google ad cookies, or similar profiling tools.
• We do not buy or sell DNA data, ever.
• We do not share data with insurance companies, employers, or law enforcement except where required by valid legal process directed specifically at HelioScript (which has never happened and which, given we do not retain raw DNA, would not yield genetic information anyway).

4. Cookies

HelioScript uses no tracking cookies. The site may use strictly necessary technical cookies (for example, to remember your privacy guard toggle preference within a single session). These cookies do not identify you and are not shared with third parties.

5. Third-party content loaded by the site

For performance and design reasons, our pages load a small number of third-party assets from public CDNs:

• Google Fonts (Inter font family), where Google may receive a request from your browser for the font file. This request is anonymous and is governed by Google's privacy policy.
• Tailwind CSS via cdn.tailwindcss.com, for stylesheet delivery.
• Unsplash, for blog post hero images. Unsplash may receive a request from your browser when loading images.

None of these third parties receive your DNA data or analysis results. They serve static content only.

6. Your rights

Depending on where you live, you may have rights under privacy laws such as the EU General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). These can include:

• The right to know what personal data we hold about you
• The right to request deletion of your personal data
• The right to opt out of any sale or sharing of your personal data
• The right to non-discrimination for exercising these rights

Because HelioScript does not retain your raw DNA or genotype results, there is generally nothing in our systems tied to you as an individual after your analysis completes. If you used our contact form and would like us to delete that correspondence, email hello@helioscript.bio and we will do so promptly.

7. Children

HelioScript is intended for adults. We do not knowingly accept DNA uploads from anyone under 18 years of age. If you believe a minor has used HelioScript, contact us and we will assist as needed.

8. Data security

All data is transmitted over HTTPS. Our server is hosted on commercial infrastructure with standard security controls. The upload staging directory is protected against direct HTTP access at the web server level. Because raw DNA is destroyed within milliseconds of analysis, the attack surface for genetic data retention is, by design, near-zero.

No system is perfectly secure. If we ever discover a security incident that could affect your privacy, we will notify users promptly through the website and where possible through email.

9. International transfers

HelioScript is operated from the United States. If you access the site from outside the US, your request is processed by US-located infrastructure. Because we do not retain raw DNA or genotype results, no cross-border transfer of genetic data occurs after analysis.

10. Changes to this policy

We may update this privacy policy as the service evolves. The "Effective date" at the top of this page will reflect any changes. Material changes will be announced on the homepage for a reasonable period.

11. Contact

Privacy questions, requests, or complaints can be sent to hello@helioscript.bio. We respond to legitimate privacy inquiries within 30 days.