Privacy Policy
Last updated: May 2026 · GDPR-aligned
1. Overview
New-U Research Compounds ("we," "us," or "our"), a brand operated by Hilxera Distribution Services LLC, operates the website new-u.io. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website, place an order, or interact with our services. By using our website you consent to the practices described herein.
This policy is written to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR and Data Protection Act 2018, and equivalent consumer data-protection laws in the United States (including the California Consumer Privacy Act / CPRA).
2. Data Controller & Legal Basis
Hilxera Distribution Services LLC, registered in Wyoming (ID: 2026-001928701), is the data controller for personal data processed through new-u.io. You can reach our privacy contact at hello@new-u.io.
Under GDPR Article 6, we process your personal data only where one of the following legal bases applies:
- Performance of a contract (Art. 6(1)(b)) - processing orders, shipping, and customer support.
- Legal obligation (Art. 6(1)(c)) - tax, accounting, anti-fraud, and regulatory record-keeping.
- Consent (Art. 6(1)(a)) - marketing emails, SMS updates, non-essential cookies, and research-verification data. Consent is freely given, specific, informed, and can be withdrawn at any time.
- Legitimate interests (Art. 6(1)(f)) - fraud prevention, network security, and aggregate analytics. We balance these interests against your rights and only rely on this basis where it does not override your freedoms.
We do not knowingly process special-category data under GDPR Article 9.
3. Information We Collect
Information You Provide Directly
We collect personal information that you voluntarily provide when you:
- Place an order for research-grade peptide compounds
- Create an account or register for order tracking
- Subscribe to our newsletter or email communications
- Contact us via email, contact form, or other channels
- Apply for or participate in our affiliate programme
- Submit a referral through our refer-a-friend programme
This information may include your name, email address, shipping and billing address, telephone number, payment details, and any research-related enquiries you submit.
Information Collected Automatically
When you visit our website, we automatically collect certain technical data, including:
- Browser type, version, and device information
- IP address and approximate geographic location
- Pages visited, time spent on each page, and navigation paths
- Referral source and search terms used to reach our site
- Operating system and screen resolution
Information from Third Parties
We may receive limited information from third-party services we integrate with, including payment processors confirming transaction status and affiliate networks providing referral data.
4. How We Use Your Information
We use the information we collect for the following purposes:
- Order fulfilment: Processing, packaging, dispatching, and tracking your peptide orders
- Communications: Sending order confirmations, shipping updates, delivery notifications, and payment receipts
- Customer support: Responding to enquiries, resolving issues, and providing post-sale assistance
- Marketing: Sending promotional emails, product announcements, and newsletters (only with your explicit consent; you may opt out at any time)
- Compliance: Verifying that purchases are made for legitimate research purposes in accordance with applicable regulations
- Fraud prevention: Detecting and preventing fraudulent transactions, chargebacks, and unauthorised account access
- Site improvement: Analysing usage patterns to improve website performance, user experience, and product offerings
- Legal obligations: Complying with applicable laws, regulations, and lawful requests from authorities
5. Payment Processing & Financial Data
We accept card and digital-wallet payments, processed through independent PCI DSS-compliant providers including Quiklie, Peptide-Pay, Conflux, CLKK Wallet, TagadaPay, NexaPay, and Lexicons, and cryptocurrency payments, processed through licensed gateways including NOWPayments, StableDrop, and PassimPay. All payment transactions are handled by these third-party processors; we are not the merchant of record for raw card data, and we do not use Stripe.
What each processor sees (data minimisation)
Each processor receives only the fields it needs to settle a single transaction. No single processor sees all your payments, and we never share marketing, browsing, or unrelated order history with them.
- Card & digital-wallet processors receive your billing address, the order amount, an order reference, and the card or wallet credentials you enter on their hosted form. The card number, CVV, and expiry are submitted directly into the processor's secure frame and are never seen by our servers; we only receive a tokenised reference, the last four digits of the card, the card brand, and the auth / settlement status.
- Cryptocurrency gateways receive the order amount, an order reference, and (where applicable) a contact email for invoice notifications. They return a deposit address, an invoice ID, and the on-chain transaction status. We never receive, request, or store your wallet private keys, seed phrase, or wallet balance.
On-chain transparency for crypto payments
Cryptocurrency networks are public ledgers by design. Once you broadcast a payment, the sending address, the deposit address, the amount, and the transaction hash become permanent, publicly observable records on the relevant blockchain. We do not add to that record beyond the deposit address generated for your invoice, and we cannot remove or redact entries that already exist on a public chain. If on-chain privacy matters to you, consider funding payments from a wallet that has no link to your real-world identity.
What we retain on our servers
- We do not store complete credit or debit card numbers, CVVs, or expiry dates.
- For card transactions we retain only the tokenised processor reference, the last four digits of the card, the card brand (Visa / Mastercard / Amex), the auth status, and the settlement timestamp.
- For crypto transactions we retain only the deposit address generated for your invoice, the settlement asset and network, the transaction hash, the confirmed amount, and the payment status, never wallet private keys.
- Payment data is transmitted over encrypted connections (TLS 1.2+) at all times and is subject to the same row-level security, AWS KMS envelope encryption, and access controls described in § 6.
- Retention periods for these records are set out in § 11.
6. Data Security & Our Locally-Accessed Secure Database
Article 32 GDPR requires us to implement "appropriate technical and organisational measures" to protect your data. We take this obligation seriously and our architecture is built around the principle that your personal data lives in a single secured database that is never exposed to the public internet and can only be accessed from our private backend.
Where your data is stored
- Single managed PostgreSQL database (Supabase-hosted Postgres) acts as our only store of customer records, orders, and account data. There is no shadow copy on laptops, spreadsheets, or third-party CRMs.
- No public database endpoint. The database is not reachable from the public web. It is only accessible from inside our private server network - queries originate from our own application code, never directly from your browser.
- Row-level security (RLS) is enabled so that, even inside the network, each row can only be read by the service role that is authorised to read it. A compromised key for one surface cannot read another surface's data.
- Parameterised queries only. Every SQL statement uses placeholders and bound parameters, eliminating SQL injection as an attack path.
Encryption
- In transit: All traffic between your browser, our servers, and the database is encrypted with TLS 1.2+ (HSTS enforced).
- At rest: Database storage volumes are encrypted with AES-256. On top of that, sensitive PII fields (name, address, phone, date of birth, tax ID) are additionally encrypted at the application layer using AWS KMS envelope encryption before they are written to a row - so even a raw database dump does not reveal those fields in cleartext.
- Key management: Encryption keys live in AWS KMS with strict IAM policies. No key material is ever committed to source control or sent to the browser.
- Payment data: We never see or store full card numbers. Card data is tokenised by our PCI DSS-compliant card processors before it reaches our servers; crypto transactions are settled through licensed gateways and we retain only the transaction reference, settlement asset, and payment status.
Access control & monitoring
- Need-to-know access for any human operator; production DB credentials are rotated and stored in a secrets manager, never in chat, email, or code.
- Admin endpoints gated by a server-side admin key and rate-limited (60 requests/minute by default on API routes).
- Audit trail on order and payment mutations, so we can investigate and, where required under GDPR Art. 33/34, notify the relevant supervisory authority within 72 hours of discovering a personal-data breach.
- Web application firewall & DDoS protection in front of the public site; age-gate and content-protection on sensitive pages.
- Principle of data minimisation: we only collect fields we genuinely need for your order or legal compliance, and we do not sell data to brokers.
No system is 100% secure. If a personal-data breach ever occurs that is likely to result in a risk to your rights and freedoms, we will notify you and the competent supervisory authority within the timeframes required by GDPR.
7. Cookies & Tracking Technologies
Our website uses cookies and similar technologies for the following purposes:
- Essential cookies: Required for core site functionality including shopping cart persistence, session management, and checkout processing. These cannot be disabled without breaking site functionality.
- Preference cookies: Store your preferences such as selected currency and display settings.
- Analytics cookies: Help us understand how visitors interact with our website so we can improve the user experience.
- Affiliate tracking: Used to attribute referrals to our affiliate partners for commission purposes.
You can manage or disable cookies through your browser settings. Disabling essential cookies may prevent you from completing purchases or using certain site features.
8. Third-Party Services & Processors
We share limited data with the following categories of third-party service providers, each of whom is contractually obligated to handle your information securely and only for the purposes we specify:
- Email delivery: MailerSend - for sending transactional emails (order confirmations, shipping updates) and marketing communications
- Payment processing: Independent card and digital-wallet processors (Quiklie, Peptide-Pay, Conflux, CLKK Wallet, TagadaPay, NexaPay, Lexicons) and cryptocurrency gateways (NOWPayments, StableDrop, PassimPay) - each receives only the fields required to settle your transaction, and no single processor sees all payments
- Cloud infrastructure: Amazon Web Services (AWS) - for hosting, database, and encryption services
- Shipping & fulfilment: Postal and courier services - for order delivery (we share only the information necessary for shipping)
We do not sell, rent, or trade your personal information to third parties for their marketing purposes.
9. Research Verification
As a supplier of research-grade peptide compounds, we may collect and retain information to verify that customers are purchasing products for legitimate scientific research. By placing an order you confirm that:
- You are at least 18 years of age
- You are a qualified researcher or purchasing on behalf of a research institution
- Products will be used solely for lawful in-vitro research and laboratory purposes
- You are in compliance with all applicable local, national, and international regulations
Verification data may be retained as part of our compliance records.
10. International Data Transfers
We ship to customers in the EU, USA, and UK, and your data may be processed and stored in any of these regions. Our servers and infrastructure are hosted in the United States via AWS.
For customers in the European Economic Area (EEA) or United Kingdom, transfers to processors and infrastructure outside the EEA / UK are conducted under appropriate safeguards required by GDPR Chapter V, most commonly the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, an adequacy decision, or the processor's binding corporate rules. Several of our payment processors (named in § 5) are established outside the EEA; the specific transfer mechanism that applies to your order can be requested from hello@new-u.io. By using our services you acknowledge that your information may be processed in countries whose data-protection laws differ from your own.
11. Data Retention
We retain your personal data for as long as necessary to fulfil the purposes outlined in this policy:
- Order records: Retained for a minimum of 7 years for legal, tax, and compliance purposes
- Customer accounts: Retained for the duration of your account plus 2 years after the last activity
- Email subscribers: Retained until you unsubscribe or request deletion
- Affiliate data: Retained for the duration of the affiliate relationship plus 3 years
- Analytics data: Aggregated and anonymised data may be retained indefinitely for statistical purposes
You may request deletion of your personal data at any time, subject to our legal retention obligations.
12. Your Rights Under GDPR & UK GDPR
All Customers
Regardless of your location, you have the right to:
- Request access to the personal data we hold about you
- Request correction of inaccurate or incomplete data
- Request deletion of your personal data (subject to legal retention requirements)
- Opt out of marketing communications at any time
- Withdraw consent for data processing where consent is the legal basis
EU & UK Customers (GDPR / UK GDPR)
In addition to the rights above, if you are located in the EEA or UK, you also have the right to:
- Request restriction of processing of your personal data
- Request data portability - receive your data in a structured, commonly used, machine-readable format
- Object to processing based on legitimate interests
- Lodge a complaint with your local data protection supervisory authority
To exercise any of these rights, contact us at hello@new-u.io. We will respond to all requests within 30 days.
13. Children's Privacy
Our website and services are not intended for individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have collected data from a person under 18, we will take immediate steps to delete that information.
14. Contact Us & Complaints
For privacy concerns, data access requests, or questions about this policy, contact us at:
New-U Research Compounds (operated by Hilxera Distribution Services LLC)
Email: hello@new-u.io
Website: new-u.io
EU and UK residents also have the right to lodge a complaint with their national data-protection supervisory authority (for example, the UK Information Commissioner's Office at ico.org.uk, or the relevant EU member-state authority listed on edpb.europa.eu). We would, however, appreciate the chance to address your concerns directly first.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you via email or a prominent notice on our website. We encourage you to review this policy periodically.