Privacy Policy
Helian is a nutritional supplement guidance and subscription platform for men's hormonal health. We built our data architecture around the sensitivity of hormonal health data — not as an afterthought, but as a core product value.
Last updated May 2026 · Helian by Steps Ventures LLC · New York, NY
The short version
Your hormone profile, goals, and health answers live on your device. We cannot access them.
Health assessment data is stored in your browser only — it is never transmitted to our servers.
We store only your email when you subscribe, plus a non-identifiable tier label.
Wearable data (Oura, Apple Health) is processed in real time and not persisted on our servers.
We will never sell, share, or license your health data. Not now, not after acquisition.
You can delete all data — local and server-side — at any time.
Helian is operated by Steps Ventures LLC, a New York limited liability company. “Helian,” “we,” “us,” and “our” refer to Steps Ventures LLC and the Helian application available at helian.stepsventures.com.
Helian is a nutritional supplement guidance and subscription platform. We are not a healthcare provider, medical practice, pharmacy, or clinical service. Nothing in this application or its communications constitutes medical advice, diagnosis, or treatment. See our Terms of Service for the full medical disclaimer.
The following data is stored exclusively in your browser's local storage. We have no technical access to it. It does not leave your device unless you explicitly choose to sync it.
Hormone profile assessment answers (goals, symptoms, lifestyle flags, health conditions noted)
Daily supplement log entries and AM/PM protocol preferences
Onboarding responses (age range, training habits, dietary preferences, medications noted)
We collect your email address, your chosen subscription tier label, and billing confirmation signals from our payment processor. We do not store payment card data — all payment processing is handled by Stripe (PCI-DSS Level 1 certified).
If you choose to connect an Oura Ring or other wearable integration, we access the following data types under your explicit OAuth authorization:
Oura Ring: Daily readiness score, sleep summary (total sleep, REM, deep sleep duration), heart rate variability (HRV), resting heart rate, and skin temperature deviation. We request the minimum scope required to personalize your supplement stack (“daily” and “personal” scopes only).
Apple Health (future): Sleep analysis, HRV, and activity data you explicitly approve. Apple Health integrations require in-app authorization for each data type separately.
How wearable data is handled: Wearable data is fetched at session load and used in real time to personalize your AM/PM stack based on recovery state. It is not stored on our servers in persistent form. If you disconnect a wearable integration, we immediately cease all data access. You can revoke Oura authorization at any time via your Oura account at cloud.ouraring.com.
Helian's use of data from the Oura API complies with the Oura API Terms of Service. We use Oura data solely to provide and improve the nutritional personalization features you have requested. We do not use Oura data for advertising, sell Oura data to third parties, or retain Oura data beyond your active session.
We use PostHog and Google Analytics 4 for product analytics. These tools collect anonymized behavioral data: pages visited, features used, session duration. Health-related pages (profile, today's protocol, log) are excluded from analytics tracking. All inputs are masked. No health data is captured by analytics tools.
We do not collect: clinical diagnosis data, genetic information, insurance information, lab results, physician records, or any data that would constitute a protected health record. We do not run advertising trackers or capture health inputs through analytics events.
Health data: no one. We will never sell, license, transfer, or share your health information with insurers, employers, pharmaceutical companies, data brokers, research institutions, advertisers, or any third party, under any circumstances, including company acquisition.
Infrastructure providers (email and account data only):
Supabase — database and authentication (SOC 2 Type II; US data center)
Resend — transactional email delivery
Vercel — application hosting and edge delivery
Stripe — payment processing (PCI-DSS Level 1; no card data stored by us)
Legal compulsion: We may disclose account-level data (email, subscription status) if required by valid legal process. Because we do not store health data, there is nothing health-related to disclose.
Right to access: request a copy of all data we hold about you
Right to deletion: request deletion of all server-side data within 30 days
Right to correction: request correction of inaccurate account data
Right to portability: request your data in machine-readable format
California residents have the right to know what personal information we collect, the right to delete it, the right to opt out of sale (we do not sell personal information), and the right not to be discriminated against for exercising these rights.
Our legal basis for processing your email address and account data is contract performance. You have the right to withdraw consent, restrict processing, and lodge a complaint with your supervisory authority.
Device-stored data persists until you reset your profile or clear your browser data. We have no copies.
Server-side data (email, subscription tier) is retained while your account is active and for 90 days after cancellation. To request earlier deletion, email privacy@stepsventures.com.
Helian is designed for adult men (18+). We do not knowingly collect personal information from anyone under 13. Users aged 13–17 may use the platform with parental consent and supervision.
All data in transit is encrypted via TLS 1.3. Server infrastructure (Supabase) maintains SOC 2 Type II compliance. Authentication uses email magic links or OAuth only — no passwords stored. Wearable OAuth tokens are stored encrypted and scoped to minimum required permissions.
We will notify subscribers by email at least 30 days before any material change that weakens the privacy protections described here. Minor clarifications may be made without advance notice.
Privacy questions or rights requests: privacy@stepsventures.com
Steps Ventures LLC · New York, NY
Response within 10 business days.