Privacy Policy

Your privacy is fundamental to how Priolix works. We minimize data collection and never sell your information.

What We Collect

Priolix is designed to collect as little personal data as possible:

  • Chat queries: Questions you type into the AI chat are processed locally on our server using an open-weight language model (Qwen 3.6). The query text is not stored after the response is delivered.
  • Search queries: Search terms are processed in real time and not persisted.
  • API usage events: If you use the Priolix API with an API key, we log the request timestamp, your hashed key prefix, the route called, the HTTP status code, and the response latency (in milliseconds). We do not log the query text or response content. These events support quota enforcement and service reliability.
  • Server logs: Like all websites, our server logs IP addresses, browser user agents, and requested URLs for operational purposes (security, debugging, performance). These logs are retained for 30 days and then automatically deleted.
  • Cookies: Priolix sets only essential cookies (consent preference) and optional analytics cookies (Google Analytics, only if you consent). See our Cookie Policy for details.
  • No accounts: We do not require user accounts, email addresses, or any personal identification.

How We Process Your Data

All AI processing happens on our own server using an open-weight language model (Qwen 3.6). Your queries never leave our infrastructure. We do not send your data to third-party AI services (OpenAI, Google Cloud, AWS, etc.).

Chat responses are generated in real time and streamed directly to your browser. Once the response is delivered, the query and response are not stored in any database.

Blood Test Feature

Priolix offers a lab test analysis feature that uses AI to extract biomarker values from uploaded lab reports:

  • Image processing: When you upload a blood test or urinalysis (PDF or image), the file is sent securely to OpenAI's GPT-4o vision API for biomarker extraction. OpenAI processes the image temporarily and does not retain it to train their models (per OpenAI's enterprise privacy policy).
  • No image storage: Your original lab test images and PDFs are never stored on our servers or in our database. Processing happens entirely in transit and in memory.
  • Data persistence: The numerical biomarker values, ranges, and any medications you enter are stored securely in our database. This data is tied to an anonymous, randomly generated device ID cookie (priolix_device_id) that lives in your browser for 1 year. We do not link this data to your name, email, or identity because we do not collect that information.
  • Supplement logging: If you use the "I started this" button on supplement recommendations, those dates are also stored against your anonymous device ID so we can correlate them with your biomarker trends over time.
  • Cross-referencing: Extracted values are compared against our evidence database (published research) to provide insights.
  • Not medical advice: Results are for informational purposes only. Always consult a healthcare provider.

What We Do Not Do

  • We do not sell, rent, or share your personal data with third parties.
  • We do not use your queries or lab results to train AI models.
  • We do not track you across websites or use tracking pixels.
  • We do not serve targeted advertising.
  • We do not collect personally identifiable health information (PHI) like names, birthdates, or contact details.

Third-Party Services

Priolix uses the following third-party infrastructure and sub-processors:

  • OpenAI: Used strictly via API to extract text from lab test images (data is not used for model training).
  • Google Analytics: Only loaded if you explicitly accept the cookie banner. Used for aggregate traffic statistics.

Our clinical evidence data is sourced from public, non-personal datasets including the National Library of Medicine (PubMed / PMC), NIH Dietary Supplement Label Database (DSLD), DDInter, and ClinicalTrials.gov.

Data Retention

  • Server access logs: 30 days, then auto-deleted.
  • Chat queries: Not stored after response delivery.
  • Lab test images: Never stored; processed in transit only.
  • Lab test results & supplement logs: Stored against an anonymous device ID. Automatically deleted if your device is inactive for 1 year (365 days).
  • API usage events: Retained for quota enforcement; auto-pruned after 90 days.

You can manually wipe all your stored lab data immediately by clicking the "Delete My Data" buttons in the app.

Your Rights

Because we collect minimal data and do not create user profiles, most data protection rights are inherently satisfied. However, you have specific legal rights depending on your jurisdiction:

GDPR (European Economic Area)

Controller: Priolix, contactable at privacy@priolix.com.

Legal basis for processing:

  • Legitimate interest (Art. 6(1)(f)): Server log retention for security and operational stability.
  • Consent (Art. 6(1)(a)): Google Analytics cookies, if you accept them via the cookie banner.
  • Contract performance (Art. 6(1)(b)): Processing queries to deliver the service you request.

Your rights under GDPR (Art. 15–22):

  • Right of access (Art. 15): Request a copy of any personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate data.
  • Right to erasure (Art. 17): Request deletion of your personal data. Since we do not persistently store user data, most requests are fulfilled immediately.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interest.
  • Right to restrict processing (Art. 18): Request limitation of processing while a dispute is resolved.
  • Right to withdraw consent (Art. 7(3)): Withdraw analytics consent at any time by clearing the priolix_consent_v1 cookie or contacting us.

Complaints: You have the right to lodge a complaint with your local supervisory authority (e.g., CNIL in France, BfDI in Germany).

Data transfers: Priolix is hosted in the United States. If you are in the EEA, your data is transferred under the EU-U.S. Data Privacy Framework (if applicable) or Standard Contractual Clauses. Given the minimal nature of data we process, the risk is low.

UK GDPR (United Kingdom)

The UK GDPR mirrors the EU GDPR post-Brexit. The same rights listed above apply to UK residents. The UK supervisory authority is the Information Commissioner's Office (ICO). Data transfers from the UK to the US are governed by the UK Extension to the EU-U.S. Data Privacy Framework or UK International Data Transfer Agreement.

CCPA — California Consumer Privacy Act

California residents have the following rights under CCPA (Cal. Civ. Code § 1798.100 et seq.):

  • Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
  • Right to delete: Request deletion of personal information we have collected from you.
  • Right to opt out of sale: Priolix does not sell personal information. We have never sold personal information and will not sell it in the future.
  • Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.

Do Not Sell My Personal Information: Priolix does not sell personal information. No action is needed to opt out of sales. If you would like to confirm that your data is not being sold, or to exercise any other CCPA right, email privacy@priolix.com with "CCPA Request" in the subject line. We will respond within 45 days.

Shine-the-Light (Cal. Civ. Code § 1798.83): California residents may request information about how we share personal information with third parties for direct marketing purposes. We do not share personal information for direct marketing.

PIPEDA — Personal Information Protection and Electronic Documents Act (Canada)

Canadian residents are protected under PIPEDA. Your rights include:

  • Right of access: Request access to personal information we hold about you (PIPEDA Principle 9).
  • Right to correction: Request correction of inaccurate personal information.
  • Right to withdraw consent: Withdraw consent for data processing, subject to legal and contractual restrictions.
  • Complaints: File a complaint with the Office of the Privacy Commissioner of Canada.

To exercise PIPEDA rights, email privacy@priolix.com with "PIPEDA Request" in the subject line.

Security

All data in transit is encrypted via HTTPS/TLS 1.3. Our server is privately hosted and not on shared cloud infrastructure. We do not store personal health information, so the risk of sensitive data exposure is minimal.

Children's Privacy

Priolix is not directed at children under 16. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a child, contact us and we will promptly delete it.

Changes to This Policy

We may update this privacy policy from time to time. The "Last Updated" date below reflects the most recent revision. Continued use of Priolix after changes constitutes acceptance of the updated policy.

Last Updated: April 27, 2026