Privacy Policy
The protection of your personal data is very important to us. We continuously analyse all of our personal data processing activities and ensure their compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the "GDPR"), as well as all applicable national data protection legislation in the EU/EEA Member State in which our company is established.
This Privacy Policy explains who we are, what personal data we process about you, why we process it, on what legal basis, for how long we keep it, with whom we share it, and what rights you have. It applies to all visitors and customers of our website peptidos.eu (the "Website" or "E-shop").
1. Who processes your personal data?
Your personal data is processed by the following controller: Peptidos.eu
(hereinafter "we", "us", "Peptidos" or the "Controller")
You can contact us at any time regarding this Privacy Policy or the processing of your personal data by email at support@peptidos.eu or by post at the address listed above.
2. For what purposes, on what legal basis and for how long do we process your personal data?
We process personal data only for the purposes described below. For each purpose, we explain the legal basis on which we rely and the period for which we keep your data. Where a retention period is expressed in years, it begins on 1 January of the calendar year following the year in which we started processing your personal data for that purpose.
Order and purchase of goods through the E-shop
When you order research peptides or laboratory equipment from us, we need to process the personal data you provide in the order, as well as any data you make available during our business relationship, in order to advise you on product selection, accept and process your order, apply discounts, deliver the goods, handle complaints and returns, and perform any related activities.
The legal basis for this processing is the performance of a contract to which you are a party, or pre-contractual steps taken at your request, under Art. 6(1)(b) GDPR. Your consent is not required. We retain this data for the duration of the contract and for 4 years after its termination, unless a longer limitation period for claims arising from it applies.
Customer account
You may place orders on the E-shop as a guest or via a customer account. If you create an account, we process the data you provided during registration and login, as well as data subsequently stored in the account (such as order history and saved addresses), so you can manage future orders.
The legal basis for this processing is the performance of a contract or pre-contractual measures, under Art. 6(1)(b) GDPR. We retain this data for the duration of the account's existence, or longer if mandatory legal provisions so require.
Direct marketing to existing customers
If you have purchased goods from us in the past, we may send you offers of similar goods from our portfolio that you may be interested in.
The legal basis for this processing is our legitimate interest in promoting similar products to existing customers, who may reasonably expect such communication, under Art. 6(1)(f) GDPR, in conjunction with Art. 13 of the ePrivacy Directive 2002/58/EC as transposed locally. You may object at any time, as explained in Section 4. We retain this data for the duration of the contractual relationship and for 2 years after its termination, or until you object, whichever comes first.
Newsletter and promotional communications
Where you are not (yet) our customer, or where the offered goods are not similar to those you previously purchased, we may send you news, special offers and promotional communications only if you have given us your consent.
The legal basis for this processing is your consent under Art. 6(1)(a) GDPR. You may withdraw your consent at any time, as explained in Section 4. We retain this data for the duration of your consent, but no longer than 2 years from the date consent was given, after which we may ask you to renew it.
Competitions, giveaways and promotional events
If you take part in a competition or promotional event organised by us, we process your personal data in order to enable your participation, evaluate the results, keep records of participants and winners, and deliver any prize.
The legal basis for this processing is your consent under Art. 6(1)(a) GDPR. We retain this data for the duration of your consent, but no longer than 2 years from the date consent was given.
Affiliate / partner programme
If we operate an affiliate programme and you reach our E-shop via an affiliate partner's link, we record the fact that the purchase originated from that partner so we can pay the agreed commission. We do not transfer your personal data to the affiliate; we only record the attribution internally for our own purposes.
The legal basis for this processing is our legitimate interest in operating a sales channel through partners, under Art. 6(1)(f) GDPR. We retain this data for 4 years, to allow possible enforcement of claims, unless a longer statutory period applies.
Suppliers and contractors
If you are our supplier or contractual partner (or a sole trader acting as such), we process the personal data necessary to negotiate, conclude and perform the contract and to enforce performance if needed.
The legal basis for this processing is the performance of a contract under Art. 6(1)(b) GDPR. We retain this data for the duration of the contract and for 4 years after its termination, unless a longer limitation period applies.
Contact persons of our partners
If you are merely a contact person, employee or representative of one of our contractual partners, we process the personal data needed to perform the contract in which you are listed as a contact.
The legal basis for this processing is our legitimate interest, and the legitimate interest of our partner, in the proper performance of the contract, under Art. 6(1)(f) GDPR. We retain this data for the duration of the contract and for 4 years after its termination.
Accounting
As an accounting entity, we keep accounts in accordance with applicable accounting legislation. Some of your personal data therefore appears in accounting records, such as incoming and outgoing invoices and payment records.
The legal basis for this processing is compliance with a legal obligation under Art. 6(1)(c) GDPR. We retain accounting records for 10 years from the end of the accounting period to which the document relates, or any longer period required by national law.
Tax obligations
We have obligations under applicable VAT and income tax legislation, which require processing of certain personal data.
The legal basis for this processing is compliance with a legal obligation under Art. 6(1)(c) GDPR. We retain this data according to the periods prescribed by tax legislation, typically 10 years.
Legal claims
We may process your personal data where it is necessary for the establishment, exercise or defence of legal claims, including monitoring compliance with applicable laws.
The legal basis for this processing is our legitimate interest in protecting our rights, or compliance with a legal obligation, under Art. 6(1)(f) and 6(1)(c) GDPR. We retain this data for the period during which the relevant claim or sanction may be enforced, typically until the relevant statute of limitations expires.
Records management and correspondence
We maintain records of incoming and outgoing correspondence and other administrative records in accordance with applicable archiving rules. These may contain your personal data if you are, for example, the addressee or sender of the correspondence.
The legal basis for this processing is compliance with a legal obligation, or our legitimate interest, under Art. 6(1)(c) and 6(1)(f) GDPR. We retain this data according to applicable retention rules, typically 3 years for ordinary correspondence.
Strictly necessary cookies
To ensure the technical functioning, security and proper loading of the Website, we use strictly necessary cookies, such as session cookies, cart cookies and security tokens. More information about cookies is available in our Cookie Policy.
The legal basis for this processing is our legitimate interest in operating a functional and secure Website under Art. 6(1)(f) GDPR. No consent is required for strictly necessary cookies under the ePrivacy rules. These cookies are typically retained for the duration of the browser session, or as set per cookie.
Analytics, preference and marketing cookies
To make the Website more useful and to better tailor content and advertising to you, we use analytics, preference and marketing cookies, including third-party tools such as Google Analytics, Meta/Facebook Pixel and advertising tags.
The legal basis for this processing is your consent under Art. 6(1)(a) GDPR, given via our cookie banner. You may withdraw or change your choice at any time. These cookies are retained according to their individual validity periods, no longer than 13 months from your visit. Details are available in our Cookie Policy.
Social media presence
We operate official pages, profiles or channels on platforms such as Facebook, Instagram, X (Twitter), TikTok, LinkedIn and YouTube. If you interact with us there by following, commenting, sharing, liking or sending messages, we process your personal data to manage and moderate those pages and to obtain anonymised insights.
The legal basis for this processing is our legitimate interest in maintaining a public-facing communications channel under Art. 6(1)(f) GDPR. The platform operator is a separate (joint or independent) controller for its own processing. We retain this data for as long as the page or your interaction exists, no longer than 5 years from the start of processing.
Statistics and reporting
We sometimes derive aggregated statistics from personal data we already hold lawfully, in order to evaluate our activities. The output is anonymised and cannot be attributed to a specific individual.
The legal basis for this processing is the compatible secondary purpose under Art. 6(4) GDPR, derived from the original lawful basis. We retain this data only until the statistics are produced; the resulting outputs are anonymous.
IT security
To protect our information systems, prevent and investigate security incidents, manage access, and otherwise administer IT, we may process technical data such as your IP address, login attempts and access logs.
The legal basis for this processing is our legitimate interest in protecting the security of our systems and your data, under Art. 6(1)(f) GDPR. We retain this data for the period necessary to follow up on the incident, no longer than 12 months.
Handling data subject requests and GDPR compliance
To handle queries, requests, complaints, security incidents and to demonstrate compliance with our obligations as a controller, we process the personal data necessary for those purposes.
The legal basis for this processing is compliance with a legal obligation under Art. 6(1)(c) GDPR. We retain this data for 5 years from the resolution of the request.
Age verification and Research-Use-Only declaration
Because all goods sold via peptidos.eu are classified as Research Use Only (RUO) and are not intended for human or animal consumption, we may process limited data confirming that you are an adult and that you are purchasing for legitimate research purposes.
The legal basis for this processing is compliance with a legal obligation and our legitimate interest in the lawful sale of RUO products, under Art. 6(1)(c) and 6(1)(f) GDPR. We retain this data for the duration of the customer relationship and for 4 years after its termination.
3. With whom do we share your personal data?
We protect your personal data and we do not sell it. We only share it where necessary, with the categories of recipients described below.
We share personal data with processors acting on our behalf, who process personal data on our instructions and under a written data processing agreement. These include hosting and cloud infrastructure providers, e-commerce platform and CMS providers, payment service providers (for card, SEPA bank transfer and cryptocurrency payments), shipping and logistics partners delivering your order across Europe, email, CRM and newsletter providers, analytics, advertising and customer-support tool providers, accounting, bookkeeping and invoicing providers, and IT, software and cybersecurity providers.
We may also share personal data with independent controllers, including auditors, lawyers, tax advisors and other regulated professionals, where we use their services. They are responsible for protecting your data under their own privacy notices. We share personal data with public authorities, courts and regulators where we are required to disclose data by law or by an enforceable order, and with banks and financial institutions for the purpose of receiving payments and processing refunds. Finally, we may share personal data with successors in interest in the event of a merger, acquisition, restructuring or sale of assets, in which case we will inform you in advance where required.
Transfers outside the EU/EEA
Some of our processors, for example certain analytics, advertising or hosting providers, may process your personal data outside the EU/EEA. Where this is the case, we ensure that an adequate level of protection is in place by relying on an adequacy decision of the European Commission for the recipient country, where one applies; the Standard Contractual Clauses (SCCs) adopted by the European Commission, supplemented where necessary by additional technical, organisational and contractual safeguards; or another lawful transfer mechanism under Chapter V GDPR. You may request a copy of the safeguards we use by contacting us at support@peptidos.eu.
4. What are your rights and how can you exercise them?
As a data subject, you have several rights under the GDPR, which you may exercise at any time by contacting us at support@peptidos.eu or by writing to our registered office.
You have the right of access under Art. 15 GDPR, meaning the right to obtain confirmation as to whether we process personal data concerning you, to access that data, and to receive basic information about the processing. The first copy is free of charge; for any further copies we may charge a reasonable fee based on administrative costs.
You have the right to rectification under Art. 16 GDPR, meaning the right to ask us to correct inaccurate personal data and to complete incomplete data without undue delay.
You have the right to erasure, also known as the "right to be forgotten", under Art. 17 GDPR. You may ask us to delete your personal data where it is no longer necessary for the purpose for which it was collected, where you withdraw your consent and there is no other legal ground for processing, where you object to processing and there are no overriding legitimate grounds, where the data has been unlawfully processed, where it must be erased to comply with a legal obligation, or where it was collected in connection with the offer of information society services to a child. We will assess your request and let you know whether any exception applies, for example where retention is necessary for legal claims or to comply with a legal obligation.
You have the right to restriction of processing under Art. 18 GDPR, meaning you may ask us to store your data but not otherwise process it where you contest its accuracy, where the processing is unlawful but you oppose erasure, where we no longer need the data but you need it for legal claims, or where you have objected to processing and we are verifying our overriding grounds.
You have the right to object under Art. 21 GDPR, on grounds relating to your particular situation, to processing based on our legitimate interests, including profiling. You always have the right to object to direct marketing, in which case we will stop processing your data for that purpose immediately.
You have the right to data portability under Art. 20 GDPR. Where processing is based on consent or on the performance of a contract and is carried out by automated means, you have the right to receive the personal data you provided to us in a structured, commonly used and machine-readable format, and to transmit it to another controller, where technically feasible.
You have the right to withdraw consent at any time under Art. 7(3) GDPR, where we process your data based on consent. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
You have the right not to be subject to automated decision-making under Art. 22 GDPR. We do not make decisions about you based solely on automated processing, including profiling, that produce legal or similarly significant effects.
Finally, you have the right to lodge a complaint with a supervisory authority under Art. 77 GDPR. If you believe that our processing of your personal data infringes the GDPR, you may lodge a complaint with the data protection authority of your habitual residence, place of work, or place of the alleged infringement.
We will respond to your request within one month of receipt. This period may be extended by up to two further months where necessary, taking into account the complexity and number of requests; we will inform you of any such extension within one month of your request.
5. Is the provision of your personal data voluntary or mandatory?
Where we process your personal data based on your consent, for example for the newsletter, non-essential cookies or competitions, provision is fully voluntary. Refusing consent or withdrawing it at a later date has no negative consequences for you, beyond the fact that we cannot provide the relevant service.
Where we process your personal data based on performance of a contract or compliance with a legal obligation, for example to process an order, issue an invoice or comply with tax law, the provision of certain personal data is necessary. If you do not provide it, we may be unable to conclude or perform the contract, or to comply with the relevant legal obligation.
Where we process your personal data based on strictly necessary cookies, refusing them may result in parts of the Website not working correctly.
In all other cases, refusing to provide personal data does not adversely affect you, but may make it harder for us to protect our legitimate interests as described in this Privacy Policy.
6. Security of personal data
We take appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing, accidental loss, destruction, damage or disclosure, including encryption in transit (HTTPS/TLS), access controls, logging, regular backups, and staff training. In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority and, where required, you, in accordance with Articles 33 and 34 GDPR.
7. Children
The Website and our products are intended exclusively for adult, professional and institutional customers. We do not knowingly process personal data of persons under the age of 18. If you believe that a minor has provided us with personal data, please contact us at support@peptidos.eu and we will take appropriate steps to delete it.
8. Changes to this Privacy Policy
We may update this Privacy Policy from time to time, for example to reflect changes in our processing activities or applicable law. The current version is always available on peptidos.eu. We will indicate the date of the latest update at the top of the document. Where the changes are substantial, we will notify you in advance through the Website or by email.
If you have any questions about this Privacy Policy or the processing of your personal data, please contact us at support@peptidos.eu.