
    Peptify UK — Legal Document

    Privacy Policy

    Last updated: 19 April 2026

    1. Who we are

    PEPTIFY LIMITED ("Peptify", "we", "us") is the data controller for personal data collected through peptifyuk.com. We are registered in England & Wales under company number 17021295 with registered office at 21 Harewood Drive, Ilford, England IG5 0PJ.

    This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and the rights you have under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

    2. Data we collect

    2.1 Information you provide directly

    • Account details: email address, password (hashed), optional full name.
    • Order details: shipping and billing address, phone number, products purchased, order notes.
    • Communications: contact form submissions, support emails, product-interest sign-ups, review submissions.
    • Marketing preferences: newsletter opt-in status, consent choices.

    2.2 Information collected automatically

    • Device & browser: IP address, browser type, operating system, screen size.
    • Usage: pages viewed, buttons clicked, time on page, referring URL, UTM parameters.
    • Cookies & similar technologies: see our Cookie Policy.

    2.3 Information we do NOT collect

    • Payment card numbers — handled entirely by our FCA-authorised payment providers (Open Banking and NOWPayments).
    • Health or sensitive data — we do not ask for it; do not submit it to us.

    3. How we use your data (legal bases)

    • To process your orders and deliver products — legal basis: contract.
    • To send transactional emails (order confirmations, shipping updates, password resets) — legal basis: contract.
    • To respond to enquiries and provide customer support — legal basis: legitimate interests.
    • To send marketing emails about new products and offers — legal basis: consent (opt-in at sign-up) or soft opt-in for existing customers for similar products only; you can unsubscribe in one click from any email.
    • To run analytics and improve the Site — legal basis: consent via the cookie banner; off by default.
    • To prevent fraud, debug the Site, and protect our systems — legal basis: legitimate interests.
    • To comply with legal obligations (tax records, regulatory requests) — legal basis: legal obligation.

    4. Processors & third parties we share data with

    We never sell your personal data. We share it only with the following service providers, strictly to deliver the Site and fulfil orders:

    • Supabase (EU region) — database, authentication, storage.
    • Cloudflare (global CDN) — hosting, DDoS protection, DNS.
    • Resend (US, SCCs) — transactional email delivery.
    • GoCardless (UK, FCA-authorised) — Open Banking bank payments.
    • NOWPayments (EU) — cryptocurrency payment processing.
    • ShipStation (US, SCCs) — shipping label generation and tracking.
    • Royal Mail (UK) — parcel delivery.
    • Google (US, SCCs) — Analytics 4, Tag Manager, Ads conversion tracking (only if you accept analytics cookies).
    • Meta Platforms (US/Ireland) — Pixel + Conversions API (only if you accept analytics cookies).
    • TikTok (EEA via TikTok Technology Ltd, Ireland) — Pixel + Events API (only if you accept analytics cookies).
    • Trustpilot (UK) — review collection.

    All processors are bound by data processing agreements that require them to process personal data only under our instructions and to implement appropriate security measures.

    5. International transfers

    Some of our processors are based in the United States or process data globally. Where personal data is transferred outside the UK, we rely on one of the following legal bases, chosen per recipient:

    • UK Extension to the EU-US Data Privacy Framework (the "UK-US Data Bridge"): for processors that are self-certified under the EU-US Data Privacy Framework (DPF) and have added the UK Extension. This covers transfers to Google LLC (Analytics, Tag Manager, Ads conversion tracking) and Meta Platforms, Inc. (Pixel, Conversions API), both of whom appear on the Data Privacy Framework List maintained by the US Department of Commerce.
    • UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses: for US-based processors not certified under the DPF. This applies to Resend, Inc. (transactional email) and Auctane (ShipStation) (shipping labels), where the addendum is either executed directly or is incorporated by reference via the provider's standard DPA.
    • Adequacy decisions: for transfers within the EEA or to countries the UK Government has formally recognised as providing adequate protection. This applies to Supabase (EU region) and TikTok Technology Limited (Ireland).

    In all cases we apply additional technical safeguards — TLS 1.3 encryption in transit, AES-256 encryption at rest, and data minimisation so that only the personal data strictly required for the relevant service is sent.

    6. Retention

    • Order records & tax invoices: 7 years (HMRC requirement).
    • Account data: until you delete your account or 3 years of inactivity, whichever is earlier.
    • Marketing opt-ins: until you unsubscribe; suppression list retained indefinitely to honour the unsubscribe.
    • Support emails: 24 months.
    • Analytics (GA4): 14 months.
    • Server & security logs: 90 days.

    7. Your rights under UK GDPR

    You have the right to:

    • Access — request a copy of the personal data we hold on you.
    • Rectification — ask us to correct inaccurate or incomplete data.
    • Erasure ("right to be forgotten") — request deletion where applicable.
    • Restriction — ask us to limit how we process your data.
    • Portability — receive your data in a machine-readable format.
    • Object — object to processing based on legitimate interests, including direct marketing.
    • Withdraw consent at any time (where we rely on consent) without affecting prior lawful processing.
    • Lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113.

    To exercise any of these rights, email [email protected] from the email address associated with your Peptify account. We will confirm receipt within 5 business days and respond in full within one calendar month. Where a request is complex or you have submitted multiple requests, we may extend by a further two months under UK GDPR Art. 12(3); we will tell you within the first month if we need the extension and why.

    Identity verification: to protect your account we may ask you to confirm identifying details (such as a recent order number) before we disclose personal data. If we cannot verify you as the data subject we will refuse the request and tell you why.

    Manifestly unfounded or excessive requests: we may charge a reasonable admin fee or refuse to act on requests that are clearly unfounded or repetitive, as permitted by UK GDPR Art. 12(5). If we do, we will tell you.

    8. Security

    We apply industry-standard technical and organisational measures including: TLS 1.3 encryption in transit, AES-256 encryption at rest, row-level security on all database tables, server-side verification of payment webhook signatures, rate limiting on authentication and sensitive endpoints, least-privilege access to production systems, and automatic purging of logs after 90 days. No system is 100% secure; we strongly recommend you use a unique password and do not reuse it elsewhere.

    9. Children

    The Site is not directed to individuals under 18 years of age. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided data to us, email [email protected] and we will delete it.

    10. Automated decision-making

    We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects.

    11. Changes to this policy

    We may update this Privacy Policy from time to time. The "Last updated" date above reflects the current version. Material changes will be notified by email (to registered users) and via a banner on the Site.

    12. Contact

    Data protection queries: [email protected]
    Post: PEPTIFY LIMITED, 21 Harewood Drive, Ilford, England IG5 0PJ.

    Questions about this document? Email [email protected].

    PEPTIFY LIMITED · Company No. 17021295 · Registered Office: 21 Harewood Drive, Ilford, England IG5 0PJ · Incorporated 9 February 2026 · SIC 47990.
