1. Introduction
Peptide.best, Inc. ("Peptide.best," "we," "us") respects your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit peptide.best, create an account, place an order, sell as a vendor, or otherwise interact with our services (collectively, the "Services"). By using the Services you consent to the practices described here. If you don't agree, please don't use the Services.
2. Information we collect
2.1 Information you give us
- Account information. Email, password (hashed), name, optional phone number, optional date of birth (for age-restricted purchases).
- Shipping & billing addresses. Street, city, state/region, postal code, country.
- Payment information. Card numbers are tokenized by our PCI-compliant processors (Stripe, Adyen) and never stored on our systems. ACH details are tokenized by Plaid. Crypto wallet addresses are stored only as needed for refund processing.
- Order & transaction history. Products purchased, prices, dates, delivery confirmations.
- Reviews & communications. Reviews you submit, support messages, vendor messages.
- For vendors. Business legal name, EIN, banking details for payouts, government-issued ID of beneficial owners.
2.2 Information we collect automatically
- Device and browser data (IP address, user-agent, screen size, OS, language)
- Behavioral data (pages viewed, products clicked, time on site, referral source)
- Cookies and similar tracking – see our Cookie Policy
2.3 Information from third parties
- Identity verification services (Persona, Stripe Identity) for vendor onboarding
- Fraud-prevention services (Stripe Radar, Sift) for transaction screening
- Analytics aggregators (Google Analytics 4, Plausible) for traffic patterns
3. How we use your information
We use personal information to:
- Process and fulfill orders, including handing off shipping addresses to vendors and carriers
- Provide customer support, respond to inquiries, and resolve disputes
- Enforce verified-buyer review eligibility (we match user ID + product ID against delivered orders)
- Verify vendor legitimacy and prevent fraud
- Send transactional emails (order confirmations, shipping notifications, password resets)
- Send marketing emails (only if you opt in; you can unsubscribe at any time)
- Improve the Services through analytics
- Comply with legal obligations (tax reporting, law enforcement requests, etc.)
- Defend our legal interests in disputes
4. Legal bases (GDPR)
If you're in the EU/UK, we rely on:
- Contract. To deliver the services you've ordered.
- Legitimate interests. Fraud prevention, security, service improvement.
- Consent. Marketing emails, non-essential cookies, certain processing of sensitive data.
- Legal obligation. Tax records, regulatory compliance.
5. Sharing your information
We share personal information with:
- Vendors – limited to shipping address and order details needed for fulfillment. Vendors are contractually bound to use this only for fulfillment and to comply with applicable privacy law.
- Shipping carriers – USPS, UPS, FedEx, DHL – your address and contact info.
- Payment processors – Stripe, Adyen, Plaid, our crypto rails – limited to what they need to process the transaction.
- Service providers – cloud hosting (AWS), email (Postmark), customer support (Intercom), identity verification (Persona), analytics (GA4, Plausible). Contractually limited to providing services to us.
- Law enforcement & legal compliance – when required by valid legal process, such as a subpoena. We push back on overbroad requests and notify you where lawful to do so.
- Successors – if Peptide.best is acquired, your data may transfer subject to the same privacy commitments.
We do not sell personal information. We do not share data with advertising networks for cross-site behavioral advertising.
6. Cookies
See the Cookie Policy for detail. Briefly: we use essential cookies (cart, session, security), analytics cookies (Plausible by default, GA4 if you opt in), and no third-party advertising cookies.
7. Data security
We encrypt data in transit (TLS 1.3 minimum) and at rest (AES-256 for our database, KMS-managed keys). Account passwords are bcrypt-hashed. Payment card data is tokenized and never enters our systems. We segregate environments (production / staging / dev), enforce SSO + 2FA on internal access, log all admin actions, and conduct annual third-party penetration testing.
No system is perfectly secure. If we discover a breach affecting your personal information, we'll notify you within 72 hours of discovery, in line with GDPR and applicable state-law breach notification requirements.
8. Data retention
We retain:
- Account data for as long as your account is active, plus 24 months after closure for fraud-prevention purposes.
- Order data for 7 years (US tax / regulatory retention).
- Vendor data for the term of the vendor relationship plus 7 years.
- Analytics data for 26 months (Google default) or per session (Plausible).
- Support correspondence for 3 years.
You can request earlier deletion subject to legal-retention obligations – see Section 9.
9. Your rights
9.1 GDPR rights (EU/UK)
You have the right to: access your data, correct it, delete it, restrict processing, object to processing, port your data to another service, withdraw consent, and lodge a complaint with your supervisory authority.
9.2 CCPA / CPRA rights (California)
You have the right to: know what we collect, delete what we have, correct what we have, opt out of "sale" (we don't sell) or "sharing" (we don't share for cross-context advertising), and limit use of sensitive personal information. We won't discriminate against you for exercising these rights.
9.3 Other US states
Residents of Virginia, Colorado, Connecticut, Utah, and similar comprehensive-privacy-law states have analogous rights.
9.4 How to exercise
Email privacy@peptide.best with your request. We'll respond within 30 days. We may need to verify your identity before fulfilling. For deletion, we'll honor it within the constraints of legal-retention obligations and tell you what we're keeping and why.
10. International transfers
Peptide.best is based in the United States. If you're in the EU/UK, your data is transferred to the US under Standard Contractual Clauses (SCCs) and supplemental measures (encryption in transit/at rest, access controls, transparency reports).
11. Children
The Services are not directed to children under 18. We do not knowingly collect personal information from minors. If we learn we have collected such information, we will delete it.
12. Vendor-specific privacy
If you sell on Peptide.best, your business name and brand profile (including reviews) are public. Banking and identity-verification details are private and used only for payout processing and fraud prevention.
13. Do Not Track
Our website does not respond to DNT browser signals, because there's no industry consensus on what the signal means. We honor explicit cookie consent choices instead.
14. Changes to this policy
We may update this Privacy Policy. When we do, we'll change the "Last updated" date at the top, and for material changes we'll email registered account holders 30 days in advance. Continued use after the effective date constitutes acceptance.
15. Contact
Privacy questions: privacy@peptide.best
Data Protection Officer: dpo@peptide.best
Mailing address: Peptide.best, Inc., 401 Congress Ave, Suite 1500, Austin, TX 78701, USA
EU representative (under GDPR Article 27): designated upon EU expansion. Contact privacy@peptide.best for current designation.