Privacy Policy
Effective: 2026-05-16 · Last updated: 2026-05-16
1. Who we are
HEALTHPEPS LAB ("we", "us") operates the website at healthpepslab.com. We sell research reference compounds to resellers, clinics, and research institutions.
Data controller within the meaning of GDPR/DSGVO Art. 4(7): HEALTHPEPS LAB. Contact for privacy questions: healthpepslab@proton.me.
2. What we collect and why
2.1 Order data
When you place an order we collect:
- Email address (for order updates)
- Full name and shipping address
- Phone number (optional, for courier handoff)
- Solana transaction signature (on-chain reference for your payment)
- Order items and quantities
Legal basis: GDPR Art. 6(1)(b), contract performance. Without this data we cannot ship your order.
Storage: Encrypted in Redis (Upstash, EU region) via Vercel infrastructure. Retained for 10 years per German tax law (§ 147 AO), then deleted.
2.2 Functional cookies
Your cart contents are stored client-side in your browser's localStorage (browser storage, not a cookie). Admin (operator) sessions use a small HttpOnly cookie, which page scripts cannot read. Neither is used for analytics or tracking, and no consent is required for them under the EU ePrivacy Directive (strictly necessary).
2.3 Optional analytics + marketing cookies
If you click "Accept all" or enable Analytics / Marketing toggles in our cookie banner, we may load:
- Meta Pixel (Facebook + Instagram ads) — fires events such as "AddToCart" and "Purchase" back to Meta for ad targeting. Sends a hashed version of your email address together with the events you trigger. The hash is pseudonymous, not anonymous: Meta matches it against its own account holders, which is what makes the targeting work.
- Server-side Conversions API — same purpose, sent server-to-server when you complete an order. Hashed identifiers only.
Legal basis: GDPR Art. 6(1)(a) — explicit consent via our cookie banner. You can revoke anytime by clicking Cookie settings in the footer.
2.4 Server logs
Our hosting provider (Vercel) and our DNS/CDN provider (Cloudflare) automatically log every request: IP address, user agent, requested URL, and timestamp. Logs are retained for at most 30 days and used only for security and abuse detection.
Legal basis: GDPR Art. 6(1)(f) — legitimate interest in security.
3. Who we share data with
- Vercel Inc. (USA) — hosting. Data Processing Agreement in place; transfers under EU SCC.
- Cloudflare Inc. (USA) — DNS + CDN + DDoS protection. DPA + EU SCC.
- Upstash (Redis) (EU region) — order storage.
- Shipping carrier (DHL, DPD, or equivalent) — receives your name, shipping address and, if you provided one, your phone number for courier handoff. Nothing else.
- Meta Platforms Ireland Ltd. — only if you opted into marketing cookies. Receives hashed email + event payloads.
- Tax authority (Finanzamt) — receives invoice data on legal request only.
We do not sell your personal data. We do not share it for purposes beyond what's listed above.
4. Your rights (GDPR Art. 12–22)
You have the right to:
- Request access to all data we hold about you (Art. 15)
- Correct inaccurate data (Art. 16)
- Delete your data — "right to be forgotten" (Art. 17)
- Restrict processing (Art. 18)
- Export your data in a portable format (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time (cookie settings link in footer)
- File a complaint with your data protection authority (in Germany: the Landesdatenschutzbeauftragte of your federal state)
To exercise any right, email healthpepslab@proton.me from the address associated with your order. We respond within 30 days.
5. Cookie details
| Name | Type | Purpose | Lifetime |
|---|---|---|---|
| peps_admin | HttpOnly cookie | Admin session (operator login) | 24h |
| peps-cart | localStorage | Shopping cart contents | until cleared |
| peps-consent | localStorage | Your cookie preferences | 12 months |
| _fbp, fbevents | Cookie (Meta) | Marketing, only if consented | 90 days |
6. International transfers
Some service providers (Vercel, Cloudflare, Meta) are headquartered outside the EU. Transfers happen under EU Standard Contractual Clauses (SCC, Article 46 GDPR). Where the EU Commission has issued adequacy decisions (UK, Switzerland), those apply.
7. Changes to this policy
If we change anything material, we'll show a banner notification on your next visit. Past versions are kept for reference — email us if you want a copy.