Origin Peptide.

Legal

Origin Peptide legal center.

Plain-language documents covering how we operate, ship, refund and protect your data. Updated regularly to reflect the law in our serving regions.

Last updated ยท January 15, 2026

Privacy Policy

We treat your data the way we treat our reagents โ€” clean, traceable, and never shared with anyone we wouldn't trust with our own work.

1. Data controller

The data controller is Origin Peptide Lab. Privacy contact: privacy@Origin Peptide.bio.

2. What we collect

  • Account: name, email, hashed password, country, role.
  • Orders: shipping address, items purchased, amounts, payment metadata (never card numbers).
  • Support: the messages you send us and conversation history.
  • Technical: IP, user-agent, referrer, audit logs (security purpose).
  • Optional analytics: only with your consent โ€” see Cookie Policy.

3. Why we use it (legal basis ยท GDPR Art. 6)

  • Performance of contract โ€” to fulfill your orders and shipping.
  • Legitimate interest โ€” security, fraud prevention, account abuse detection.
  • Legal obligation โ€” tax records, customs, regulatory compliance.
  • Consent โ€” analytics, marketing emails, optional newsletters.

4. Sub-processors

We rely on a short list of trusted vendors:

  • Stripe โ€” payment processing (PCI-DSS Level 1).
  • Resend โ€” transactional emails.
  • Vercel / AWS โ€” hosting and database (EU regions when possible).
  • Carriers โ€” DHL, FedEx, UPS for shipping fulfillment.

5. International transfers

Some sub-processors are located outside the EEA. In that case we rely on Standard Contractual Clauses (SCCs) and additional safeguards (encryption in transit and at rest).

6. Retention

  • Order & invoice data: 10 years (legal accounting requirement).
  • Account data: until you delete your account, then 90 days.
  • Audit & security logs: 13 months.
  • Marketing consent: until withdrawal.

7. Your rights

You have the right to access, rectify, delete, restrict, port, and object. Email us at privacy@Origin Peptide.bio. Response within 30 days. You can also lodge a complaint with your local data protection authority.

8. Security

Encrypted transport (TLS 1.3), database encryption at rest, bcrypt-hashed passwords (12 rounds), rate limiting, account lockout, and full audit logging on every admin action. See our public security architecture in Compliance.

9. Children

The Site is not directed at children under 21. We do not knowingly collect their data.

10. Updates

We will notify you of material changes by email at least 30 days before they take effect.