Privacy Policy
Last updated: 2026-04-23
1. Overview
This policy explains how Peptides USA ("we", "us", "our") collects, uses, and discloses personal information when you visit our site or place an order. We handle your data in accordance with applicable US federal and state law, including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). We also honor the rights afforded by the EU General Data Protection Regulation (GDPR) where applicable to visitors in the European Economic Area.
2. Data We Collect
We collect the following categories of personal information:
- Account identifiers: email address and a securely hashed password when you create an account.
- Order details: shipping address (street, city, US state, ZIP), billing reference, items purchased, order total, and order status.
- Payment metadata: payment method, transaction reference, and success/failure state. We do not store full card numbers or bank account numbers on our servers; those are handled by our payment processors under PCI-DSS-compliant contracts.
- Support messages: content of messages you send through our contact form or customer support channels.
- Technical metadata: IP address (stored only as a salted one-way hash for abuse prevention), browser user-agent string, pages viewed, and timestamps.
3. How We Use Your Data
We use your personal information only for the following purposes:
- Processing and shipping orders, including state-restriction compliance screening.
- Account authentication, password reset, and session management.
- Transactional communications (order confirmation, shipping, payment, and support).
- Marketing communications you have opted into, with a one-click unsubscribe in every email (CAN-SPAM compliant).
- Fraud prevention, abuse detection, and rate limiting.
- Compliance with US federal and state law, including tax and record retention.
4. Third Parties We Share Data With
We share the minimum personal information necessary with the following service providers, each bound by a data-processing agreement or equivalent contractual control:
- Stripe, Inc. — payment processing (card transactions).
- NOWPayments — cryptocurrency payment processing.
- Resend — transactional email delivery.
- Cloudflare — DNS, TLS termination, and edge network protection.
- Umami Analytics (self-hosted) — privacy-friendly, cookie-free visit measurement. Umami does not set cookies and does not collect personal identifiers.
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We do not use Google Analytics.
5. Retention
Order records are retained for seven years from the order date in accordance with US accounting and tax retention requirements. Account records, support messages, and audit logs are retained for up to three years after account closure, after which they are anonymized or deleted. Newsletter subscription records are retained until unsubscribe, then anonymized.
6. Your Rights
If you are a California resident under CCPA or an EEA resident under GDPR, you have the right to:
- Know what personal information we hold about you.
- Access and receive a copy of that information in a portable format.
- Correct inaccurate information.
- Delete your personal information, subject to our retention obligations.
- Opt out of marketing communications at any time.
To exercise any of these rights, submit a request through our Privacy Request (DSR) form. We will respond within thirty days. You will not be discriminated against for exercising your rights.
7. Cookies and Tracking
We use a minimal set of first-party cookies strictly necessary for site operation — age gate verification, session management, cart persistence, and CSRF protection. We do not use advertising cookies. Our analytics provider (Umami) is cookie-free and complies with the ePrivacy Directive "anonymous measurement" exception; no consent banner is required.
8. Data Security
We maintain administrative, technical, and physical safeguards proportionate to the sensitivity of the data we handle. These include TLS encryption in transit, at-rest encryption of backups, salted password hashing (bcrypt), one-way hashed IP logging, role-based access control on administrative functions, and an append-only audit log for all data mutations. No system is perfectly secure, and we cannot guarantee the absolute security of your data.
9. Children
Our site is not directed to individuals under twenty-one years of age, and we do not knowingly collect personal information from anyone under thirteen. If you believe we have inadvertently collected information from a child, please contact us and we will delete it.
10. International Transfers
Our servers are located in the United States. If you access the site from outside the United States, your information will be transferred to, stored in, and processed in the United States. By using the site you consent to this transfer.
11. Changes to This Policy
We may update this policy from time to time. Material changes will be announced on this page and, where legally required, notified to registered account holders by email. Continued use of the site after a change constitutes acceptance of the revised policy.
12. Contact
Questions about this policy or a specific data practice may be directed to privacy@peptidesusa.com, or submitted via our Privacy Request (DSR) form.