Legal
Privacy Policy
Last updated: 29 June 2026
1. Who we are (Data Controller)
SPT Peptide Ltd is the data controller responsible for your personal data. You can contact our data protection lead at privacy@sptpeptide.co.uk.
Registered office and company number are shown on our Terms of Service page and on every invoice.
2. The personal data we collect
- Identity & contact data — name, email address, billing and delivery address, telephone number.
- Order data — products purchased, order value, order history, discount codes used.
- Payment data — handled directly by our payment processors (Shopify Payments, PayPal, and crypto gateways). We never see or store full card numbers.
- Account data — login email, hashed password, saved addresses, wishlist.
- Technical data — IP address, browser type, device identifiers, pages viewed, referring URL.
- Marketing preferences — your consent choices for email updates and cookies.
3. How we use your data and our lawful basis
- Fulfilling your order — processing payment, dispatch, returns. Lawful basis: contract.
- Account management & customer support — lawful basis: contract and legitimate interests.
- Tax, accounting and fraud prevention — lawful basis: legal obligation and legitimate interests.
- Marketing emails — sent only with your consent; you can unsubscribe at any time.
- Analytics & site improvement — only where you have accepted analytics cookies (consent).
4. Cookies
We use strictly necessary cookies to run the site and the cart. Analytics and marketing cookies are only set after you accept them via our cookie banner. You can change your choices any time by clicking Cookie preferences in the footer.
5. Who we share your data with
We share the minimum data needed with trusted processors who act on our instructions under written data-processing agreements:
- Shopify Inc. — ecommerce platform & payments.
- Royal Mail / DPD / DHL — order fulfilment and tracked delivery.
- Cloudflare — hosting, CDN and security.
- Email & support tools — transactional and marketing email delivery.
- Analytics providers — only where you've accepted analytics cookies.
We do not sell your personal data to third parties.
6. International transfers
Some of our processors are based outside the UK. Where data is transferred outside the UK, we rely on UK adequacy regulations, the International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses to ensure your data remains protected to UK standards.
7. How long we keep your data
- Order & invoice records — 6 years after the end of the relevant tax year (HMRC requirement).
- Account data — for as long as your account is open, plus a short period to handle disputes.
- Marketing data — until you withdraw consent or after 24 months of inactivity, whichever is sooner.
- Support enquiries — up to 24 months.
8. Your rights under UK GDPR
You have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request erasure ("right to be forgotten") where applicable.
- Restrict or object to processing.
- Data portability for data you provided to us.
- Withdraw consent at any time (without affecting prior processing).
- Not be subject to solely automated decisions with legal effect — we don't make any.
To exercise any right, email privacy@sptpeptide.co.uk. We respond within one month.
9. Security
We use HTTPS across the entire site, encrypted databases, scoped access controls, and PCI-DSS compliant payment processors. Despite our safeguards, no system is 100% secure; please use a strong, unique password for your account.
10. Children
Our products and website are strictly for adults aged 18+ working in a laboratory research context. We do not knowingly collect data from anyone under 18.
11. Complaints
If you're unhappy with how we've handled your data, please contact us first. You also have the right to complain to the UK Information Commissioner's Office (ICO): ico.org.uk · 0303 123 1113.
12. Changes to this policy
We may update this notice from time to time. Material changes will be announced on this page and, where appropriate, by email. The "last updated" date above always reflects the current version.
