Privacy Policy

Effective Date: 15.10.2024

Introduction

Welcome to Beyond Peptides. We are committed to protecting your privacy and handling your personal data with care and transparency. This Privacy Policy explains what personal information we collect through our website beyond-peptides.com and how we use, share, and protect that information. It also outlines your rights under applicable data protection laws (including the EU General Data Protection Regulation, GDPR).

Important: Our website and services are intended exclusively for professional users and research institutions. The products offered are for research purposes only and not for human consumption. We do not knowingly offer our services or collect personal data from private consumers or anyone under 18 years of age. If you are a consumer seeking products for personal use, or a minor, please do not use this site.

We do not share your personal data with third parties for their own advertising or marketing purposes. We only collect and use personal data as needed to operate our site and fulfill your requests, in compliance with GDPR. Below you will find all relevant details of our data processing. Please read this policy carefully. If you have any questions, you can always contact us at the email provided in the Contact section.

Data Controller and Contact Information

The entity responsible for processing personal data on beyond-peptides.com (the “data controller”) is:

BP RESEARCH Sp. z o.o. (operating under the brand Beyond Peptides)

ul. Młyńska 16 (8th Floor)

61-730 Poznań, Poland

Managing Director (CEO): Jan Sebastian Hermann Menge

Contact Email: contact@beyond-peptides.com

If you have any questions about this Privacy Policy or wish to exercise your privacy rights, you can reach us at the above postal address or via email. We are happy to assist with any concerns regarding your personal data.

Personal Data We Collect and How We Use It

We collect personal data from you when you use our website, create an account, place an order, subscribe to our newsletter, or otherwise interact with us. We always process this data for specific purposes and on a legal basis permitted by GDPR (such as performing a contract with you, complying with our legal obligations, or based on your consent or our legitimate interests). Below we describe the categories of data and the purposes for which we use them:

We use your personal data for the following purposes:

  • Order Processing: To fulfill and deliver your orders, manage payments, and maintain records.
  • Verification: To confirm that you are a professional user or affiliated with a research institution.
  • Legal Compliance: To ensure that we do not sell to minors and comply with all regulatory requirements.
  • Customer Support: To respond to your inquiries, provide assistance, and improve our services.
  • Marketing Communications: To send you information about new products, services, or significant updates relevant to professional users (we do not spam).
  • Security: To protect our business and your account from fraud and other illegal activities.
  • Website Improvement: To analyze how users interact with our website to enhance functionality and user experience.

We collect the following categories of personal data:

  • Contact Information: Name, email address, and phone number when you create an account, subscribe to our newsletter, or contact us.
  • Order Information: Company name, shipping address, billing address, and purchase details necessary for order processing.
  • Professional Credentials: Verification information to confirm that you are a professional user or represent a research institution.
  • Communication Records: Emails, messages, and any correspondence exchanged between you and us.
  • Usage Data: Information about how you use our website and services.
  • Technical Data: IP address, browser type and version, time zone setting, browser plug-in types and versions, operating system, and platform.
  • Cookies and Tracking Data: Information collected through cookies and similar tracking technologies.

We do not sell or rent your personal data. However, we may share your information with trusted third parties to facilitate our services:

  • Service Providers:
    • GetResponse: For email marketing and storing email addresses and customer names.
    • UPS: For shipping services and order status notifications.
    • GoDaddy: For email hosting and storage.
    • Raidboxes: For website hosting services.
  • Legal Compliance: To comply with legal obligations, such as regulatory requirements for the distribution of research chemicals.
  • Verification Agencies: To confirm your professional status when necessary.

All third-party service providers are contractually obligated to protect your data and comply with GDPR.

1. Account Registration and Orders

When you register an account on our site or place an order, we collect the personal information necessary to provide our services. This includes:

Identification and Contact Details: Your full name, billing and shipping address, email address, and phone number. We may also collect your company or institution name if you provide it (since our site is for professionals).

Account Credentials: If you create an account, we collect the username or email and password you choose. (Passwords are stored in an encrypted form for security.)

Order Details: Records of the products you purchase (e.g. which peptides or research materials), the date and time of orders, selected shipping method, and any notes or instructions you provide. We also assign you an order number and track the status of your order (e.g. payment confirmed, shipped, delivered).

How we use this data: We use this information to create and manage your user account, process and fulfill your orders, and provide customer support. Specifically, your name and address are used for invoicing and to ship the product to you; your email and phone may be used to send order confirmations, updates or to contact you if there are issues (for example, if a product is out of stock or to arrange delivery). We also use your account information to enable login and secure access to order history (e.g. through our WooCommerce-based customer portal).

We restrict access to the site to professional users, but we currently rely on your acknowledgement of our terms. We may use your provided company/institution information to verify eligibility if needed and to tailor our communications (for example, addressing you by your professional title or organization in correspondence).

Legal basis: When you register and/or place an order, the primary legal basis for processing your data is to perform our contract with you (Art. 6(1)(b) GDPR). We need this data to fulfill our obligations — without it, we cannot process your purchase or deliver products. In addition, certain processing in this context may rely on our legitimate interests (Art. 6(1)(f) GDPR), such as: ensuring that only legitimate professional customers use our platform, preventing fraud and misuse of our services, and improving user account security. For example, we may monitor login activity or limit certain functions to maintain the integrity of our website.

We also have legal obligations related to orders (e.g. tax laws) that require us to process and retain transaction data (Art. 6(1)(c) GDPR — compliance with a legal obligation). See Data Retention below for how long we keep order records.

Note: Providing the personal data marked as required (such as name, address, email) is necessary if you wish to create an account or make a purchase. If you do not provide this required information, we will not be able to process your order or provide our services. Any optional information (such as company name) is voluntary and is used to better tailor our service or communications to you.

We do not use the information from your account or order for any purpose incompatible with the above (for instance, we do not share your order details with third parties for marketing). However, we will share some of your information with our service partners for payment and shipping, as detailed below, since these are essential parts of completing an order.

2. Payment Processing

When you make a payment for an order, we process certain information to handle the transaction. We support several payment methods: bank transfer, Bitcoin, and PayU (which includes options like credit card payments, Sofort bank transfer, etc.). The data processed varies by payment method:

Bank Transfer: If you choose to pay via direct bank/wire transfer, we will provide you our bank account details. When you initiate the transfer through your bank, we may receive personal data related to the payment. This typically includes the name of the account holder (as it appears on the transfer) and any reference or message you include with the payment. We use this information to match the payment to your order. We do not directly collect your bank account number or other financial details from our website, but such details may appear in our bank statements. We treat all such information confidentially and only use it for verifying and recording your payment.

Bitcoin (Cryptocurrency): If you opt to pay with Bitcoin, we will provide a wallet address for you to send the cryptocurrency. We do not collect personal identifiers for Bitcoin transactions. We will see the incoming payment’s public blockchain information (such as your wallet address and transaction ID). We use this to confirm that the correct amount has been received for your order. Unless you voluntarily provide additional information (for example, if you send a separate email about your crypto payment), the only data we have is the transaction confirmation. Bitcoin payments are handled peer-to-peer, so in most cases no third-party processor is involved beyond the blockchain network itself. We do not link the blockchain address to your personal identity beyond what is needed to confirm the order is paid.

PayU (Credit Card and Online Payments): If you choose to pay by credit card or other instant online payment methods, this will be handled by our payment service provider PayU. When you proceed to checkout and select PayU, you will be redirected to PayU’s secure payment platform (or an embedded secure form) to enter your payment details. This means your sensitive payment information (such as credit card number, cardholder name, expiration date, CVV code, or online banking login for Sofort) is collected directly by PayU, not by our website. We do not see or store your full credit card or banking credentials on our servers. After you complete the payment on PayU’s platform, PayU will notify us whether the payment was successful. The information we receive from PayU includes a confirmation of payment and details like the payment method used, an internal transaction ID, and possibly your name or email used in the PayU process if needed for reference. We use this information to update your order status to “paid” and to know that we can proceed with shipping your order.

Regardless of payment method, we use payment data only for processing your order and managing our financial records. This includes issuing an invoice/receipt, confirming payment, and handling refunds or cancellations if applicable. We retain records of payments as part of our accounting (see Data Retention).

Legal basis: Processing your payment information is necessary for performance of the purchase contract (Art. 6(1)(b) GDPR) — we cannot fulfill the order without payment. We also have a legal obligation to keep certain transaction records for financial reporting and tax compliance (Art. 6(1)(c) GDPR). In cases where we receive any fraud alerts or need to verify a payment, we may process data under our legitimate interest (Art. 6(1)(f) GDPR) in preventing fraud and ensuring secure payment processing.

Third-party involvement: PayU is a third-party payment processor (operated by PayU S.A. and affiliated companies). When you use PayU, your personal data necessary for payment (like credit card details, billing information) is processed by PayU under their own responsibility as well. PayU is PCI-DSS compliant and follows strict security standards. We recommend reviewing PayU’s Privacy Policy for details on how they handle your payment data. Similarly, if you use your bank or send Bitcoin, those transactions are facilitated by third-party networks (your bank, the cryptocurrency network) which have their own privacy and security protocols. We do not share your personal data with any payment provider beyond what is needed to complete the transaction, and we do not receive unnecessary financial information in return.

We do not store your credit card numbers or bank login credentials at any point. For card payments, all such data is handled by PayU on their secure systems.

3. Shipping and Delivery

To deliver your purchased products to you, we need to share certain personal data with our shipping partners. After your order is processed and ready to ship, we will provide the courier (delivery service) with the necessary details for transport:

Shipping Information: This includes the recipient’s name (the name you provided for delivery), the shipping address, and your contact information (usually phone number and/or email address). Couriers often require a contact number or email to send tracking updates or in case they need to arrange delivery (for example, if you’re unavailable or to schedule a drop-off).

We use several reputable logistics carriers depending on your location and the shipping option selected, including UPS, DHL, and GLS. We will choose the courier that best fits the destination country and service level for your order. We only share your data with the carrier responsible for delivering your specific order. Each of these companies will use your personal data solely for the purpose of transporting the package and performing delivery-related services (such as customs clearance if required, or notifying you of the delivery status).

For example, if your order is being shipped by DHL, we transmit your name and address to DHL’s system to generate a shipping label and customs documents (if applicable), and DHL will handle your data as needed to get the package to you. The courier may also send you tracking emails or SMS messages if contact information is provided, or they might call to confirm delivery details. These communications are part of the delivery process, not marketing.

Legal basis: The use and sharing of your data for shipping is necessary for performance of the contract (Art. 6(1)(b) GDPR). We are obligated to deliver the products you purchased, and using a third-party courier is essential to fulfill that obligation. If delivery is international, certain information might also be used to comply with legal obligations (Art. 6(1)(c)), such as customs declarations, which could require stating the recipient’s name and address on export/import forms.

We ensure that our shipping partners handle your data securely and in compliance with data protection laws. They have their own privacy commitments as part of their service. We do not permit carriers to use your data for any purpose other than delivering your order.

Data transfers (shipping outside EU): If you are ordering from outside the European Union, note that providing your address to a courier will involve transferring your personal data to the country of delivery, because the local delivery agents and customs authorities in your country will see that information. This is necessary to fulfill the contract you have entered (to deliver goods to you internationally). We describe our approach to international data transfers in a section below, but rest assured that we only send the minimum data required for the shipment, and such transfers are done lawfully.

We do not share your personal information with any other third parties during shipping. We do not give your address or contact to anyone except the chosen delivery service and, if required, governmental authorities like customs (only if legally mandated for cross-border shipments).

4. Newsletter and Marketing Emails

If you subscribe to our newsletter or opt in to receive promotional communications, we will collect and use your contact information to send you these updates. Typically, the data we use for this purpose is:

Email Address: The email you provide when signing up for the newsletter. This is required to send you the newsletter emails.

Name: Optional – in some cases we may ask for your first name or full name when you subscribe, so that we can personalize the emails (for example, addressing you by name in the newsletter). If you have an account with us, we might use the name from your account for personalization as well.

Preferences or Interests: (If you provided any information about your preferences – for instance, topics of interest – we would use that to tailor content. Currently, our signup typically only asks for your email, and possibly name, but not detailed preferences.)

We send newsletters only with your consent. You might give this consent by entering your email into a newsletter signup form on our website or by ticking a checkbox during account registration or checkout indicating you want to receive updates. We will not send you marketing emails unless you have actively opted in (or, in some cases, if you are an existing customer, we might send very limited product updates as allowed by law – but our primary approach is to rely on explicit consent).

What we send: Our newsletter aims to provide valuable insights and offers to professional researchers. For example, we may send educational content (like guides to peptides, research tips, updates on the legal status of peptides in various regions), information about new product releases or promotions (such as discount offers), and news about our company or industry events. We strive to ensure these emails are relevant and not too frequent. Typically, you’ll receive periodic emails (e.g. a few times a month or as announced on the signup form). We do not spam; our goal is to send content that our professional audience finds useful.

Use of GetResponse: We use a third-party email service provider called GetResponse to manage our newsletter subscribers and to send out emails. When you sign up for the newsletter, your email (and any other details you provided for this purpose) are stored in our account on GetResponse’s platform. GetResponse acts as a data processor on our behalf, meaning they handle your data only per our instructions and to provide the mailing service. They have robust security measures and are GDPR-compliant. We have a Data Processing Agreement in place with GetResponse to protect your information.

Tracking and analytics: GetResponse provides us with analytics about the newsletter performance. This means the emails we send through GetResponse may contain tracking technologies such as a small invisible image (often called a web beacon or tracking pixel) or trackable links. These allow us to see, for example, whether you open the email and which links within the email you click. This information is collected at an individual recipient level and reported to us. We use these insights to understand our audience’s engagement. For instance, knowing how many people opened a newsletter or which topics got the most clicks helps us refine our content for future newsletters (so we can send more of what appears interesting and less of what is not). It also helps us identify if our emails are being delivered properly or if people are ignoring them (which could indicate we need to adjust frequency or content). We may on occasion use this data to segment our mailing list (for example, to send a follow-up email to those who clicked a certain link, or to all who did not open an email, to remind them of an offer – however, any such segmentation is purely to improve relevance of our communications, and we do not profile you for any unrelated marketing or share this behavior data externally).

No third-party marketing: The analytics from GetResponse are used internally by Beyond Peptides. We do not share information about your email behavior (opens/clicks) with advertisers or other companies. It is solely to measure effectiveness of our newsletter. GetResponse itself does not use your email for their own purposes; they only facilitate our communication with you.

Legal basis: Sending you marketing emails is based on your consent (Art. 6(1)(a) GDPR). By subscribing, you give us permission to use your email for this purpose. You have the right to withdraw that consent at any time (see below for how to unsubscribe). In certain cases, if you are an existing customer, we might rely on our legitimate interest (Art. 6(1)(f) GDPR) to inform you about products similar to what you purchased, but we will always respect opt-out requests. Any tracking of email opens/clicks is done as part of our legitimate interest in understanding the effectiveness of our emails; however, since it is closely tied to the consented activity of receiving emails, we treat your acceptance of the newsletter as including consent to this light tracking. If you object to such tracking, you may unsubscribe from the newsletter. (Unfortunately, it’s not possible for us to send the newsletter individually without tracking to some users — the system typically applies to all emails uniformly.)

How to unsubscribe or withdraw consent: Every newsletter email we send will include an “Unsubscribe” link at the bottom. By clicking that link, you can automatically remove yourself from our mailing list. You may also unsubscribe or withdraw your consent at any time by contacting us at contact@beyond-peptides.com and letting us know you no longer wish to receive newsletters. Once you unsubscribe, we will stop sending you further marketing emails. (Please note it may take a few days to fully remove you from all mailing routines, but we endeavor to process opt-outs promptly.) Removing your email from the active mailing list will not affect any orders or other services; you can still use our site normally without receiving newsletters. We may retain your email in a suppression list or in our records to ensure we respect your unsubscribe request going forward.

5. Cookies and Similar Technologies

Our website uses cookies and similar tracking technologies to provide a smooth user experience and to comply with privacy preferences. Cookies are small text files stored on your device (computer, smartphone, etc.) by your web browser. They serve various functions, from keeping you logged in to remembering your preferences. Here is how we use cookies on beyond-peptides.com:

Essential Cookies: These cookies are necessary for the basic operation of our website and online store. For example, when you add items to your cart or log into your account, essential cookies keep track of that information as you navigate the site. We use essential cookies to maintain your session (so you don’t have to log in repeatedly during one visit), to remember the items in your shopping cart, and for security measures (such as to help prevent cross-site request forgery in forms). Without these cookies, features like the shopping cart or account login might not work properly. These cookies do not require consent under GDPR/ePrivacy rules, because they are strictly needed to provide the service you requested.

Preference and Functional Cookies: If applicable, these cookies allow our website to remember choices you make (such as language or region selection) and provide enhanced, more personalized features. At present, our site is primarily English and does not heavily use preference cookies beyond possibly remembering if you have dismissed certain notices or chosen a default shipping country. If any functional cookies are in use, they are also typically harmless and exist to improve your experience (for example, remembering that you are a professional user so we might not show a certain disclaimer every time). We will list these in our Cookie Policy if applicable. These may or may not require consent depending on their nature; however, we still give you control over them via our consent tool.

Analytics Cookies: These cookies help us understand how visitors use our site, which pages are popular, and how we can improve the site’s performance. For instance, an analytics cookie might track the number of visitors to a page or the flow of users through the checkout process. As of the latest update of this policy, we do not use Google Analytics or any similar third-party analytics service that would collect your personal data. If we implement analytics in the future, we will do so in a privacy-compliant manner (for example, using an EU-based analytics solution or anonymizing IP addresses) and will ask for your consent if required. Any such cookies would be used solely for our internal analysis of site usage and to improve our services; we would not use them to profile individual users or to share data with advertisers.

Advertising/Marketing Cookies: These cookies are used to track browsing habits and to show ads relevant to your interests on this site or others. We do not use advertising cookies or third-party ad trackers on beyond-peptides.com. We do not serve third-party ads, and we do not allow third-party advertisers to set cookies via our site. Therefore, you should not encounter any targeted advertising cookies from our site. (If this ever changes, we will update our policies and obtain your consent before enabling such cookies. But our business model does not rely on advertising; it’s based on direct product sales to professionals.)

Cookie Consent Management (CookieYes): To comply with GDPR and other privacy regulations, we have implemented a cookie consent tool provided by CookieYes. When you first visit our site, you will see a cookie banner explaining that we use cookies and asking for your preferences. CookieYes allows you to accept or decline non-essential cookies. It also provides a link to a detailed Cookie Policy (where you can learn more about each cookie and change your preferences later). Once you set your preferences, CookieYes will store a cookie on your browser to remember what you’ve consented to. This means on subsequent visits, you won’t be asked again unless we add new cookies or the consent cookie expires. The CookieYes consent cookie contains information about your selections (e.g. which categories of cookies you allowed or blocked) and typically lasts for a certain period (often around 6-12 months) unless you clear your browser cookies sooner. CookieYes may process some minimal data (like an anonymized identifier, and possibly your IP address at the moment of consent for logging) to record your consent decision. This is purely for compliance record-keeping and not used for any other purpose.

Managing Cookies: You have full control over non-essential cookies:

  • When the cookie banner appears, you can choose “Accept All” to allow all categories of cookies, or “Reject All”/“Decline” to refuse anything not strictly necessary. There may also be an option to customize your choices category by category (e.g. only allow analytics but not marketing, etc.).
  • If you later change your mind, you can adjust your cookie preferences at any time. There is a link to Cookie Settings (or similar) on our website (often in the footer or the Cookie Policy page) that re-opens the CookieYes preference center. By using that, you can modify which cookies are active.
  • Additionally, you can always control cookies through your browser settings. Most web browsers allow you to delete cookies or block cookies from specific sites. However, please note that blocking all cookies (especially the essential ones) might affect the functionality of our site (for example, you won’t be able to log in or add items to cart if certain necessary cookies are blocked).

Legal basis: For essential cookies, our use is based on our legitimate interest (Art. 6(1)(f) GDPR) in providing a functioning, secure, and user-friendly website. Deploying those cookies is necessary for the service you request (e.g., remembering your cart), so consent is not required for those. For non-essential cookies (like analytics), we rely on your consent (Art. 6(1)(a) GDPR). We will not set those cookies unless you have given consent via the cookie banner. If you consent and then later opt out, we will honor that choice.

Any information collected via cookies or similar technologies on our site is used only for the purposes stated. We treat cookie-derived data as we would other personal data: it’s associated with the above purposes (site functionality, analytics, etc.), and we do not share it with third parties for independent use. For instance, we are not passing your cookie data to advertising networks or data brokers.

For a detailed list of the specific cookies used on beyond-peptides.com, their purpose, and their lifespan, please see our Cookie Policy page. That page is kept updated (especially thanks to CookieYes automatically detecting and listing cookies in use) and will reflect any changes in our use of cookies.

6. Communications and Support Inquiries

If you contact us or interact with us outside of placing orders or newsletter sign-ups — for example, by sending us an email at our contact address (contact@beyond-peptides.com) or by filling out a contact/request form (if available on the site) — we will collect and process the information you voluntarily provide:

Contact Information: This could include your name, email address, phone number (if you included it in your signature or in a form field), or other contact details you provide so we can respond to you.

Message Content: Any personal data included in the content of your message or inquiry. For instance, if you ask a question about a product, you might include details about your research organization or the intended use of the product. If you request technical support or have an issue with an order, you might provide an order number or other details relevant to the issue.

We will use this information solely to respond to your inquiry and resolve any issues you raised. For example, if you ask a question about peptide handling, we’ll use your email to send you an answer and refer to your specific question details. If you have a problem with an order and email us, we’ll look up your order in our system and respond with a solution.

Legal basis: When you contact us, the processing of your personal data is generally based on our legitimate interest (Art. 6(1)(f) GDPR) in communicating with you, assisting you, and maintaining good customer relations. If your inquiry is about exercising your data rights or related to your contract with us (e.g. a refund request), the legal basis could also be compliance with a legal obligation (Art. 6(1)(c) GDPR) or performance of contract (Art. 6(1)(b) GDPR). In all cases, we consider it in both our interest and yours that we can read and reply to your messages appropriately.

We treat all communications as confidential. Only authorized personnel will access your message to respond. We will not use the information in your message for marketing purposes, nor add you to any mailing list without your consent (unless it directly pertains to a service you use, in which case see relevant sections above).

We will retain the correspondence for as long as necessary to address your issue and as required for our records. For example, if you make a complaint about a product and we resolve it, we might keep the email exchange on file in case it’s needed for legal reasons or quality assurance. Typically, routine inquiries are kept for a certain period (perhaps 1-2 years) and then deleted, unless they must be retained longer (e.g. a dispute or a transaction-related communication that we need to keep with the order records).

You have the same rights over communications data as with other personal data (see Your Rights below). If you wish us to delete an email thread and we have no legal need to keep it, you can request deletion.

Data Sharing and Disclosure to Third Parties

We handle your personal data with care and do not sell or rent it to any third parties for their own marketing use. We only share your data with third parties in the following circumstances:

1. Service Providers (Processors): We employ trusted third-party companies to perform certain functions on our behalf as described in sections above. These include:

Payment processing partners: such as PayU for online payments and our banking institutions for bank transfers. They receive transaction-related data (order number, amount, and your payment details) to process payments. For cryptocurrency, while there’s no traditional “processor,” the blockchain network processes the transaction.

Shipping companies: specifically UPS, DHL, or GLS (depending on the chosen method) to deliver your orders. They receive your name, address, and contact info for delivery purposes.

Email service (Newsletter) provider: GetResponse, which manages our email subscriptions and sends out newsletters on our behalf. They process your email address and any provided name for the purpose of sending emails and analyzing engagement.

Cookie consent management: CookieYes, which helps present and log your cookie preferences. It may momentarily process your IP and consent selections to ensure we honor your choices and comply with regulations.

Website hosting and IT: We host our website on servers provided by third-party hosting providers. In our case, our site is implemented by our web development partner (noted as CartCraft in our site footer) and hosted on a secure server. This means the hosting provider and possibly the web developer might technically have access to personal data stored in our website’s database or files (such as your account info or orders) when performing maintenance or support. They are bound by confidentiality and data protection agreements, and they will only access data if needed to fix issues or ensure the site runs properly.

All these third-party service providers act under our instructions and are contractually obligated (via Data Processing Agreements) to protect your data. They cannot use your information for anything other than the specific service they are providing to us. For example, DHL cannot decide to send you marketing just because they delivered a package to you, and GetResponse cannot use your email to contact you except as we direct for our newsletters.

2. Within our company: Within BP RESEARCH Sp. z o.o., your data will be accessed only by personnel who need it to perform their jobs. For instance, our order fulfillment team will handle shipping details, our finance team will handle payment records, and customer support will handle inquiries. All staff are trained on data protection and obligated to keep your data confidential.

3. Legal Requirements and Protection: We may disclose personal data if we are legally required to do so or if it is strictly necessary to protect our rights, comply with a judicial proceeding, court order, or legal process. For example:

• If a government authority (such as a tax office, customs, or a data protection authority) lawfully requires us to share certain records, we will comply after verifying the request.

• If we need to enforce our Terms and Conditions or any agreements (for instance, to address non-payment or misuse of our site), we might share data with our legal advisors or law enforcement.

• In the event of detecting fraud or security issues, we might share relevant data (like server logs or fraudulent order details) with law enforcement or cybersecurity consultants to investigate and prevent harm.

4. Business Transfers: This is unlikely, but for completeness – if in the future our company or website is involved in a merger, acquisition, or sale of assets, personal data might be transferred to the new owner or partner as part of that deal, under the condition that your rights continue to be protected. If that situation arises, we will inform users as required by law.

Outside of the cases listed above, we will not share your personal information with any third party. In particular:

• We do not share or sell email lists to other companies.

• We do not pass your data to third-party advertisers or social media platforms.

• We do not disclose information about your visits or purchases to anyone unrelated to processing your order.

In summary, third parties that get access to your data are limited to those providing essential services (payment, delivery, communications, IT hosting) and authorities under law. We ensure that any third party we work with is compliant with GDPR and values data security. If you want more details about the specific third parties we use, feel free to contact us.

International Data Transfers

We are based in Poland (European Union), and we primarily process personal data on servers located within the EU/European Economic Area (EEA). However, some of our data processing activities involve transfers to or access from outside the EU/EEA, either because you are located outside the EU or because some of our service providers have operations in other countries. Whenever we transfer your data internationally, we take steps to ensure an adequate level of protection.

Here are the scenarios of international data transfer and how we handle them:

Transfer to the United Kingdom (UK): Our cookie consent provider, CookieYes, is headquartered in the UK. The UK is no longer part of the EU, but it is considered a “third country with adequacy”. The European Commission has issued an adequacy decision for the UK, recognizing that UK law provides a level of data protection essentially equivalent to EU law. This means that personal data can flow from the EU to the UK freely, just as it does within the EU. Therefore, any data (like your consent log or associated IP for consent) that might be processed by CookieYes in the UK is protected under UK GDPR, and this transfer is permitted. We will monitor the status of the UK’s adequacy decision and, if it changes, will implement alternative safeguards as needed.

Other Non-EU Service Providers: The majority of our other key service providers are either in the EU or in countries with adequate protection or appropriate safeguards. For example, GetResponse (our newsletter service) is a company with a strong presence in the EU (it originated in Poland and has EU data centers), so your email data is likely stored in the EU. If GetResponse or any other provider (for example, if our hosting or another IT service has support teams or servers in the United States or another country without an adequacy decision) processes or accesses personal data outside the EEA, we will ensure that one of the GDPR-approved transfer mechanisms is in place. The typical safeguard we use is the European Commission’s Standard Contractual Clauses (SCCs), which are contractual commitments those providers make to protect EU personal data even outside the EU. These SCCs impose GDPR-level obligations on the recipient of the data. In some cases, providers might also rely on Binding Corporate Rules or other certification mechanisms if they are multinational companies. We carefully vet our providers and include the necessary clauses in our agreements with them to cover international transfers.

Your Location / International Shipping: If you are located outside the EU and engage with our site (for example, by creating an account or placing an order for delivery outside the EU), then by nature your data will cross international borders. For instance, if you order from Switzerland, your personal data will be processed in Poland (for order handling) and then forwarded to Switzerland’s postal or courier systems for delivery. Similarly, if you are in the United States, we will have your data on our EU servers but will need to send your name and address to, say, UPS in the US to complete delivery. These transfers are necessary for the performance of the contract between you and us (GDPR Art. 49(1)(b)), since we cannot otherwise deliver the service you requested. While GDPR allows such transfers when they are required for a contract with the data subject, we still ensure that any party (e.g. an international shipping carrier) handling the data is reputable and will use it only for the intended purpose. Shipping companies like UPS and DHL have global data protection policies and in many cases use standardized safeguards internally for data moving between their EU and non-EU branches. We provide the minimum data needed (usually just what’s on the shipping label and customs forms).

In all cases of international transfer, our goal is to ensure your personal data continues to have equivalent protection as it would inside the EU. We will not transfer your personal data to any country or international organization unless one of the following is true:

• The European Commission has decided that the country ensures an adequate level of protection (adequacy decision).

• Appropriate safeguards (such as SCCs or Binding Corporate Rules) are in place, and enforceable data subject rights and effective legal remedies are available for you.

• A specific derogation under Article 49 GDPR applies (such as the transfer being necessary for contract performance, as in the case of an international order you place).

You can contact us if you have questions about our international data transfer arrangements or if you want to obtain a copy of the relevant safeguards (e.g. SCCs) in place.

Data Retention: How Long We Keep Your Data

We keep your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable laws and regulations. The retention period can vary depending on the type of data and the purpose of processing. Here is an overview of our retention practices for different categories of data:

Account Information: If you register an account on our site, we will keep your account data for as long as your account remains active. You have the option to delete your account by contacting us (or via any self-service account deletion feature, if available). Upon your request, we will deactivate and/or delete your account credentials and personal details associated with the account. However, we may retain logs of past orders or other interactions linked to that account as needed for legal and legitimate business purposes (see Order data below). If an account is inactive for a very long period, we may reach out to confirm if you want to keep it. Unless you request deletion, we generally keep account information so that you can return and access your order history or use our service again without re-registering. We will periodically review accounts and may anonymize or remove those that are confirmed as no longer needed.

Order and Transaction Data: We are required by law to retain records of commercial transactions (including invoices, payments, and related customer details) for a certain minimum period for tax, audit, and accounting purposes. In Poland (where our company is based), financial and accounting records typically must be kept for 5 years counting from the end of the financial year in which the transaction occurred (this period may align with the statute of limitations for tax liabilities). To comply with these laws, we store your order details, invoice, and payment records in our secure system for at least that duration. This means if you place an order, the basic facts of that order (what you bought, what you paid, your billing/shipping details) will usually remain on file for up to 5-6 years. After the mandatory retention period, we will erase or anonymize personal data from those records if they are no longer needed for any legitimate purpose. (For example, we might keep anonymized sales statistics but remove personal identifiers.)

Additionally, even within the retention period, we limit access to older order data to only finance or legal personnel if it’s archived for compliance, rather than having it readily accessible on the live site. Rest assured, we do not use old order data for new marketing purposes without your consent.

Payment Information: As noted, we do not store sensitive payment details like card numbers. However, we do retain proof of payment (e.g. transaction IDs, amount, date/time, payer name from bank transfers) as part of the order record. Those details will be kept alongside order data as per above (primarily for financial record-keeping) and then deleted or anonymized after the retention period. If we receive documents for anti-fraud checks or similar, those are kept only as long as necessary to conclude the verification.

Newsletter Subscription Data: If you are on our mailing list, we will retain your email address and associated info until you unsubscribe or until we discontinue our newsletter service (whichever comes first). We regularly clean our mailing list to remove invalid addresses or those that consistently bounce. When you unsubscribe, you will be promptly removed from the active mailing list (so you stop receiving emails). However, we may keep your email on a suppression list indefinitely to ensure we remember not to send you emails, or as a record of your opt-out (this is a common practice to comply with anti-spam laws). Also, our email service (GetResponse) keeps logs of emails sent, opens, clicks, and unsubscribes. These logs may be retained for some time even after you unsubscribe, but they are for analysis and compliance and won’t be used to contact you. We will periodically delete or anonymize old email engagement data that is no longer needed. If you resubscribe later with the same email, the history of your previous subscription (if still retained) might be re-associated, but typically we treat it as a new subscription.

Cookie Data: Different cookies have different lifespans. For example, session cookies (used for things like keeping you logged in) expire as soon as you close your browser, while persistent cookies (like the CookieYes consent cookie or an analytics cookie) might last for several months or years unless you delete them. Our Cookie Policy provides specifics on each cookie’s duration. From our server side, any personal data from cookies (like IP addresses in logs or analytics data) is either not stored at all (in case of direct third-party cookies stored in your browser) or is stored in aggregate form. We do not maintain personal-level web tracking profiles over long periods. Raw web server logs, which include IP addresses and page requests, are typically kept for a short period (often 30 days to a few months maximum) for security monitoring and then automatically deleted or anonymized. Consent records (e.g., logs of when you gave consent via CookieYes) might be stored for a longer period (as evidence of compliance), potentially up to a couple of years, but those contain minimal data (typically just an ID, timestamp, and yes/no values, possibly IP at time of consent).

Contact Inquiries and Support: If you correspond with us via email or other means, we may keep those communications for our records. As a general rule, we might retain routine customer service emails for about 1-2 years in case you reach out again or reference a past interaction. If the communication is related to a dispute, warranty issue, or other matter that could have legal significance, we may retain it as long as necessary for establishment, exercise, or defense of legal claims (which, under statutory limitation periods, can be multiple years). We regularly review old communications and purge those that are no longer needed. If you want us to delete a particular email thread and we have no legal obligation to keep it, please let us know and we will accommodate.

After the applicable retention period ends, we will either securely delete or irreversibly anonymize your personal data. Anonymization means altering the data in such a way that it can no longer be linked to you (for example, we might keep sales statistics that say how many orders were from each country, but remove names/emails so that the stats contain no identifying information).

Keep in mind that backup systems might retain copies of data for a short additional time. We have processes to ensure that even in backups, data is eventually purged. We also ensure that any third parties we use also follow appropriate retention practices.

Automated Decision-Making and Profiling

In plain terms, we do not use your personal data to make any fully automated decisions that have legal or similarly significant effects on you. “Automated decision-making” means that a computer algorithm makes a decision about you without any human involvement, and “significant effects” could be things like decisions about creditworthiness, hiring, insurance, etc., which is not applicable to our context.

• We do not do any automated profiling that would categorize or evaluate you in a way that significantly affects you.

• All processes described (order processing, shipping, marketing emails) involve human oversight and simple business logic, but no AI or algorithm is deciding something like rejecting your order or adjusting prices specifically for you without human review.

• The only automated processes we have are those like sending an order confirmation email when you place an order, or recommending a shipping method based on your address, which are standard and do not negatively affect your rights.

Any personalization (like addressing you by name in an email, or showing you related products on the website) is based on your interactions and choices, not hidden profile-building. And none of these automated routines have a profound effect on you – they are meant for convenience and user experience.

If this ever changes and we introduce an automated decision system that could significantly affect individuals, we will update this policy and ensure all legal requirements (including the right to human review of decisions) are provided.

Your Rights Under GDPR

As a data subject under GDPR (for example, if you reside in the European Union or your data is otherwise processed in the context of EU law), you have a number of rights regarding your personal data. We respect and uphold these rights. Below is a summary of your principal rights:

Right to Access: You have the right to request confirmation if we are processing your personal data, and if so, to obtain a copy of the data we hold about you, as well as supplementary information about how we use it. This is often called a Data Subject Access Request. We will provide you with a copy of the personal data in our records, usually free of charge (except if requests are repetitive or excessive, in which case a reasonable fee may be charged as allowed by law).

Right to Rectification: If you believe that any personal data we have about you is incorrect or incomplete, you have the right to request that we correct or update it. For example, if you change your email address or if we have a misspelled name on file, you can ask us to fix it. We rely on you to provide accurate data, and we will gladly make corrections or additions to ensure accuracy.

Right to Erasure: This is also known as the “right to be forgotten.” You can ask us to delete your personal data in certain circumstances. For instance, if you created an account and you no longer want to use our services, you can request account deletion. We will erase data upon request if: the data is no longer necessary for the purpose it was collected; you originally consented and now withdraw consent (and we have no other legal basis to keep it); you object to processing based on legitimate interest and we have no overriding reason to continue; or if the data was processed unlawfully or must be erased to comply with a legal obligation. Please note that this right is not absolute – sometimes we must retain certain information (e.g. transaction records that we are legally required to keep). If that’s the case, we will inform you. We will, however, always comply with valid erasure requests to the fullest extent possible.

Right to Restrict Processing: You have the right to request that we limit the processing of your data in certain situations. This means we would store your data but not actively use it until the restriction is lifted. You might exercise this right if, for example, you contest the accuracy of the data (we would then pause processing until we verify accuracy), or if you object to our processing and we are considering that objection. Another example is if we no longer need the data but you need us to keep it for a legal claim. When processing is restricted, we will clearly mark the data and ensure it’s only processed for allowed reasons (like with your consent or for legal claims).

Right to Object: You have the right to object to certain types of processing. You can object to processing that is based on our legitimate interests (Art. 6(1)(f) GDPR) if you believe it impacts your rights and freedoms and you have a particular reason to object. In such a case, we will consider your objection and see if our interest in processing indeed outweighs your rights; if not, we will stop that processing. Importantly, you have an absolute right to object to direct marketing. This means if we were sending you marketing material under legitimate interest, you could tell us to stop and we would stop immediately. (As noted, we mainly send marketing emails based on consent, but if you receive any sort of direct marketing from us, you can opt out at any time.) To object, you simply need to contact us and explain which processing you’re objecting to. For example, you might object to us processing your data for internal analytics – we would then exclude your data from our analytics to the extent feasible.

Right to Data Portability: You have the right, in certain scenarios, to receive the personal data you have provided to us in a structured, commonly used, machine-readable format and have the right to transmit that data to another controller. This applies when the processing is based on your consent or on a contract with you, and the processing is carried out by automated means. For instance, you could ask us to export the data you provided in your profile and order history so that you can import it into another service. Where technically possible, you can also ask that we transfer the data directly to another company if you want. We will do our best to accommodate such requests in a secure manner.

Right to Withdraw Consent: If any part of our processing is based on your consent (e.g. receiving the newsletter, or accepting optional cookies), you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing that happened before the withdrawal. For example, if you gave consent to receive newsletters and later withdraw it, we will stop sending newsletters going forward, but it doesn’t change the fact that we validly sent emails while you had consented. We have explained how to withdraw consent for specific scenarios (like unsubscribing from emails or changing cookie settings) in the relevant sections above. You can always contact us for assistance in withdrawing any consent.

Right to Lodge a Complaint: If you believe we have not complied with data protection laws, you have the right to file a complaint with a data protection supervisory authority. You can do this in the EU member state where you live or work, or where you feel the infringement occurred. For instance, if you reside in Germany and have an issue with how we handled your data, you could complain to the German authorities. Our lead supervisory authority is in Poland, since that is where we are established. The Polish supervisory authority’s details are: President of the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO), Stawki 2, 00-193 Warsaw, Poland. However, you are free to contact any EU authority you prefer. They will coordinate to address the issue. We would appreciate it if you tried to resolve any concerns with us first, but you always have this right available.

To exercise any of your rights, please contact us via email at contact@beyond-peptides.com or via postal mail at the address provided in the Contact section. We may need to verify your identity to ensure we don’t disclose data to the wrong person (for example, we might ask you to confirm some details we have on file). We will respond to your request as soon as possible, and in any case within one month as required by GDPR (this can be extended by two further months for complex requests, but we will inform you if that’s the case). There is generally no fee for exercising your rights, unless requests are unfounded or excessive, in which case we might charge a reasonable fee or refuse the request (as allowed by law, but we will provide an explanation in such a case).

Your rights are very important to us. Our goal is to give you full control over your personal data. If you have any questions about your rights or how to exercise them, just ask!

Data Security

We understand that the security of your personal data is crucial. We take appropriate technical and organizational measures to safeguard the information we hold against unauthorized access, alteration, disclosure, or destruction. Some of the security steps we take include:

Encryption: Our website is protected by SSL/TLS encryption. You can verify this by the “https://” in our URL and the padlock icon in your browser address bar. This means that any data you send through forms on our website (such as during account registration or checkout) is encrypted in transit and cannot be easily intercepted by third parties. Likewise, communications with our payment gateway (PayU) are encrypted to protect your financial information.

Secure Infrastructure: We host our website on a secure server environment that uses firewalls and intrusion detection/prevention systems to guard against external attacks. We keep our software (including the WooCommerce platform and any plugins) up-to-date with security patches to minimize vulnerabilities. Administrative access to servers and databases is limited to authorized personnel and is protected by strong authentication methods.

Access Controls: Within our organization and for our data processors, access to personal data is granted on a need-to-know basis. Employees and contractors who handle data are bound by confidentiality agreements. We train our staff on data protection best practices. Sensitive actions (like viewing customer lists, exporting data) are restricted to staff with the appropriate roles.

Data Minimization: We collect only the data that we truly need for the stated purposes, which helps reduce risk. For example, we do not store credit card details, and we don’t ask for unnecessary personal information that could create additional risk if breached.

Pseudonymization and Encryption at Rest: For certain data, we use encryption at rest or pseudonymization. Passwords, for instance, are stored hashed (not in plain text) using strong one-way hashing algorithms. This means even in the unlikely event our database is compromised, your password remains protected. Other sensitive fields may be encrypted in the database as well.

Monitoring and Testing: We monitor our systems for possible vulnerabilities and attacks. We may perform periodic security audits and penetration tests through qualified third parties to identify and address potential weaknesses in our systems.

Data Breach Procedures: In the unfortunate event of a security breach that leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data, we have an incident response plan in place. We will promptly assess the scope and impact of the breach. If a breach is likely to result in a high risk to your rights and freedoms (for example, if it involves sensitive information or could lead to identity theft or fraud), we will notify you and the relevant supervisory authority (such as UODO in Poland) without undue delay, as required by GDPR (generally within 72 hours of becoming aware of the breach, for notifying authorities, and promptly for notifying individuals when required).

While we strive to protect your data, it’s important to note that no system can be 100% secure. The internet by its nature carries some risk. We encourage you as well to take precautions — for example, use a strong unique password for our site, do not share your account details, and notify us if you suspect any unauthorized access to your account.

If you have reason to believe that your interaction with us is no longer secure (for instance, if you feel your account has been compromised), please contact us immediately so we can investigate and take appropriate measures.

Changes to This Privacy Policy

We may update or revise this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. If we make changes, we will post the updated policy on this page and update the “Last Updated” date at the end of this policy.

For any significant changes that affect your rights or the way we use your data, we will take additional steps to notify you. This might include posting a notice on our website’s homepage or login area, or sending you a direct notification (e.g., by email) if you have an account or subscription with us.

Examples of significant changes could include: adding new data processing activities (like starting to use a new analytics service), changing how/why we use data, or transferring data to a new partner. Minor changes, such as clarifications or typographical corrections, will likely just be updated on the site without a specific announcement, but you can always see the effective date to know when it was last revised.

We encourage you to review this Privacy Policy periodically so that you are aware of any updates. Continuing to use our website after a new version of the policy is in effect will constitute your acknowledgment of the modified policy.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please do not hesitate to reach out to us. We value your feedback and rights.

Contact Information for Privacy Inquiries:

BP RESEARCH Sp. z o.o. (Beyond Peptides)

ul. Młyńska 16 (8th Floor)

61-730 Poznań, Poland

Email: contact@beyond-peptides.com

We will do our best to respond promptly and help resolve any issue or answer any question you may have about your data. Your privacy is important to us, and we are here to help.

Last updated: April 7, 2025

Who we are

Our website address is: https://beyond-peptides.com.

Comments

When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Cookies

If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select "Remember Me", your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Who we share your data with

If you request a password reset, your IP address will be included in the reset email.

How long we retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Where your data is sent

Visitor comments may be checked through an automated spam detection service.
