Privacy Policy

The short version, and who this applies to

PeptideXpo is the catalog-and-sourcing storefront operated by PeptideXpo from Shanghai, China. This policy describes what happens to the information you hand us when you browse peptidexpo.com or send a sourcing inquiry — nothing more. Our buyers are compounding pharmacies, research institutions, biotech and pharmaceutical R&D teams, medical-aesthetic and cosmetic brands, and licensed distributors; this is a B2B desk, not a consumer storefront.

In plain terms: we collect the minimum we need to quote your order, we don't sell it, and you can ask us to show, correct, or delete it. The detail below exists so the policy holds up under the General Data Protection Regulation (EU GDPR), the California Consumer Privacy Act (CCPA/CPRA), China's Personal Information Protection Law (PIPL), and comparable laws in the markets we ship to.

Roles, for the record: under the GDPR, PeptideXpo is the data controller for what you submit here; under the PIPL, PeptideXpo is the personal-information processor (handler).

What lands in our inbox, and what the servers log

We split the data we hold into two buckets: what you type into an inquiry, and what the infrastructure records automatically.

You give us directly, when you submit an inquiry or request a sample COA:

• Salutation and your first and last name
• A business email address
• Your company or organization name
• The country or region you operate in
• Your buyer type (compounding pharmacy, med-spa, research lab, biotech, distributor, other)
• The peptides you're interested in, with quantities and timing
• Anything else you choose to write in the free-text notes

The platform records automatically, for security and measurement:

• Routine server logs (IP address, user agent, referrer, request timestamp) kept by our host Vercel to fend off abuse
• Cookieless, privacy-preserving traffic counts (visits, page views, sources) via Vercel Analytics
• Aggregated, IP-anonymized engagement metrics via Google Analytics 4, carrying no PII

We do not knowingly gather special-category data — health, biometric, racial, political, religious, or sexual-orientation information — through this Site, and we ask that you not send it.

The legal footing we rely on (GDPR Article 6)

Each thing we do with your data rests on one of these lawful bases:

• Legitimate interest — fielding unsolicited B2B inquiries from prospective buyers and keeping ordinary business correspondence
• Contract — taking the pre-contractual steps you ask for, such as preparing a quotation, sending COAs, or scheduling a follow-up call
• Legitimate interest in running and improving the Site, backed only by IP-anonymized analytics — with separate, explicit consent for any marketing you opt into (newsletter, sample requests, and the like)
• Legal obligation — holding commercial records and tax invoices for the periods local law mandates

What we actually do with it

The information above is used to:

• Answer your sourcing inquiry, prepare a quotation, and send the technical packet (COA, HPLC chromatogram, MS spectrum, stability data, SDS)
• Run pre-contractual due diligence — buyer-type verification, sanctions screening, and, where it applies, regulatory-eligibility checks
• Keep you posted on your order: confirmations, shipping notifications, invoicing, and post-shipment follow-up
• Send the occasional sourcing-intelligence or regulatory briefing — only if you opted in
• Defend the Site against fraud, abuse, and unauthorized access
• Meet our own legal duties around export controls, customs declarations, and tax reporting
• Understand Site usage in aggregate (anonymized analytics only)

We never sell, rent, or trade your personal information to anyone for their own marketing.

The providers we trust with your data

A handful of vendors process this information on our behalf. Each is under a written data-processing agreement that requires confidentiality and security at least as strong as our own:

• Vercel Inc. (USA) — website hosting, edge CDN, and anonymous performance analytics
• Alibaba Cloud (Mail) — transactional email delivery for inquiry submissions over SMTP
• Cloudflare Inc. (USA) — DNS and edge DDoS protection
• Google LLC (USA) — Google Analytics 4, IP-anonymized, no PII passed (only aggregate traffic and key event names such as form submissions and outbound clicks)
• Mainstream email providers (e.g. Microsoft 365, Google Workspace) — used by our sales desk to receive and answer your inquiries
• International couriers (DHL, FedEx, UPS, TNT) — when shipping samples or commercial orders, limited to consignee name, address, and contact details
• Banks and payment processors — only for transactions you have agreed to
• Customs brokers and freight forwarders — only when a declared shipment requires it

There are no marketing-data brokers, ad-tech retargeting networks, or social-media tracking pixels on this Site.

When your data crosses borders

We're based in China and several of our processors sit in the United States and elsewhere, so your information will move across borders. Here's the legal cover for each leg:

• EU/EEA data heading to a non-adequate country — the European Commission's Standard Contractual Clauses (SCCs) plus supplementary safeguards consistent with the Schrems II ruling
• UK data — the UK International Data Transfer Addendum
• Personal information of PRC data subjects sent abroad — the PIPL Article 38 standard contract for cross-border transfer, with personal-information-impact assessments where required
• California consumer data — the CCPA doesn't bar cross-border transfer but does require disclosure, which this section provides

Want to see the underlying transfer agreements? Write to the contact in the closing section and we'll provide copies.

How long we hold on to it

We keep your data only as long as the purpose — or the law — requires:

• Inquiry correspondence — 3 years from your last contact, then archived a further 4 years for legal-defense purposes
• Commercial invoices and shipping records — 10 years (PRC accounting-law requirement)
• Server logs — 30 days, or as Vercel sets
• Marketing-consent records — until you withdraw consent, then 2 years as compliance evidence

Once a retention window closes, we securely delete or irreversibly anonymize the data.

What you can ask us to do with your data

Depending on which law covers you, you may hold some or all of these rights over your personal information:

• Access — confirm whether we hold your data and get a copy
• Rectification — correct anything inaccurate or incomplete
• Erasure (the right to be forgotten) — ask us to delete it, subject to our legal-retention duties
• Restriction or objection — limit how we use it
• Portability — receive your data in a structured, machine-readable format and have it sent to another controller
• Withdraw consent — for anything based on consent, at any time and at no penalty
• Freedom from solely automated decisions with significant effects — which we don't make anyway
• Complaint — to your local data-protection authority (your national DPA in the EU, the ICO in the UK, the CPPA in California, the CAC in mainland China)

To use any of these, email info@peptidexpo.com with the subject "Privacy Request" and tell us which right you want to exercise. We reply within 30 calendar days and may ask you to verify your identity first.

Marketing, cookies, and minors

Three smaller points, grouped together:

Marketing — beyond directly answering your inquiry, we email you sourcing intelligence, regulatory briefings, or new-SKU announcements only if you explicitly opted in. Every such email carries a one-click unsubscribe, honored within 5 business days.

Cookies — we run a deliberately minimal set of cookies and similar technologies; our Cookies Policy lists each one with its duration and how to manage it.

Minors — this Site is for qualified business buyers and is not aimed at anyone under 18. We don't knowingly collect data from minors; if you think one has reached us, tell us and we'll delete it.

How we secure it

Your information sits behind industry-standard safeguards:

• In transit — TLS 1.2 or higher on all traffic, with HSTS preload enabled
• At rest — end-to-end encrypted email transport with our providers and access-controlled storage at Vercel
• Access — least-privilege for our staff, with multi-factor authentication required on every administrative account
• Auditing — quarterly internal review of access logs and processor agreements
• Vendor diligence — written DPAs with every sub-processor and reasonable security assurances on file

No system is ever 100% secure. We work hard to protect your data but can't guarantee the impossible, so we suggest your own safeguards (encrypted email, secure file transfer) when sending sensitive commercial or regulatory documents.

If a breach happens

Should we discover a breach affecting your personal data, we notify the relevant supervisory authority within 72 hours where the law requires it (GDPR Article 33), and we tell you directly, without undue delay, whenever the breach is likely to put your rights and freedoms at high risk (GDPR Article 34, PIPL Article 57).

Getting in touch, and how this policy evolves

Questions, requests, or anything privacy-related:

• Privacy matters — info@peptidexpo.com, subject line "Privacy"
• General sales — info@peptidexpo.com
• By post — PeptideXpo, Shanghai, China
• EU/EEA residents may also contact their local data-protection authority directly

We may revise this policy as the law or our operations change. When we do, we update the Effective Date above and, for material changes, post a notice on the Site. Continuing to use the Site after that date means you accept the updated policy.