Privacy Policy
Last updated: March 2025
1. Introduction and data controller
AmpouLabs Ltd ("we", "our", "us") is committed to protecting your privacy. This policy explains how we collect, use, store, and safeguard your personal information when you use our website and services. We are the data controller in respect of the personal data we process for these purposes.
For data protection enquiries, contact us at info@ampoulabs.com.
2. Lawful basis and purposes of processing
We process personal data only where we have a lawful basis under UK GDPR. The main purposes and bases are:
- Order data (name, email, phone, addresses, order details): to perform our contract with you, prevent fraud, and meet legal obligations — lawful basis: contract (Art 6(1)(b)); legal obligation (Art 6(1)(c)) where applicable.
- Order status and tracking (order number and email lookup): to fulfil orders and provide customer service — lawful basis: contract (Art 6(1)(b)).
- Contact form and enquiries: to respond to your messages — lawful basis: legitimate interests (Art 6(1)(f)).
- Research updates / marketing (if you sign up): to send you updates about products and research materials — lawful basis: consent (Art 6(1)(a)); PECR applies to email marketing. Consent is not required to make a purchase.
- Technical and security: where we collect logs or similar data for security and troubleshooting — lawful basis: legitimate interests (Art 6(1)(f)).
3. Categories of personal data and sources
We may collect and process the following categories of data:
- Identity and contact: name, email address, phone number (e.g. at checkout or when you contact us).
- Address: shipping and billing address (provided at checkout).
- Order and transaction data: order number, items ordered, prices, payment method, order status.
- Communications: content of enquiries and order-related correspondence.
- Technical data: where relevant, IP address, browser type, device information, session identifiers, page/cart activity, referral parameters, and similar operational telemetry (e.g. for security, support, fraud checks, and admin monitoring).
- Marketing preferences: if you opt in to research updates or other marketing.
Source: All of the above are provided by you (e.g. when placing an order, using the Track Order feature, or contacting us) or generated from your interaction with our website (for example page views, cart changes, referral parameters, device/browser details, and server logs). We do not currently obtain your personal data from third parties; if we do in future, we will inform you and update this policy.
4. How we use your information
We use your personal information to:
- Process and fulfil your orders and send order confirmations
- Communicate order status, dispatch and delivery information
- Respond to enquiries and provide customer support
- Verify your identity when you use the Track Order feature (order number and email)
- Comply with legal and regulatory obligations (e.g. tax, fraud prevention)
- Monitor visitor activity, cart behaviour, and checkout issues so we can improve website performance, investigate operational problems, and support customers
- Improve our website and services (where based on legitimate interests)
- Send research updates or marketing only where you have given consent
5. Recipients and international transfers
We do not sell or rent your personal data. We may share your data with:
- Hosting and database provider: We use Supabase to store order and related data. Supabase may process data in the EU/EEA or other regions; where data is transferred outside the UK, we ensure appropriate safeguards (e.g. UK adequacy decisions, standard contractual clauses, or an International Data Transfer Agreement) are in place.
- Delivery carriers: We share name, address, and contact details with delivery partners (e.g. Royal Mail or courier services) to fulfil delivery.
- Payment: If you choose instant bank payment (open banking), our payment partner (Fena) processes the payment initiation in line with their privacy policy; we only share what is necessary to complete the transaction. If you choose cryptocurrency, the payment provider may process data under its own privacy policy; we only share what is necessary to complete the transaction.
All such recipients are bound by data protection agreements or equivalent obligations. We do not transfer your data outside the UK or EEA except as described above and with appropriate safeguards in place.
6. Data retention
We retain personal data only for as long as necessary for the purposes set out in this policy or as required by law. Our retention periods (or criteria) are:
- Orders and order-related data: Up to seven (7) years from the end of the financial year in which the transaction occurred, for legal, tax (HMRC), and dispute purposes, after which we anonymise or delete.
- Contact form and enquiries: Until the enquiry is resolved, then up to 12–24 months for record-keeping, unless a longer period is required by law.
- Research updates / marketing: Until you unsubscribe, plus a short period thereafter to maintain a suppression list and respect your preference.
- Track Order: Governed by order retention; we do not retain lookup data separately beyond what is in the order record.
- Visitor activity and cart telemetry: raw operational metadata such as IP address and user agent are retained for a shorter period (typically 30 days) where possible; session and event records used for operational monitoring and service improvement are retained for up to 90 days unless a longer period is required for fraud, security, or dispute handling.
After the retention period, we securely delete or anonymise your data so it can no longer identify you.
7. Your rights under UK GDPR
You have the following rights in relation to your personal data:
- Access: to receive a copy of the personal data we hold about you.
- Rectification: to have inaccurate data corrected.
- Erasure: to request deletion of your data in certain circumstances.
- Restriction: to request that we restrict processing in certain circumstances.
- Object: to object to processing based on legitimate interests; you have an absolute right to object to direct marketing at any time.
- Data portability: to receive your data in a structured, machine-readable format where the lawful basis is consent or contract.
- Withdraw consent: where processing is based on consent, you may withdraw it at any time; this does not affect the lawfulness of processing before withdrawal.
- Lodge a complaint: with the Information Commissioner's Office (ICO) at ico.org.uk, or with the supervisory authority in your country if outside the UK.
To exercise any of these rights, contact us at info@ampoulabs.com. We will respond without undue delay and in any event within one month. We may ask you to verify your identity before fulfilling a request.
9. Data security and breach notification
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. Data transmitted between your browser and our servers is encrypted using TLS. We do not store card payment details; payment is by instant bank payment (Fena) or cryptocurrency as described on our website.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO as required by law and, where appropriate, notify you without undue delay.
10. Children and policy updates
Our website and services are not directed at anyone under 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will delete it promptly.
We may update this privacy policy from time to time. The current version will always be on this page with a revised "Last updated" date. For material changes we may notify you by email or by a notice on the website. We encourage you to review this policy periodically.
11. Research updates and marketing
If you sign up to our research updates (e.g. via our newsletter or similar), we will use your email address only for that purpose and in accordance with this policy. You can unsubscribe at any time (e.g. via the link in our emails or by contacting us). Signing up is optional and is not required to make a purchase. Our processing for marketing is based on your consent and complies with the Privacy and Electronic Communications Regulations (PECR).
12. Contact
For privacy and data protection enquiries, contact us at info@ampoulabs.com. For general support, use info@ampoulabs.com.
AmpouLabs Ltd
For research and in vitro use only. Not for human use.
