GDPR policy
This policy explains how Nexus Peptides processes the personal data of individuals in the United Kingdom, the European Economic Area, and Switzerland under the UK GDPR, the EU GDPR, and the Data Protection Act 2018. It supplements our general Privacy Policy.
1. Scope
This GDPR policy applies to any individual located in the United Kingdom, the European Economic Area, or Switzerland who interacts with nexuspeptides.com. It supplements our general Privacy Policy and Cookie Policy and prevails to the extent of any conflict for individuals in these jurisdictions.
2. Data controller
Nexus Peptides is the data controller responsible for personal data collected through this site. Our contact address for data-protection matters is dpo@nexuspeptides.com. We do not currently meet the threshold requiring a designated Data Protection Officer, but the inbox is monitored by a senior team member with privacy responsibility.
3. Lawful bases for processing
Under Articles 6 and 9 of the UK GDPR / EU GDPR we rely on the following lawful bases:
- Performance of a contract (Art. 6(1)(b)) — to take orders, process payments, ship products, and provide customer support.
- Legitimate interests (Art. 6(1)(f)) — to verify researcher status, prevent fraud, secure our systems, and respond to enquiries. We balance these interests against your rights and freedoms; you can object at any time (see Section 6).
- Legal obligation (Art. 6(1)(c)) — to retain transactional records for tax, accounting, and regulatory purposes.
- Consent (Art. 6(1)(a)) — where you opt into optional communications. Consent is freely given, specific, informed, and can be withdrawn at any time.
4. Categories of personal data
The categories of personal data we process are:
- Identity and contact data — name, email, telephone, billing and shipping address.
- Transaction data — orders placed, dose variants, pricing, and the last four digits of payment cards.
- Account credentials — bcrypt-hashed passwords (the plaintext password is never stored).
- Technical and usage data — IP address, browser and device data, pages visited, session identifiers.
- Communications — the content of contact-form submissions, support emails, and complaints.
5. Recipients and international transfers
Personal data is shared only with processors who help us deliver the service — for example payment providers, shipping carriers, transactional-email providers, and infrastructure hosts. Each processor is bound by a Data Processing Agreement and processes data only on our documented instructions.
Where data is transferred outside the UK or EEA, we rely on adequacy decisions issued by the UK government or the European Commission, or — where no adequacy decision applies — on the Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, supplemented by additional technical and organisational measures.
6. Your rights under GDPR
You have the following rights, exercisable free of charge:
- Right of access (Art. 15) — obtain confirmation that we process your data and a copy of it.
- Right to rectification (Art. 16) — have inaccurate or incomplete data corrected.
- Right to erasure / "right to be forgotten" (Art. 17) — have your data deleted where there is no overriding legal basis to retain it.
- Right to restriction (Art. 18) — limit how we process your data while a dispute is being resolved.
- Right to data portability (Art. 20) — receive the data you provided to us in a structured, commonly-used, machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interests, including any direct marketing.
- Right not to be subject to automated decision-making (Art. 22) — we do not currently use solely automated decision-making with legal or similarly significant effects.
- Right to withdraw consent (Art. 7) — where processing is based on consent, you can withdraw it without affecting the lawfulness of processing before withdrawal.
- Right to lodge a complaint with a supervisory authority — see Section 9.
7. How to exercise your rights
Send a request to dpo@nexuspeptides.com from the email address associated with your account, with sufficient information for us to identify the relevant records. We will respond within one calendar month of receipt and may extend this by two further months for complex requests, in which case we will tell you why within the first month.
We may ask for additional information to verify your identity before disclosing data. If a request is manifestly unfounded or excessive we may charge a reasonable fee or refuse to act on it, and we will tell you our reasoning.
8. Retention
We keep personal data only for as long as necessary for the purposes for which it was collected. Account and order records are retained for up to seven years to satisfy UK / EU tax and accounting requirements. Contact-form submissions are retained for up to two years. Technical logs are retained for up to 90 days. When the retention period ends, data is either deleted or irreversibly anonymised.
9. Lodging a complaint
If you believe our processing of your personal data infringes the UK GDPR or EU GDPR you have the right to lodge a complaint with the supervisory authority in the country where you live, work, or where the alleged infringement took place. In the UK, this is the Information Commissioner's Office (ICO) — ico.org.uk. In the EU, you can find your national authority via the European Data Protection Board — edpb.europa.eu.
We would, of course, appreciate the chance to address your concerns first. Please contact dpo@nexuspeptides.com before approaching the regulator.
10. Children
Our site is intended for adult researchers only. We do not knowingly process personal data of anyone under the age of 18. If we become aware that such data has been collected we will delete it without delay.
11. Changes to this policy
We may update this policy from time to time. Material changes will be reflected by an updated "last updated" date at the top of this page, and significant changes will be communicated to registered users by email where appropriate.
12. Contact
Data-protection enquiries should be sent to dpo@nexuspeptides.com. General privacy questions can also be sent to research@nexuspeptides.com.