Privacy Policy
Last updated: 2026-04-21. This page describes what personal data we collect, how we process it, and your rights under the GDPR.
1. Controller and contact
The controller of your personal data within the meaning of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) is TogoPeptide, the legal entity identified on the Imprint page. For any privacy-related request, contact info@togopeptide.com with subject line including “Privacy request”. We respond within the 30-day window required by article 12(3) GDPR.
2. Categories of personal data
We collect only the minimum data required to run the site and fulfil Orders:
- Identity & contact: email address, optional name, shipping and billing address.
- Transaction data: order reference, items, amounts, payment-provider reference (a token — we never receive or store card or account numbers).
- Account data (optional): hashed password, email-verification status, account creation date, last login timestamp.
- Usage data: pages visited, timestamps, referrer, IP address (truncated where the analytics provider supports it), user-agent string.
- Communication data: support emails sent to us, with their content and attachments.
- Marketing data: newsletter subscription status and opt-in timestamp, if applicable.
We do not collect special categories of data (article 9 GDPR: health, biometric, political views, etc.) and we actively ask you not to share health information in support emails. If you do send such information voluntarily, we delete it from our communication history and do not process it further.
3. Purposes and legal bases
Each processing activity is tied to a specific GDPR legal basis:
- Order fulfilment (contact, shipping, payment, dispatch notifications) — article 6(1)(b): contract performance.
- Account management (sign-in, order history, password reset) — article 6(1)(b): contract performance.
- Support responses — article 6(1)(b) or 6(1)(f): legitimate interest in responding to a request.
- Fraud prevention and site security (IP logs, rate limits) — article 6(1)(f): legitimate interest in protecting users and operations.
- Legal and fiscal obligations (order retention, VAT records) — article 6(1)(c): compliance with legal obligation (Dutch bookkeeping law, 7-year retention).
- Newsletter — article 6(1)(a): consent, withdrawable any time via the unsubscribe link.
- Analytics, if later enabled — article 6(1)(a): consent via the cookie banner.
4. Third-party data processors
We use a minimal, audited set of processors. Each has a Data Processing Agreement (DPA) with us as required by article 28 GDPR:
- Mollie B.V. (Amsterdam, NL) — payment processing. EU-regulated payment institution. Card data never touches our servers.
- Resend, Inc. — transactional email delivery (order confirmations, account emails). Processes email content for the purpose of sending only.
- Supabase, Inc. (project hosted in EU region) — order, customer and account record storage. Postgres database with encryption at rest and in transit.
- Netlify, Inc. — static site hosting, serverless function execution and logs. EU edge caching where possible.
- GitHub, Inc. — source code hosting (not customer data).
Where a processor is located outside the EU/EEA, transfers are covered by Standard Contractual Clauses (SCCs) and, where available, by additional safeguards. A list of current processors is updated here; a material change to the processor list will be communicated.
5. Retention periods
- Order + invoice data: 7 years from the end of the financial year in which the Order was placed (Dutch fiscal retention obligation).
- Account data: retained while the account is active; deleted within 60 days of a verified deletion request, subject to any overriding fiscal retention on linked Orders.
- Support emails: up to 24 months from last communication.
- Newsletter subscription: until you unsubscribe. Unsubscribe timestamp retained for audit.
- Server access logs: up to 30 days.
- Marketing analytics events (when/if enabled): aggregated after 14 months; raw data deleted after 14 months.
6. Your rights under GDPR
You have the following enforceable rights, which you may exercise by emailing info@togopeptide.com with your Order reference or account email:
- Access (art. 15) — a copy of the personal data we process about you.
- Rectification (art. 16) — correction of inaccurate data.
- Erasure (art. 17) — deletion of your data, subject to legal retention obligations.
- Restriction of processing (art. 18).
- Data portability (art. 20) — your data in a structured, commonly-used format.
- Objection (art. 21) — including objection to processing based on legitimate interest.
- Withdrawal of consent (art. 7(3)) — for any consent-based processing (newsletter, analytics).
- Lodging a complaint with the Dutch data-protection authority Autoriteit Persoonsgegevens (AP) at autoriteitpersoonsgegevens.nl or with your local supervisory authority.
We may ask you to verify your identity before responding to a data-subject request to prevent unauthorised disclosure.
7. Security measures
We apply appropriate technical and organisational measures (article 32 GDPR):
- TLS 1.2+ for all traffic between your browser and the site.
- Encryption at rest for the Supabase database.
- Strict environment-variable separation for secrets; service-role keys only server-side.
- Content Security Policy headers to limit XSS.
- Admin writes protected by a signed-in email allowlist and server-side re-verification.
- Principle of least privilege across processors and API keys.
8. International transfers
Your data stays within the EU/EEA where possible. When a processor is based outside the EU/EEA (e.g. Resend, Netlify, GitHub) we rely on the European Commission’s Standard Contractual Clauses (SCCs) and apply additional organisational safeguards. You may request a copy of the relevant transfer documentation for the processor concerned.
9. Data breach notification
If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we notify the Autoriteit Persoonsgegevens within 72 hours as required by article 33 GDPR, and notify affected users without undue delay where article 34 GDPR requires.
10. Children
The site is not directed to persons under 18. We do not knowingly collect data from minors. If you believe a minor has provided data, contact us and we will delete it.
11. Cookies
The site uses only strictly-necessary cookies by default (session, cart, consent record). Any analytics, marketing or preference cookies only load after you give explicit consent via the cookie banner. Full detail: Cookie Policy.
12. Changes to this policy
We may update this Privacy Policy. The current version is always authoritative and accessible from the Legal page. Material changes (new categories of data, new legal basis, new processors) will be flagged at the top of this page.