Legal · Version 1.1 · Last updated 2026-05-06 · Changelog

Privacy Policy.

Last updated: 2026-05-06. This page describes what personal data we collect, how we process it, and your rights under the GDPR. Need to act on those rights? Use the GDPR rights form or jump straight to Article 15 access, Article 17 erasure, or contact our Data Protection Officer.

1. Controller and contact

The controller of your personal data within the meaning of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) is TogoPeptide, the legal entity identified on the Imprint page. For any privacy-related request, contact info@togopeptide.com with subject line including “Privacy request”. We respond within the 30-day window required by article 12(3) GDPR.

1a. Data Protection Officer

TogoPeptide does not currently meet the GDPR article 37(1) thresholds that mandate the formal appointment of a Data Protection Officer. We have nevertheless designated a single privacy point-of-contact who acts as our internal DPO and handles every data-protection enquiry, data-subject request and supervisory-authority correspondence.

  • Role: Data Protection Officer (designated point of contact).
  • Email: info@togopeptide.com — subject line “DPO enquiry”.
  • Postal: TNF Business · Grotestraat 46 · 5431 DK Cuijk · Netherlands.
  • Response window: within the 30-day deadline of article 12(3) GDPR; for complex or numerous requests the deadline may be extended once by up to 60 days, in which case we tell you within the initial 30 days, in writing and with reasons.

If our processing scale changes and triggers a mandatory DPO appointment under article 37(1) GDPR, we will appoint a qualified DPO and publish their contact here.

2. Categories of personal data

We collect only the minimum data required to run the site and fulfil Orders:

  • Identity & contact: email address, optional name, shipping and billing address.
  • Transaction data: order reference, items, amounts, payment-provider reference (a token — we never receive or store card or account numbers).
  • Account data (optional): hashed password, email-verification status, account creation date, last login timestamp.
  • Usage data: pages visited, timestamps, scrubbed referrer/origin, coarse device/browser signals and security/rate-limit metadata. Analytics event URLs, referrers and props are scrubbed for email, phone, token, payment and order-reference patterns before storage or upload.
  • Communication data: support emails sent to us, with their content and attachments.
  • Marketing data: newsletter subscription status and opt-in timestamp, if applicable.
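The scrubbing step described for usage data above, written out as an added JavaScript example. This is not the site's own code: the regexes, the query-parameter denylist and the order-reference format (assumed here to be TP- followed by six digits) are illustrative assumptions. It scrubs strings, URLs (path, query values and fragment) and nested prop objects, leaving non-string values untouched.

```javascript
// Added example, not the site's code. Patterns and the order-reference format are assumptions.
const PATTERNS = [
  // e-mail addresses
  { name: 'email', re: /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi },
  // JWT-shaped tokens: three base64url segments joined by dots
  { name: 'token', re: /[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/g },
  // long opaque strings (API keys, session ids, reset or verification tokens)
  { name: 'token', re: /\b[A-Za-z0-9_-]{32,}\b/g },
  // 13-19 digit runs with optional spaces or dashes (card numbers); checked before phones
  { name: 'payment', re: /\b(?:\d[ -]?){12,18}\d\b/g },
  // phone-like runs of at least 9 digits with optional separators
  { name: 'phone', re: /(?:\+|00)?\d(?:[ ()-]*\d){8,}/g },
  // assumed order-reference format TP-######
  { name: 'order', re: /\bTP-\d{6}\b/g },
];

// Query parameters whose values are sensitive by construction are dropped outright (assumed list).
const DROP_PARAMS = new Set(['token', 'code', 'key', 'email', 'password', 'otp', 'session']);

// Replace every match of every pattern with a typed placeholder; order of PATTERNS matters.
function scrubString(value) {
  let out = String(value);
  for (const { name, re } of PATTERNS) out = out.replace(re, `[redacted:${name}]`);
  return out;
}

// Scrub an absolute URL: drop denylisted params, scrub the rest, scrub the decoded path,
// and strip credentials and fragment (fragments can carry tokens, e.g. access_token=...).
function scrubUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return scrubString(raw); }
  for (const key of [...url.searchParams.keys()]) {
    if (DROP_PARAMS.has(key.toLowerCase())) url.searchParams.delete(key);
  }
  for (const [key, value] of [...url.searchParams.entries()]) {
    url.searchParams.set(key, scrubString(value));
  }
  let path = url.pathname;
  try { path = decodeURIComponent(path); } catch { /* keep the encoded form */ }
  url.pathname = scrubString(path);
  url.hash = '';
  url.username = '';
  url.password = '';
  return url.toString();
}

// Walk props recursively; only strings are scrubbed, numbers/booleans/null pass through.
function scrubProps(value, depth = 0) {
  if (depth > 8) return '[redacted:depth]';
  if (typeof value === 'string') return scrubString(value);
  if (Array.isArray(value)) return value.map((v) => scrubProps(v, depth + 1));
  if (value && typeof value === 'object') {
    return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, scrubProps(v, depth + 1)]));
  }
  return value;
}

// Apply to one analytics event before it is stored or uploaded.
function scrubEvent(event) {
  return {
    ...event,
    url: event.url ? scrubUrl(event.url) : event.url,
    referrer: event.referrer ? scrubUrl(event.referrer) : event.referrer,
    props: event.props ? scrubProps(event.props) : event.props,
  };
}

// Constructed sample event for a stand-alone run.
const sampleEvent = scrubEvent({
  name: 'checkout',
  url: 'https://togopeptide.com/order/TP-123456/thanks?token=abcdef&email=john@example.com&utm_source=news#access_token=xyz',
  referrer: 'https://mail.example.com/?q=jane@example.com',
  props: { note: 'call +31612345678', nested: { ref: 'TP-654321' }, count: 3 },
});
console.log(JSON.stringify(sampleEvent, null, 2));
```

The patterns deliberately err towards over-redaction: any 13-19 digit run is treated as a card number and any 9+ digit run as a phone number, so numeric values such as timestamps should be sent as numbers (which pass through untouched) rather than as strings.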

We do not collect special categories of data (article 9 GDPR: health, biometric, political views, etc.) and we actively ask you not to share health information in support emails. If you do send such information voluntarily, we delete it from our communication history and do not process it further.

3. Purposes and legal bases

Each processing activity is tied to a specific GDPR legal basis:

  • Order fulfilment (contact, shipping, payment, dispatch notifications) — article 6(1)(b): contract performance.
  • Account management (sign-in, order history, password reset) — article 6(1)(b): contract performance.
  • Support responses — article 6(1)(b) or 6(1)(f): legitimate interest in responding to a request.
  • Fraud prevention and site security (IP logs, rate limits) — article 6(1)(f): legitimate interest in protecting users and operations.
  • Legal and fiscal obligations (order retention, VAT records) — article 6(1)(c): compliance with legal obligation (Dutch bookkeeping law, 7-year retention).
  • Newsletter — article 6(1)(a): consent, withdrawable any time via the unsubscribe link.
  • Analytics, when enabled by you — article 6(1)(a): consent via the cookie banner.

4. Third-party data processors

We use a minimal, audited set of processors. Each has a Data Processing Agreement (DPA) with us as required by article 28 GDPR:

  • Mollie B.V. (Amsterdam, NL) — payment processing. EU-regulated payment institution. Card data never touches our servers.
  • Resend, Inc. — transactional email delivery (order confirmations, account emails). Processes email content for the purpose of sending only.
  • Supabase, Inc. (project hosted in EU region) — order, customer and account record storage. Postgres database with encryption at rest and in transit.
  • Netlify, Inc. — static site hosting, serverless function execution and logs. EU edge caching where possible.
  • GitHub, Inc. — source code hosting (not customer data).

Where a processor is located outside the EU/EEA, transfers are covered by Standard Contractual Clauses (SCCs) and, where available, by additional safeguards. A list of current processors is updated here; a material change to the processor list will be communicated.

5. Retention periods

  • Order + invoice data: 7 years from the end of the financial year in which the Order was placed (Dutch fiscal retention obligation).
  • Account data: retained while the account is active; deleted within 60 days of a verified deletion request, subject to any overriding fiscal retention on linked Orders.
  • Support emails: up to 24 months from last communication.
  • Newsletter subscription: until you unsubscribe. Unsubscribe timestamp retained for audit.
  • Server access logs: up to 30 days.
  • Analytics events (consent-based): aggregated after 14 months; raw event rows deleted after 14 months.

6. Your rights under GDPR

You have the enforceable rights summarised below. The fastest channel is the GDPR rights form; alternatively use the dedicated mailto links per right. We may ask you to verify your identity before responding, to prevent unauthorised disclosure.

6.1 Right of access (Article 15)

You have the right to obtain confirmation of whether we process personal data about you and, if so, to receive a copy together with the supplementary information listed in article 15(1) GDPR (purposes, categories, recipients, retention periods, source if not collected from you, and existence of automated decision-making).

How to request: email info@togopeptide.com with subject “GDPR Article 15 Access Request”. Include the email address tied to your account or the Order reference. We respond within 30 days; the first copy is free.

6.2 Right to rectification (Article 16)

You have the right to obtain without undue delay the rectification of inaccurate personal data and the completion of incomplete personal data, including by means of a supplementary statement.

How to request: email info@togopeptide.com with subject “GDPR Article 16 Rectification Request”. State the field that is incorrect and the value it should be. Where the data is held by a processor (Mollie, Resend, Supabase, Netlify) we will forward the rectification under article 19 GDPR.

6.3 Right to erasure (Article 17)

You have the right to obtain the erasure of your personal data without undue delay where one of the grounds in article 17(1) GDPR applies (data no longer necessary, consent withdrawn, objection upheld, unlawful processing, legal obligation, or data of a child collected via art. 8(1)).

How to request: email info@togopeptide.com with subject “GDPR Article 17 Erasure Request”. We will erase data within 30 days, except where retention is required by Dutch fiscal law (7-year invoice retention) or to establish, exercise or defend legal claims under article 17(3) GDPR — in which case we will tell you which category remains and why.

6.4 Right to data portability (Article 20)

For data you have provided to us on the basis of consent or contract performance and which is processed by automated means, you have the right to receive that data in a structured, commonly-used and machine-readable format, and the right to transmit it to another controller without hindrance.

How to request: email info@togopeptide.com with subject “GDPR Article 20 Data Portability Request”. We export account, order and communication data as JSON (default) or CSV on request.

6.5 Right to object (Article 21)

You have the right to object, on grounds relating to your particular situation, to processing based on our legitimate interest under article 6(1)(f) GDPR — including profiling. Where you object we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims. Objection to direct-marketing processing is absolute.

How to request: email info@togopeptide.com with subject “GDPR Article 21 Objection”. State which processing activity you object to and the situation that grounds the objection.

7. Security measures

We apply appropriate technical and organisational measures (article 32 GDPR):

  • TLS 1.2+ for all traffic between your browser and the site.
  • Encryption at rest for the Supabase database.
  • Strict environment-variable separation for secrets; service-role keys only server-side.
  • Content Security Policy headers to limit XSS.
  • Admin writes protected by a signed-in email allowlist and server-side re-verification.
  • Principle of least privilege across processors and API keys.

8. International transfers

Your data stays within the EU/EEA where possible. When a processor is based outside the EU/EEA (e.g. Resend, Netlify, GitHub) we rely on the European Commission’s Standard Contractual Clauses (SCCs) and apply additional organisational safeguards. You may request a copy of the relevant transfer documentation for the processor concerned.

9. Data breach notification

In compliance with GDPR Articles 33 and 34, if a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we notify the Dutch Autoriteit Persoonsgegevens within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to your rights and freedoms, we will notify affected users directly and without undue delay, in clear and plain language, including the nature of the breach, the likely consequences, the measures taken or proposed, and the contact point for further information.

Operationally, breach handling follows our security policy and responsible-disclosure page together with the internal incident-response plan. To report a suspected breach or vulnerability, see /.well-known/security.txt or email security@togopeptide.com.

10. Children

The site is not directed to persons under 18. We do not knowingly collect data from minors. If you believe a minor has provided data, contact us and we will delete it.

11. Cookies

The site uses only strictly-necessary cookies by default (session, cart, consent record). Any analytics, marketing or preference cookies only load after you give explicit consent via the cookie banner. Full detail: Cookie Policy.

12. Changes to this policy

We may update this Privacy Policy. The current version is always authoritative and accessible from the Legal page. Material changes (new categories of data, new legal basis, new processors) will be flagged at the top of this page.

13. Version history

Past and current versions of this Privacy Policy. We keep a public changelog so you can verify what changed and when. The version listed at the top of this page is the binding one.

  • v1.1 — 2026-05-06 · current. Clarified data-protection officer contact channel, linked the new GDPR rights export form, added explicit references to the cookie-audit page and consent-log, added breach-notification cross-reference.
  • v1.0 — 2026-04-21 · first published version. Established controller, processors, retention, GDPR rights and cookie posture.