X-peptides sp. z o.o.
al. Solidarności 68/121, 00-240 Warszawa, Poland
VAT EU: PL5252989763 | KRS: 0001083484 | REGON: 527547101
E-mail: kontakt@x-peptides.com
§1 General Information
- This Privacy Policy applies to the website operating at www.x-peptides.com (hereinafter: the “Store” or “Website”).
- The Data Controller of your personal data is X-peptides sp. z o.o., al. Solidarności 68/121, 00-240 Warszawa, Poland (hereinafter: the “Controller”, “we”, or “us”).
- Contact e-mail for data protection matters: kontakt@x-peptides.com.
- Personal data is processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, hereinafter: “GDPR”) and applicable Polish data protection legislation.
- We respect the privacy of our users and are committed to protecting the personal data collected through the Website.
§2 Purposes and Legal Bases of Data Processing
We process personal data for the following purposes and on the following legal bases:
| Purpose | Types of Data | Legal Basis (GDPR) | Retention Period |
|---|---|---|---|
| Processing and fulfilling Orders (including preparation, packaging, and shipment of Products) | Name, address, e-mail, phone number, payment details, order details | Art. 6(1)(b) – performance of a contract | For the duration of the contract and the statutory limitation period (generally 6 years from the end of the year in which the obligation became due) |
| Customer Account management | Name, e-mail, login credentials, order history | Art. 6(1)(b) – performance of a contract | Until the Account is deleted by the user or terminated by the Controller |
| Handling complaints and warranty claims | Name, e-mail, address, order details, complaint details | Art. 6(1)(b) – performance of a contract; Art. 6(1)(c) – legal obligation | For the duration of the complaint procedure and applicable statutory limitation periods |
| Accounting and tax obligations | Name, address, NIP/VAT number, invoice details | Art. 6(1)(c) – legal obligation | 5 years from the end of the tax year in which the tax obligation arose |
| Marketing communications (e.g. promotional e-mails, if consent is given) | E-mail, name | Art. 6(1)(a) – consent | Until consent is withdrawn or no longer than 3 years from the last interaction |
| Website analytics and improvement (Google Analytics, Google Ads) | IP address (anonymised), browser data, pages visited, device information | Art. 6(1)(a) – consent (via cookie consent mechanism) | Up to 26 months (Google Analytics default); cookies expire per settings described in §8 |
| Establishing, asserting, or defending legal claims | All data relevant to the claim | Art. 6(1)(f) – legitimate interest of the Controller | For the duration of the statutory limitation period |
| Responding to enquiries (contact form or e-mail) | Name, e-mail, content of the message | Art. 6(1)(f) – legitimate interest (responding to enquiries); or Art. 6(1)(b) – pre-contractual steps | For the duration necessary to handle the enquiry, no longer than 12 months |
§3 Recipients of Personal Data
- Your personal data may be disclosed to the following categories of recipients where necessary to fulfil our contractual or legal obligations:
  - Hosting provider – LH.pl sp. z o.o. (data processing agreement in place);
  - Payment processors – ZEN.com (ZEN sp. z o.o.) and bank transfer intermediaries;
  - Courier and postal operators – DHL Express, DPD Polska, InPost, FedEx, UPS Polska, Poczta Polska, GLS Poland, Royal Mail, and other carriers used to deliver Orders;
  - Accounting and legal service providers – firms providing accounting, tax advisory, and legal services to the Controller;
  - Analytics providers – Google LLC (Google Analytics, Google Ads) – see §7 and §8 for details;
  - IT service providers – entities providing software, maintenance, and technical support.
- Each recipient processes personal data only to the extent necessary for the purpose of the relevant service, and is bound by appropriate data processing agreements or standard contractual clauses where applicable.
§4 International Data Transfers
- Some of our service providers (in particular Google LLC) are established in the United States. Data transfers to the United States are carried out on the basis of the EU–U.S. Data Privacy Framework, to which Google LLC has self-certified, ensuring an adequate level of data protection as recognised by the European Commission (Adequacy Decision of 10 July 2023).
- Where data is transferred to countries outside the European Economic Area (EEA) that do not benefit from an adequacy decision, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses adopted by the European Commission.
- You may request a copy of the safeguards in place by contacting us at kontakt@x-peptides.com.
§5 Your Rights
- Under the GDPR, you have the following rights with respect to your personal data:
  - Right of access (Art. 15) – you may request confirmation of whether your data is being processed and obtain a copy of it;
  - Right to rectification (Art. 16) – you may request correction of inaccurate or incomplete data;
  - Right to erasure (“right to be forgotten”) (Art. 17) – you may request deletion of your data where there is no longer a legal basis for processing;
  - Right to restriction of processing (Art. 18) – you may request that processing be limited in certain circumstances;
  - Right to data portability (Art. 20) – you may request to receive your data in a structured, commonly used, machine-readable format;
  - Right to object (Art. 21) – you may object to processing based on legitimate interest (Art. 6(1)(f)), including profiling. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests;
  - Right to withdraw consent (Art. 7(3)) – where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before the withdrawal.
- To exercise any of the above rights, please contact us at: kontakt@x-peptides.com. We will respond within 30 days of receiving your request.
- You have the right to lodge a complaint with a supervisory authority. The competent authority in Poland is the Prezes Urzędu Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, Poland (uodo.gov.pl). If you reside in another EU Member State, you may also contact your local data protection authority.
§6 Data Security
- The Website uses SSL/TLS encryption to protect data transmitted between the user’s browser and the server. All personal data entered on the Website (including login credentials, order details, and payment information) is encrypted in transit.
- We regularly update all software used for the processing of personal data, including server components, CMS, and plugins, to protect against known vulnerabilities.
- Access to personal data is limited to authorised personnel only, on a need-to-know basis.
- We maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Art. 32 of the GDPR.
§7 Analytics and Marketing Tools
- Google Analytics – we use Google Analytics, a web analytics service provided by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). Google Analytics uses cookies to analyse how users interact with the Website. The information generated by cookies is generally transmitted to and stored on a Google server in the United States. We use IP anonymisation (anonymizeIp), which means your IP address is truncated within the EEA before being sent to Google. Google processes data on our behalf under a data processing agreement. You may opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on. You may also manage your ad preferences at google.com/ads/preferences.
- Google Ads (Remarketing / Conversion Tracking) – we use Google Ads services to measure the effectiveness of our advertising campaigns and, where applicable, to display personalised advertisements to users who have previously visited our Website. These services use cookies and may process data such as your IP address, browser type, pages visited, and conversion events. You may opt out of personalised advertising via Google Ads Settings.
- Both Google Analytics and Google Ads cookies are set only after you provide consent via our cookie consent mechanism (cookie banner). Without your consent, no analytics or marketing cookies are placed on your device.
§8 Cookies
8.1 What Are Cookies?
Cookies are small text files stored on your device (computer, tablet, smartphone) by your web browser when you visit a website. They typically contain the name of the originating website, their storage duration, and a unique identifier.
8.2 Who Places Cookies?
Cookies are placed by the Website operator (first-party cookies) and, where you have given consent, by third-party service providers (in particular Google LLC).
8.3 Types of Cookies We Use
| Category | Purpose | Consent Required? | Duration |
|---|---|---|---|
| Strictly necessary | Essential for the operation of the Website (e.g. session management, shopping cart, cookie consent preferences) | No (exempt under Art. 5(3) ePrivacy Directive) | Session or up to 12 months |
| Functional | Remember user preferences (e.g. language, currency) | Yes | Up to 12 months |
| Analytics | Measure Website usage and performance (Google Analytics) | Yes | Up to 26 months |
| Marketing | Deliver relevant advertisements and measure campaign effectiveness (Google Ads) | Yes | Up to 13 months |
8.4 Managing Cookies
You can manage your cookie preferences at any time via our cookie consent banner (available by clicking the cookie settings link in the Website footer). You can also control cookies through your browser settings.
Please note that disabling cookies that are strictly necessary for the Website’s operation may impair or prevent its use.
§9 Hosting
- The Website is hosted by LH.pl sp. z o.o. (Poland). The hosting provider maintains server-level logs for technical reliability purposes. These logs may include:
  - URLs of requested resources (pages, files);
  - timestamps of requests and responses;
  - client identification via the HTTP protocol;
  - HTTP error information;
  - referring URL (if the user arrived via a link);
  - browser and device information;
  - IP address.
- Server logs are stored for technical and security purposes and are not used to identify individual users. Processing is based on Art. 6(1)(f) of the GDPR (legitimate interest – ensuring the security and proper functioning of the Website).
§10 Information Collected via Forms
- The Website collects information provided voluntarily by the user through forms, including personal data where provided.
- The Website may record connection parameters (timestamp, IP address) for security purposes.
- Data entered into forms is processed for the purpose arising from the function of the specific form (e.g. processing an order, handling a contact enquiry, registering an account). Each form clearly indicates its purpose.
§11 Automated Decision-Making and Profiling
- We may use automated tools (e.g. Google Ads remarketing) that involve profiling in order to display relevant advertising. This profiling does not produce legal effects or similarly significantly affect you.
- We do not use automated decision-making that produces legal effects or similarly significantly affects data subjects within the meaning of Art. 22 of the GDPR.
- You have the right to object to profiling for marketing purposes at any time (see §5).
§12 Changes to This Privacy Policy
- We reserve the right to amend this Privacy Policy to reflect changes in applicable law, our data processing practices, or the features of the Website.
- Any significant changes will be communicated via a notice on the Website. We encourage you to review this Privacy Policy periodically.
