PRIVACY

What we keep. What we do not.

Effective date: May 12, 2026.
Last revised: May 12, 2026.

This Privacy Policy explains how PEPVERA (“PEPVERA,” “we,” “us”) collects, uses, shares, retains, and protects personal information of visitors and customers of pepvera.xyz and related subdomains (collectively, the “Service”). It also explains the rights you have under applicable privacy laws, including the California Consumer Privacy Act as amended by the CPRA (“CCPA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the UK Data Protection Act 2018, and the EU General Data Protection Regulation (“GDPR”).

PEPVERA operates a marketplace for research-grade peptides offered strictly for laboratory and research applications. See the Research-Only Disclaimer. Nothing in this Policy modifies or replaces that disclaimer.

1. Controller / contact

PEPVERA is the data controller (GDPR) and business (CCPA) for personal information processed through the Service. For privacy questions, requests, or complaints, email support@pepvera.xyz or write to the contact address listed in the Terms of Service.

2. Information we collect

We collect only what is necessary to operate the Service:

  • Identity and contact: name, email address, shipping address, optional phone number.
  • Account credentials: hashed password or wallet address used to sign in.
  • Transaction data: order line items, totals, refund history, wallet address used for settlement, NOWPayments transaction reference.
  • Compliance data: age-attestation result, research-use attestation, OFAC / OpenSanctions screening hash (name + country + city only).
  • Technical data: IP address, browser user-agent, device type, referrer, pages visited, timestamps, error traces.
  • Communications: support emails, shipping inquiries, refund tickets, opt-in marketing preferences.

We do not collect credit-card numbers (settlement is handled by our crypto payment processor), government-issued IDs, biometric data, health data, religion, race, sexual orientation, union membership, or precise geolocation.

3. How we use information

  • Fulfilling and shipping orders.
  • Screening shipping addresses against the OFAC Specially Designated Nationals list and the OpenSanctions consolidated list before an order is forwarded to a supplier.
  • Preventing fraud, abuse, chargeback, and laundering; protecting the Service and other users.
  • Sending transactional messages (order confirmation, tracking, refund, dispute).
  • Sending opt-in marketing only after explicit consent; honoring unsubscribe and global privacy-control signals immediately.
  • Aggregated, non-identifying analytics to understand which products and pages are used.
  • Complying with legal obligations (tax records, sanctions law, customs cooperation, court orders, valid subpoenas).

4. Legal bases (GDPR / UK GDPR)

  • Contract — processing necessary to fulfill the order you place with us.
  • Legal obligation — sanctions screening, tax retention, and law-enforcement cooperation.
  • Legitimate interest — fraud prevention, security, and service improvement, balanced against your rights.
  • Consent — opt-in marketing communications and any non-essential cookies. You may withdraw consent at any time without affecting prior processing.

5. Sharing & named recipients

We do not sell personal information and we do not share personal information for cross-context behavioral advertising. We do share the minimum required data with the following named service providers (acting as processors / sub-processors under written contracts):

  • NOWPayments — crypto payment processing (USDC on Base).
  • Resend — transactional email delivery.
  • Plausible Analytics — cookie-less, IP-anonymized site analytics.
  • Sentry — error monitoring and performance traces.
  • OpenSanctions — OFAC / sanctions screening API.
  • Mapbox — address autocomplete (when enabled).
  • Vercel and Railway — hosting and database infrastructure.
  • USPS, UPS, FedEx, DHL, and supplier-named carriers — shipment delivery and tracking.
  • Supplier of record for each order line — we forward the shipping name and address only to the specific supplier fulfilling that line.
  • Telegram — internal operator alerts (no customer data forwarded; alerts contain order IDs only).

We may also disclose information when required by law, to enforce our Terms of Service, to investigate fraud, or to protect the rights, property, or safety of PEPVERA, our customers, or others. In the event of a merger, acquisition, or sale of assets, customer data may transfer to the successor entity subject to this Policy.

SMS / mobile data: if you opt in to SMS updates, mobile phone numbers and consent records are not shared with or sold to third parties or affiliates for marketing or promotional purposes.

6. Cookies & tracking

We use only strictly-necessary cookies to operate the cart, session, and checkout. We do not run advertising trackers. Site analytics are collected via Plausible, which does not use cookies and does not identify individual users. We honor the Global Privacy Control (GPC) browser signal as a valid opt-out request for any future non-essential cookie or tracking technology we may add.

7. Data retention

  • Order records: retained for seven (7) years from the date of order, for tax and accounting compliance.
  • Sanctions-screening logs: retained for five (5) years from the date of order, as required for export-control audit.
  • Account data: retained until the account is deleted or until three (3) years of inactivity have elapsed, whichever is sooner.
  • Marketing data: retained until opt-out, then deleted within thirty (30) days.
  • Support tickets: retained for two (2) years.
  • Server logs / error traces: retained for ninety (90) days.

8. Security

All traffic to the Service is encrypted in transit (TLS 1.2+). Stored personal information is encrypted at rest. Access to production systems is limited to authorized personnel using multi-factor authentication. We never store credit-card numbers. If a breach is detected, we will notify affected users without undue delay and in any event within seventy-two (72) hours where required by law.

9. International transfers

We operate in the United States; data is processed in the United States and the European Union (depending on the processor). When personal information of EEA, UK, or Swiss residents is transferred to the United States, we rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, or an applicable adequacy decision, as the lawful transfer mechanism.

10. Your rights — US state privacy laws

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, or any other US state with a comprehensive privacy law, you have the right to:

  • Know / access the categories and specific pieces of personal information we hold about you.
  • Correct inaccurate personal information.
  • Delete personal information we hold about you, subject to legal retention exceptions.
  • Portability — receive a copy in a portable, machine-readable format.
  • Opt out of the “sale” or “sharing” of personal information. We do not sell personal information.
  • Non-discrimination — we will not deny service, charge a different price, or provide a different quality of service in retaliation for exercising any of these rights.
  • Authorized agent — you may use an authorized agent to make a request; we will verify the agent's authority before acting.

To exercise any of these rights, email support@pepvera.xyz. We will respond within forty-five (45) days, with a one-time extension of up to forty-five (45) days where reasonably necessary.

11. Your rights — EU / UK / Swiss residents (GDPR)

You have the rights of access, rectification, erasure, restriction of processing, data portability, objection to processing, and the right not to be subject to a decision based solely on automated processing. You also have the right to lodge a complaint with a supervisory authority in your member state. Email support@pepvera.xyz to exercise these rights.

12. Children

The Service is not directed to anyone under twenty-one (21) years of age and we do not knowingly collect personal information from children. If we learn that we have collected personal information from a person under thirteen (13), or under sixteen (16) without parental consent where required by local law, we will delete it promptly. See the Age Verification page.

13. Automated decision-making

Sanctions screening is partially automated: the OpenSanctions API returns a match score that may place an order on manual review. No order is denied by automation alone — a human operator reviews every flagged order before any final decision. You may request human review or contest the outcome by emailing support@pepvera.xyz.

14. Changes to this Policy

We may revise this Policy from time to time. The effective date at the top will change. Material changes will be communicated via banner notice or email to registered users. Continued use of the Service after a revision means you accept the updated Policy.

15. Contact

Privacy questions, deletion requests, data-export requests, or complaints: support@pepvera.xyz. Postal contact is available on request via that email.
