Legal // Privacy
Privacy Policy
Last updated: February 2026Data Controller
The data controller is Toptimum Ltd, Griva Digeni 51, Athineon Court, Office 202, 8047 Paphos, Cyprus. Contact: info@peptidesdirect.io.
Data We Collect
We collect: (a) Account data - name, email address, password (hashed); (b) Order data - shipping/billing address, phone number, order history; (c) Payment data - payment method selected and transaction references (we do NOT store credit card numbers); (d) Technical data - IP address, browser type, device information, cookies; (e) Communication data - emails and contact form messages.
Purpose of Processing
We process your data to: fulfil orders and deliver products; process payments; communicate about your orders; provide customer support; comply with legal obligations (tax, accounting); improve our website and services; send order-related notifications.
Legal Basis (GDPR Art. 6)
Contract performance (Art. 6(1)(b)): processing orders, shipping, payments. Legal obligation (Art. 6(1)(c)): tax records, invoicing. Legitimate interest (Art. 6(1)(f)): fraud prevention, website improvement. Consent (Art. 6(1)(a)): marketing emails (only with explicit opt-in).
Data Retention
Account data is kept until you delete your account. Order data is retained for 10 years (legal requirement for tax/accounting). Technical logs are deleted after 90 days. Marketing consent records are kept for the duration of consent.
Your Rights (GDPR)
You have the right to: access your personal data (Art. 15); rectify inaccurate data (Art. 16); erase your data (Art. 17, "right to be forgotten"); restrict processing (Art. 18); data portability (Art. 20); object to processing (Art. 21); withdraw consent at any time (Art. 7(3)). To exercise these rights, email info@peptidesdirect.io. We respond within 30 days.
Data Security
We implement appropriate technical and organizational measures: encrypted data transmission (HTTPS/TLS); secure password hashing; access controls and authentication; regular security reviews. Despite our measures, no internet transmission is 100% secure.
Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU member state of your habitual residence. The competent authority in Cyprus is the Commissioner for Personal Data Protection (www.dataprotection.gov.cy).