Privacy Policy.

Effective {{EFFECTIVE_DATE}} · {{COMPANY_LEGAL_NAME}}

Contents

1. Scope
2. What we collect
3. Why we collect it
4. Who we share with
5. Sub-processors
6. How long we keep it
7. Your rights
8. Security
9. International transfers
10. Children
11. Changes to this policy
12. Contact

This policy explains how {{COMPANY_LEGAL_NAME}} (“{{COMPANY_SHORT_NAME}},” “we,” or “us”) collects, uses, and shares information when you use our software at peptideclients.com, app.peptideclients.com, docs.peptideclients.com, and any related services (collectively, the “Service”).

We try to be plain about this. If something isn’t clear, write us at {{PRIVACY_EMAIL}}.

1. Scope

This policy covers two roles {{COMPANY_SHORT_NAME}} plays:

  • Controller — for the small amount of information we collect about you as a user of our Service (account email, billing details, support correspondence).
  • Processor — for the operational data you put into the Service about your own customers, orders, inventory, and so on. That data belongs to you. We process it on your instructions, governed by our Terms and, where applicable, our Data Processing Addendum.

2. What we collect

2.1 Information you give us

Account information
Email address and password. We never see or store your plaintext password; Supabase Auth stores only a salted hash of it. Display name, organization name, and store name if you provide them.
Billing information
If we begin charging for the Service, we’ll process card details through a PCI-DSS Level 1 payment processor (Stripe). We never store full card numbers ourselves.
Operational data
Whatever your team enters into the Service: client records, orders, shipping addresses, notes, messages, and so on. We don’t use this to train models, advertise, or sell to anyone — ever. See Section 3.
Support correspondence
Messages you send to {{SUPPORT_EMAIL}} or via in-product chat (if applicable).

2.2 Information we collect automatically

Audit log
For every operational change you make in the Service, we record who did it, when, and what changed. This is for your security, not ours; you can review the log inside the app.
Authentication events
Sign-in attempts, sign-out, password resets — recorded by Supabase Auth for fraud detection.
Server logs
IP address, browser type, page URL, timestamps. Retained 30 days for operational debugging.
Product analytics
If we add product analytics later, we'll update this section before it goes live, and we won't use third-party trackers that share data with advertising networks.

2.3 What we don’t collect

  • We don’t use third-party advertising trackers.
  • We don’t sell, lease, or rent personal data to anyone.
  • We don’t fingerprint you or build a behavioral profile across sites.

3. Why we collect it

Each category is collected for a specific, narrow purpose:

  • Account information — to let you sign in, identify your organization, and contact you about your account.
  • Billing information — to charge you for the Service and meet our tax/accounting obligations.
  • Operational data — to provide the Service to you. We don’t look at it except (a) when you ask us to (e.g., debugging a support ticket), or (b) when legally compelled to.
  • Audit log + server logs — to keep the Service secure, debug issues, and let you review what your own team has done.

4. Who we share with

We share data only in the following narrow circumstances:

  • Sub-processors we use to operate the Service. See the list in Section 5.
  • Your authorized users — the people in your organization you’ve granted access to.
  • Legal compulsion — if served with a valid subpoena, court order, or equivalent. When legally permitted, we’ll notify you first so you can challenge the request.
  • Successor in interest — in the event of a merger, acquisition, or sale of {{COMPANY_LEGAL_NAME}}, your data may transfer to the successor, who will be bound by this policy (or one no less protective) and notify you in advance.

We do not share with advertising networks, data brokers, or any third party for marketing purposes.

5. Sub-processors

We rely on a short list of vendors to operate the Service. They’re each bound by data-protection agreements consistent with this policy.

Supabase
Database, authentication, file storage, and serverless functions. Data resides in AWS us-west-1. supabase.com/privacy
Netlify
Static hosting and CDN for the marketing, docs, and app sites. netlify.com/privacy
Resend
Transactional email delivery — account confirmation, password resets, proposal and invoice notifications to your clients, and internal notifications to your team. resend.com/legal/privacy-policy
Stripe
Subscription billing and payment processing. Card details are entered directly into Stripe’s PCI-DSS Level 1 environment; we never see or store full card numbers. stripe.com/privacy

We will update this list at least 14 days before adding a new sub-processor that has access to your operational data. To be notified of changes to this list, email {{PRIVACY_EMAIL}} and ask to be added to the notification list.

6. How long we keep it

  • Operational data — for as long as your account is active. After cancellation, we keep your data for 30 days to let you reactivate or export it, then delete it.
  • Account information — same schedule as operational data: kept while your account is active, retained 30 days after cancellation, then deleted.
  • Billing records — retained for at least 7 years to meet US tax and accounting requirements, even after cancellation.
  • Audit log — retained for the life of your account; included in your export.
  • Server logs — 30 days.

You can request earlier deletion under Section 7.

7. Your rights

Depending on where you live, you may have some or all of these rights regarding your personal information:

  • Access — ask us what we have about you.
  • Correction — ask us to fix something inaccurate.
  • Deletion — ask us to delete it, subject to legal retention requirements.
  • Portability — ask us for an export in a common machine-readable format. You can also export your own operational data from the app at any time.
  • Restriction or objection — ask us to limit how we process your data, or to stop.
  • Withdrawal of consent — where processing relies on consent, you can withdraw it.

Email {{PRIVACY_EMAIL}} to exercise any of these. We’ll respond within 30 days. We don’t charge for these requests in normal circumstances.

If you’re a California resident, you have specific rights under the CCPA/CPRA, including the right to know what categories of personal information we collect and the right to opt out of any “sale” or “sharing” of personal information. We do not sell or share personal information as those terms are defined under California law.

If you’re in the EU/UK, see our Data Processing Addendum for the details on cross-border transfers and lawful bases.

8. Security

See our Security overview for the operational details. The short version: encryption in transit and at rest; tenant isolation enforced by the database itself rather than only in application code, so one organization's records are never returned to another; audit logging on every operational change (see Section 2.2); and no service-role keys in client code, so the privileged credential that could bypass those database access rules is never shipped to a browser.

9. International transfers

Our infrastructure is in the United States (AWS us-west-1, hosted by Supabase). If you’re using the Service from outside the US, your data will be transferred to and processed in the US. For EU/UK customers, we rely on Standard Contractual Clauses; see the DPA for specifics.

10. Children

The Service is intended for business use by adults. We don’t knowingly collect personal information from anyone under 16. If you believe a child has provided information to us, contact {{PRIVACY_EMAIL}} and we’ll delete it.

11. Changes to this policy

If we make material changes, we’ll notify account owners by email and post the updated version here with an effective date at least 14 days before it takes effect. Continued use of the Service after the effective date constitutes acceptance.

12. Contact

{{COMPANY_LEGAL_NAME}}
{{BUSINESS_ADDRESS_LINE1}}
{{BUSINESS_ADDRESS_LINE2}}
{{BUSINESS_CITY}}, {{BUSINESS_STATE}} {{BUSINESS_POSTAL_CODE}}
{{BUSINESS_COUNTRY}}

Privacy questions: {{PRIVACY_EMAIL}}
General contact: {{CONTACT_EMAIL}}