1. Data controller

The data controller within the meaning of the General Data Protection Regulation (EU) 2016/679 ("GDPR") is:

PEPTEX, 91, rue du Faubourg Saint Honoré, Paris, France. Contact for data protection matters: +33 7 74 58 48 99 (WhatsApp).

This Privacy Policy describes which personal data we collect when you interact with peptex.shop or with our assisted channels, the purposes for which we process that data, the legal bases on which the processing relies, the recipients with whom data may be shared, the retention periods, the rights that you can exercise under the GDPR and the procedure for exercising them.

2. What data we collect

We collect personal data directly from you when you create an account, place an Order, contact customer care, subscribe to our newsletter, or use a feature of the Website. We also collect technical data automatically when you browse the Website.

2.1 Data you provide

• Identification data: first name, last name.
• Contact data: email address, phone number, Telegram handle where applicable.
• Shipping data: street address, city, postal code, country.
• Order data: products ordered, sizes, prices, date of purchase, discount codes used, bonus points balance.
• Payment data: transaction identifier, payment method, masked card information (last four digits). We do not store full card numbers, expiration dates or CVV codes.
• Communication data: messages exchanged with our customer care team through email, WhatsApp, Telegram or the Website chat.
• Review data: ratings, text and media that you voluntarily submit as a product review.

2.2 Data collected automatically

• Technical data: IP address, device type, browser, operating system, referring page, session identifier.
• Usage data: pages visited, products viewed, cart events, search queries, duration of session.
• Marketing identifiers: where you arrive from a campaign, the campaign parameter (utm), click identifier (fbclid, gclid) or referral code.

3. Purposes of processing and legal bases

We process your personal data for the following purposes, under the following legal bases under Article 6(1) GDPR:

3.1 Contract performance, Art. 6(1)(b)

• Creating and managing your account.
• Processing and fulfilling your Orders, including payment, shipping and tracking.
• Responding to customer care requests related to an Order.
• Managing returns, refunds and warranty claims.

3.2 Legal obligations, Art. 6(1)(c)

• Retaining invoicing and accounting records for the duration required by French tax and commercial law.
• Responding to legally binding requests from public authorities.
• Fraud prevention and anti-money-laundering checks at payment level.

3.3 Legitimate interest, Art. 6(1)(f)

• Analyzing Website traffic and usage to improve the service and detect technical issues.
• Remarketing to customers who have shown interest in our products and not yet completed an Order, within the limits of applicable e-privacy rules.
• Securing the Website and the payment flow against fraud, abuse and automated attacks.
• Maintaining internal records of disputes and quality incidents.

Before relying on legitimate interest, we conduct a balancing test to ensure that the processing does not override your fundamental rights and freedoms. You can object to a legitimate-interest processing at any time (see Section 8 below).

3.4 Consent, Art. 6(1)(a)

• Sending marketing newsletters to subscribers.
• Storing non-essential cookies (analytics, marketing) when required by local e-privacy rules.
• Processing product reviews and any voluntary testimonial you submit.

Consent can be withdrawn at any time. Withdrawing consent does not affect the lawfulness of processing already carried out.

4. Cookies and trackers

Peptex.shop uses a limited set of cookies and similar technologies. Essential cookies are required to operate the Website and store your cart, language preference and session. Non-essential cookies are deployed only with your consent through the cookie banner displayed on first visit.

4.1 Analytics

We run a self-hosted Matomo instance for audience measurement. Matomo is configured to anonymize IP addresses and does not share data with any third party. Analytics data is stored on infrastructure under our direct control.

4.2 Advertising and remarketing

With your consent, we use the Meta (Facebook) Pixel and the Meta Conversions API to measure advertising performance and to reach audiences who have interacted with our Website on Meta platforms. The Conversions API is a server-side integration that transmits a limited set of events (page view, add to cart, purchase) together with hashed identifiers (hashed email, hashed phone) to Meta Platforms Ireland Limited, acting as an independent controller. You can opt out at any time via the cookie banner or via your Meta account settings.

4.3 Functional trackers

Cookies strictly required for cart persistence, session authentication, language selection and cart reminders are set without consent, as permitted by the e-privacy framework.

5. Third-party processors

To fulfill Orders and operate the Website, we rely on the following categories of data processors. Each processor is bound by a data processing agreement that restricts the use of the data to the purposes of the corresponding service.

• Payment processor, APIPymts. Processes card transactions under a PCI DSS environment. Card credentials are transmitted directly to the processor and never touch PEPTEX infrastructure.
• Delivery carrier, UPS. Receives the shipping address and contact phone number required to deliver the parcel and to provide tracking events.
• SMTP provider. Delivers transactional emails (Order confirmations, shipping notifications, password resets).
• Translation service, DeepL. Used server-side to translate product and article content into additional European languages. No customer-specific personal data is transmitted to DeepL.
• Analytics, Matomo. Self-hosted, no third party involved.
• Advertising platform, Meta. With your consent, receives events for performance measurement and remarketing, as described in Section 4.2.

6. Data retention

We retain personal data only for as long as needed for the purposes of the processing and for the periods imposed by applicable law.

• Customer account: for the duration of the contractual relationship, and for up to 3 years after the last activity for commercial prospecting purposes.
• Order and invoicing data: 10 years from the end of the accounting period, in line with French commercial and tax law.
• Payment transaction metadata: 13 months from the transaction date, 15 months for transactions under dispute.
• Customer care conversations: 3 years from the last exchange.
• Analytics logs: 25 months maximum, aggregated after that.
• Marketing consents and withdrawals: 3 years from the last action.
• Cookie consent records: 13 months.

At the end of the retention period, data is deleted or anonymized. Data retained solely for legal obligations is archived with access restricted to authorized personnel.

7. International transfers

We prefer processors located within the European Economic Area. Where a processor is located outside the EEA, the transfer is governed by one of the following safeguards under Chapter V of the GDPR: an adequacy decision of the European Commission, Standard Contractual Clauses approved by the European Commission, or another valid transfer mechanism. A copy of the applicable safeguard can be requested by writing to +33 7 74 58 48 99 (WhatsApp).

8. Your rights under the GDPR

Subject to the conditions set by the GDPR, you have the following rights:

• Right of access: obtain confirmation of whether we process data about you, and a copy of that data.
• Right to rectification: request correction of inaccurate or incomplete data.
• Right to erasure ("right to be forgotten"): request deletion of your data when the legal conditions are met.
• Right to restriction of processing: request that we limit processing in specific situations.
• Right to data portability: receive the data you have provided in a structured, commonly used and machine-readable format, and transmit it to another controller.
• Right to object: object at any time to a processing based on legitimate interest, including profiling for marketing purposes.
• Right to withdraw consent: withdraw a previously given consent, without affecting the lawfulness of processing based on that consent before withdrawal.
• Right to define post-mortem directives: under applicable EU and French law, the right to provide directives on what happens to your data after death.

To exercise any of these rights, contact us on WhatsApp at +33 7 74 58 48 99 with the subject line "GDPR request". We reply within one month of receipt, extensible by two months for complex requests. We may request proof of identity before acting on a request that could otherwise compromise your privacy.

9. Supervisory authority

If you believe that our processing of your personal data is not compliant with the GDPR, you can lodge a complaint with the competent supervisory authority. In France, the competent authority is the Commission Nationale de l'Informatique et des Libertes (CNIL), 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France. www.cnil.fr.

You are also entitled to lodge a complaint with the supervisory authority of your country of residence or of your workplace.

10. Security

We implement technical and organizational measures adapted to the sensitivity of the data processed: encryption in transit (TLS), encrypted storage for sensitive fields, segregation of environments, access control based on the least privilege principle, audit logging, periodic review of permissions, secure development practices and incident response procedures. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we notify the CNIL within 72 hours and, where required, inform affected individuals without undue delay.

11. Children

The Website is not intended for children under 16. We do not knowingly collect personal data from children under 16. If you become aware that a child under 16 has provided us with personal data, contact us so that we can delete the data.

12. Changes to this policy

We may update this Privacy Policy to reflect changes in our processing, in the services we use or in applicable law. The version in force is the version published on the Website. Material changes are communicated by email to registered users at least 15 days before entry into force, except where immediate application is required by law.

13. Contact

PEPTEX, 91, rue du Faubourg Saint Honoré, Paris, France. For any data protection matter, contact us on WhatsApp at +33 7 74 58 48 99 with the subject line "Privacy". For general inquiries, you can also reach us on WhatsApp and phone at +33 774 58 48 99, or on Telegram at @Maria_PEPTEX.