Privacy Policy

01

Who We Are

Clarix Research Ltd (trading as Clarix Peptides) is the data controller responsible for personal data collected through this website (clarixpeptides.com).

Clarix Research Ltd
Registered in England and Wales | Company No. 17269311
Registered Office: 66 Paul Street, London EC2A 4NA
Email: info@clarixpeptides.com

As data controller, we determine the purposes and means by which your personal data is processed. If you have any questions about this Privacy Policy or your personal data, please contact us at the address above.

02

Data We Collect

We collect personal data in the following circumstances:

Category	Data Collected	How Collected
Account registration	First name, last name, email address, hashed password	When you create an account on our website
Order processing	Full name, delivery address, email address, order details, order reference	When you place an order at checkout
Contact enquiries	Name, email address, message content	When you submit our contact form
Newsletter / discount sign-up	Email address	When you subscribe via the newsletter form or discount popup
Technical data	Browser type, device type, IP address (via hosting provider logs)	Automatically when you visit the website

We do not collect payment card data directly. Bank transfers are made independently by you to our bank account. Open banking payments (where available) are processed by our payment provider, Fena, under their own privacy policy.

We do not collect sensitive personal data (special category data) as defined under Article 9 of UK GDPR.

03

How We Use Your Data

Purpose	Data Used
Processing and fulfilling your order	Name, address, email, order details
Sending order confirmations and dispatch notifications	Name, email address
Sending your requested discount code	Email address
Responding to your enquiries or support requests	Name, email, message content
Maintaining your account and enabling login	Email, hashed password
Complying with legal obligations (record-keeping, fraud prevention)	Name, address, order records
Improving website security and performance	Technical/log data

We do not use your personal data for automated decision-making or profiling. We do not sell, rent, or trade your personal data with third parties for marketing purposes.

04

Legal Basis for Processing

Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following:

Contract (Article 6(1)(b)): Processing necessary to fulfil your order, manage your account, and provide the services you have requested.
Legitimate interests (Article 6(1)(f)): Processing for fraud prevention, website security, and responding to enquiries. Our legitimate interests do not override your rights.
Consent (Article 6(1)(a)): Where you have voluntarily subscribed to our newsletter or discount emails, we process your email address on the basis of your consent. You may withdraw consent at any time by contacting us at info@clarixpeptides.com.
Legal obligation (Article 6(1)(c)): Where we are required by law to retain or process records (e.g. for HMRC compliance).

05

Third-Party Processors

We use the following trusted third-party services that may process your personal data on our behalf. All third-party processors are required to handle your data securely and only for the purposes we specify.

Processor	Purpose	Data Shared	Location
Netlify	Website hosting and delivery	Technical/log data (IP address, browser)	USA (EU-US Data Privacy Framework)
EmailJS	Sending transactional emails (discount codes, password resets)	Email address, name	USA / EU (GDPR-compliant)
Web3Forms	Processing contact form submissions and admin notifications	Name, email address, message content	USA (GDPR-compliant)
Fena	Open banking payment processing (where selected)	Name, bank account data (processed directly by Fena)	United Kingdom
Google Fonts	Web font delivery	IP address (anonymised)	USA (EU-US Data Privacy Framework)

We do not transfer your personal data to any country outside the UK or EEA without ensuring appropriate safeguards are in place as required by UK GDPR Chapter V.

06

Data Retention

We retain your personal data only for as long as necessary for the purposes set out in this policy, or as required by law:

Account data — retained while your account is active. You may request deletion at any time.
Order records — retained for a minimum of 6 years from the date of the transaction, in accordance with HMRC record-keeping requirements.
Contact form enquiries — retained for up to 2 years from the date of your enquiry, or until resolved.
Newsletter/discount email subscriptions — retained until you withdraw your consent or request removal.
Technical/log data — retained by Netlify in accordance with their data retention policies (typically 30 days).

Data stored in your browser (localStorage/sessionStorage) is held locally on your device and is not transmitted to our servers. You can clear this at any time by clearing your browser data.

07

Your Rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights regarding your personal data:

Right of access — You may request a copy of the personal data we hold about you (Subject Access Request).
Right to rectification — You may ask us to correct inaccurate or incomplete data.
Right to erasure ("right to be forgotten") — You may request that we delete your personal data where there is no compelling reason for its continued processing.
Right to restriction — You may ask us to restrict the processing of your data in certain circumstances.
Right to data portability — You may request that we provide your data in a structured, machine-readable format.
Right to object — You may object to processing based on legitimate interests or for direct marketing purposes.
Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.

To exercise any of these rights, please contact us at info@clarixpeptides.com with the subject line "Data Rights Request". We will respond within one calendar month as required by UK GDPR.

We will not charge a fee for handling data rights requests unless the request is manifestly unfounded or excessive.

08

Cookies & Local Storage

Our website uses browser storage technologies to provide core functionality. We do not use advertising or analytics cookies.

Storage	Purpose	Type
`clarix_cart`	Stores your shopping basket between page loads	localStorage (functional)
`clarix_accounts`	Stores your account credentials locally on your device (hashed password)	localStorage (functional)
`clarix_orders`	Stores your order history locally on your device	localStorage (functional)
`clarix_session`	Maintains your login session during your browser visit	sessionStorage (functional)
`clarix_popup_seen`	Remembers that you have dismissed the discount popup	localStorage (functional)

Third-party scripts loaded by this website (Google Fonts, Tailwind CSS CDN) may set their own cookies or make network requests that log your IP address. Please refer to Google's Privacy Policy for information on how they handle font API data.

All browser storage listed above is strictly functional and necessary for the website to operate. By using this website, you consent to the use of these functional storage technologies.

09

Data Security

We take the security of your personal data seriously. The following measures are in place:

All data transmitted between your browser and our website is encrypted via HTTPS/TLS.
Passwords are hashed using SHA-256 before storage; we never store plaintext passwords.
Our website is hosted on Netlify, which provides infrastructure-level security including DDoS protection and automatic HTTPS.
HTTP security headers (X-Frame-Options, Content-Security-Policy, X-Content-Type-Options) are implemented to prevent common web attacks.
We do not store payment card data at any point.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware and will inform affected individuals without undue delay.

10

Children's Privacy

Our website is not directed at persons under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately at info@clarixpeptides.com and we will take steps to delete such data.

11

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The "Last updated" date at the top of this page will reflect when changes were last made.

We encourage you to review this policy periodically. Where changes are material, we will take reasonable steps to notify you.

12

Contact & Complaints

For any questions, concerns, or data rights requests relating to this Privacy Policy, please contact our Data Controller:

Clarix Research Ltd (trading as Clarix Peptides)
66 Paul Street, London EC2A 4NA
Email: info@clarixpeptides.com

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113

Contents