Privacy Policy
Last updated · 2026-05-16 · Version 2026-05-16-v7
US Precision Peptides ("USPP," "we," "us," or "our") respects your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you visit usprecisionpeptides.com (the "Site"), create an account, place an order, or otherwise interact with us.
This Privacy Policy applies to information collected through the Site and our related services. It does not apply to information collected by third parties whose websites or services are linked from or integrated with the Site, except as expressly stated.
By using the Site, you agree to this Privacy Policy. If you do not agree, do not use the Site.
1. Scope and Applicability
(a) Geographic Scope. USPP operates in and serves customers in the United States only. The Site is intended for users located in the United States. We do not knowingly collect, store, or transfer personal information of individuals outside the United States.
(b) Children. The Site is not directed to children. USPP requires all users to be at least 21 years of age. We do not knowingly collect personal information from any individual under the age of 13. If we learn that we have collected personal information from a child under 13, we will delete it promptly. If you believe we may have collected information from a child under 13, please contact us at privacy@usprecisionpeptides.com.
(c) Health Information. USPP is not a healthcare provider, health plan, or healthcare clearinghouse, and is not subject to the Health Insurance Portability and Accountability Act ("HIPAA"). USPP does not solicit, request, or require health information from any user. Any health information voluntarily disclosed by a user (including in inquiries, support communications, or product reviews) is handled with the same standards of care as other personal information described in this Policy, but is not protected health information under HIPAA. We strongly discourage users from disclosing health information in any communication with USPP.
2. Information We Collect
2.1 Information You Provide
We collect information you provide directly, including:
(a) Account Information. When you create an account, we collect your email address and a password you choose. You may optionally provide a display name and one default shipping address and one default billing address (used to prefill checkout). Passwords must be at least twelve (12) characters; we use a bcrypt one-way hash (cost factor 12) for storage, and the raw password value is never persisted in our database. As an alternative or fallback to password sign-in, you may also request a single-use, time-limited "magic-link" URL that we email to your verified address.
(a)(i) Account Session Data. When you sign in to your account, we issue a long-lived session cookie (ninety-day rolling expiry by default; one-year expiry if you check "Keep me signed in on this device" at sign-in). The cookie value is stored on our servers as a SHA-256 hash; the raw value is never persisted in our database. For each session we record the time the session was created, the time it was last seen, the IP address it was last seen from, and a truncated user-agent string. This data is used for security forensics, audit, and to let you review and revoke active sessions from your account settings.
(a)(ii) Email Verification State. When you create an account, we record the timestamp at which you verified your email address by claiming a verification link, and a seven-day grace window during which you may explore the Site before verification becomes required. If the grace window elapses without verification, your account remains in our records but Site access is restricted until verification is completed. The grace timestamp and the verification timestamp are retained for the life of the account for compliance and audit.
(a)(iii) Site-Access Registration Data. Registration also captures: (i) a 21-or-older self-attestation timestamp and the IP address from which it was made (parity with the per-order age affirmation under our Research Use Disclaimer); (ii) the version of these account terms accepted at registration; (iii) optional answers to a "how did you hear about us?" question, including a free-text "other" entry if selected (used only for aggregate marketing-attribution analytics and never shared with third parties); (iv) a marketing-email opt-in flag whose default depends on the jurisdiction we infer from your IP at registration time (pre-checked for U.S. visitors per the CAN-SPAM Act opt-out posture, unchecked for visitors detected in the EU or U.K. per GDPR affirmative-consent requirements); and (v) if you arrived via an affiliate link bearing a ?ref= query parameter, the affiliate code captured in the uspp_aff_ref cookie at first touch.
(b) Order Information. When you place an order, we collect your billing address, shipping address, phone number, order details, and information about products purchased.
(c) Payment Information. Payments may be processed by third-party payment processors. USPP does not collect or store full payment card numbers ("PAN"), CVV codes, or full magnetic stripe data for any card-based rail. For card payments processed by Bankful (when activated), USPP receives limited payment metadata including a transaction reference, payment status, card brand, and the last four digits of the card used; full card data is collected and stored by Bankful subject to its own privacy practices and PCI-DSS obligations. For Venmo, USPS-hosted Solana Pay, and BTCPay payments, USPP receives transaction-confirmation metadata only.
(d) Communications. When you contact us through the inquiry form, support email, or other channels, we collect the contents of your communication and any information you choose to provide.
(e) Marketing Preferences. When you subscribe to email or SMS communications, we collect your email address, phone number, and preferences.
(f) Reviews and Submitted Content. If you submit a product review, comment, or other content, we collect that content along with your account identifier.
(g) Back-in-stock notification email. When you submit your email address using a back-in-stock notification form on a product page, we store that email address together with the specific product SKU you have subscribed to, and metadata about the submission (timestamp, IP address, user agent). We use this information only to (i) email you when that product is restocked, (ii) send up to two follow-up reminders during the fourteen (14) days after the restock notification, and (iii) enforce a thirty-day cooldown before the same email may re-subscribe to the same product after a completed funnel. You may unsubscribe at any time using the link included in any back-in-stock email. Back-in-stock subscriptions are not used for general marketing or any other purpose.
(h) Bot verification (Cloudflare Turnstile). When you submit the registration form on the Site, your browser interacts with Cloudflare Turnstile, a managed CAPTCHA-style service, to confirm you are not an automated client. Cloudflare receives limited request signals (your IP address, browser characteristics, and a one-time challenge response) for the purpose of issuing a verification token. We submit only that token to Cloudflare's verification endpoint to confirm validity. Cloudflare's collection and use of this data is governed by its own privacy policy. We retain no Turnstile data of our own.
(i) Breached-password screening. When you set a new password on the Site (account creation, password reset, or "force-complete" interstitial for legacy account holders), we send the first five (5) hexadecimal characters of the SHA-1 hash of your password to the Pwned Passwords API operated by Have I Been Pwned (HIBP) using the k-anonymity model. Your full password, the full SHA-1 hash, and any account or browser identifier are never transmitted. The API returns a list of suffixes-and-counts that share the same five-character prefix; we compare locally to determine whether your specific password has appeared in a known data breach above an internal frequency threshold (currently 100,000 prior appearances). No record of this check is retained on our servers. If the HIBP API is unreachable, your registration or password change proceeds (fail-open posture).
(j) Product-interest analytics (account holders only). When you are signed in to your account, the Site records which product cards you view and approximately how long each card was in your browser viewport, together with a per-event timestamp, the page that referred you (if any), a truncated browser user-agent string, and a flag indicating whether you added the same product to your cart during the same browser session. These signals are recorded in the product_views and cart_events data categories and are used only to inform aggregate product-merchandising and supply decisions; they are never shared with third parties and never combined with advertising identifiers. Recording is gated at two layers: (i) the analytics consent toggle you set in the cookie banner stops the browser from transmitting events at all, and (ii) the dedicated "Do not record product-interest analytics from my browsing" toggle on the /account/privacy page stops the USPP server from accepting events from any browser on which you are signed in, even if that browser's cookie banner consent is set to allow. Either toggle alone is sufficient to suppress recording; the server-side toggle is the authoritative override for account holders and persists across browsers and devices. Raw per-event rows are retained for one hundred eighty (180) days and then deleted; aggregated daily counts (per-product view totals, unique-viewer counts, average dwell, cart-add counts) are retained indefinitely. Aggregation runs once per night via a server-side cron job; raw rows older than 180 days are purged in the same job.
2.2 Information Collected Automatically
When you access the Site, we and our service providers automatically collect:
(a) Device and Browser Information. IP address, device type, operating system, browser type and version, screen resolution, language preferences, time zone, and unique device identifiers.
(b) Usage Information. Pages visited, features used, links clicked, search queries entered, time spent on pages, referring and exit URLs, and timestamps.
(c) Session Replay and Behavioral Data. Through Microsoft Clarity, we collect behavioral data including mouse movement, scroll behavior, click patterns, and session recordings. Clarity may also use cookies and similar technologies to identify returning visitors.
(d) Cookies and Similar Technologies. See Section 5 for details on cookies, pixels, and tracking technologies.
2.3 Information from Third Parties
We may receive information about you from:
(a) Payment Processors. Transaction confirmation, payment status, fraud screening results, and limited payment metadata as described in Section 2.1(c).
(b) Shipping Carriers. Tracking and delivery confirmation information from USPS, UPS, and FedEx.
(c) Marketing and Advertising Platforms. If you interact with our advertisements on third-party platforms, we may receive limited campaign attribution information.
(d) Fraud Prevention Services. Risk scores and identity verification results from fraud prevention providers, if used.
3. How We Use Your Information
We use the information we collect to:
(a) Process, fulfill, and ship orders, including communicating with you about order status;
(b) Create and maintain your account, authenticate your identity, and provide customer support;
(c) Process payments and detect, investigate, and prevent fraud, abuse, and security incidents;
(d) Send transactional communications (order confirmations, shipping notifications, account alerts, security notices, and other communications related to your purchases or account);
(e) Send marketing communications via email and SMS, where you have opted in or where permitted by law, including promotional offers, product updates, and newsletters;
(f) Personalize your experience on the Site, including remembering your preferences and showing relevant content;
(g) Operate, maintain, secure, and improve the Site, our products, and our services, including through analytics and session replay tools;
(h) Conduct research and analytics, including measuring the effectiveness of our marketing and advertising;
(i) Comply with applicable laws, regulations, legal processes, and government requests, including tax, accounting, and recordkeeping obligations;
(j) Enforce our Terms of Use, Terms of Sale, Research Use Only Policy, and other applicable policies;
(k) Establish, exercise, or defend legal claims;
(l) Carry out any other purpose disclosed at the time of collection or with your consent.
4. How We Share Your Information
We do not sell your personal information for monetary consideration. We share your information only as described below.
4.1 Service Providers
We share information with third-party service providers who perform services on our behalf, including:
| Service Provider | Purpose | Categories of Data Shared |
|---|---|---|
| Vercel (hosting, edge, Postgres via Neon, Blob storage) | Site hosting, content delivery, primary database, COA file storage | All Site interaction data necessary for hosting; account and order data; uploaded COA files |
| Cloudflare | DNS, edge proxy, DDoS protection, Turnstile bot-verification on registration | IP address, request metadata, browser challenge response |
| Have I Been Pwned (Pwned Passwords API) | Breached-password screening at password set (k-anonymity model; only a 5-character SHA-1 prefix is sent) | 5-character SHA-1 prefix of password (not the password itself, not the full hash, not any account identifier) |
| Resend | Transactional and marketing email delivery; email engagement tracking | Email address, name, email content, engagement metrics |
| Bankful (when activated) | Card payment processing | Order amount, billing details, payment authorization data |
| n8n via Zeus (Venmo confirmation pipeline) | Reads inbound Venmo notification emails to confirm payment receipt | Order ID, sender display name, transaction amount |
| Solana Pay (self-hosted) | Crypto payment confirmation | Order ID, on-chain transaction signature |
| BTCPay Server (self-hosted) | Crypto payment confirmation | Order ID, invoice ID, payment status |
| USPS, UPS, FedEx | Shipment fulfillment and tracking | Shipping name, address, phone, package details |
| Google Analytics 4 | Website analytics | Usage data, device data, IP address (anonymized where supported) |
| Microsoft Clarity | Session replay and behavioral analytics | Usage data, device data, session recordings, click and scroll behavior |
| Umami Cloud | Cookieless privacy-first page analytics | Aggregate usage data; no cookies; no personally identifiable data |
| Advertising Partners (when activated) | Targeted advertising and measurement; subject to your opt-out under Section 7(e) | Identifiers (cookies, IP, device IDs), usage data |
We may add additional service providers from time to time. Material changes to this list will be reflected in updates to this Privacy Policy.
These service providers are contractually required to use your information only to provide services to USPP and to maintain appropriate safeguards.
4.2 Advertising and Cross-Context Behavioral Advertising
USPP may work with third-party advertising partners (such as Meta, Google Ads, TikTok, or other ad platforms) to deliver advertising, including targeted advertising based on your interactions with the Site. Where this involves the disclosure of personal information for cross-context behavioral advertising as defined under applicable state privacy laws, you have the right to opt out at any time.
To exercise this right, use the "Your Privacy Choices" link located in the Site footer, or follow the instructions in Section 7.
USPP honors validated Global Privacy Control ("GPC") browser signals as opt-out requests for the sale or sharing of personal information for cross-context behavioral advertising, in accordance with applicable state privacy laws.
Your opt-out preference is associated with the device or browser from which it is made. If you use multiple devices or browsers, you must opt out on each. If you have an account, your opt-out is also associated with your account and applies wherever you are signed in.
4.3 Legal and Safety
We may disclose your information when we believe in good faith that disclosure is necessary to:
(a) Comply with a subpoena, court order, or other legal process;
(b) Comply with applicable law, regulation, or government request;
(c) Investigate, prevent, or take action regarding suspected fraud, security threats, violations of our Terms, or activity that may expose USPP or others to liability;
(d) Protect the rights, property, or safety of USPP, our users, or others;
(e) Enforce our Terms of Use, Terms of Sale, or other policies.
4.4 Business Transfers
If USPP is involved in a merger, acquisition, financing, reorganization, bankruptcy, sale of all or a portion of our assets, or similar transaction, your information may be transferred as part of that transaction. We will notify you of any such transfer and any choices you may have regarding your information.
4.5 With Your Consent
We may share your information for any other purpose with your consent.
5. Cookies, Pixels, and Tracking Technologies
5.1 Categories of Technologies Used
We and our service providers use cookies, web beacons, pixels, and similar technologies to operate the Site and to understand how it is used.
(a) Strictly Necessary Cookies. Required for core functionality, including login, cart persistence, checkout, and security. These cannot be disabled without breaking the Site. The two persistent first-party cookies in this category are:
uspp_anon_id— UUID v4, 13-month rolling expiry, set on your first visit. Keys your "Your Privacy Choices" preferences (opt-out of sale/share, targeted advertising, limit-sensitive). Stored asHttpOnly; SameSite=Lax; Secure.uspp_customer_session— opaque random token, 90-day rolling expiry (or 1-year if you check "Keep me signed in on this device" at sign-in), set ONLY after you successfully sign in to your account. The cookie value is stored on our servers as a SHA-256 hash; the raw token is never persisted. Stored asHttpOnly; SameSite=Lax; Secure.uspp_aff_ref— short alphanumeric affiliate code, 30-day expiry, set only when you arrive at the Site via a URL containing a?ref=query parameter that matches our affiliate-code shape. The cookie records the first such code you arrive with (first-touch attribution; later?ref=values do not overwrite it) and is consumed and cleared the moment you complete account registration, at which point the code is associated with your account record for revenue-share attribution. Stored asHttpOnly; SameSite=Lax; Secure.uspp_account_csrf— short-lived (1-hour) cross-site-request-forgery token for the account-access form submissions. Set on the registration / sign-in page; cleared on form submit. Stored asSameSite=Lax.
Both cookies are functional and not subject to consent under applicable privacy laws. Neither is shared with third parties.
(b) Analytics Cookies. Used by Google Analytics 4 and Microsoft Clarity to understand how visitors use the Site, measure performance, and improve user experience.
(c) Email Tracking Pixels. Used by Resend to measure email open rates, click-through rates, and engagement with our communications.
(d) Advertising Cookies (Future). When advertising programs are activated, additional cookies and pixels may be set by advertising partners to deliver and measure targeted advertising.
5.2 Cookie Choices
You can manage cookie preferences through:
(a) The cookie banner displayed when you first visit the Site;
(b) Your browser settings (which allow you to block or delete cookies);
(c) Opt-out tools provided by analytics and advertising platforms, including the Google Analytics opt-out browser add-on and the Microsoft Clarity opt-out (if available);
(d) Industry opt-out programs such as the Digital Advertising Alliance (optout.aboutads.info) and the Network Advertising Initiative (optout.networkadvertising.org), once advertising cookies are in use;
(e) Browser-level "Global Privacy Control" (GPC) signals, which we treat as a valid opt-out request for cross-context behavioral advertising under applicable state law.
5.3 Linking of Browser-Level Choices to Your Account
Your "Your Privacy Choices" preferences are stored against your uspp_anon_id browser cookie until you create or sign in to a USPP account. The first time you successfully sign in, we make a one-time, audit-logged copy of those preferences to your account record so they continue to apply when you sign in from a different browser or device. The original browser-level row is preserved unchanged for audit purposes; it is never deleted by the account-linking process. After linking, future preference changes you make while signed in are recorded against your account; preference changes you make while signed out (including from a different browser) are recorded against that browser's uspp_anon_id. You can review the full change history at /account/privacy/log.
5.4 Do Not Track
Our Site does not currently respond to "Do Not Track" browser signals because there is no common industry standard for interpretation. We do honor Global Privacy Control (GPC) signals as described above.
6. Email and SMS Marketing
(a) Email. When you subscribe to marketing emails, you may receive promotional communications about products, offers, and updates. You can unsubscribe at any time using the unsubscribe link in any marketing email or by contacting privacy@usprecisionpeptides.com. Unsubscribing from marketing email does not affect transactional communications related to your orders or account.
(b) SMS. When you opt in to SMS communications, you may receive order updates, shipping notifications, and, where you have separately consented, marketing messages. Message and data rates may apply. Message frequency varies. Reply HELP for help. Reply STOP to cancel. Consent to SMS is not a condition of purchase.
(c) Consent Records. USPP retains records of your consent to email and SMS marketing, including timestamp and IP address, for compliance with the CAN-SPAM Act, the Telephone Consumer Protection Act ("TCPA"), and applicable state laws.
7. Your Privacy Rights
Depending on the state in which you reside, you may have certain rights regarding your personal information under state privacy laws including, without limitation, the California Consumer Privacy Act ("CCPA") as amended by the California Privacy Rights Act ("CPRA"), the Colorado Privacy Act ("CPA"), the Connecticut Data Privacy Act ("CTDPA"), the Virginia Consumer Data Protection Act ("VCDPA"), the Utah Consumer Privacy Act ("UCPA"), the Texas Data Privacy and Security Act ("TDPSA"), the Oregon Consumer Privacy Act ("OCPA"), the Montana Consumer Data Privacy Act, and similar laws.
USPP grants the following rights to all U.S. residents, regardless of state of residence:
(a) Right to Know / Right of Access. You may request access to the personal information we hold about you, including the categories of information collected, the sources, the purposes of processing, and the categories of recipients with whom we share it.
(b) Right to Correct. You may request that we correct inaccurate personal information.
(c) Right to Delete. You may request that we delete personal information we hold about you, subject to legal exceptions (including retention for tax, legal, fraud-prevention, and dispute-resolution purposes).
(d) Right to Data Portability. You may request a copy of your personal information in a portable, structured, and commonly used format.
(e) Right to Opt Out of Sale or Sharing. You may opt out of the sale or sharing of your personal information for cross-context behavioral advertising. To opt out, use the "Your Privacy Choices" link in the Site footer, configure your browser to send a Global Privacy Control signal, or contact us using the methods in Section 7.1.
(f) Right to Opt Out of Targeted Advertising. You may opt out of processing of your personal information for targeted advertising.
(g) Right to Limit Use of Sensitive Personal Information. Where applicable, you may request that we limit the use and disclosure of sensitive personal information to that which is necessary to provide requested services.
(h) Right to Non-Discrimination. We will not discriminate against you for exercising any of these rights. We will not deny services, charge different prices, or provide a lower quality of service because you exercised your privacy rights.
(i) Right to Appeal. If we deny a privacy rights request, you may appeal the decision by replying to our denial response or contacting privacy@usprecisionpeptides.com.
7.1 How to Exercise Your Rights
To exercise any of these rights, contact us at:
- Email: privacy@usprecisionpeptides.com
- Mail: US Precision Peptides, Attn: Privacy, 9901 Brodie Lane, Suite 160 PMB893, Austin, TX 78748
We will verify your identity before responding to your request, typically by confirming information already associated with your account or order. We will respond to verifiable requests within the timeframes required by applicable law (generally within 45 days, with one possible extension).
7.2 Authorized Agents
You may designate an authorized agent to make a privacy rights request on your behalf. We will require written proof of the agent's authority and may verify your identity directly.
7.3 California Shine the Light
California residents may request information about our disclosure of personal information to third parties for those parties' direct marketing purposes during the preceding calendar year, pursuant to California Civil Code § 1798.83. To make such a request, contact privacy@usprecisionpeptides.com. USPP does not currently disclose personal information to third parties for their direct marketing purposes.
7.4 Your Privacy Choices Page
The "Your Privacy Choices" link in the Site footer takes you to a page where you can:
(a) Opt out of the sale or sharing of your personal information for cross-context behavioral advertising;
(b) Opt out of targeted advertising;
(c) Manage cookie preferences;
(d) Submit other privacy rights requests.
Your choices are saved per device and per browser. If you clear cookies or use a different browser, you may need to set your preferences again. If you have an account, your choices are also saved to your account profile.
8. Data Retention
We retain personal information only as long as necessary for the purposes described in this Privacy Policy, including to:
(a) Maintain your account and provide ongoing services;
(b) Fulfill orders and provide customer support;
(c) Comply with tax, accounting, and other legal obligations (typically a minimum of seven (7) years for transactional records);
(d) Resolve disputes, enforce our agreements, and prevent fraud;
(e) Operate our business in accordance with applicable law.
When personal information is no longer required, we delete or anonymize it in accordance with our retention policies and applicable law.
You may request deletion of your account and associated personal information at any time, subject to the legal exceptions described in Section 7.
Email-change retention. If you change the email address on your account, the previous address is retained as a recovery alias for thirty (30) days. During this window, sign-in links sent to the previous address remain valid; after thirty days, the previous address is permanently dropped from the account record. The change itself is recorded in your account audit log.
9. Data Security
USPP implements reasonable administrative, technical, and physical safeguards designed to protect your personal information from unauthorized access, disclosure, alteration, and destruction. These include:
(a) Encryption of data in transit using TLS;
(b) Encryption of sensitive data at rest where technically feasible;
(c) Access controls limiting employee and contractor access to personal information on a need-to-know basis;
(d) Password storage and hashing: account passwords are hashed using bcrypt with a cost factor of 12 before storage. Raw passwords are never persisted in our databases. Magic-link sign-in remains available as an alternative or fallback authentication path; magic-link tokens are stored as SHA-256 hashes and expire fifteen (15) minutes after issuance;
(d)(i) Session-token storage: session cookie values are stored on our servers as SHA-256 hashes; raw token values are never persisted in our database. Default session lifetime is ninety (90) days rolling; one (1) year if you choose "Keep me signed in on this device";
(d)(ii) Sign-in alert emails: an email is sent to your account address on every successful sign-in, containing the timestamp, IP address, and a truncated user-agent string. If you did not initiate the sign-in, you can revoke all active sessions from a one-click link in that alert;
(d)(iii) Breached-password screening at every password set, using Have I Been Pwned's Pwned Passwords API under the k-anonymity model described in Section 2.1(i). Passwords appearing in more than 100,000 prior breach corpus entries are rejected;
(d)(iv) Bot-verification on registration via Cloudflare Turnstile, as described in Section 2.1(h);
(e) Use of payment processors that maintain PCI-DSS compliance, such that USPP does not store full payment card data;
(f) Regular review of security practices and service-provider obligations.
No method of transmission or storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security. You are responsible for safeguarding your account credentials and for promptly notifying us of any suspected unauthorized access.
In the event of a data breach affecting your personal information, USPP will notify affected users and regulators in accordance with applicable law.
10. International Users and Data Transfers
The Site is intended for and directed to users in the United States only. All personal information collected by USPP is stored on servers located in the United States. We do not knowingly transfer personal information to or from outside the United States.
If you are accessing the Site from outside the United States, please do not use the Site or provide personal information.
11. Third-Party Links
The Site may contain links to third-party websites and services. This Privacy Policy does not apply to third-party sites or services. We encourage you to review the privacy policies of any third-party sites or services you visit.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
(a) Update the "Last Updated" date at the top of this Privacy Policy;
(b) Post the revised Privacy Policy on the Site;
(c) Where required by law or where the changes are material, provide additional notice (such as an email to account holders or a banner on the Site).
Your continued use of the Site after the effective date of the revised Privacy Policy constitutes your acceptance of the changes. If you do not agree with the changes, you must stop using the Site and may close your account.
13. Contact Us
If you have questions, concerns, or complaints about this Privacy Policy or our privacy practices, contact us at:
US Precision Peptides
Attn: Privacy
9901 Brodie Lane, Suite 160 PMB893
Austin, TX 78748
privacy@usprecisionpeptides.com
For California residents, you may also designate an authorized agent or submit a verifiable consumer request as described in Section 7.
