US Peptide Clinic ("we," "us," "our") operates a B2B platform for the sale of research-grade compounds to verified business entities. This Privacy Policy explains what information we collect when you register and use our platform, how we use and protect that information, and what rights you have regarding your data. Because our platform is B2B-only, we collect primarily business and professional information rather than consumer personal data.
By using our platform, you consent to the practices described in this policy on behalf of yourself and the business entity you represent.
1. Who We Are
Data controller: US Pept Clinic, LLC, a Florida limited liability company with its principal place of business in Miami, Florida ("US Peptide Clinic").
Contact for privacy matters:
Email: [email protected]
Address: Miami, FL (full mailing address provided upon request)
This policy applies to the US Peptide Clinic platform accessible at our primary domain, including all subpages, account portals, and any associated services operated by us.
2. Information We Collect
A. Account Registration Data
When you register, we collect information about your business and designated contact person, including:
- Business legal name, DBA name (if applicable), and business type;
- Federal Employer Identification Number (EIN) or tax identification number;
- Business address (street, city, state, ZIP);
- Business phone number and primary contact email address;
- Name, title, and email of the individual completing registration;
- Login credentials (email address; password is hashed and never stored in plaintext);
- Business licenses, permits, or institutional affiliations provided voluntarily to support the approval process.
B. Order & Transaction Data
For each purchase order, we collect and retain:
- Products ordered, quantities, and unit prices;
- Order dates, invoice numbers, and payment status;
- Shipping address and delivery confirmation records;
- Payment method type (e.g., ACH, wire transfer) — we do not collect or store bank account or routing numbers directly; payment instructions are exchanged via invoice.
C. Usage & Analytics Data
We use PostHog (a product analytics tool) to understand how approved users navigate the platform. PostHog may collect:
- Pages visited and time spent on each page;
- Click patterns and search queries within the catalog;
- Browser type, operating system, and device type;
- IP address (which may be truncated or anonymized at the edge).
PostHog data is used in aggregate to improve platform usability and is not used to build individual advertising profiles. You may opt out of PostHog session recording by contacting us.
D. Communication Data
If you contact us by email or through platform support channels, we retain records of that correspondence. Transactional emails (order confirmations, account status notifications) are sent via Resend and records are retained as part of your account history.
E. Automatically Collected Technical Data
Our platform infrastructure (hosted on Cloudflare's edge network) automatically collects standard web server logs including IP addresses, request timestamps, HTTP status codes, and referrer URLs. This data is used for security monitoring, abuse prevention, and platform performance optimization.
3. How We Use Information
We use the information we collect for the following specific purposes:
- Account verification and approval: To review your registration, verify your business identity, and determine eligibility for platform access;
- Order fulfillment: To process purchase orders, generate invoices, coordinate shipping, and provide order status updates;
- Platform operation: To authenticate your login, maintain your account, and ensure platform security and integrity;
- Communications: To send transactional emails (order confirmations, shipping notices, invoice delivery, account approvals or rejections) and, with your consent, product updates or new catalog announcements;
- Compliance and legal obligations: To maintain transaction records as required by applicable law, respond to lawful regulatory requests, and cooperate with law enforcement where legally required;
- Fraud prevention and security: To detect, investigate, and prevent fraudulent transactions, unauthorized access, and other illegal activity;
- Platform improvement: To analyze aggregated usage patterns and improve platform functionality and user experience.
We do not use your information for advertising, data brokerage, or any purpose not described above. We do not sell your data.
5. Data Retention
We retain your data for as long as your account is active and for a period thereafter as necessary to comply with our legal obligations:
- Account registration data: Retained for the duration of the account relationship plus 7 years following account closure (consistent with standard business record retention requirements);
- Order and transaction records: Retained for a minimum of 7 years from the date of the transaction, as required for tax, accounting, and regulatory compliance;
- Communication records: Retained for 3 years from the date of the communication;
- Analytics data: Aggregated and anonymized data may be retained indefinitely; identifiable session data is retained for up to 12 months;
- Server logs: Standard Cloudflare edge logs are retained for up to 30 days for security purposes.
Upon account closure, we will delete or anonymize personal data within 90 days, subject to retention requirements mandated by law or regulation.
6. Your Privacy Rights
Depending on your location, you may have the following rights regarding your data:
All users:
- Access: Request a copy of the personal and business information we hold about you;
- Correction: Request correction of inaccurate or incomplete information in your account;
- Deletion: Request deletion of your account data, subject to our legal retention obligations;
- Opt-out of non-transactional communications: Unsubscribe from any promotional or product announcement emails at any time.
California residents (CCPA / CPRA): If you are a California resident acting in a B2C capacity (which is not our primary use case), you may have additional rights under the California Consumer Privacy Act, including the right to know, delete, correct, and opt out of the sale or sharing of personal information. As a B2B platform, we do not sell personal information. To submit a CCPA request, contact [email protected]. We will respond within 45 days as required by law.
To exercise any of these rights, contact us at [email protected] with "Privacy Request" in the subject line. We will verify your identity before processing any request and will respond within 30 days.
7. Security
We implement industry-standard technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction:
- All data in transit is encrypted via TLS 1.2 or higher;
- All data at rest in Supabase is encrypted using AES-256;
- Passwords are hashed using bcrypt and never stored in plaintext;
- Access to account data is restricted to authenticated sessions and authorized US Peptide Clinic personnel;
- Cloudflare DDoS protection and WAF rules protect the platform perimeter;
- Admin-level access to backend systems requires multi-factor authentication.
No method of electronic transmission or storage is 100% secure. While we use commercially reasonable measures, we cannot guarantee absolute security. In the event of a data breach that materially affects your account, we will notify you promptly in accordance with applicable breach notification laws.
8. Children's Privacy
This platform is a B2B service intended exclusively for authorized business representatives who are at least 18 years of age. We do not knowingly collect personal information from any individual under the age of 18.
If we learn that personal information has been collected from a minor without proper consent, we will take prompt steps to delete such information. This platform does not target, market to, or permit registration by minors, and our practices are designed to be consistent with the Children's Online Privacy Protection Act (COPPA).
9. Contact Us
For any questions, concerns, or requests related to this Privacy Policy or our data practices, please contact:
US Pept Clinic, LLC
Privacy & Data Inquiries
Miami, FL
[email protected]
We reserve the right to update this Privacy Policy at any time. Material changes will be communicated to registered account holders via email at least 14 days in advance of the change taking effect. The effective date at the top of this document will be updated with each revision.