PeptideTrace

Privacy Policy

Last updated: March 2026

PeptideTrace (“the Platform,” “we,” “our,” or “us”) is committed to protecting the privacy of individuals who visit and use our platform. This Privacy Policy explains how we collect, use, store, share, and protect personal data when you access PeptideTrace at peptidetrace.com.

PeptideTrace is operated from the United Kingdom and processes personal data in accordance with the UK General Data Protection Regulation (UK-GDPR), the Data Protection Act 2018, and, where applicable, the European Union General Data Protection Regulation (EU-GDPR). We take our obligations under these regulations seriously and have designed the platform with privacy in mind from the outset.

By accessing or using PeptideTrace, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, you should not use the Platform.


1. Data Controller

The data controller responsible for your personal data is PeptideTrace. For any enquiries regarding this Privacy Policy or the processing of your personal data, please contact us at:

Email: info@peptidetrace.com


2. What Personal Data We Collect

2.1 Account Information

When you create a PeptideTrace account, we collect the following personal data:

  • Email address: Required for account creation, authentication, and communication.
  • Password: Stored in hashed form. We do not have access to your plaintext password.
  • Account creation date: Recorded automatically at the time of registration.

2.2 Preference Data

When you use account features, we may collect:

  • Jurisdiction preferences: The jurisdictions you select for personalised regulatory status highlighting on compound pages (e.g., US, UK, EU, Australia, Canada).
  • Saved compounds: A record of compound pages you have chosen to save or follow.

2.3 Usage Data

When you browse the Platform, we may automatically collect certain technical and usage information:

  • IP address: Used for security monitoring and approximate geographic analysis.
  • Browser type and version: Used for compatibility monitoring and debugging.
  • Device information: Operating system, screen resolution, and device type.
  • Pages visited and navigation paths: Used to understand how the Platform is used and to improve content and functionality.
  • Referring URLs: The web address that directed you to PeptideTrace.
  • Timestamps: The date and time of your visits and interactions.

2.4 Newsletter Subscription Data

If you subscribe to the PeptideTrace newsletter, we collect:

  • Email address: Required for newsletter delivery.
  • Subscription date: Recorded automatically.
  • Subscription source: Which page or form you used to subscribe (e.g., footer, compound page, article page).

2.5 User Experience Reports

If you submit a user experience report on an approved compound page, we collect:

  • Rating data: Your numerical ratings across the defined dimensions.
  • Selected indication: The therapeutic indication you selected when submitting your report.
  • Submission timestamp: When the report was submitted.

User experience reports are associated with your account but are displayed publicly in aggregate form only. Individual ratings are never displayed in a way that identifies the submitting user.

2.6 Communication Data

If you contact us via email, we retain the contents of your correspondence, your email address, and any other information you provide, for the purpose of responding to your enquiry and maintaining records of correspondence.


3. How We Use Your Personal Data

We process your personal data for the following purposes and on the following legal bases:

3.1 Providing and Operating the Platform

  • Processing your account registration and managing your account.
  • Delivering personalised features such as jurisdiction preferences and saved compounds.
  • Displaying aggregated user experience reports on compound pages.
  • Sending you service-related communications (e.g., email verification, password resets, account notifications).

Legal basis: Performance of a contract (Article 6(1)(b) UK-GDPR). The provision of account features constitutes a contract between you and PeptideTrace.

3.2 Improving the Platform

  • Analysing usage patterns to understand how the Platform is used.
  • Identifying technical issues and improving platform performance.
  • Informing editorial decisions about content priorities and compound coverage.

Legal basis: Legitimate interests (Article 6(1)(f) UK-GDPR). We have a legitimate interest in understanding how the Platform is used in order to improve it. This processing does not override your fundamental rights and freedoms.

3.3 Newsletter and Communications

  • Sending the PeptideTrace newsletter to subscribers.
  • Sending occasional platform announcements or updates to account holders.

Legal basis: Consent (Article 6(1)(a) UK-GDPR) for the newsletter. You may withdraw consent at any time by using the unsubscribe link in any newsletter email. For essential service communications related to your account, the legal basis is legitimate interests.

3.4 Security and Fraud Prevention

  • Monitoring for suspicious activity, unauthorised access, and abuse.
  • Enforcing our Terms of Use.

Legal basis: Legitimate interests (Article 6(1)(f) UK-GDPR). We have a legitimate interest in maintaining the security and integrity of the Platform.

3.5 Legal Compliance

  • Responding to lawful requests from public authorities.
  • Establishing, exercising, or defending legal claims.

Legal basis: Legal obligation (Article 6(1)(c) UK-GDPR) and legitimate interests (Article 6(1)(f) UK-GDPR).


4. Cookies and Similar Technologies

4.1 Essential Cookies

PeptideTrace uses essential cookies that are necessary for the Platform to function. These include:

  • Authentication cookies: To maintain your logged-in session.
  • Security cookies: To protect against cross-site request forgery and other security threats.

These cookies are strictly necessary and do not require your consent under the Privacy and Electronic Communications Regulations 2003 (PECR).

4.2 Analytics

We may use privacy-respecting analytics tools to understand how the Platform is used. Where analytics tools are deployed, they are configured to minimise data collection and, where possible, do not use cookies or track individuals across websites. We do not use Google Analytics or any advertising-based analytics platform.

If we deploy analytics that require consent, we will present a clear cookie consent mechanism before any non-essential cookies are placed.

4.3 No Advertising Cookies

PeptideTrace does not display advertising. We do not use advertising cookies, retargeting pixels, or tracking technologies operated by third-party advertisers. We do not sell or share personal data with advertisers.


5. Third-Party Services

PeptideTrace uses the following categories of third-party services to operate the Platform:

5.1 Hosting and Infrastructure

The Platform is hosted on cloud infrastructure providers located in the European Union and/or regions covered by adequate data protection arrangements. These providers process data on our behalf under Data Processing Agreements that comply with UK-GDPR requirements.

5.2 Authentication

User authentication is provided by Supabase, which processes your email address and hashed password for account management purposes. Supabase acts as a data processor on our behalf.

5.3 Email Services

Newsletter delivery and transactional emails (verification, password reset) are handled by third-party email service providers that process your email address on our behalf under Data Processing Agreements.

5.4 Payment Processing

If and when paid features are introduced to the Platform, payment processing will be handled by Stripe. Stripe will process your payment information directly. PeptideTrace does not store credit card numbers or full payment details on its own servers. Stripe’s processing of your data is governed by Stripe’s own privacy policy.

We do not sell, rent, or trade your personal data to any third party for their own marketing or commercial purposes.


6. International Data Transfers

Your personal data may be transferred to and processed in countries outside the United Kingdom. Where such transfers occur, we ensure that appropriate safeguards are in place, including:

  • Transfers to countries recognised by the UK Secretary of State as providing an adequate level of data protection.
  • Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner’s Office (ICO).
  • Other legally recognised transfer mechanisms under UK-GDPR.

7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:

  • Account data: Retained for the duration of your account. Upon account deletion, your personal data is deleted within 30 days, except where retention is required by law.
  • Usage data: Aggregated and anonymised usage data may be retained indefinitely for analytical purposes. Individual-level usage data is retained for no longer than 24 months.
  • Newsletter subscription data: Retained until you unsubscribe. Upon unsubscription, your email address is removed from the mailing list within 30 days.
  • User experience reports: Aggregated rating data may be retained after account deletion to preserve the integrity of compound-level aggregate statistics. No individually identifiable data is retained.
  • Communication records: Retained for up to 24 months for record-keeping and quality purposes.

8. Your Rights Under UK-GDPR

You have the following rights in relation to your personal data:

8.1 Right of Access

You have the right to request confirmation of whether we process your personal data and, if so, to request a copy of that data. We will respond to access requests within one month.

8.2 Right to Rectification

You have the right to request that we correct any inaccurate personal data we hold about you, or complete any incomplete data.

8.3 Right to Erasure

You have the right to request that we delete your personal data. You can delete your account directly from the Account Settings page, which will trigger deletion of your personal data. You may also contact us to request erasure.

We may retain certain data where we have a legal obligation to do so or where retention is necessary for the establishment, exercise, or defence of legal claims.

8.4 Right to Restrict Processing

You have the right to request that we restrict the processing of your personal data in certain circumstances, such as where you contest the accuracy of the data or where you have objected to processing pending verification of legitimate grounds.

8.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller, where the processing is based on consent or contract and is carried out by automated means.

8.6 Right to Object

You have the right to object to processing based on legitimate interests. Where you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

8.7 Rights Related to Automated Decision-Making

PeptideTrace does not engage in automated decision-making or profiling that produces legal or similarly significant effects on individuals.

8.8 Right to Withdraw Consent

Where processing is based on consent (such as newsletter subscriptions), you have the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.


9. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit using TLS/SSL.
  • Encryption of sensitive data at rest.
  • Row Level Security (RLS) policies enforced at the database level to ensure users can only access data they are authorised to view.
  • Regular review of access controls and security practices.
  • Use of hashed passwords with industry-standard algorithms.

While we take all reasonable precautions to protect your data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.


10. Children’s Privacy

PeptideTrace is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without appropriate consent, we will take steps to delete that data as promptly as possible.

If you believe that a child under 16 has provided us with personal data, please contact us at info@peptidetrace.com.


11. Links to Third-Party Websites

The Platform may contain links to external websites, including regulatory agency websites, clinical trial registries, and published research sources. These links are provided for informational purposes. PeptideTrace is not responsible for the privacy practices or content of third-party websites. We encourage you to review the privacy policies of any external websites you visit.


12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Platform functionality. When we make material changes, we will update the “Last updated” date at the top of this page.

Where material changes affect your rights or how we process your data, we will make reasonable efforts to notify you, such as by posting a notice on the Platform or sending an email to account holders.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.


13. How to Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our processing of your personal data, please contact us at:

Email: info@peptidetrace.com

You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO):

Website: ico.org.uk

Telephone: 0303 123 1113

Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF


14. Supervisory Authority

For individuals located in the European Economic Area, you may also lodge a complaint with your local data protection authority.