Privacy Policy

1. About this Policy

This Privacy Policy explains what information Maxxing Peptides ("Maxxing Peptides," "we," "our," or "us") collects when you visit maxxingpeptides.com(the "Site"), how we use it, who we share it with, and the rights you have under applicable privacy law — including the EU and UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other US state privacy laws.

Please read this Policy together with our Terms of Use. By using the Site you confirm that you understand the practices described here.

2. Who We Are and Scope

Maxxing Peptides operates this Site as a research catalog and editorial publication. We do not maintain user accounts, take payment on this domain, run a newsletter, or run a contact form on the Site. Orders for any catalog SKU are completed on a third-party research-supply vendor reached through the outbound/out/redirect described in Section 6. That vendor is a separate controller with its own privacy policy.

For the limited information we do collect on the Site (server logs and privacy-preserving analytics, as described below), Maxxing Peptides is the data controller. To exercise the rights described in Sections 13–15, contact us at privacy@maxxingpeptides.com.

3. Information We Collect Automatically

Like nearly every website, our hosting provider records technical information about each request to keep the Site running, prevent abuse, and produce aggregate traffic statistics. We collect the following:

• Server access logs (Vercel hosting): IP address, user-agent string, requested URL, referrer URL, response status, response size, and timestamp. These are standard HTTP access logs generated by our hosting provider.
• Privacy-preserving analytics (Vercel Analytics): page URL, referrer, country (derived from IP), browser family, device type, and operating system. Vercel Analytics does not set cookies and does not store raw IP addresses. Visitor identifiers are derived using a daily rotating one-way hash of IP + user-agent that cannot be reversed to identify an individual.
• Approximate location: derived from IP address only at country level. We do not collect precise geolocation, GPS coordinates, or device sensor data.
• Performance and error data: aggregated request latency, build metrics, and uncaught client-side errors that may be captured by our hosting platform for the purpose of diagnosing outages.

We do not link the data above to a name, email address, account, or any other directly identifying attribute, because we do not collect those attributes (see Section 4).

4. Information We Do Not Collect on the Site

The Site does not include features that would collect personal information of the kinds listed below. Specifically:

• No user accounts, sign-up, or login.
• No email newsletter, mailing list, or subscription form.
• No contact, comment, review, or feedback form on the Site.
• No payment processing, billing, or shipping information collected on this domain.
• No advertising cookies, retargeting pixels, or third-party advertising SDKs.
• No first-party cookies set by Maxxing Peptides for tracking purposes.
• No social-media sharing widgets that load third-party scripts (e.g., Facebook Pixel, Twitter widgets, LinkedIn Insight Tag).
• No biometric, health, financial, government-ID, or precise-location data, and no "sensitive personal information" as that term is defined under the CPRA.

If you contact us directly by email at the address in Section 19, the contents of your email and your email address are processed for the sole purpose of responding to your request and are retained no longer than is reasonably necessary for that purpose.

5. Cookies and Similar Technologies

The Site does not set first-party cookies for tracking, advertising, or personalization. Our analytics provider (Vercel Analytics) is a cookieless analytics tool. The only cookie-like storage you may encounter on this domain is a session-scoped value used by the underlying web framework (Next.js / React) for routing and basic application state; this is a strict-necessity, first-party value with no tracking purpose.

Web fonts (Montserrat) are served from our own domain. Even though the font is sourced from the Google Fonts catalog, our framework downloads it at build time and self-hosts it, so loading a Site page does not initiate an HTTP request to Google's servers and does not result in your IP being logged by Google for our font usage.

Third-party sites you reach through the outbound /out/redirect (Section 6) may set their own cookies under their own privacy policies; those cookies are not within our control.

6. Outbound Links and Third-Party Suppliers

Outbound product links on the Site take the form /out/<product-slug> and route to a third-party research-supply vendor. The redirect itself is performed server-side and does not collect personal data beyond the standard server log fields described in Section 3.

Any account creation, address entry, payment, order processing, customer support, shipping, returns, and post-purchase communication takes place on the third-party vendor's site and is governed by that vendor's privacy policy and terms. Maxxing Peptides does not receive your name, email, postal address, payment details, order contents, or order status from the vendor as a matter of routine. The vendor may share aggregated, non-identifying referral statistics (for example, click counts and commission totals) with us under the affiliate program described on our About page.

We encourage you to review the vendor's privacy policy before completing a purchase.

7. How We Use Information

We use the information described in Section 3 strictly for the following purposes:

• Operating, maintaining, and securing the Site.
• Producing aggregate traffic and audience statistics (which pages are read, which referrers send visitors, which countries readers come from) to improve our editorial coverage.
• Detecting and mitigating abuse, scraping, denial-of-service activity, and other security events.
• Diagnosing and fixing application errors and performance regressions.
• Complying with applicable law and responding to lawful requests from public authorities.

We do not sell or share personal information with third parties for monetary or other valuable consideration, and we do not use personal information for cross-context behavioral advertising. We do not engage in automated decision-making or profiling that produces legal or similarly significant effects about you.

8. Legal Bases for Processing (GDPR)

Where the EU or UK GDPR applies, we rely on the following legal bases under Article 6(1):

• Legitimate interests (Article 6(1)(f)): for keeping the Site available, secure, and free from abuse; for measuring aggregate readership using a privacy-preserving, cookieless analytics tool; and for maintaining server logs. Our assessment is that these interests are not overridden by the rights and freedoms of visitors, given the limited scope and non-identifying nature of the data.
• Compliance with legal obligation (Article 6(1)(c)): where we are required to retain or disclose information to comply with applicable law.
• Consent (Article 6(1)(a)): where you choose to send us an email with a question, you are consenting to our processing of that email solely to respond.

9. Service Providers and Sub-processors

We share limited information with the following service providers, each of which acts as a processor on our behalf and is bound by data-processing terms:

• Vercel Inc. — hosting, content delivery, build infrastructure, and Vercel Analytics. Refer to Vercel's published privacy notice for details.
• Domain registrar and DNS provider — for operating the maxxingpeptides.com domain and routing traffic. These providers do not receive content-level data.

The third-party vendor reached through the outbound redirect described in Section 6 is not a sub-processor of Maxxing Peptides. It is an independent controller for the data you provide on its site.

10. International Data Transfers

Maxxing Peptides operates from the United States. Our hosting provider serves the Site from a global edge network, which means request logs may be processed in data-center regions other than your country of origin (including the United States). For visitors located in the EU/EEA or the United Kingdom, the transfer of personal data to the United States is effected on the basis of the European Commission's adequacy decision for the EU-US Data Privacy Framework (where the recipient is certified) or on the basis of the European Commission's Standard Contractual Clauses, supplemented where necessary by the additional safeguards required by case law and guidance from supervisory authorities.

11. Data Retention

• Server access logs: retained by our hosting provider for the period set out in its published log-retention policy (typically not longer than 30 days for raw logs) and then deleted or aggregated.
• Vercel Analytics aggregates: retained for up to 12 months in aggregate, non-identifying form so that we can compare year-over-year readership.
• Email correspondence: retained no longer than is reasonably necessary to respond to your request and to maintain a record of resolution, after which it is deleted or anonymized.
• Statutory or legal-hold retention: where law requires longer retention (for example, in connection with a tax record or a litigation hold), we retain the relevant data for that statutory period only.

12. Data Security

We take reasonable and appropriate technical and organizational measures to protect the limited information we process: transport encryption (HTTPS/TLS) on every request to and from the Site, hardened hosting infrastructure operated by our service provider, the principle of data minimisation (we do not collect what we do not need), and strict role-based access for the small number of personnel who can read aggregated analytics. No method of transmission or storage is perfectly secure, however, and we cannot guarantee absolute security.

13. Your Rights — EU/EEA and United Kingdom (GDPR)

If you are located in the EU, EEA, or United Kingdom, you have the following rights with respect to your personal data:

• Right of access — confirmation of whether we hold personal data about you and a copy of it.
• Right to rectification — correction of inaccurate or incomplete data.
• Right to erasure ("right to be forgotten") — deletion in defined circumstances.
• Right to restriction of processing.
• Right to data portability where processing is based on consent or contract and is automated.
• Right to object to processing based on legitimate interests, including profiling.
• Right to withdraw consent at any time, where consent is the legal basis.
• Right to lodge a complaint with a supervisory authority — for example, your local Data Protection Authority in the EU/EEA or the Information Commissioner's Office (ICO) in the United Kingdom.

To exercise any of these rights, email privacy@maxxingpeptides.com. We will respond within one calendar month, extendable by two further months for complex requests, in accordance with Article 12(3) GDPR. Because we hold a very limited amount of non-identifying data, we may need additional information from you to verify that the data we hold relates to you before we can act on a request — and in some cases we may not be able to identify a specific record at all.

14. Your Rights — California (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act gives you the following rights:

• Right to know the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for which we collected it, and the categories of third parties with whom we shared it.
• Right to delete personal information we have collected from you, subject to statutory exceptions.
• Right to correct inaccurate personal information we maintain about you.
• Right to limit use of sensitive personal information. We do not collect sensitive personal information as defined under the CPRA, so this right does not have a practical application on the Site.
• Right to opt out of the sale or sharing of personal information. We do not sell personal information for monetary consideration and we do not share it for cross-context behavioral advertising. There is therefore nothing to opt out of, and we treat any opt-out request as already honored by default.
• Right of non-discrimination for exercising any of the rights above.

In the preceding twelve months, the categories of personal information we have collected fall under "Internet or other electronic network activity information" and "Geolocation data" (country level only) as defined in Cal. Civ. Code §1798.140. We have not sold or shared any category of personal information for cross-context behavioral advertising. To submit a request, email privacy@maxxingpeptides.com. You may also designate an authorized agent to act on your behalf; we may require written proof of authorization and identity verification before responding.

15. Other US State Privacy Rights

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive consumer privacy laws have substantially equivalent rights — to access, delete, correct, and obtain a portable copy of personal data, and to opt out of targeted advertising, the sale of personal data, and certain profiling. Because we do not engage in targeted advertising, sale of personal data, or qualifying profiling, those opt-outs are honored by default. To exercise an access, deletion, correction, or portability right, contact us at privacy@maxxingpeptides.com. If we deny a request, you may have the right to appeal in your state.

16. Global Privacy Control and Do Not Track

We honor the Global Privacy Control (GPC) browser signal as a valid opt-out under the CCPA/CPRA and equivalent state laws. Because we do not sell or share personal information and do not engage in targeted advertising, GPC and Do Not Track signals do not change Site behavior in practice — there is no profile to suppress and no advertising signal to disable.

17. Children's Privacy

The Site is not directed at children under 16, and the products discussed on the Site are sold for adult, laboratory-use research only. We do not knowingly collect personal information from children under 16, and we comply with the US Children's Online Privacy Protection Act (COPPA) and applicable international child-data protection rules. If you believe a child has provided personal information to us, contact us at privacy@maxxingpeptides.com and we will delete it promptly.

18. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, in the services we use, or in the law. The "Last updated" and "Effective date" values at the top of this page indicate the most recent revision. Material changes will be highlighted at the top of this page for at least 30 days following the effective date. Your continued use of the Site after the effective date constitutes acceptance of the updated Policy.

19. Contact Us

For privacy-related questions, requests, or complaints, contact us at privacy@maxxingpeptides.com. If you prefer, you may also write to us using the postal contact address available on request via the same email. We aim to respond to all privacy inquiries within 30 days, and within statutory deadlines where applicable law (such as the GDPR or CCPA) prescribes a shorter response window.