Privacy Policy & Data Protection


GDPR & Data Protection

Privacy Policy
& Data Protection

BIOTOPEP processes your personal data with the utmost care, in strict compliance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and national legislation in force.

GDPR Compliant (EU) 2016/679 Encrypted & secure data No third-party sales
Table of Contents
Article 1

Data Controller

The data controller for your personal data is the BIOTOPEP brand, whose logistical and administrative infrastructure is located within the European Union. BIOTOPEP’s primary activity is the distribution of high-purity peptides exclusively for scientific research.

For any questions regarding the processing of your personal data, you can contact our Data Protection Officer (DPO) at the following address: contact@biotopep.com.

This privacy policy was updated on May 21, 2025. BIOTOPEP reserves the right to modify it at any time to reflect legal, regulatory, or technical developments. The current version is the one available online on our website.

Article 2

Personal Data Collected

BIOTOPEP collects only the data strictly necessary for the performance of its services, in accordance with the principle of data minimization set forth in Article 5 of the GDPR.

Data Category Relevant Data Source Mandatory
Identification Data Last name, first name, company name, SIRET/intra-community VAT number Order form Yes
Contact Data Professional email address, phone number, shipping address Order form / customer account Yes
Scientific Qualification Data Institutional affiliation, nature of research activity, lab accreditation number Customer qualification form Yes
Financial Data Billing information, order history, transaction amounts (no credit card data stored) Order system / payment provider Yes
Connection Data IP address, browser type, pages visited, connection timestamps Automatic collection (server, analytics) Optional
Communication Data Content of emails exchanged with our customer service, support ticket history Incoming communications Depending on interaction
No banking data stored
BIOTOPEP does not store any credit card data on its servers. Payments are processed exclusively by our PCI-DSS certified payment providers (Stripe, PayPal). These providers are subject to their own privacy policies.
Article 3

Purposes of processing and legal bases

Purpose Description Legal basis (GDPR art. 6)
Order fulfillment Processing, preparation, shipping, and tracking of research peptide orders Contract (6.1.b)
Regulatory compliance verification Verification of customer eligibility (scientific research activity, accreditation) Legal obligation (6.1.c)
Accounting and tax management Issuance of invoices, accounting archival, tax and customs declarations Legal obligation (6.1.c)
Customer service Handling inquiries, complaints, and exchanges Contract (6.1.b)
Lot traceability Maintenance of peptide lot traceability records (regulatory requirement) Legal obligation (6.1.c)
Commercial communication Sending newsletters, promotional offers, and scientific news (with consent only) Consent (6.1.a)
Website improvement Anonymized statistical analysis of traffic and browsing behavior Consent (6.1.a)
Fraud prevention Detection and prevention of fraudulent orders and identity theft Legitimate interest (6.1.f)
Article 4

Data retention period

Personal data is retained only for the period strictly necessary for the purposes for which it was collected, in accordance with Article 5(1)(e) of the GDPR.

Type of data Retention period Justification
Order and billing data 10 years from the close of the accounting year Accounting obligation (Commercial Code art. L.123-22)
Lot traceability data 5 years from the shipping date Regulatory requirement for scientific traceability
Active customer account Duration of the commercial relationship + 3 years after the last interaction Customer relationship management, three-year limitation period
Commercial prospecting data 3 years from the last contact or withdrawal of consent CNIL recommendations (deliberation n°2016-264)
Connection logs (IP, browser) 12 months Legal obligation (ePrivacy directive)
Analytics cookies (anonymized) Maximum 13 months (in accordance with CNIL recommendations) CNIL recommendations on cookies
Customer service data / tickets 5 years from case closure Five-year civil limitation period (Civil Code art. 2224)
Article 5

Recipients of personal data

BIOTOPEP never sells, rents, or transfers your personal data to third parties for commercial purposes. However, your data may be communicated to the following categories of recipients within the strict framework of the described purposes.

Logistics and transport providers: They receive the data necessary for delivery (name, address, phone number). These providers act as data processors under Article 28 of the GDPR and are subject to confidentiality agreements.

Payment providers: Stripe and PayPal process the financial data required for payment collection. These providers are PCI-DSS certified and have their own data protection policies.

Website and data host: Data is hosted on servers located in the European Union, in ISO 27001 certified data centers.

Competent authorities: BIOTOPEP may be required to communicate data to judicial, customs, or tax authorities upon legal requisition.

Auditors and accountants: Our accounting firm and external auditors access billing data strictly within the framework of their legal duties, subject to professional secrecy.

Article 6

Transfers of data outside the European Union

BIOTOPEP strives to keep your data within the European Union. Some of our technical providers (particularly for hosting certain cloud services) may be established in the United States or other third countries.

In such cases, transfers are governed by the protection mechanisms provided for in the GDPR, including Standard Contractual Clauses (SCCs) approved by the European Commission (implementing decision 2021/914), or by the guarantees offered by the EU-US Data Privacy Framework (in force since July 2023).

Upon request sent to dpo@biotopep.com, you can obtain information on the safeguards implemented for these transfers.

Article 7

Your data protection rights

In accordance with the GDPR (Articles 15 to 22), you have the following rights regarding your personal data. These rights can be exercised at any time by contacting our DPO.

Right of access
Obtain confirmation that your data is being processed and receive a complete copy of it.
Art. 15 GDPR
Right to rectification
Correct inaccurate or incomplete data concerning you in our systems.
Art. 16 GDPR
Right to erasure
Request the deletion of your data, subject to legal retention obligations.
Art. 17 GDPR
Right to restriction of processing
Temporarily suspend the processing of your data in certain situations provided for by the GDPR.
Art. 18 GDPR
Right to data portability
Receive your data in a structured, commonly used and machine-readable format.
Art. 20 GDPR
Right to object
Object at any time to the processing of your data for commercial prospecting purposes.
Art. 21 GDPR
Right to withdraw consent
Withdraw consent previously given at any time, without affecting prior processing.
Art. 7(3) GDPR
Right to lodge a complaint
Lodge a complaint with the CNIL (www.cnil.fr) if you believe your rights are not being respected.
Art. 77 GDPR
How to exercise your rights?
Send your request by email to dpo@biotopep.com, specifying your identity and the nature of the right you wish to exercise. Attach a copy of your identity document if your request concerns data access or erasure. BIOTOPEP has one month to respond, extendable by two additional months in case of complexity or a large volume of requests.
Article 8

Cookies and trackers

Cookie type Purpose Duration Consent required
Strictly necessary cookies Browsing session, shopping cart, authentication, CSRF security Session No (essential)
Preference cookies Memorization of language, display preferences, and search filters 12 months Yes
Analytical cookies Anonymized audience measurement (number of visitors, page views, traffic origin) via a GDPR-compliant tool 13 months Yes
Marketing cookies Personalization of advertisements and behavioral targeting — BIOTOPEP does not currently use this type of cookie Not used

You can manage your cookie preferences at any time via the cookie management banner displayed during your first visit, or by accessing your browser's privacy settings. Refusing analytical cookies does not affect your ability to place orders on our site.

Article 9 — Data Security
Technical and organizational security measures

In accordance with Article 32 of the GDPR, BIOTOPEP implements appropriate security measures to protect your personal data against unauthorized access, loss, alteration, or accidental disclosure.

TLS 1.3
Encryption of in-transit communications
AES-256
Encryption of sensitive data at rest
ISO 27001
Certification of our data host
72h
Max. CNIL notification period in case of breach
Article 10

Contact with the Data Protection Officer

For any questions, requests to exercise rights, or complaints related to the protection of your personal data, you can contact our DPO by email at contact@biotopep.com.

If, after contacting us, you believe that your rights are not being respected, you have the option to lodge a complaint with the competent supervisory authority, in France the Commission Nationale de l'Informatique et des Libertés (CNIL), whose contact details are available at www.cnil.fr.

Legal Disclaimer — Exclusively for Scientific Use
BIOTOPEP products are research peptides intended exclusively for scientific laboratory use. They are not intended for human consumption, injection, or any veterinary or cosmetic use. The collection and processing of customers' scientific qualification data are necessary to verify the regulatory compliance of orders. This data is processed with the utmost confidentiality and is never disclosed to unauthorized third parties.