Personal data, processed only for what is asked of it.
This document records what personal data Cresten Labs collects, why each category is collected, the legal basis for processing, the retention period, and the rights of the data subject under the General Data Protection Regulation. The policy is updated when the practice is updated, not on a schedule.
This privacy policy provides the disclosures required under Articles 13 and 14 of the European General Data Protection Regulation (Regulation 2016/679, GDPR), together with equivalent disclosures under applicable United States privacy law. Section numbers below correspond to topical disclosure groups; the substantive content satisfies Articles 13(1), 13(2), 14, 21, 22, and 27 in respect of EU data subjects.
1. Identity of the controller
Meridian Land Ventures LLC, a limited liability company organised under the laws of the State of Delaware, United States of America, trading as Cresten Labs, is the controller of personal data processed through this site within the meaning of GDPR Article 4(7). Full corporate identification details are published on the Imprint page.
For all matters concerning the processing of personal data, including the exercise of data subject rights, contact privacy@crestenlabs.eu. We do not currently designate a Data Protection Officer; the privacy mailbox is monitored by qualified personnel within the company.
2. EU representative (GDPR Article 27)
Because the controller is established outside the European Union and offers goods or services to data subjects in the Union, an EU representative is designated in writing under GDPR Article 27 to act as the contact point for supervisory authorities and data subjects in the Union on all matters relating to the processing of personal data.
EU data subjects may contact the representative directly for any matter under the GDPR. Contact with the representative does not preclude direct contact with the controller at privacy@crestenlabs.eu.
3. Categories of personal data we process
We process the minimum data necessary for each defined purpose. The categories of personal data are:
- Identification data: first name, last name, salutation where given, country of residence.
- Contact data: email address, postal shipping address, telephone number where voluntarily provided.
- Transaction data: order reference, items ordered, batch references, order date and time, order total, payment method indicator (not card details), inquiry acknowledgement record (the six affirmative confirmations made at order placement, with timestamps).
- Account data: where an optional account is created, email address, hashed password, order history, communication preferences.
- Communication data: messages sent to research, compliance, legal, wholesale, or privacy email addresses, with the metadata necessary to reply and to maintain a service record.
- Technical data: IP address (truncated before storage), browser user agent string (truncated to 200 characters), language preference, page-view timestamps, device class. Technical data is not joined to identification data unless an order is completed from the same session.
- Cookie consent data: the choice you made on the cookie banner, the timestamp of that choice, and the version of the policy displayed at the time.
Sources of personal data: data we process is collected directly from the data subject through the website forms, email correspondence, or order placement. We do not acquire personal data from data brokers, advertising aggregators, or third-party advertising networks.
4. What we refuse to collect
- Special category data under GDPR Article 9. We do not collect health data, biometric data, genetic data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual orientation, or sex life data.
- Information about how a buyer intends to use a research compound. Buyer use is the buyer’s decision within their own research framework. We do not ask, and we do not record any answer if volunteered.
- Cross-site tracking data. No Facebook Pixel, no Google Ads conversion pixel, no third-party retargeting tags, no fingerprinting scripts, no session-replay tools.
- Personal data from minors. The site is age-gated to 21+ at first visit and the order acknowledgement requires affirmation of 21+ at order placement. We do not knowingly collect data from individuals under 18, or from individuals between 18 and 21 in jurisdictions where 21 is the threshold.
- Geolocation beyond country level. We do not collect precise geolocation, GPS coordinates, or device location services data.
5. Purposes of processing and lawful basis
Each purpose has a defined lawful basis under GDPR Article 6, and the data processed for that purpose is limited to what is necessary for it (data minimisation, Article 5(1)(c)).
| Purpose | Data categories used | Lawful basis (GDPR Art. 6) |
|---|---|---|
| Order fulfilment. Processing the order, taking payment, dispatching the compound. | Identification, contact, transaction. | Performance of contract (Art. 6(1)(b)). |
| Inquiry acknowledgement record. Logging the six affirmative confirmations made at order placement. | Transaction (acknowledgement record), technical (IP, timestamp). | Legal obligation (Art. 6(1)(c)) and legitimate interest in regulatory compliance (Art. 6(1)(f)). |
| Tax and accounting records. Retaining order records for the legally mandated period. | Identification, contact, transaction. | Legal obligation (Art. 6(1)(c)). |
| Customer support. Responding to research, compliance, or order questions. | Contact, communication. | Legitimate interest in customer service (Art. 6(1)(f)) or contract performance (Art. 6(1)(b)) where the inquiry concerns an active order. |
| Optional account. Maintaining an account for repeat ordering. | Account, transaction. | Consent given at account creation (Art. 6(1)(a)), withdrawable by deleting the account. |
| Editorial newsletter. Sending the methodology briefing and subsequent editorial issues. | Contact (email only). | Consent given at signup (Art. 6(1)(a)), withdrawable from any newsletter. |
| Site operation and security. Operating the site, preventing abuse, mitigating security incidents. | Technical (truncated IP, user agent, request metadata). | Legitimate interest in operating a secure website (Art. 6(1)(f)). |
| Cookie consent record. Recording your cookie banner choice. | Cookie consent data only. | Legal obligation (Art. 6(1)(c)) per ePrivacy Directive 2002/58/EC and Art. 7 GDPR (proof of consent). |
| Fraud prevention. Detecting and preventing fraudulent orders, chargeback fraud, identity fraud. | Transaction, technical, payment processor signals. | Legitimate interest in preventing fraud (Art. 6(1)(f)) and legal obligation under applicable AML rules (Art. 6(1)(c)). |
| Aggregated analytics. Understanding site usage in aggregate. | Technical (anonymised, aggregated). | Legitimate interest in operational measurement (Art. 6(1)(f)). Where any analytics tool sets non-essential cookies, consent (Art. 6(1)(a)) and ePrivacy Directive Article 5(3) apply. |
Where processing is based on legitimate interest, the controller has conducted a balancing test under GDPR Article 6(1)(f). A summary of any specific balancing test is available on request to privacy@crestenlabs.eu.
6. Recipients of personal data
Personal data is shared only with the following categories of recipients, each of which is bound either by a Data Processing Agreement under GDPR Article 28 (where they act as a processor on our behalf) or operates as an accredited controller for the data we share with them.
| Recipient category | Purpose | Role |
|---|---|---|
| Hosting and content delivery. Cloudflare, Inc. (US, with EU data residency configured) and our primary hosting provider. | Site delivery, DDoS mitigation. | Processor. |
| Email transport. Our transactional and editorial email service provider, named in advance of any newsletter or transactional dispatch. | Email delivery. | Processor. |
| Payment processors. The merchant acquirer, card processor, SEPA processor, and where applicable the cryptocurrency gateway. | Taking payment. | Accredited controller for card data; processor for transaction reference data shared back to us. |
| Shipping carriers. InPost, Packeta, DPD, or equivalent EU-licensed carriers. | Delivery. | Accredited controller for delivery data. |
| Fulfilment partner. EU-located fulfilment partner who picks, packs, and dispatches orders. | Order fulfilment. | Processor. |
| Tax and accounting service. Our retained accountants and tax advisors. | Statutory record keeping. | Processor (or accredited controller for their own statutory records). |
| Legal advisors. Engaged law firms in connection with regulatory inquiries or specific legal matters. | Legal advice and representation. | Accredited controllers under their professional confidentiality regime. |
A current list of named processors with names, addresses, and the data they process is available on written request to privacy@crestenlabs.eu. We do not sell personal data. We do not share personal data with advertising networks, data brokers, or advertising aggregators.
7. International transfers
The controller is established in the United States. Personal data of EU data subjects is therefore transferred from the EU to the United States by virtue of the controller’s location. Where any processor is also established in the United States or in another country outside the European Economic Area, the same considerations apply.
Transfers to the United States are made on the basis of the EU-US Data Privacy Framework (where the recipient is certified) or on the basis of the European Commission’s Standard Contractual Clauses (Decision 2021/914) supplemented by appropriate technical and organisational measures including encryption in transit and at rest, access controls, and contractual obligations on processors.
Where transfers occur outside the EEA to countries that are not subject to an adequacy decision and not covered by Standard Contractual Clauses, transfers are made only on a derogation under GDPR Article 49 and only where strictly necessary. A copy of the safeguards in place for any specific transfer is available on request.
8. Retention periods
- Order records and inquiry acknowledgements: 7 years from the order date, as required by applicable tax, accounting, and consumer protection regulations. After 7 years the records are deleted or fully anonymised.
- Account data: until the account is deleted by the data subject, or after 3 years of complete inactivity, whichever is sooner.
- Editorial newsletter list: until the data subject unsubscribes, plus a 30-day operational lag for system propagation. Unsubscribe records are kept for a further 12 months as proof of withdrawal.
- Customer correspondence: 2 years from the last reply, then deleted, except where retention is required for an open dispute, regulatory matter, or legal proceeding.
- Cookie consent records: 12 months from the consent decision, then deleted (the banner reappears for a fresh decision).
- Anonymised analytics: 26 months in identifiable form, then aggregated only.
- Server logs: 30 days for raw logs, then aggregated. IP addresses in raw logs are truncated before storage.
Where data is retained beyond the period in which it is actively used (for example, order records held for tax purposes), it is held in a restricted-access archive and is no longer used for any active purpose.
9. Automated decision-making and profiling
The controller does not engage in automated decision-making, including profiling, that produces legal effects concerning the data subject or similarly significantly affects the data subject within the meaning of GDPR Article 22. Order acceptance, customer service responses, and editorial decisions are made by qualified personnel reviewing the relevant facts. Fraud prevention may use automated signals as inputs, but any decision to decline an order is reviewed by a human before being communicated to the buyer.
10. Your rights
EU data subjects have the rights set out below under the GDPR. Data subjects in the United States have substantially equivalent rights under applicable state privacy laws (including but not limited to California, Colorado, Connecticut, Virginia, Utah). To exercise any right, contact privacy@crestenlabs.eu or, for EU data subjects, the EU representative identified in Section 2. We respond within 30 days of a verified request, with one possible extension of two months for complex requests under GDPR Article 12(3).
- Right of access (Article 15). A copy of your personal data and the supplementary information required under Article 15(1).
- Right to rectification (Article 16). Correction of inaccurate or incomplete data.
- Right to erasure (Article 17). Deletion on request, subject to legal retention obligations and other Article 17(3) exceptions.
- Right to restrict processing (Article 18). Suspension of processing in the circumstances set out in Article 18(1).
- Right to data portability (Article 20). Provision of your data in a structured, commonly used, machine-readable format for the data you have provided directly under Article 6(1)(a) or 6(1)(b).
- Right to object (Article 21). Objection to processing based on legitimate interest under Article 6(1)(f), including a specific right to object to direct advertising.
- Right to withdraw consent (Article 7(3)). Withdrawal of consent at any time, without affecting the lawfulness of prior processing based on consent.
- Right not to be subject to automated decision-making (Article 22). As stated in Section 9, the controller does not engage in such decision-making within the meaning of Article 22.
- Right to lodge a complaint (Article 77). EU data subjects may file a complaint with their national supervisory authority. A list of EU supervisory authorities is published by the European Data Protection Board at edpb.europa.eu. EU data subjects may also contact the EU representative identified in Section 2.
We may ask for verification of identity before acting on a request, to prevent identity fraud. We respond to all requests in writing, by email to the address from which the request was received, unless the data subject specifies a different return method.
11. Security
Personal data is encrypted in transit using TLS 1.3 minimum and at rest using AES-256 minimum. Access to personal data is restricted to authorised personnel under contractual confidentiality and on a need-to-know basis. The site infrastructure is hosted with providers that maintain SOC 2 Type II or ISO 27001 certification. Backup data is encrypted and stored in a geographically separate location within the EU or under an EU adequacy decision.
In the event of a personal data breach, the relevant supervisory authorities are notified within 72 hours of the controller becoming aware of the breach, where required under GDPR Article 33. Affected data subjects are notified without undue delay where the breach is likely to result in a high risk to their rights and freedoms, under GDPR Article 34.
12. Children
The site is not directed at children. Access requires affirmation of being 21 years of age or older, and order placement requires the same affirmation again. We do not knowingly collect personal data from individuals under the threshold age. If we become aware that we have collected personal data from a person under the threshold, we delete it promptly. Parents or guardians with concerns can contact privacy@crestenlabs.eu.
13. Updates to this policy
We update this privacy policy when our processing practices change. The effective date and version below change when we update. Material changes are announced by email to active customers and by a banner on the site at least 30 days before the change takes effect.
Effective date: 2026-04-29
Last reviewed: 2026-04-29
Version: 2.0
GDPR Articles 13, 14, 21, 22, 27 disclosure compliance