CCPA & GDPR Policy

Pepgen Lab CCPA & GDPR Privacy Policy

Last Updated: October 31, 2025

Our peptide products are for laboratory research use only (not for human consumption). Cosmetic products are for external use as directed on labels.

PepGen Lab (“PepGen Lab,” “Company,” “we,” “our,” or “us”) respects your privacy and is committed to protecting personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard personal information when you access or use our website, place orders, or communicate with us.

This Policy is intended to comply with applicable data protection and privacy laws, including:

• The California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA)
• The EU General Data Protection Regulation (GDPR)
• The UK GDPR

This Policy applies to all users, including California residents and individuals located in the European Union, European Economic Area, and United Kingdom.

1. Data Controller

For the purposes of the GDPR and UK GDPR, PepGen Lab is the data controller responsible for the processing of your personal information.

Contact Information
Email: contact@pepgenlab.com
Website: https://www.pepgenlab.com/contact-us/
WhatsApp: +1 (917) 672-7361

2. Personal Information We Collect

We collect personal information directly from you, automatically through your interaction with our website, and from third-party service providers.

Categories of Personal Information

• Identifiers: Name, Email address, Telephone or WhatsApp number, IP address, Device and browser identifiers.
• Commercial Information: Order history, Billing and shipping addresses, Payment transaction details (processed by third-party payment processors), Invoices and receipts.
• Internet or Technical Information: Browser type and version, Operating system, Website interaction data, Cookies and similar tracking technologies.
• Professional or Business Information: Organization or company name, Laboratory, institutional, or business affiliation, Professional role or title (if voluntarily provided).
• Communications: Customer service correspondence, Support requests, Feedback and inquiries.

Sensitive Personal Information

PepGen Lab does not intentionally collect sensitive personal information, as defined under the CPRA or GDPR (including health data, biometric data, precise geolocation, or racial or ethnic origin).

If such information is voluntarily provided, it will be processed only for the specific purpose disclosed at the time of collection and in accordance with applicable law.

3. Purposes of Processing

We use personal information for the following purposes:

• To process and fulfill orders
• To administer customer accounts
• To provide customer support and respond to inquiries
• To send transactional or administrative communications
• To operate, maintain, and improve our website
• To conduct analytics and monitor performance
• To detect, prevent, and address fraud, security incidents, or unauthorized activity
• To comply with legal, regulatory, accounting, and tax obligations

4. Legal Bases for Processing (GDPR & UK GDPR)

We process personal data based on one or more of the following lawful grounds:

• Performance of a contract – where processing is necessary to fulfill an order or provide services.
• Consent – where you have provided consent, including for non-essential cookies.
• Legal obligation – where processing is required to comply with applicable laws.
• Legitimate interests – where processing is necessary for business operations, security, or improvement of services, and does not override your fundamental rights.

5. Disclosure of Personal Information

We disclose personal information only to trusted third parties, including:

• Payment processing providers
• Shipping and logistics partners
• IT service providers, hosting services, and analytics platforms
• Professional advisors, including legal and accounting firms
• Government authorities or regulators, where required by law

Sale or Sharing of Personal Information

PepGen Lab does not sell personal information and does not share personal information for cross-context behavioral advertising, as those terms are defined under the CPRA.

6. International Data Transfers

Personal information may be transferred to and processed in jurisdictions outside your country of residence. For individuals located in the EU, EEA, or UK, such transfers are conducted using lawful transfer mechanisms, including Standard Contractual Clauses, to ensure an adequate level of data protection.

7. Data Retention

We retain personal information only for as long as necessary to:

• Provide services
• Fulfill contractual obligations
• Comply with legal and regulatory requirements
• Resolve disputes
• Enforce agreements

Retention periods vary depending on the nature of the data and applicable legal requirements and are documented internally.

8. Security Safeguards

We implement reasonable and appropriate administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, disclosure, alteration, or destruction. While no system can guarantee absolute security, we continuously review and improve our security practices.

9. Your Privacy Rights

9.1 California Residents (CCPA/CPRA)

California residents have the right to:

• Know what personal information is collected, used, and disclosed
• Access personal information we maintain about you
• Request deletion of personal information, subject to lawful exceptions
• Request correction of inaccurate personal information
• Opt out of the sale or sharing of personal information (not applicable, as we do not sell or share)
• Limit the use and disclosure of sensitive personal information
• Not be discriminated against for exercising privacy rights

Submitting Requests
Email: contact@pepgenlab.com
Website: https://www.pepgenlab.com/contact-us/
WhatsApp: +1 (917) 672-7361
Requests will be verified and responded to within 45 days, as required by law.

9.2 EU / EEA / UK Residents (GDPR)

You have the right to:

• Access your personal data
• Rectify inaccurate or incomplete data
• Request erasure of personal data
• Restrict processing
• Object to processing
• Receive personal data in a portable format
• Withdraw consent at any time

You also have the right to lodge a complaint with your local data protection authority.

Requests may be submitted using the contact details above and will be addressed within 30 to 45 days.

10. Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve our website and to analyze usage. Where required by law, we obtain your consent before placing non-essential cookies. Cookie preferences may be managed or withdrawn at any time through our cookie banner or browser settings.

11. Automated Decision-Making

PepGen Lab does not engage in automated decision-making or profiling that produces legal or similarly significant effects.

12. Children’s Privacy

Our website and services are not intended for individuals under the age of 21, and we do not knowingly collect personal information from minors.

13. Updates to This Privacy Policy

We may update this Privacy Policy periodically. Any changes will be posted on this page, and the “Last Updated” date will reflect the most recent revision.