PepGuys

Privacy Policy

The data we collect, why, who we share it with, and how to get it back or delete it. Plain English first; the legalese is at the bottom.

Last updated · April 12, 2026
In plain English
We collect what we need to ship your order, run a research-grade catalog, and stop fraud. We don't sell your data, train AI models on your messages, or run third-party ad pixels. You can delete everything at any time.
§01

Our principles

  • Collect less. If we don't need it to ship a vial, we don't ask for it.
  • No selling, no ad networks. Your data is not a revenue stream.
  • No model training. We don't feed your messages or order history into AI training.
  • Easy export, easy delete. One button each, in account settings.
§02

What we collect

Here's everything, at a glance:

Kind | Examples | Why | Retention
Account info | Name, email, hashed password, researcher verification status. | Run your account and gate research-use-only products. | Until you delete your account + 30 days.
Order data | Items, quantities, shipping address, order notes. | Fulfill the order and route the shipment. | 7 years (tax + warranty).
Payment | BTC transaction hash only — no card numbers, no bank info, no billing address. | Confirm payment landed and match it to your order. | Not stored beyond order confirmation.
Device & log | IP, user agent, timestamps, page paths. | Security, abuse detection, debugging. | 90 days.
Support messages | What you write to us, attachments you send. | Resolve your ticket; train our humans (not models). | 3 years.
§03

Why we collect it

We process your data on these legal bases:

Contract
To accept and fulfill orders, ship vials, issue COAs, and process refunds. Without this we can't run the store.
Legitimate interest
Security, fraud detection, basic analytics, and protecting our staff and other customers from abuse.
Legal obligation
Tax records, customs declarations, and responses to lawful requests from regulators.
Consent
Marketing emails, optional analytics cookies, and anything we explicitly ask permission for. You can withdraw consent at any time.
§04

Who we share with

The only third parties that touch your data are the carriers that deliver your order:

  • USPS — standard shipping label and tracking.
  • FedEx — overnight shipping label and tracking.

They receive only the name and address needed to deliver the package. We do not sell, rent, or trade your information with anyone, full stop.

§05

Cookies & analytics

We use a single first-party session cookie to keep you signed in and a short-lived cart cookie. That's it for required cookies.

Plausible collects anonymous, aggregated traffic data — no IPs stored, no cross-site tracking, no third-party cookies. You can opt out under Settings → Privacy.

Do Not Track
We honor the DNT and Sec-GPC headers. If your browser sends either, we disable analytics for your visit.
§06

How long we keep it

Specific retention is in the table in §02. Generally: as long as we need to deliver the service, fulfill warranties, and meet tax / legal obligations. After that, we delete or anonymize.

If you delete your account, we wipe profile data within 30 days and keep only what we must (invoices for tax, COA records linked to your order number).

§07

Your rights

You can, at any time:

  • Access — download a JSON of everything we have on you.
  • Correct — edit anything inaccurate from your account page.
  • Delete — purge your account; we honor within 30 days.
  • Port — export order history in CSV.
  • Object — opt out of marketing or any non-essential processing.

California residents have rights under CCPA/CPRA, including the right to know what we sell or share — we sell nothing. To exercise any right, email privacy@pepguys.com from the address on your account.

Note: PepGuys does not sell to or service customers in the European Union or United Kingdom. EU/UK residents should not create an account or place an order.

§08

Security

All traffic uses TLS 1.3. Passwords are stored hashed (argon2id). Card data never touches our servers. We run quarterly penetration tests and our infrastructure is hosted on SOC-2-audited platforms.

No system is unbreakable. If we discover a breach affecting your data, we'll notify you and the appropriate authorities within 72 hours of confirmation.

§09

Children

The site is intended for adult researchers. We do not knowingly collect data from anyone under 18, and we do not market to them. If you believe a child has registered, write us and we'll delete the account.

§10

Contact us

Privacy questions? Email privacy@pepguys.com. For postal mail:

PepGuys Labs — Privacy
2400 E. Cesar Chavez St.
Austin, TX 78702
United States