1. Overview & Scope
Arcadia Labs LLC d/b/a Iron Steed Labs ("Iron Steed Labs," "we," "us," or "our") operates the website ironsteedlabs.com and sells Research Use Only (RUO) peptides exclusively to independent researchers for legitimate scientific research purposes. This Privacy Policy explains how we collect, use, share, and protect personal information we receive from visitors, researchers, and customers who interact with our website, services, and communications channels.
This Policy applies to:
- All visitors to ironsteedlabs.com
- Researchers who place orders or inquire about products
- Individuals who contact us via email, our AI-powered chat assistant, or social media (including Instagram)
- Subscribers to our email communications
By using our website or services, you acknowledge and agree to the practices described in this Privacy Policy. If you do not agree, please discontinue use of our services.
2. Data We Collect
2.1 Information You Provide Directly
- Identity data: Full name
- Contact data: Email address, mailing/shipping address
- Institutional data: Research institution or organization affiliation (voluntary)
- Order data: Products ordered, order history, purchase dates
- Communications: Messages sent via contact forms, email inquiries, or Instagram DMs
- Research context: Information you voluntarily provide about your research purpose
2.2 Information Collected Automatically
- Usage data: Pages visited, time spent on pages, referral URLs, browser type and version, operating system
- Technical data: IP address, device identifiers (anonymized where possible)
- Cookies & similar technologies: Session cookies necessary for website function; analytics cookies (where consent is obtained)
2.3 What We Do NOT Collect
- We do not collect payment card numbers, bank account details, or full payment credentials — all payment processing is handled exclusively by Square (see Section 5).
- We do not collect sensitive personal information such as health data, biometric data, race, religion, or sexual orientation.
- We do not knowingly collect data from individuals under 18 years of age.
2.4 Information From Third Parties
We may receive limited information from third-party platforms, such as:
- Meta (Instagram): Name, Instagram username, and message content when you initiate contact via Instagram Direct Message using Meta's Messaging API.
- Square: Order confirmation data and transaction identifiers (not full payment credentials).
3. How We Use Your Data
We use personal data only for the purposes described below:
- Order fulfillment: Processing, packaging, and shipping your orders; sending order confirmations and tracking information via Resend.
- Customer communications: Responding to inquiries, requests, complaints, or data subject requests sent to us by email or Instagram.
- Compliance & verification: Verifying researcher identity and institutional affiliation as part of our responsible sales compliance process.
- Lead management: Capturing prospective researcher inquiries in Google Sheets for follow-up. Leads are not shared with third parties and are used solely for sales communications.
- Transactional email: Sending order receipts, shipping updates, and critical account notifications via Resend.
- Website improvement: Analyzing anonymous usage data to improve our website and user experience.
- Legal obligations: Complying with applicable laws, regulations, court orders, or governmental requests.
We do not use personal data for automated decision-making or profiling that produces legal or similarly significant effects on individuals.
4. Lawful Basis for Processing (GDPR)
If you are located in the European Union or European Economic Area (EU/EEA), we rely on the following lawful bases under Article 6 of the GDPR to process your personal data:
| Processing Activity | Lawful Basis |
|---|---|
| Processing and fulfilling your order | Contract performance (Art. 6(1)(b)) — necessary to perform the contract with you |
| Sending order confirmations and transactional emails | Contract performance (Art. 6(1)(b)) |
| Maintaining order and business records | Legal obligation (Art. 6(1)(c)) — accounting, tax, and regulatory retention requirements |
| Responding to inquiries and support requests | Legitimate interests (Art. 6(1)(f)) — we have a legitimate interest in responding to customer communications |
| Lead capture and marketing follow-up | Legitimate interests (Art. 6(1)(f)) — with opt-out provided; or Consent (Art. 6(1)(a)) where required |
| Website analytics | Legitimate interests (Art. 6(1)(f)) for anonymous analytics; Consent for non-essential cookies |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interests, we have conducted a balancing test confirming our interests do not override your fundamental rights and freedoms. You may request a summary of any such assessment by contacting us at privacy@ironsteedlabs.com.
International Data Transfers
Arcadia Labs LLC d/b/a Iron Steed Labs is based in the United States. If you are located in the EU/EEA or UK, your personal data may be transferred to and processed in the United States. Where required, we rely on Standard Contractual Clauses (EU SCCs, June 2021 version) or other appropriate transfer mechanisms recognized under GDPR Chapter V to ensure adequate protection of your data.
Our third-party processors are required to maintain comparable safeguards. Please refer to each processor's own data protection documentation for transfer mechanism details.
5. Third-Party Processors
We share personal data only with the following trusted service providers, each engaged solely to provide services on our behalf. We do not permit these providers to use your data for their own purposes beyond the services they provide to us.
| Processor | Purpose | Data Shared | Privacy Info |
|---|---|---|---|
| Square, Inc. | Payment processing | Name, billing address, email; payment card data processed directly by Square — we never receive or store full card numbers | Square Privacy Policy |
| Google LLC | Lead capture and data management (Google Sheets) | Name, email, institutional affiliation, inquiry details | Google Privacy Policy |
| Anthropic, PBC | AI-powered chat assistant (Claude API) | Chat message content submitted during a session; sessions are ephemeral and not persistently stored by Iron Steed Labs | Anthropic Privacy Policy |
| Meta Platforms, Inc. | Instagram Direct Messaging (Meta Messaging API) | Instagram username, name (if provided), message content when you contact us via Instagram DM | Meta Privacy Policy |
| Resend, Inc. | Transactional email delivery | Name, email address, email content (order confirmations, shipping notices) | Resend Privacy Policy |
| Railway Corp. | Cloud hosting for AI chatbot backend | Server logs may transiently include IP addresses; no persistent personal data storage by Iron Steed Labs on Railway beyond ephemeral session handling | Railway Privacy Policy |
| Netlify, Inc. | Website hosting and CDN | Standard server access logs (IP address, browser type, pages visited) retained per Netlify's standard data retention policy | Netlify Privacy Policy |
We do not engage additional sub-processors without appropriate data protection assessments. If you have questions about any processor, contact us at privacy@ironsteedlabs.com.
6. No Sale or Sharing of Personal Data
This applies to all users, including California residents exercising rights under CCPA/CPRA. Because we do not sell or share personal data for advertising, there is no need to opt out of any data sale; however, the right to opt out is acknowledged and honored as described in Section 9.
We disclose personal data to third-party processors only as described in Section 5 above, and solely as necessary to provide our services.
We may disclose personal data if required to do so by law, court order, subpoena, or governmental authority, or where we believe disclosure is necessary to protect the rights, property, or safety of Iron Steed Labs, our customers, or the public.
7. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law:
- Order records & billing data: Retained for a minimum of 7 years to comply with applicable tax and accounting laws. Records are archived and access-restricted after fulfillment.
- Customer communications: Retained for up to 3 years from last contact, unless a deletion request is submitted.
- Lead and inquiry data (Google Sheets): Retained for up to 2 years from collection, reviewed annually.
- Chat session data: Ephemeral — not stored persistently beyond the active session.
- Website server logs: Typically retained by hosting providers (Netlify, Railway) for 30–90 days per their standard policies.
- Marketing email lists: Retained until you unsubscribe or request deletion.
Upon a verified deletion request, we will delete or anonymize your personal data within 30 calendar days, except where retention is required by law or necessary for the establishment, exercise, or defense of legal claims.
8. Your Rights Under GDPR (EU/EEA)
If you are located in the EU or EEA, you have the following rights under the General Data Protection Regulation (GDPR):
- Obtain a copy of the personal data we hold about you (Art. 15).
- Request correction of inaccurate or incomplete personal data (Art. 16).
- Request deletion of your personal data ("right to be forgotten") where no lawful retention ground applies (Art. 17).
- Request that we restrict processing of your data in certain circumstances (Art. 18).
- Receive your data in a structured, commonly used, machine-readable format (Art. 20).
- Object to processing based on legitimate interests, including direct marketing (Art. 21).
- Withdraw consent at any time where processing is consent-based, without affecting prior processing.
- Lodge a complaint with your local supervisory authority (e.g., your national data protection authority).
Response Timelines
We will acknowledge your request within 72 hours and provide a substantive response within 30 calendar days of receipt. Where a request is complex or numerous, we may extend this period by an additional 60 days, in which case we will notify you of the extension and the reasons within the initial 30-day period.
How to Exercise GDPR Rights
Submit a request using the form at the bottom of this page, or email privacy@ironsteedlabs.com with the subject line "Data Request". We may need to verify your identity before processing your request. We will not charge a fee for reasonable requests; manifestly unfounded or excessive requests may be subject to a reasonable fee or refusal, with explanation provided.
Right to Lodge a Complaint
If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with your EU Member State's supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu.
9. Your Rights Under CCPA/CPRA (California)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following rights:
- Know what categories and specific pieces of personal information we have collected about you and how it is used and shared.
- Request deletion of personal information we have collected, subject to certain exceptions.
- Request correction of inaccurate personal information (CPRA right).
- Opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising. We do not sell or share data, but you may assert this right.
- Limit the use and disclosure of sensitive personal information (CPRA right).
- Not receive discriminatory treatment for exercising any of your CCPA/CPRA rights.
Categories of Personal Information Collected (CCPA)
| CCPA Category | Examples Collected | Business Purpose |
|---|---|---|
| Identifiers | Name, email address, IP address | Order fulfillment, communications, website function |
| Commercial Information | Products purchased, order history, transaction amounts | Order fulfillment, account management |
| Internet/Electronic Activity | Browsing history on our website, chat session content | Website improvement, customer support |
| Geolocation Data | Shipping address, general location inferred from IP | Order fulfillment, fraud prevention |
| Professional/Employment Info | Institutional affiliation (voluntary) | Researcher verification, compliance |
| Inferences | Research interests inferred from inquiry content | Personalized communications (opt-out available) |
Right to Opt-Out of Sale/Sharing
As stated in Section 6, Iron Steed Labs does not sell or share personal information for cross-context behavioral advertising. If you nonetheless wish to formally assert your opt-out right, email us at privacy@ironsteedlabs.com with the subject line "Do Not Sell or Share My Personal Information."
Response Timelines
We will acknowledge your request within 10 business days and provide a substantive response within 45 calendar days. Where necessary, we may extend by an additional 45 days with notice.
Authorized Agents
California residents may designate an authorized agent to submit requests on their behalf. We will require written proof of authorization and may verify the consumer's identity directly.
10. Data Subject Request (DSAR / SAR) Process
We have established a straightforward process to handle all data access, deletion, and correction requests from individuals exercising rights under GDPR, CCPA/CPRA, or any other applicable privacy law.
How to Submit a Request
Option 2 — Form: Use the Data Request Form at the bottom of this page. The form submits directly to privacy@ironsteedlabs.com.
What to Include
- Your full name and email address associated with your account or order
- The type of request: Access, Delete, or Correct
- A description of your request (e.g., "Please delete all personal data associated with my account" or "Please provide a copy of all data you hold about me")
- If submitting on behalf of another person: written authorization from that person
Verification
To protect your personal data, we will verify your identity before fulfilling any DSAR. Verification may require you to confirm details we already have on file (such as the email address associated with your account). We will not share data with an unverified requester.
Response Timeline
- Acknowledgment: Within 72 hours (GDPR) or 10 business days (CCPA)
- Substantive response / deletion: Within 30 calendar days (GDPR) or 45 calendar days (CCPA) from receipt of a verified request
- Extension: Up to an additional 60 days (GDPR) or 45 days (CCPA) for complex requests, with prior written notice
Data Deletion
Upon a verified deletion request, we will delete or permanently anonymize your personal data within 30 calendar days. We will also notify our third-party sub-processors (see Section 5) to delete your data where technically feasible and not prohibited by their terms of service or applicable law.
Deletion may not apply to data we are required to retain by law (e.g., tax and accounting records, legal hold obligations) or data necessary to defend legal claims. In such cases, we will inform you of the categories of data retained and the legal basis for retention.
No Fee
We do not charge a fee for fulfilling reasonable data requests. We reserve the right to charge a reasonable administrative fee for manifestly unfounded, repetitive, or excessive requests, or to decline such requests with explanation.
11. Security
We implement industry-standard technical and organizational measures to protect your personal data against unauthorized access, disclosure, alteration, or destruction. These measures include:
- Encryption in transit: All data transmitted to and from our website and services is encrypted using TLS (HTTPS).
- Access controls: Access to personal data is restricted to personnel who require it to perform their duties, and is governed by role-based access controls.
- Payment security: We do not process or store payment card data directly. All payment processing is performed by Square, a PCI DSS-compliant payment processor.
- Vendor assessments: We review security practices of our third-party processors and require appropriate contractual protections.
No method of electronic transmission or storage is 100% secure. In the event of a data breach affecting your rights and freedoms, we will notify affected individuals and, where required, the relevant supervisory authority within the timeframes required by applicable law (72 hours for GDPR reportable breaches).
If you believe your personal data has been compromised, please contact us immediately at privacy@ironsteedlabs.com.
12. Children's Privacy
Our products and services are intended solely for adult independent researchers aged 18 and older. We do not knowingly collect personal information from children under the age of 18. If we become aware that we have inadvertently collected personal information from a minor, we will promptly delete that information.
If you are a parent or guardian and believe we have collected data from your child, please contact us at privacy@ironsteedlabs.com.
13. Policy Changes
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Post a notice on our website for a reasonable period
- Where required by law, notify you directly by email
Your continued use of our website or services after the effective date of any update constitutes acceptance of the revised Policy. We encourage you to review this Policy periodically.
Previous versions of this Policy are available upon request by emailing privacy@ironsteedlabs.com.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Privacy Inquiries
Email: privacy@ironsteedlabs.com (subject: "Data Request" for DSARs)
Website: ironsteedlabs.com
We aim to respond to all privacy inquiries within 5 business days. For formal data subject requests (DSARs), see Section 10 for applicable timelines.
Submit a Data Request
Use this form to submit an Access, Deletion, or Correction request. Your message will be sent directly to privacy@ironsteedlabs.com. We will acknowledge receipt within 72 hours.