Data Controller
The data controller responsible for processing your personal data is:
ShePeps
For EU residents, ShePeps acts as the data controller under Article 4(7) GDPR. For UAE residents, ShePeps is the personal data controller under Article 1 UAE PDPL. Where required by GDPR Article 27, we maintain a representative within the European Economic Area — contact details available on request.
Data We Collect
We collect only what is necessary. The categories of personal data we process are set out below.
| Category | Examples | Source |
|---|---|---|
| Identity | Full name, professional credentials, age confirmation | You, at registration / age gate |
| Contact | Email address, phone number (WhatsApp orders) | You, during checkout / enquiry |
| Account | Username, password (hashed), account preferences | You, at account creation |
| Transaction | Order history, cart contents, invoices (no raw card data) | You, during purchase |
| Technical | IP address, browser type, device identifiers, referrer URL | Automatic — website interaction |
| Usage | Pages viewed, session duration, click patterns | Automatic — analytics (with consent) |
| Communications | Support enquiries, WhatsApp messages, emails | You, voluntarily |
| Professional | Research role, institutional affiliation, licence number | You, at verification or wholesale registration |
ShePeps does not collect or process special categories of personal data (health, biometric, genetic data) as defined under GDPR Article 9 or UAE PDPL Article 4. We do not collect payment card numbers — payment is handled by PCI-DSS compliant third-party processors.
Legal Bases for Processing
We process your personal data only where a lawful basis applies. Under GDPR Article 6 and UAE PDPL Articles 9–12, our legal bases are:
| Basis | When We Rely on It |
|---|---|
| Contract | Processing your order, managing your account, delivering products and invoices. Necessary for fulfilment of our purchase agreement. |
| Legal Obligation | Complying with UAE Commercial Transactions Law, VAT obligations, regulatory record-keeping, and age/professional verification requirements under applicable laws. |
| Legitimate Interests | Fraud prevention, site security, internal analytics, wholesale relationship management — subject to a balancing test ensuring your rights are not overridden. |
| Consent | Optional analytics cookies, marketing communications, and newsletters. You may withdraw consent at any time without affecting prior processing. |
How We Use Your Data
We use personal data for the following purposes only:
- To verify your age (21+) and professional research status before granting site access
- To process, fulfil, and dispatch your orders and send order confirmations
- To manage your account and provide customer support
- To process WhatsApp-based orders and respond to wholesale enquiries
- To send transactional communications (order updates, shipping notifications)
- To send marketing emails or newsletters — only with your explicit consent
- To comply with UAE federal law, VAT, and customs documentation requirements
- To detect and prevent fraudulent transactions and abuse
- To improve site functionality and product listings (aggregate analytics only)
- To generate Certificate of Analysis (COA) records associated with orders
ShePeps products are sold exclusively for in-vitro laboratory and research use. We do not collect health, clinical, or diagnostic data in connection with any end use. Your personal data is never processed to infer health conditions or used for profiling in a clinical sense.
Cookies & Tracking Technologies
We use cookies and similar technologies in compliance with the EU ePrivacy Directive and UAE TDRA Guidelines. Our cookies are categorised as follows:
| Type | Purpose | Consent Required |
|---|---|---|
| Strictly Necessary | Session management, age-gate state, cart functionality, security tokens | No — essential operation |
| Analytics | Aggregated visitor statistics, page performance, error logging | Yes — opt-in |
| Advertising / Health | Not used. We do not deploy health or medical advertising cookies per ePrivacy Directive and TDRA guidelines. | N/A — not deployed |
You can manage cookie preferences at any time via the cookie banner displayed on your first visit, or by contacting us at privacy@shepeps.com. Note that disabling strictly-necessary cookies may impair site functionality.
Our site may load a Facebook Meta Pixel for aggregate audience measurement only. Where required, this is loaded only after your cookie consent is obtained. The Pixel ID in our code is a placeholder — no health or research-related custom audiences are created using visitor data.
Data Sharing & International Transfers
We do not sell your personal data. We share data only in the following limited circumstances:
- Payment processors: Encrypted tokenised data only, via PCI-DSS compliant gateways (e.g. Stripe, Telr, or equivalent). No raw card data is transmitted to us.
- Logistics & couriers: Name and delivery address shared with shipping partners (DHL, Aramex, or equivalent) solely for fulfilment.
- IT infrastructure: Hosting and cloud providers (e.g. AWS, Cloudflare) acting as data processors under appropriate Data Processing Agreements (DPAs).
- Analytics providers: Anonymised/aggregated data only, where consent has been given (e.g. Google Analytics with IP anonymisation enabled).
- Legal compliance: UAE regulatory bodies, customs authorities, or law enforcement when required by law or valid legal process.
- Business transfers: In the event of a merger or acquisition, subject to equivalent privacy protections and advance notice to you.
International transfers (GDPR): Where data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) under GDPR Article 46(2)(c), or the adequacy decision applicable to the recipient country.
International transfers (PDPL): Cross-border transfers are conducted in accordance with UAE PDPL Chapter 6, ensuring the destination jurisdiction provides an adequate level of protection or that appropriate contractual safeguards are in place.
Data Retention
We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by law:
| Data Type | Retention Period | Basis |
|---|---|---|
| Order & transaction records | 7 years | UAE Commercial & Tax Law |
| Account data (active) | Duration of account | Contract |
| Account data (closed) | 3 years post-closure | Legitimate interest / dispute resolution |
| Age verification records | Duration of account + 1 year | Legal obligation |
| Marketing consent records | 3 years from last interaction | GDPR / PDPL — consent management |
| Server / access logs | 90 days | Security / fraud prevention |
| Support communications | 3 years | Legitimate interest |
After the applicable retention period, data is securely deleted or permanently anonymised in accordance with our internal data destruction procedures.
Security Measures
ShePeps implements appropriate technical and organisational measures to protect your personal data as required by GDPR Article 32 and UAE PDPL Article 16, including:
- TLS 1.2+ encryption for all data in transit (HTTPS enforced site-wide)
- Passwords stored using strong one-way hashing algorithms (bcrypt or equivalent)
- Access controls and role-based permissions limiting data access to authorised personnel only
- Regular security assessments and penetration testing
- Third-party processors vetted and bound by Data Processing Agreements (DPAs)
- Cloudflare DDoS protection and Web Application Firewall (WAF)
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware (GDPR Article 33), and notify you without undue delay where required (GDPR Article 34 / UAE PDPL Article 22).
Your Rights Under GDPR
If you are located in the European Economic Area or the United Kingdom, the GDPR grants you the following rights:
- Request a copy of the personal data we hold about you (Art. 15).
- Have inaccurate or incomplete data corrected without undue delay (Art. 16).
- Request deletion of your data ("right to be forgotten"), subject to legal obligations (Art. 17).
- Limit processing of your data in certain circumstances (Art. 18).
- Receive your data in a structured, machine-readable format and transfer it (Art. 20).
- Object to processing based on legitimate interests or direct marketing (Art. 21).
- Withdraw consent for consent-based processing at any time without penalty (Art. 7(3)).
- Not be subject to solely automated decisions with significant legal effects (Art. 22).
To exercise any of these rights, contact us at privacy@shepeps.com. We will respond within 30 days. You also have the right to lodge a complaint with your local Data Protection Authority (DPA).
Your Rights Under UAE PDPL
If you are located in the UAE or your data is processed within the UAE, the Federal Decree-Law No. 45 of 2021 (PDPL) grants you the following rights (Chapter 3):
- Right to be informed — to know what personal data we hold and how it is being processed
- Right of access — to request a copy of your personal data and obtain a record of processing activities
- Right to correction — to request correction of inaccurate, incomplete, or misleading personal data
- Right to erasure — to request deletion of your personal data where the purpose for collection no longer exists or where consent is withdrawn
- Right to restrict processing — to restrict processing of your data in specified circumstances
- Right to object — to object to processing where it causes harm or violates your privacy
- Right to data portability — to receive your data in a usable format or have it transferred to another controller
- Right to withdraw consent — to withdraw any consent previously given, without affecting the lawfulness of prior processing
To submit a PDPL data rights request, email privacy@shepeps.com with the subject line "PDPL Data Request". We will acknowledge within 5 business days. You may also file a complaint with the UAE Data Office established under the PDPL.
Age Restriction & Minors
ShePeps is exclusively for adults aged 21 years or older who are qualified researchers or licensed professionals. We do not knowingly collect personal data from individuals under 21. If we become aware that a minor has submitted personal data without appropriate verification, we will promptly delete that data. Contact us at privacy@shepeps.com if you believe we have inadvertently collected data from a minor.
Policy Updates & Contact
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. Material changes will be notified by:
- A prominent banner on our website for a period of not less than 30 days
- Email notification to registered account holders where practicable
The effective date at the top of this Policy reflects the date of the most recent revision. Your continued use of the site after notification constitutes acceptance of the revised Policy.
Get in Touch
For all privacy-related enquiries, data rights requests, or complaints: