Privacy policy.
Who we are
Astrel Bio is the controller of the personal data you provide to us. We are registered with the UK Information Commissioner’s Office.
What we collect
The personal data we collect about you may include:
- Name and email address (account, orders, contact form)
- Shipping and billing address (orders)
- Phone number (optional, for delivery)
- Research institution (optional, on registration)
- Order history and the products you purchase
- Hashed IP for newsletter consent and contact-form audit logging
- Communications you have with our support team
We do not collect or store payment card details — those are handled directly by our payment processor.
Why we collect it (lawful bases)
- Contract performance — to fulfil orders, take payment, ship goods, and provide customer support
- Legal obligation — to keep VAT and order records as required by HMRC for seven years
- Consent — for the newsletter (you opt in; you can withdraw at any time)
- Legitimate interests — for site analytics (we use Plausible, which collects no personal data and sets no cookies), for security logging, and for the audit trail on contact-form submissions
How long we keep it
- Account data — until you delete your account; the account is then deactivated immediately and personally-identifying fields are scrubbed after a 30-day cooling period
- Order records — seven years from order date, as required for VAT-registered businesses under UK HMRC rules. Personally-identifying fields on orders linked to deleted accounts are redacted at the 30-day point
- Newsletter subscribers — until you unsubscribe
- Contact form submissions — three years from submission, then deleted
Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you — request via data export or email
- Correct inaccurate personal data
- Delete your account — request via account delete or email (subject to legal retention for VAT records)
- Restrict or object to processing
- Withdraw consent for newsletters or marketing at any time
- Lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk) if you think we have handled your data unlawfully
Cookies & analytics
We use the following cookies for essential functionality:
- astrel_age_verified — your age confirmation (1 year)
- astrel_cart_token — your shopping cart (60 days)
- Auth.js session cookie — your sign-in session (30 days, signed in only)
For analytics we use Plausible, a privacy-friendly analytics service that collects aggregated traffic data, sets no cookies, and processes no personally identifying information. Because Plausible processes no PII, it does not require a consent banner under ICO guidance.
Sharing your data
We share your personal data only with the third parties required to deliver our service to you:
- Our payment processor — for the duration of a transaction
- Our shipping carrier — name and address only, for delivery
- Our hosting provider — encrypted in transit and at rest
- Our email provider — for transactional emails (order confirmations, password resets) and, if you have opted in, the newsletter
We do not sell your personal data to anyone, ever. We do not use it for retargeted advertising.
Contact
For any privacy-related question or to exercise a right above, contact privacy@astrelbio.co.uk.