🇬🇧 UK Manufactured & TestedCertificate of Analysis IncludedFor Research Use Only
Mercia Research

Legal · Privacy

Privacy Policy

Last updated: 17 May 2026

1. Who we are

Mercia Research Limited (“Mercia Research”, “we”, “us”, “our”) is a UK supplier of research-grade peptides for in-vitro laboratory and analytical reference work.

Our registered office is 5th Floor, 167-169 Great Portland Street, London, United Kingdom, W1W 5PF. For any data-protection enquiry contact privacy@merciaresearch.lab.

We are the data controller for personal data processed through merciaresearch.lab under the UK GDPR and the Data Protection Act 2018.

2. What personal data we collect

  • Order data: name, email, billing/shipping address, the items you order, order reference, tracking token, order events.
  • Communications: email content and metadata when you contact us through the contact form or by email.
  • Newsletter: email address and signup source if you choose to subscribe.
  • Technical data: IP address and browser user-agent string when you submit forms (recorded for fraud-prevention and abuse-monitoring purposes).
  • Payment data: in production, card payments are handled by a PCI-DSS certified payment processor (e.g. Stripe). We do not store raw card numbers; we only retain the last 4 digits, expiry month and a processor token to enable refunds.

We do not currently use behavioural analytics or advertising cookies. The only cookie we set is a session cookie for the admin login.

3. Lawful basis for processing

  • Contract — to fulfil your order and provide customer support.
  • Legal obligation — to keep commercial records for the period required by HMRC and other UK statutes.
  • Consent — for the newsletter subscription, which you can withdraw at any time.
  • Legitimate interests — to keep the site secure, prevent fraud, and improve our service.

4. How long we keep your data

  • Order records: 6 years from the date of the order, to meet UK accounting/HMRC requirements.
  • Contact-form messages: 24 months from receipt, then deleted.
  • Newsletter subscriptions: until you unsubscribe.
  • Server logs: 30 days for security-monitoring purposes.

5. Who we share your data with

We share personal data only with carefully chosen processors necessary to operate the service:

  • Payment processor (Stripe or equivalent) — to take and refund payments.
  • Shipping carrier (DHL, DPD or Royal Mail) — to deliver cold-chain shipments.
  • Email infrastructure (Resend or equivalent) — to send transactional and consented marketing emails.
  • Hosting provider — to operate the website and database.

We never sell your data and never share it for third-party advertising. Where a processor is outside the UK, we ensure transfers are covered by adequacy regulations or the UK International Data Transfer Addendum to the EU Standard Contractual Clauses.

6. Your rights under UK GDPR

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — ask us to correct inaccurate or incomplete information.
  • Right to erasure — ask us to delete your data subject to legal retention requirements.
  • Right to restrict or object to processing.
  • Right to data portability — receive your data in a machine-readable format.
  • Right to withdraw consent (e.g. from the newsletter) at any time.
  • Right to complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk.

To exercise any right, email privacy@merciaresearch.lab from the email address associated with your record. We will respond within one calendar month.

7. Security

We protect personal data with TLS in transit, encrypted database storage at rest, and access controls limiting who can see customer information. Despite our efforts, no system is completely secure; please notify us immediately at security@merciaresearch.lab if you suspect a breach.

8. Cookies

We use a single, strictly-necessary HTTP-only session cookie when you sign in to the admin area. We do not set any analytics, advertising or third-party tracking cookies on the public site. We will update this section if that ever changes.

9. Children

Our site is intended only for users aged 18 or over. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, contact us and we will delete it.

10. Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top of the page records when changes were made. Material changes will be highlighted at the top of the page for at least 30 days.

11. Contact

For any privacy enquiry email privacy@merciaresearch.lab or write to us at the address at the top of this page.

See also our Terms & Conditions and FAQ.