
Privacy Policy

How we collect, use, share, retain, and protect your personal information — with full CCPA/CPRA, US state privacy, GDPR/UK, and COPPA disclosures.

Last updated:
Version: privacy-v0.1-20260409

For Laboratory Research Use Only

Products sold on this site are intended exclusively for in-vitro laboratory research by qualified professionals. They are not drugs, not dietary supplements, not foods, not cosmetics, and not medical devices. They are not FDA-approved to diagnose, treat, cure, prevent, or mitigate any disease, illness, or health condition. They are not for human or animal consumption under any circumstances.

Draft — pending counsel review. This document is a draft based on industry best practices and competitor analysis. It has not been reviewed by a licensed attorney and should not be relied upon as the operative policy until it has been. Do not launch without sign-off from counsel experienced with FDA / FFDCA and e-commerce compliance.

1. Scope And Who We Are

This Privacy Policy describes how [ENTITY_NAME] (“Ascend Bio Labs,” “we,” “us,” or “our”) collects, uses, shares, retains, and protects personal information when you visit ascendbiolabs.com or any related page, create an account, or purchase a product. It is incorporated into our Terms of Service.

We are the data controller (in EEA/UK terms) and business (in California terms) for the personal information described here.

2. Key Definitions

  • Personal Information (or “Personal Data”) means information that identifies, relates to, or could reasonably be linked with a particular individual or household.
  • Sensitive Personal Information has the meaning given by the California Privacy Rights Act (CPRA).
  • Process means any operation performed on Personal Information, whether automated or not — collection, storage, use, disclosure, deletion, etc.
  • Sell and Share have the meanings given by the CPRA. See Section 12.
  • Service Provider means a third party we engage to process Personal Information on our behalf under a written contract that restricts their use of it.

3. Information We Collect

We collect the following categories of Personal Information:

Identifiers and contact information

Name, email address, phone number, shipping and billing address, and Clerk user ID. Collected directly from you when you create an account, place an order, contact support, or sign up for email.

Commercial information

Products viewed and purchased, order history, cart contents, wishlist, discount codes used, and customer service interactions.

Payment information

Payment is processed by our third-party payment processor. We do not store full payment-card numbers, CVV codes, or bank account numbers on our servers. We receive limited information such as the last four digits of the card, card brand, expiration date, a processor token, and billing ZIP for fraud scoring and dispute handling.

Internet and device information

IP address, browser type and version, operating system, device identifiers, timestamp, referring URL, pages visited, clickstream, session duration, and cookie identifiers. See Section 9 and our Cookie Policy.

Approximate geolocation

General location inferred from your IP address (country, state, city, ZIP). We do not collect precise (GPS-level) geolocation.

Inferences

Inferences drawn from the above — for example, product interests and fraud risk signals — used to improve the Site and detect abuse.

Information we do NOT collect

We do not collect biometric information, precise GPS location, health or medical records, genetic data, racial or ethnic origin, religion, sexual orientation, union membership, or content of private communications you have with third parties.

4. Sources Of Collection

  • Directly from you — account registration, checkout, contact forms, email signup.
  • Automatically from your device — via cookies and similar technologies (see Section 9).
  • From our authentication provider (Clerk) — when you sign in with Google OAuth, Clerk passes us your name, email, and Clerk user ID.
  • From our commerce backend (Medusa) — which stores the order history linked to your account.
  • From our payment processor — limited transaction and fraud-scoring data.
  • From service providers — analytics, fraud prevention, error monitoring.

5. How We Use Personal Information

  • to create and maintain your account and let you sign in;
  • to process, fulfill, ship, and support your orders, including customer service and returns/refund handling;
  • to detect, prevent, investigate, and respond to fraud, chargebacks, account takeover, and abuse of the Site;
  • to verify your eligibility to purchase, including researcher affiliation screening described in our Terms of Service;
  • to operate, secure, maintain, measure, debug, and improve the Site and our products;
  • to send transactional communications about your orders, account, and the Site;
  • with your consent, to send marketing communications (see Section 17);
  • to comply with legal obligations, respond to law-enforcement requests, establish, exercise, or defend legal claims, and enforce our Terms of Service; and
  • for any other purpose disclosed to you at the time of collection or with your consent.

7. How We Share Personal Information

We do not sell Personal Information for money. We share Personal Information only in the following circumstances and only as described in this Policy.

Service providers

We engage the following service providers, each under a written contract that restricts their use of Personal Information to providing services to us:

  • Clerk — authentication, session management, user records.
  • Medusa — commerce backend (products, cart, orders, customers).
  • Render — Medusa hosting, managed Postgres, managed Redis.
  • Vercel — hosting and edge delivery of the Next.js frontend.
  • Cloudflare R2 — product image and asset storage.
  • Klaviyo — transactional and opt-in marketing email and SMS (M3 onwards).
  • [PAYMENT_PROCESSOR] — payment processing, fraud scoring, dispute handling.
  • Sentry — error monitoring and performance tracing.
  • Google (Google Tag Manager / Google Analytics) — web analytics (only with your consent where required).

Business transfers

If we are involved in a merger, acquisition, reorganization, asset sale, bankruptcy, or similar transaction, Personal Information may be transferred as part of that transaction. We will notify you (where required by law) and the acquiring entity will be bound by this Privacy Policy until it is updated.

Legal compliance and rights protection

We may disclose Personal Information where we believe in good faith that disclosure is necessary to (a) comply with applicable law, subpoena, court order, or lawful government request; (b) protect the rights, property, or safety of Ascend Bio Labs, our users, or the public; (c) detect, prevent, or respond to fraud, security issues, or technical problems; or (d) enforce our Terms of Service.

With your consent

We may share Personal Information with third parties when you ask or authorize us to.

8. No Sale; Limited Sharing

We do not sell Personal Information for monetary value. In the twelve months preceding the last updated date of this Privacy Policy, we have not sold Personal Information.

Under the CPRA, “sharing” can include disclosing Personal Information to third-party advertising partners for cross-context behavioral advertising, even where no money changes hands. We do not currently share Personal Information for cross-context behavioral advertising. If we begin to, we will update this Policy and provide a “Do Not Sell or Share My Personal Information” link (see Section 12).

9. Cookies And Tracking Technologies

We use cookies and similar technologies (pixels, local storage, device identifiers). Strictly necessary cookies are required for the Site to function (authentication, cart, CSRF protection). Analytics and advertising cookies load only after you have given consent through our cookie banner. For the complete list and your controls, see our Cookie Policy.

10. Data Retention

We retain Personal Information for as long as necessary to provide the Site and the Products you have ordered, to comply with our legal obligations, to resolve disputes, to enforce our agreements, and to prevent fraud. Representative retention periods:

  • Account records — for the life of your account plus up to 24 months after deletion, unless a longer period is required by law.
  • Order and transaction records — for at least 7 years to comply with tax, accounting, and fraud-investigation obligations.
  • Support communications — up to 3 years from last contact.
  • Web analytics events — up to 14 months in Google Analytics, subject to your consent.
  • Error monitoring records — up to 90 days in Sentry.
  • Marketing contact records — until you unsubscribe plus a short suppression window to honor your opt-out.

11. Security

We maintain reasonable and appropriate technical, administrative, and physical safeguards to protect Personal Information against unauthorized access, disclosure, alteration, and destruction. These include encryption in transit (TLS) and at rest with our providers, authentication through Clerk, least-privilege access controls, and monitoring for security events.

No method of transmission or storage is 100% secure, however, and we cannot guarantee absolute security. If you have reason to believe your account or information has been compromised, contact us immediately at [security@ascendbiolabs.com].

12. Your California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, “CCPA”) gives you specific rights with respect to Personal Information we collect about you. Exercising these rights is free, and we will not discriminate against you for doing so.

Right to know

You have the right to request that we disclose the categories and specific pieces of Personal Information we have collected about you, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom we have shared or disclosed Personal Information, during the preceding 12 months.

Right to delete

You have the right to request that we delete Personal Information we have collected from you, subject to the exceptions in the statute (such as completing a transaction, detecting fraud, or complying with legal obligations).

Right to correct

You have the right to request that we correct inaccurate Personal Information we hold about you.

Right to opt out of sale or sharing

You have the right to opt out of the “sale” or “sharing” (for cross-context behavioral advertising) of your Personal Information. As stated in Section 8, we do not currently sell or share Personal Information as those terms are defined by the CCPA. If that ever changes, you will be able to exercise this right by visiting “Do Not Sell or Share My Personal Information” at [/legal/ccpa-opt-out] or by following the instructions below.

Right to limit use of sensitive personal information

You have the right to limit our use and disclosure of sensitive personal information. We do not collect sensitive personal information for purposes beyond those permitted by the CPRA without this right.

Global Privacy Control (GPC)

We honor the Global Privacy Control signal as a valid opt-out of sale or sharing under the CCPA when we detect it in a browser request.

How to exercise your rights

Submit a request by emailing [privacy@ascendbiolabs.com] with the subject line “CCPA Request” and describing the right you want to exercise. We will verify your identity before responding — typically by matching information you provide against information we already hold — and respond within the timeframes required by law (generally 45 days, with one 45-day extension where reasonably necessary). You may designate an authorized agent to submit a request on your behalf by providing the agent with written, signed permission; we may require the agent to verify your identity before we respond.

No retaliation

We will not deny you goods or services, charge you a different price, or provide a different level of quality because you exercised any CCPA right.

13. Other U.S. State Privacy Rights

If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MTCDPA), Delaware (DPDPA), or another U.S. state with a comprehensive consumer privacy law, you have rights similar to the California rights described in Section 12 — including the right to access, correct, delete, or obtain a portable copy of your Personal Information, and to opt out of targeted advertising, sale, or certain profiling. To exercise any of these rights, email [privacy@ascendbiolabs.com] with the subject line “State Privacy Request” and indicate your state of residence and the right you want to exercise. Where applicable law provides for an appeal of our decision, you may appeal by replying to our response.

14. European Economic Area, United Kingdom, And Switzerland

If you are in the EEA, UK, or Switzerland, you have the rights of a data subject under the GDPR (or UK GDPR, as applicable), including:

  • the right to access and receive a copy of your Personal Data;
  • the right to rectify inaccurate or incomplete Personal Data;
  • the right to erasure (“right to be forgotten”);
  • the right to restrict processing;
  • the right to object to processing based on legitimate interests or direct marketing;
  • the right to data portability;
  • the right to withdraw consent where processing is based on consent; and
  • the right to lodge a complaint with your local data protection supervisory authority.

To exercise these rights, email [privacy@ascendbiolabs.com]. Your Personal Data will be transferred to and processed in the United States and other jurisdictions where our service providers operate. Where required, we rely on Standard Contractual Clauses or other lawful transfer mechanisms.

15. Children's Privacy

The Site is not directed to children under 18, and the Products are not for purchase, possession, or use by children. We do not knowingly collect Personal Information from children under 13 in violation of the Children's Online Privacy Protection Act (COPPA), and we do not knowingly sell, share, or process for targeted advertising the Personal Information of any minor under 16. If you are a parent or guardian and you believe your child has provided Personal Information to us, please contact us at [privacy@ascendbiolabs.com] and we will delete that information.

16. Do Not Track And Global Privacy Control

Web browsers may provide a “Do Not Track” (DNT) signal. Because there is no finalized industry standard for how to respond to DNT signals, we do not currently respond to them. We do honor the Global Privacy Control (GPC) signal as described in Section 12.

17. Marketing Communications

With your consent, we may send you email or SMS marketing communications about products, promotions, and news. You can unsubscribe at any time by clicking the unsubscribe link in any email, replying STOP to any marketing SMS, or contacting us at [privacy@ascendbiolabs.com]. Transactional messages about your order, account, or legal notices are not considered marketing and may still be sent after you unsubscribe from marketing. SMS marketing is sent subject to the Telephone Consumer Protection Act (TCPA) and requires your separate opt-in; message and data rates may apply.

19. Updates To This Policy

We may update this Privacy Policy from time to time. When we do, we will post the updated version here with a new “Last updated” date. For material changes, we will provide additional notice (for example, by email or a prominent notice on the Site). Your continued use of the Site after the effective date of the updated Policy constitutes acceptance of it.

20. Contact Us

Questions about this Privacy Policy or how we handle Personal Information? Email us at [privacy@ascendbiolabs.com] or write to us at [ENTITY_NAME], Attn: Privacy, [REGISTERED_ADDRESS].