Peptika.

Privacy & GDPR.

Last updated · 2026-05-16
In force · Version 1.0

This Privacy Policy explains how Phoenix Cluster B.V. (the "Controller") processes personal data within the meaning of Regulation (EU) 2016/679 ("GDPR"), including data concerning health, in the operation of the Peptika telemedicine platform.

1 — Controller & DPO

The data controller is Phoenix Cluster B.V., Kennemerplein 6-14, 2011MJ Haarlem, the Netherlands. The Data Protection Officer can be reached at dpo@peptika.com.

2 — Categories of personal data

  • Identification data — name, date of birth, country of residence, contact details.
  • Health data (Article 9 GDPR) — medical history, current medications, clinical objectives, consultation answers, prescription history, batch numbers received.
  • Financial data — payment instrument tokens, invoicing details (processed via Paynova).
  • Technical data — device identifiers, IP address, cookies, analytics events.

3 — Lawful bases (Article 6 & 9)

Processing of health data relies on Article 9(2)(h) GDPR — provision of healthcare and medical diagnosis. Processing of administrative data relies on Article 6(1)(b) (contract performance), Article 6(1)(c) (legal obligation, in particular tax and pharmaceutical record-keeping) and Article 6(1)(f) (legitimate interests, for fraud prevention).

4 — Recipients

Your data is shared only with: (a) the EU-licensed physician treating you; (b) the compounding pharmacy fulfilling your prescription; (c) Peptika operations and patient-support staff bound by confidentiality; (d) regulated infrastructure providers (cloud, payment, logistics) acting as processors under Article 28 GDPR. We do not sell personal data.

5 — International transfers

Personal data is hosted in the European Union (Frankfurt region). Where a sub-processor is established outside the EU/EEA, transfers rely on Standard Contractual Clauses or an adequacy decision adopted by the European Commission.

6 — Retention

Health data is retained for the period required by the applicable national medical record-keeping rules (typically 10 years after the last consultation). Account administration data is retained for the duration of the account and up to 5 years after closure for legal-obligation purposes.

7 — Your rights

Under GDPR Articles 15 to 22, you have the right to access, rectify, erase, restrict, port and object. Where processing relies on consent, you can withdraw it at any time. You can also lodge a complaint with your national supervisory authority. Requests can be sent to dpo@peptika.com.

8 — Security

Health data is encrypted at rest and in transit. Access is role-based and audit-logged. We perform regular vulnerability assessments and security reviews.

Need a clarification on this page? Patient support is available via the contact form.
