Data governance & privacy framework

Effective: May 15, 2026

1. Institutional Context

Aeterna Lab LLC (“Aeterna Lab,” “the Institution,” “we”) supplies research-grade chemical compounds and peptides to qualified laboratory professionals through its procurement platform at aeternabiolab.com (“the Site”). This Data Governance & Privacy Framework sets forth the Institution’s practices regarding the collection, handling, retention, and protection of information obtained through the Site and through procurement transactions with the Institution.

The Institution maintains this Framework as an operational standard, not merely as a compliance document. Every data practice described herein reflects the Institution’s determination — grounded in its role as a supplier to the research community — of what is necessary, proportionate, and appropriate.

Inquiries regarding this Framework may be directed to [email protected] or by post to:

Aeterna Lab LLC
30 N Gould St Ste R
Sheridan, WY 82801
United States

2. Scope of Data Collection

2.1 Transactional Data

Procurement of research materials through the Site requires the submission of certain identifying and transactional data. The Institution collects only that information which is necessary to process, fulfill, and maintain a record of procurement transactions. This includes:

  • Purchaser identity: Full name and institutional affiliation, where provided.
  • Contact particulars: Email address, shipping address, billing address, and telephone number.
  • Transaction records: Products procured, order history, and payment instrument references. Full payment card numbers are not retained on Institution systems; payment processing is conducted exclusively through PCI-compliant third-party gateways.
  • Correspondence: The content of any communication directed to the Institution’s support personnel.

2.2 Technical Data

The Site’s infrastructure automatically records certain technical parameters during each session. This data is collected for operational necessity — site functionality, security monitoring, and performance analysis — and includes:

  • Internet Protocol (IP) address
  • Browser type, version, and operating system
  • Referring resource and navigation path through the Site
  • Session duration and page-level engagement metrics

The Site employs session and persistent cookies to maintain procurement cart state, authenticate user sessions, and compile aggregate usage analytics. These are standard mechanisms for web platform operation. Cookies deployed include: session cookies (essential — cart state, authentication), persistent preference cookies (site display settings), and analytics cookies (aggregate traffic analysis). Researchers may configure browser-level cookie controls; doing so may affect the functionality of the procurement interface.

2.3 Data the Institution Does Not Collect

The Institution does not collect, request, or retain: Social Security numbers or national identifiers; government-issued identification documents; health information or medical histories; biometric data; or any information unrelated to the procurement of research materials. The Institution’s relationship with purchasers is a supplier-researcher relationship, and its data collection reflects that narrow scope.

3. Operational Uses of Data

Information held by the Institution is used for the following operational purposes and for no other purpose absent explicit authorization:

  • Procurement fulfillment: Processing orders, arranging shipment, communicating order status, and maintaining transaction records.
  • Support and inquiry response: Addressing purchaser questions, investigating order issues, and providing assistance.
  • Platform operations: Authenticating user sessions, maintaining account records, and administering the Site’s technical infrastructure.
  • Regulatory and legal obligations: Complying with applicable law, responding to lawful process, and enforcing the Institution’s Terms of Supply.
  • Platform analytics: Analysing aggregate usage patterns to maintain and improve Site performance and security.

The Institution does not use purchaser data for marketing or promotional communication except where the purchaser has independently and affirmatively opted into such communication. Any opt-in consent may be withdrawn at any time through the mechanism provided in the communication or by contacting the Institution directly.

4. Data Sharing and Disclosure

4.1 Operational Service Providers

The Institution engages specialized third-party service providers to perform functions essential to platform operation and order fulfillment. These providers are engaged under contractual terms that limit their use of data to the specific services they perform for the Institution and impose confidentiality and security obligations commensurate with this Framework. Such providers include:

  • Payment processors (transaction processing)
  • Shipping carriers (order delivery)
  • Hosting and infrastructure providers (platform operation)
  • Communication services (order confirmation and support correspondence)

4.2 No Sale of Data

The Institution does not sell, rent, license, trade, or otherwise exchange purchaser data for consideration. This is an institutional policy, not a temporary practice. The Institution has not sold personal information at any point in its operating history and has no present intention to do so.

4.3 Compelled Disclosure

The Institution may disclose data in response to a valid subpoena, court order, or binding regulatory demand, or where the Institution determines in good faith that disclosure is necessary to protect its rights, its personnel, or the safety of others, or to investigate fraud or security incidents.

4.4 Structural Transitions

In the event of a merger, acquisition, reorganization, or transfer of assets, purchaser data may be among the transferred assets. The Institution will provide notice of any such transition through the Site and, where feasible, by direct communication to affected purchasers.

5. Data Retention

The Institution retains transactional records for the duration required by applicable tax, commercial, and regulatory obligations. Retention periods are determined by the legal requirements of the State of Wyoming and applicable federal law. Upon expiration of the applicable retention period, data is securely deleted or anonymized.

Correspondence and support records are retained for the period reasonably necessary to address the inquiry and maintain an institutional record, after which they are routinely purged.

6. Data Security

The Institution maintains administrative, technical, and physical safeguards designed to protect data against unauthorized access, alteration, disclosure, or destruction. These safeguards include:

  • Transport Layer Security (TLS) encryption for data in transit between the purchaser’s client and the Site
  • PCI-compliant payment processing through established third-party gateways
  • Access controls restricting data access to personnel with a documented operational need
  • Regular review of security practices and infrastructure

No data transmission over public networks or electronic storage system can be guaranteed absolutely secure. The Institution’s safeguards reflect commercially reasonable practice; they do not and cannot constitute an absolute guarantee.

In the event of a confirmed data breach involving personal information, the Institution will notify affected purchasers without undue delay and, where required, report to relevant regulatory authorities in accordance with applicable law.

7. Data Subject Rights

7.1 California Residents — Rights Under the CCPA

The California Consumer Privacy Act (CCPA) confers specific rights on California residents regarding their personal information. The Institution extends the transparency principles embodied in the CCPA to all purchasers, regardless of jurisdiction, as a matter of institutional practice.

Categories of Information Collected

In the twelve months preceding the effective date of this Framework, the Institution has collected the following categories of personal information:

  • Identifiers: Name, email address, shipping address, billing address, IP address
  • Commercial information: Products procured, transaction history
  • Internet activity: Browsing history and interaction data related to the Site

The Institution has not sold any category of personal information. The Institution does not have actual knowledge of selling personal information of individuals under 16 years of age.

Right to Know

Purchasers may request disclosure of the categories and specific pieces of personal information the Institution holds about them, the sources from which it was collected, the purposes for which it is used, and the categories of third parties with whom it is shared.

Right to Deletion

Purchasers may request deletion of personal information held by the Institution, subject to statutory exceptions — including where retention is necessary to complete a transaction, detect security incidents, comply with legal obligations, or support internal uses compatible with the context in which the information was provided.

Right to Opt Out of Sale

The Institution does not sell personal information and therefore does not maintain an opt-out mechanism. Should this institutional practice change, the Institution will update this Framework and implement a compliant opt-out process.

Non-Discrimination

The Institution does not discriminate against purchasers who exercise their rights under the CCPA — including by denying goods or services, varying pricing, or altering the quality of service provided.

Exercising Rights

Requests under this section should be submitted to [email protected]. The Institution will acknowledge receipt and respond within 45 days, with the possibility of a single 45-day extension where reasonably necessary. Identity verification will be required prior to processing any request.

8. Age and Professional Standing

The Site and the Institution’s procurement platform are designed for use by qualified research professionals aged 21 and above. The Institution does not knowingly collect or retain information from individuals under the age of 21. Any such information discovered in the Institution’s systems will be promptly deleted. The Institution complies with the Children’s Online Privacy Protection Act (COPPA) and does not knowingly collect personal information from individuals under the age of 13. Any such information inadvertently collected will be promptly deleted. The Institution’s products are sold exclusively to qualified professionals for in-vitro laboratory research; this Framework reflects the data governance standards appropriate to that relationship.

9. Third-Party Platforms and Services

The Site operates on WordPress with WooCommerce infrastructure. These platforms deploy their own session and analytics mechanisms, which are governed by their respective privacy policies. The Institution recommends that purchasers review the Automattic privacy framework at https://automattic.com/privacy/.

The Institution does not exercise control over the data practices of third-party sites or services that may be referenced on or linked from the Site.

10. Cross-Border Data Processing

The Institution’s servers and operations are located in the United States. Purchasers accessing the Site from outside the United States acknowledge that their data will be transferred to, stored, and processed within the United States. The Institution applies the standards described in this Framework to all data in its custody, regardless of the purchaser’s jurisdiction of origin.

11. Framework Revisions

The Institution may revise this Framework from time to time to reflect changes in its operational practices, legal obligations, or institutional policies. Revisions are effective upon publication to the Site, and the effective date above will be updated accordingly. Purchasers engaged in ongoing procurement relationships with the Institution are encouraged to review this Framework periodically. Continued use of the Site following revision constitutes acknowledgment of the updated Framework.

12. Contact

For any matter arising under this Framework — including inquiries, data subject requests, and notices of concern — contact the Institution:

Email: [email protected]
Post:
Aeterna Lab LLC
30 N Gould St Ste R
Sheridan, WY 82801
United States

Scroll to Top