Last updated · 17 May 2026
Privacy policy
Optimal Lab ("the lab", "we", "us") is the data controller for personal data collected through this website. This policy explains what we collect, why, how long we keep it, and the rights you hold under the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are
Optimal Lab — a research-compound laboratory based in Newport, South Wales. Registered company details, VAT number, and ICO registration number are available on request and will be published here ahead of public launch.
Contact for privacy queries: privacy@optimallab.co.uk.
2. Personal data we collect
When you register an account
- Name, email address, hashed password (Firebase Authentication)
- Account-creation timestamp, last sign-in timestamp, account-verification status
When you place an order
- Billing and delivery address, telephone number
- Date of birth — self-declared at checkout, used to confirm you are 18 or over (our catalogue is adult-only research material) and held on the order record. Not shared with any third party.
- Order line items, lot identifiers, and certificates of analysis you have accessed
- Payment is processed by an external provider; we do not store card numbers
When you sign at checkout
Before any payment is taken the cart page asks you to tick four consent boxes and to draw a signature on a canvas. The Lab stores the following consent record against the resulting order:
- A copy of the four consent texts you ticked, and the SHA-256 hash of each one
- Your drawn signature, stored as a PNG image
- The timestamp at which the consent was submitted
- The IP address from which the consent was submitted
- The user-agent string of your web browser
- The dimensions of your browser viewport at the moment of signing
- Your browser language preference and time-zone setting
We retain the consent record so that the contract of sale can be evidenced if challenged. The lawful bases are performance of a contract (Article 6(1)(b) UK GDPR), legitimate interest in evidencing lawful supply (Article 6(1)(f)), and your explicit consent (Article 6(1)(a)) for the storage of the signature image and audit metadata.
When you message the lab
- Contents of the contact-form or email exchange, including your phone number where supplied
When you browse the website
- Strictly necessary cookies (session, age-gate confirmation)
- Analytics cookies (Firebase Analytics) — set only after explicit consent
3. Why we process this data — lawful bases
- Contract (Art. 6(1)(b)): processing orders, dispatching products, returning correspondence
- Legal obligation (Art. 6(1)(c)): retaining order records for HMRC and Trading Standards
- Legitimate interest (Art. 6(1)(f)): fraud screening, age verification, security logging
- Consent (Art. 6(1)(a)): analytics cookies, optional marketing email
4. How long we keep your data
- Order records: 6 years (HMRC retention requirement; aligned with the statutory limitation period for simple contract claims under section 5 of the Limitation Act 1980)
- Consent records (signature, hashed IP, user agent, viewport, month-year date of birth, etc.): 6 years from the date of order, on the same basis
- Cash-order evidence pack (name-fuzzy-match audit, age-gate confirmation timestamp): 18 months from collection / fulfilment, the minimum window for a Trading Standards age-sale challenge
- Cookie consent log (hashed IP, choice flags, user agent): 24 months from the date the choice was recorded, after which the ICO presumes the consent stale and we re-prompt
- Data Subject Request log (your request, our response timestamps, fulfilment evidence): 3 years from the request, kept as compliance evidence under Art. 30
- Order audit log (status-change history, reconciliation events linked to your orders): 6 years, on the same HMRC basis as the order record it relates to, after which it is purged automatically
- Bank-transfer reconciliation records (Starling incoming-payment metadata matched to your order): retained alongside the order record for 6 years on the same HMRC basis
- Admin AI assistant conversation history: approximately 4 hours from the last message, after which the conversation expires automatically
- Account data: until you delete the account; we will retain transactional history for the same 6-year window
- Email and contact-form correspondence: 2 years from last contact
- Analytics: Firebase default retention, currently 14 months
After the retention period expires the data is deleted from primary storage. Some derived, aggregated, or anonymised reporting data may be retained indefinitely because it is no longer personal data under UK GDPR.
5. Who we share data with
- Google Firebase (authentication, Firestore database, hosting, Cloud Functions) — Google Ireland Limited; processing region europe-west2 (London).
- Firebase Analytics (Google Analytics 4) — Google Ireland Limited / Google LLC; provides anonymised, IP-anonymised behavioural analytics on the storefront (page views, add-to-cart events, purchase events). Loaded only after you opt in via the cookie banner. Processor location: United States, with aggregated event data transiting to Google infrastructure under the EU–US Data Privacy Framework / UK Extension. Lawful basis: consent (Article 6(1)(a) UK GDPR).
- Google Workspace — Google Ireland Limited; hosts our hello@, admin@, paul@, and carla@optimallab.co.uk mailboxes for inbound and outbound email storage, and powers the Gmail-reply poller integration used to route customer correspondence into the admin console. Processor location: European Union with onward replication to the United States. Lawful bases: performance of a contract (Article 6(1)(b) UK GDPR) and legitimate interest (Article 6(1)(f)) in operating a functional customer-support inbox.
- Resend Inc. — transactional email delivery, including order confirmations, bank-transfer instructions, dispatch notifications, contact-form replies, and password-reset emails. Processor location: United States, transfers safeguarded by Standard Contractual Clauses. We send only your name, email address, and the order or thread reference. Lawful bases: performance of a contract (Article 6(1)(b) UK GDPR) and legitimate interest (Article 6(1)(f)) in keeping customers informed about the status of their order.
- Starling Bank Limited — provides the incoming-payment feed we use to reconcile bank-transfer orders against your payment. We read the metadata Starling attaches to each incoming transfer (the payer name, the amount, and the payment reference you quote) and match it to the matching order so the order can be marked as paid. We do not share your order contents with Starling; we only read the payment feed Starling already holds. Processor location: United Kingdom. Lawful bases: performance of a contract (Article 6(1)(b) UK GDPR) and legitimate interest (Article 6(1)(f)) in confirming that an order has been paid for.
- Janoshik Analytical s.r.o. — receives lot identifiers only, never customer-personal data.
- Royal Mail and DHL — name, address, telephone for delivery only.
- Google Gemini API — our admin team uses Google's Gemini model to draft suggested replies to customer enquiries. The contents of your enquiry plus any prior thread context are sent to the Gemini API under our Google Workspace tenant. Per Google's API terms, your data is not used to train Google's models. A human reviews and edits every suggestion before any reply is sent — no message is ever auto-sent. You may opt out of AI-assisted replies for your thread by emailing privacy@optimallab.co.uk.
- Pep (our admin AI assistant, powered by Google Gemini) — Pep is an internal, admin-operated assistant that helps the lab's operations team manage the back office. It is never customer-facing. When a member of staff asks Pep about orders, Pep can read order and dispatch-board context to answer the question — this can include your name, email address, and order metadata (the order reference, status, line items, and amounts). The same Google Gemini terms apply: your data is not used to train Google's models. To keep a single back-office conversation coherent, Pep stores the conversation history for approximately four hours, after which it expires and is removed automatically. Pep does not build a long-term profile of you.
- HMRC / Trading Standards / MHRA / ICO / law enforcement where legally required.
We do not sell personal data. Where personal data is transferred outside the United Kingdom or European Economic Area (for example to Resend in the United States, or to Google Analytics infrastructure), transfers are safeguarded by an adequacy decision or Standard Contractual Clauses approved by the Information Commissioner's Office.
5b. Cash-rail collection evidence
Where you choose to collect your order in person from Newport (the cash-on-collection rail), we capture a small additional evidence pack at the point of handover. This pack sits alongside the standard consent record described above and exists to defend the lab against three specific risks: a Trading Standards challenge that we sold to an under-18, fraud (someone collecting an order that is not theirs), and an MHRA query about lawful supply of research material.
The cash-rail evidence pack consists of:
- Photographic ID check at collection. A member of the lab visually confirms photo ID against the order and records that the check was passed, together with the type of ID shown (passport, driving licence, PASS card). We do not photograph or scan the ID itself — only the fact that the check happened and who performed it. Why: Trading Standards expects a documented age-sale challenge defence under the Children and Young Persons (Protection from Tobacco) Act and equivalent age-restricted-product guidance.
- Signature on the printed pick-sheet. You sign the printed collection sheet to acknowledge that you received the goods listed. The signed sheet is scanned and stored against the order. Why: evidences chain of custody — that the order was handed to a person, not lost in transit or mis-delivered — which is our primary defence to a chargeback or fraud claim.
- Name-fuzzy-match audit log. When the name given at collection differs slightly from the name on the order — for example a shortened first name, a transliteration, or a married name — the system runs a Levenshtein-distance comparison and records the score plus the reviewer's decision to release the order. Why: shows we did not release the goods blindly when names did not match exactly, and protects against a later claim that we handed an order to the wrong person.
- Age-gate confirmation timestamp and month-year of birth. The timestamp at which you confirmed you were 18 or over on the website, paired with the month and year of birth you self-declared at checkout (never the full date). Why: double-evidences age verification — once at the digital age-gate and once at physical handover — which is what Trading Standards expects from any age-restricted retailer operating a click-and-collect model.
The cash-rail evidence pack is retained for 18 months from the date of collection — the minimum window over which a Trading Standards age-sale challenge can be brought against a retailer. After 18 months the pack is deleted from primary storage. This is the same 18-month line item that appears in the retention table at section 4 above. The lawful bases are legal obligation (Article 6(1)(c) UK GDPR — Trading Standards and MHRA compliance) and legitimate interest (Article 6(1)(f) — fraud avoidance and contractual non-repudiation).
6. Your rights
Under UK GDPR you have the right to:
- Request a copy of the data we hold about you (right of access)
- Correct inaccurate data (rectification)
- Request deletion of your data, subject to legal retention limits (erasure)
- Object to processing based on legitimate interest
- Withdraw consent at any time (analytics, marketing)
- Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk
Requests should be sent to privacy@optimallab.co.uk. We will respond within 30 calendar days.
7. Security
Account passwords are stored as one-way hashes by Firebase Authentication. The website is served exclusively over HTTPS. Order records are accessed only by the lab's operations team. Suspected breaches are logged and reported to the ICO within 72 hours where they meet the reporting threshold.
8. Changes to this policy
Material changes will be announced on this page with a revised "last updated" date and, where appropriate, by email to registered account holders.