PeptidePal Privacy Policy

Summary of Key Points

This privacy notice for Blank Labs LLC ("we," "us," or "our") describes how and why we access, collect, store, use, and share ("process") your personal information when you use PeptidePal (formerly Pep Pal; the "app") — a peptide research, reference, and personal tracking app. PeptidePal lets you browse a peptide library, configure protocols, log doses, and chat with an AI research assistant.

In short: we collect the minimum needed to run your account, your onboarding preferences, the body metric observations and progress photos you choose to log, the chat messages you send our AI, and anonymous usage analytics. Your dose logs, protocol history, and chat history stay on your device. We do not sell your personal information, we do not use your data for advertising, and you can delete your account in the app at any time.

What Information We Collect

Account information. When you sign up with Sign in with Apple or Sign in with Google we receive your email address and an account identifier from Apple or Google. We store this in our Supabase database so we can authenticate you on future launches. We never receive your Apple ID or Google account password.

Onboarding and health-adjacent preferences.During onboarding we ask you about your goals (for example weight loss, recovery, longevity), your experience level with peptides, any obstacles you'd like our help with, the peptides you are currently exploring, preferred check-in cadence, and basic demographics (age, biological sex, height, and weight). You choose what to share. We store your answers in our Supabase database so PeptidePal can personalize what you see. This information is never used for advertising and is never shared with third parties for marketing.

Where your tracking data lives. PeptidePal stores different categories of data in different places. Knowing where each category lives matters when you uninstall the app or delete your account.

• On-device only.Your protocol entries, dose logs, stack configurations, streak history, chat history, and local preferences are stored in the app's on-device storage. They are not uploaded to our servers. Because they live on your device, you are responsible for backing them up; if you delete the app or lose your device, we cannot recover them.
• Stored in your private PeptidePal account (Supabase). Your account profile (email, onboarding preferences, demographics), the body metric observations you log (weight, body fat, lean body mass, waist circumference, mood), the progress photos you capture (EXIF-stripped, in a private user-scoped bucket), and your subscription and referral records. Each row and file is protected by row-level security so it is accessible only to you, encrypted in transit, and permanently deleted when you delete your account.
• Transmitted in-flight to third parties (not retained by us). Chat messages you send to the AI assistant are forwarded to Anthropic to generate a response and discarded server-side. Anonymous product analytics events are sent to TelemetryDeck.

AI chat messages.The messages you type into the PeptidePal chat assistant are transmitted to our backend and forwarded to our AI provider to generate a response (see "AI Chat Feature" below). The response is returned to your device and stored there. We do not persist your chat messages or the responses on our servers.

Health tracking data. Body metric observations you manually log in the app — such as weight, body fat percentage, lean body mass, waist circumference, and mood — are stored in your private PeptidePal account on our servers (Supabase). This data is linked to your account, accessible only to you via row-level security, encrypted in transit, and permanently deleted when you delete your account. If you connect Apple Health, bidirectional sync occurs on-device between PeptidePal and Apple Health; your Apple Health data is never transmitted to our servers.

Progress photos. If you use the progress photo feature (Hair, Body, or Face), photos you capture are processed on-device before upload: all EXIF metadata, including GPS location, camera model, and capture time, is stripped before the photo leaves your device. The stripped photo is then uploaded over TLS to a private, user-scoped storage bucket in our Supabase account. Photos are linked to your account and accessible only to you. No photo is ever used for diagnosis, screening, treatment decisions, or shared with third parties. You can delete individual photos or all photos at any time from within the app, and all photos are permanently deleted when you delete your account.

Referral code redemptions. If you enter a referral code and redeem it with a paid subscription, we store the code, the redemption timestamp, and a transaction identifier from Apple so we can honor the referral and prevent double-redemption. We verify the App Store receipt with Apple and discard the raw receipt; we do not keep a copy.

Payment data. All purchases flow through the Apple App Store. Apple handles your payment information. We do not receive or store your payment method, credit card number, or billing address.

Usage analytics.We collect anonymous, device-scoped product usage data (for example which screens you viewed, how far you progressed through onboarding, whether a paywall was shown, approximate message counts) using TelemetryDeck. Events are stamped with a random device identifier that resets when you reinstall the app; they are not linked to your name, email, or a cross-app advertising identifier. We also use the Meta (Facebook) SDK to send anonymous campaign attribution signals (app installs, app opens, and in-app purchase events) to Meta Platforms, Inc. for advertising measurement purposes. See "Service Providers We Share Information With" for details.

Automatically collected information. When your device connects to our servers we receive standard technical information (IP address, approximate device and OS type, app version, request timestamps). We use this for security, abuse prevention, and debugging. We do not correlate it with advertising identifiers.

What We Do Not Do

We do not use your personal information, chat messages, health data, or onboarding answers for advertising or marketing to you. We do not sell your data. We do not share your name, email, or any personally identifiable information with ad networks. We do send anonymous app-event signals (installs, opens, purchases) to Meta Platforms, Inc. for advertising campaign measurement — see "Service Providers We Share Information With." We do not request App Tracking Transparency (ATT) permission and do not collect your device's Advertising Identifier (IDFA). We do not use health metric observations or progress photos for advertising, marketing, or any purpose other than providing the health-tracking features of the app. We do not share your data with data brokers.

How We Use Your Information

We process the information described above to: create and authenticate your account; personalize the in-app experience based on your onboarding answers; generate AI chat responses to the messages you send; verify subscription and referral eligibility with Apple; deliver push notifications you opt into (dose reminders, streak alerts, refill reminders — scheduled on your device); understand aggregate product usage so we can improve the app; protect the service from abuse and fraud; and comply with legal obligations.

We do not process your information for any purpose that is incompatible with the purposes above without your consent.

AI Chat Feature

PeptidePal's AI chat assistant helps you research peptides and explore the peptide library. When you send a message it is transmitted over TLS to our backend, combined with a system prompt describing PeptidePal's research-only scope, and forwarded to our AI provider. The generated response is streamed back to your device.

What is sent. Only the message text you type, the prior messages in the same chat session (so the assistant has context), and, optionally, a short summary of your active protocol if you have configured one in the app and allowed the assistant to use it. Your email, your Supabase user identifier, and your raw tracking logs are not included.

AI provider. Our current AI provider is Anthropic, PBC (Claude). Anthropic processes your messages under its commercial terms and does not use API inputs to train its models. Anthropic may retain inputs for up to thirty (30) days solely for trust-and-safety and abuse monitoring, after which the data is deleted. If we change AI providers we will update this policy.

No server-side chat history.PeptidePal does not store your chat messages or AI responses on our servers. Your chat history lives on your device in the app's local storage; deleting the app deletes your chat history.

Peptide Library Content

The PeptidePal peptide library contains general reference information about research peptides. The library is provided for educational purposes only and is not a personalized recommendation, a prescription, or medical advice. It is not tailored to your personal situation. See our Terms of Service for the full disclaimer, including the specific rules that apply to FDA-approved prescription drugs such as Semaglutide, Tirzepatide, and other GLP-1 medications.

Service Providers We Share Information With

We use the service providers listed below, and only the categories of data described, to operate PeptidePal. Each provider is contractually bound to process data only on our instructions.

• Apple Inc. — Sign in with Apple (account creation), App Store subscriptions and receipts, and Apple Push Notification service for delivering notifications you opt into.
• Google LLC — Sign in with Google (account creation), when you choose this method.
• Supabase Inc. — Managed Postgres database and authentication. Stores your email, onboarding answers, demographics, subscription flag, and referral redemptions.
• Google Cloud Platform (Google LLC) — Hosts our backend API (Cloud Run) and manages deployment secrets (Secret Manager). Receives API request metadata.
• Anthropic, PBC — Generates AI chat responses from the messages you send, as described in "AI Chat Feature" above.
• Superwall Inc. — Renders the in-app paywall and reports paywall analytics. Receives a device-scoped Superwall identifier and anonymized paywall interaction events; does not receive your email or Supabase identifier.
• TelemetryDeck (Telemetry Deck GmbH) — Processes anonymous product analytics events. Receives a device-scoped random identifier that resets on reinstall; does not receive your email, your Supabase identifier, or advertising identifiers.
• Meta Platforms, Inc. — Advertising campaign measurement. When you install or use PeptidePal, the Meta (Facebook) SDK sends anonymized app-event data (app installs, app opens, and in-app purchase signals) to Meta to help us understand which ads led to app installs and measure the effectiveness of our campaigns. We do not send your name, email, health data, chat messages, or any personally identifiable information to Meta. We do not request App Tracking Transparency (ATT) permission and do not collect your device's Advertising Identifier (IDFA).

We may also disclose information when required by law, to respond to lawful requests and legal process, to protect our rights and the safety of our users, or in connection with a merger, acquisition, or sale of company assets — in which case we will notify you and take reasonable steps to ensure the successor is bound by this policy.

International Data Transfers

Our servers and most of our service providers are located in the United States. If you access PeptidePal from outside the United States your information will be transferred to, stored in, and processed in the United States and in other countries where our service providers operate. Where required, we rely on appropriate transfer mechanisms such as the EU Standard Contractual Clauses.

How Long We Keep Your Information

We keep your account information for as long as your account is active. When you delete your account we delete your Supabase auth record, your profile row (which includes your email, onboarding answers, and demographics), all of your health metric observations, and all of your progress photos from our private storage bucket. Referral redemption ledger rows are retained to preserve creator-code accounting, but your user identifier is detached from them so they are no longer linked to you.

Your on-device tracking data (dose logs, protocols, chat history) persists only as long as you keep the app installed and is deleted when you uninstall PeptidePal.

How We Keep Your Information Safe

We use TLS for data in transit, enforce row-level security in Supabase so each user can only read their own row, store all service credentials in Google Cloud Secret Manager, and verify every backend request against a short-lived Supabase-issued token. Despite these safeguards, no transmission over the Internet is 100% secure; we cannot guarantee absolute security.

Minors

PeptidePal is not directed to anyone under 18. We do not knowingly collect personal information from anyone under 18. By using PeptidePal you represent that you are at least 18 years old. If you believe a minor has provided us with personal information, please contact us at [email protected] and we will delete it.

Your Privacy Rights

Depending on where you live — including California, Colorado, Connecticut, Utah, Virginia, the EEA, the UK, Switzerland, and Canada — you may have the right to request access to the personal information we hold about you, to correct inaccuracies, to delete your personal information, to request a portable copy, and to withdraw any consent you previously gave. You also have the right to lodge a complaint with your local data-protection authority.

To exercise any of these rights, email us at [email protected] from the email address associated with your account. The fastest way to delete your account is described below.

How to Delete Your Account

You can permanently delete your PeptidePal account from inside the app: open Me → Settings → Delete Account and confirm twice. This action is immediate and irreversible. It deletes your Supabase authentication record, your profile row (email, onboarding answers, and demographics), every health metric observation associated with your account, and every progress photo associated with your account. Referral redemption entries are kept for accounting but are no longer linked to your identity. Your on-device tracking data is cleared when the app signs out.

Deleting your PeptidePal account does not cancel an active Apple App Store subscription. To cancel a subscription, open Settings → [your name] → Subscriptions on your iPhone and cancel PeptidePal; Apple handles subscription cancellation and refunds.

If you cannot access the in-app deletion flow, email us at [email protected] from the email address associated with your account and we will delete your account within thirty (30) days.

Do Not Track and Global Privacy Control

PeptidePal is a mobile app and does not respond to browser Do Not Track or Global Privacy Control signals from web browsers. We do not request App Tracking Transparency (ATT) permission and do not actively collect the iOS Advertising Identifier (IDFA). We do use the Meta (Facebook) SDK to send anonymous app-event signals for advertising campaign measurement, as described above. Our first-party analytics (TelemetryDeck) are anonymous and device-scoped by design.

Changes to This Notice

We may update this privacy notice from time to time. The updated version will be indicated by a revised "last updated" date above. If we make material changes we will take reasonable steps to notify you, for example through an in-app notice or by updating the app.

Contact Us

If you have questions about this notice or how we handle your personal information, you can reach us at [email protected] or by mail at: Blank Labs LLC, California, United States.