Legal

PeptidePal Privacy Policy

Last updated June 21, 2026

Summary of Key Points

This privacy notice for Blank Labs LLC ("we," "us," or "our") describes how and why we access, collect, store, use, and share ("process") your personal information when you use PeptidePal (formerly Pep Pal; the "app") — a peptide research, reference, and personal tracking app. PeptidePal lets you browse a peptide library, configure protocols, log doses, and chat with an AI research assistant.

In short: we collect the minimum needed to run your account, your onboarding preferences, the body metric observations and progress photos you choose to log, the chat messages you send our AI, and anonymous usage analytics. Your detailed dose logs, protocol history, and chat history stay on your device. The one narrow exception is that about once a day we send the list of peptides in your active protocols (peptide names only — never your doses, dates, sites, or notes) to our own servers, stored against a one-way hash of an anonymous device identifier rather than your account, solely to understand in aggregate which peptides the community is exploring. We do not sell your personal information, we do not use your data for advertising, and you can delete your account in the app at any time.

What Information We Collect

Account information. When you sign up with Sign in with Apple or Sign in with Google we receive your email address and an account identifier from Apple or Google. We store this in our Supabase database so we can authenticate you on future launches. We never receive your Apple ID or Google account password.

Onboarding and health-adjacent preferences.During onboarding we ask you about your goals (for example weight loss, recovery, longevity), your experience level with peptides, any obstacles you'd like our help with, the peptides you are currently exploring, preferred check-in cadence, and basic demographics (age, biological sex, height, and weight). You choose what to share. We store your answers in our Supabase database so PeptidePal can personalize what you see. This information is never used for advertising, is never shared with third parties for marketing, and is never sold. The one exception is that we share limited, coarse, non-identifying signals (such as a broad age range and experience tier) with our paywall provider, Superwall, solely to personalize which in-app paywall you see. These signals contain no free text or raw answers, are used only for paywall personalization, and are never used for advertising.

Where your tracking data lives. PeptidePal stores different categories of data in different places. Knowing where each category lives matters when you uninstall the app or delete your account.

  • On-device only.Your protocol entries, dose logs, stack configurations, streak history, chat history, and local preferences are stored in the app's on-device storage. They are not uploaded to our servers, with one narrow exception described below. Because they live on your device, you are responsible for backing them up; if you delete the app or lose your device, we cannot recover them. One narrow exception: about once a day the app sends the list of peptides in your active protocols (peptide names only — never your doses, dates, injection sites, or notes) to our own servers, stored against a one-way hash of an anonymous device identifier, never your account. We use this only to understand, in aggregate, which peptides the community is exploring; an entry is reported only when at least five distinct devices share it, so no individual can be identified. It is not shared with third parties and is never used to target advertising.
  • Stored in your private PeptidePal account (Supabase). Your account profile (email, onboarding preferences, demographics), the body metric observations you log (weight, body fat, lean body mass, waist circumference, mood), the progress photos you capture (EXIF-stripped, in a private user-scoped bucket), and your subscription and referral records. Each row and file is protected by row-level security so it is accessible only to you, encrypted in transit, and permanently deleted when you delete your account.
  • Transmitted in-flight to third parties (not retained by us). Chat messages you send to the AI assistant are forwarded to Anthropic to generate a response and discarded server-side. Anonymous product analytics events are sent to TelemetryDeck.

AI chat messages.The messages you type into the PeptidePal chat assistant are transmitted to our backend and forwarded to our AI provider to generate a response (see "AI Chat Feature" below). The response is returned to your device and stored there. We do not persist your chat messages or the responses on our servers.

Health tracking data. Body metric observations you manually log in the app — such as weight, body fat percentage, lean body mass, waist circumference, and mood — are stored in your private PeptidePal account on our servers (Supabase). This data is linked to your account, accessible only to you via row-level security, encrypted in transit, and permanently deleted when you delete your account. If you connect Apple Health, bidirectional sync occurs on-device between PeptidePal and Apple Health; your Apple Health data is never transmitted to our servers.

Progress photos. If you use the progress photo feature (Hair, Body, or Face), photos you capture are processed on-device before upload: all EXIF metadata, including GPS location, camera model, and capture time, is stripped before the photo leaves your device. The stripped photo is then uploaded over TLS to a private, user-scoped storage bucket in our Supabase account. Photos are linked to your account and accessible only to you. No photo is ever used for diagnosis, screening, treatment decisions, or shared with third parties. You can delete individual photos or all photos at any time from within the app, and all photos are permanently deleted when you delete your account.

Referral code redemptions. If you enter a referral code and redeem it with a paid subscription, we store the code, the redemption timestamp, and a transaction identifier from Apple so we can honor the referral and prevent double-redemption. We verify the App Store receipt with Apple and discard the raw receipt; we do not keep a copy.

Payment data. All purchases flow through the Apple App Store. Apple handles your payment information. We do not receive or store your payment method, credit card number, or billing address.

Usage analytics.We collect anonymous, device-scoped product usage data (for example which screens you viewed, how far you progressed through onboarding, whether a paywall was shown, approximate message counts) using TelemetryDeck. We also collect non-identifying engagement counts — such as how many active protocols you have and how many doses you logged in the last 7 and 30 days — sent through TelemetryDeck as daily aggregate integers; we do not send peptide names or any other health details to our analytics provider. Events are stamped with a random device identifier that resets when you reinstall the app; they are not linked to your name, email, your Supabase account identifier, or a cross-app advertising identifier. We also use the Meta (Facebook) SDK to send anonymous campaign attribution signals (app installs, app opens, and in-app purchase events) to Meta Platforms, Inc. for advertising measurement purposes. See "Service Providers We Share Information With" for details.

Automatically collected information. When your device connects to our servers we receive standard technical information (IP address, approximate device and OS type, app version, request timestamps). We use this for security, abuse prevention, and debugging. We do not correlate it with advertising identifiers.

What We Do Not Do

We do not use your personal information, chat messages, health data, or onboarding answers for advertising or marketing to you. We do not sell your data. We do not share your name, email, or any personally identifiable information with ad networks. We do send anonymous app-event signals (installs, opens, purchases) to Meta Platforms, Inc. for advertising campaign measurement — see "Service Providers We Share Information With." We do not request App Tracking Transparency (ATT) permission and do not collect your device's Advertising Identifier (IDFA). We do not use health metric observations or progress photos for advertising, marketing, or any purpose other than providing the health-tracking features of the app. We do not share your data with data brokers.

How We Use Your Information

We process the information described above to: create and authenticate your account; personalize the in-app experience based on your onboarding answers; generate AI chat responses to the messages you send; verify subscription and referral eligibility with Apple; deliver push notifications you opt into (dose reminders, streak alerts, refill reminders — scheduled on your device); understand aggregate product usage so we can improve the app, including which peptides the community is exploring in aggregate (via the device-hashed, k-anonymity-suppressed peptide report described above); protect the service from abuse and fraud; and comply with legal obligations.

We do not process your information for any purpose that is incompatible with the purposes above without your consent.

AI Chat Feature

PeptidePal's AI chat assistant helps you research peptides and explore the peptide library. When you send a message it is transmitted over TLS to our backend, combined with a system prompt describing PeptidePal's research-only scope, and forwarded to our AI provider. The generated response is streamed back to your device.

What is sent. Only the message text you type, the prior messages in the same chat session (so the assistant has context), and, optionally, a short summary of your active protocol if you have configured one in the app and allowed the assistant to use it. Your email, your Supabase user identifier, and your raw tracking logs are not included.

AI provider. Our current AI provider is Anthropic, PBC (Claude). Anthropic processes your messages under its commercial terms and does not use API inputs to train its models. Anthropic may retain inputs for up to thirty (30) days solely for trust-and-safety and abuse monitoring, after which the data is deleted. If we change AI providers we will update this policy.

No server-side chat history.PeptidePal does not store your chat messages or AI responses on our servers. Your chat history lives on your device in the app's local storage; deleting the app deletes your chat history.

Community Q&A Forum

PeptidePal includes a community Q&A forum where you can post questions and answers and read other members' contributions. You participate under a randomly generated pseudonym and avatar — not your name — so your posts are not publicly tied to your real identity. Questions, answers, and votes you submit are visible to other members.

Moderation and safety. Every post passes an automated content review before it appears, and you can report content or block other members at any time. Community posts are not medical advice. We never use the health goals, experience level, or any health information from your profile to personalize, target, or advertise within the community, and we never sell or share your community activity with third parties for marketing.

Your community content and account deletion.You can delete any of your own posts at any time. If you delete your account, your profile, pseudonym, and reputation are removed; posts you published are kept but disassociated from you and shown under a generic "PeptidePal member" identity, unless you delete them first. This is also disclosed on the account-deletion confirmation screen in the app.

Peptide Library Content

The PeptidePal peptide library contains general reference information about research peptides. The library is provided for educational purposes only and is not a personalized recommendation, a prescription, or medical advice. It is not tailored to your personal situation. See our Terms of Service for the full disclaimer, including the specific rules that apply to FDA-approved prescription drugs such as Semaglutide, Tirzepatide, and other GLP-1 medications.

Service Providers We Share Information With

We use the service providers listed below, and only the categories of data described, to operate PeptidePal. Each provider is contractually bound to process data only on our instructions.

  • Apple Inc. — Sign in with Apple (account creation), App Store subscriptions and receipts, and Apple Push Notification service for delivering notifications you opt into.
  • Google LLC — Sign in with Google (account creation), when you choose this method.
  • Supabase Inc. — Managed Postgres database and authentication. Stores your email, onboarding answers, demographics, subscription flag, and referral redemptions.
  • Google Cloud Platform (Google LLC) — Hosts our backend API and stores our service credentials securely. Receives API request metadata.
  • Anthropic, PBC — Generates AI chat responses from the messages you send, as described in "AI Chat Feature" above.
  • Superwall Inc. — Powers our in-app subscription paywall and its analytics. Receives an account identifier, limited onboarding and referral information used to present and measure the paywall, and paywall interaction events. It does not receive your email, and none of this data is used for advertising. This information is cleared when you reset your data or delete your account.
  • TelemetryDeck (Telemetry Deck GmbH) — Processes anonymous product analytics events. Receives a device-scoped random identifier that resets on reinstall; does not receive your email, your Supabase identifier, or advertising identifiers.
  • Meta Platforms, Inc. — Advertising campaign measurement. When you install or use PeptidePal, the Meta (Facebook) SDK sends anonymized app-event data (app installs, app opens, and in-app purchase signals) to Meta to help us understand which ads led to app installs and measure the effectiveness of our campaigns. We do not send your name, email, health data, chat messages, or any personally identifiable information to Meta. We do not request App Tracking Transparency (ATT) permission and do not collect your device's Advertising Identifier (IDFA).

We may also disclose information when required by law, to respond to lawful requests and legal process, to protect our rights and the safety of our users, or in connection with a merger, acquisition, or sale of company assets — in which case we will notify you and take reasonable steps to ensure the successor is bound by this policy.

International Data Transfers

Our servers and most of our service providers are located in the United States. If you access PeptidePal from outside the United States your information will be transferred to, stored in, and processed in the United States and in other countries where our service providers operate. Where required, we rely on appropriate transfer mechanisms such as the EU Standard Contractual Clauses.

How Long We Keep Your Information

We keep your account information for as long as your account is active. When you delete your account we delete your Supabase auth record, your profile row (which includes your email, onboarding answers, and demographics), all of your health metric observations, and all of your progress photos from our private storage bucket. Referral redemption ledger rows are retained to preserve creator-code accounting, but your user identifier is detached from them so they are no longer linked to you. Community Q&A posts you published are kept but disassociated from you and shown under a generic "PeptidePal member" identity, unless you delete them first — see "Community Q&A Forum" above.

Your on-device tracking data (dose logs, protocols, chat history) persists only as long as you keep the app installed and is deleted when you uninstall PeptidePal. The single exception is the once-daily aggregate peptide-popularity report described above: it is the only piece of your tracking data that reaches our servers, it is keyed only to a one-way hash of an anonymous device identifier (never your account), it contains no doses, dates, sites, notes, or other identifying details, and it is retained only in aggregate for product research.

How We Keep Your Information Safe

We use TLS to encrypt data in transit, enforce row-level security so each user can only access their own data, authenticate every backend request, and store service credentials securely. Despite these safeguards, no transmission over the Internet is 100% secure; we cannot guarantee absolute security.

Minors

PeptidePal is not directed to anyone under 18. We do not knowingly collect personal information from anyone under 18. By using PeptidePal you represent that you are at least 18 years old. If you believe a minor has provided us with personal information, please contact us at [email protected] and we will delete it.

Your Privacy Rights

Depending on where you live — including California, Colorado, Connecticut, Utah, Virginia, the EEA, the UK, Switzerland, and Canada — you may have the right to request access to the personal information we hold about you, to correct inaccuracies, to delete your personal information, to request a portable copy, and to withdraw any consent you previously gave. You also have the right to lodge a complaint with your local data-protection authority.

To exercise any of these rights, email us at [email protected] from the email address associated with your account. The fastest way to delete your account is described below.

How to Delete Your Account

You can permanently delete your PeptidePal account from inside the app: open Me → Settings → Delete Account and confirm twice. This action is immediate and irreversible. It deletes your Supabase authentication record, your profile row (email, onboarding answers, and demographics), every health metric observation associated with your account, and every progress photo associated with your account. Referral redemption entries are kept for accounting but are no longer linked to your identity. Your on-device tracking data is cleared when the app signs out.

Deleting your PeptidePal account does not cancel an active Apple App Store subscription. To cancel a subscription, open Settings → [your name] → Subscriptions on your iPhone and cancel PeptidePal; Apple handles subscription cancellation and refunds.

If you cannot access the in-app deletion flow, email us at [email protected] from the email address associated with your account and we will delete your account within thirty (30) days.

Do Not Track and Global Privacy Control

PeptidePal is a mobile app and does not respond to browser Do Not Track or Global Privacy Control signals from web browsers. We do not request App Tracking Transparency (ATT) permission and do not actively collect the iOS Advertising Identifier (IDFA). We do use the Meta (Facebook) SDK to send anonymous app-event signals for advertising campaign measurement, as described above. Our first-party analytics (TelemetryDeck) are anonymous and device-scoped by design.

Changes to This Notice

We may update this privacy notice from time to time. The updated version will be indicated by a revised "last updated" date above. If we make material changes we will take reasonable steps to notify you, for example through an in-app notice or by updating the app.

Contact Us

If you have questions about this notice or how we handle your personal information, you can reach us at [email protected] or by mail at: Blank Labs LLC, California, United States.