Privacy Policy
Last updated: April 22, 2026
1. Introduction
PeptideOS ("we", "us", "our") operates the PeptideOS application and website (the "Service"). This Privacy Policy explains what information we collect, how we use it, and the rights you have over your data. By using the Service you agree to the practices described in this policy.
Health disclaimer. PeptideOS is a personal tracking and education tool. It is not medical advice, diagnosis, or treatment. Always consult a qualified healthcare professional before making decisions about medications, peptides, or supplements.
2. Information we collect
- Account data: name, email address, and password hash created when you register.
- Profile preferences: units, time zone, plan tier, and notification settings.
- Tracking data you enter: compounds, doses, schedules, inventory, symptoms, body-map reactions, and notes.
- Billing data: when you upgrade, our payment processor (Stripe) collects payment details on our behalf. We never see or store full card numbers.
- Technical data: IP address, browser type, device identifiers, and basic usage telemetry needed to operate the Service.
3. How we use your data
- To provide and maintain the Service.
- To compute insights such as adherence, streaks, and Protocol Score.
- To send transactional emails (verification, password resets, billing).
- To detect abuse, fraud, and security incidents.
- To meet legal obligations.
We do not sell your personal data, and we do not share your tracking data with advertisers.
4. Legal basis (GDPR / UK GDPR)
Where applicable, we process personal data on the following legal bases: performance of a contract (providing the Service), legitimate interests (security, product analytics), consent (optional marketing emails), and legal obligation (tax, fraud prevention).
5. Data sharing & subprocessors
We rely on a small number of subprocessors to operate the Service:
- Cloud hosting and database — for application hosting, authentication, and encrypted data storage.
- Stripe — for subscription billing and payments.
- Email delivery — for transactional emails.
Each subprocessor is bound by contractual confidentiality and security obligations. We do not transfer data to third parties for advertising.
6. Data retention
We retain your account data for as long as your account is active. If you delete your account, we delete or anonymize your personal data within 30 days, except where we are legally required to retain certain records (e.g. tax invoices).
7. Security
All data is transmitted over TLS. Passwords are stored using industry-standard salted hashing. Access to production systems is restricted and logged. No system is perfectly secure — please use a strong, unique password and enable any additional security features we offer.
8. Your rights
Depending on your jurisdiction, you may have the right to access, correct, export, or delete your personal data, restrict or object to processing, and lodge a complaint with a supervisory authority. You can exercise most of these rights from your account settings, or by contacting us.
9. Children
The Service is not intended for individuals under 18. We do not knowingly collect personal information from children.
10. International transfers
Your data may be processed in countries other than your own. Where required, we rely on Standard Contractual Clauses or equivalent safeguards to protect international transfers.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced in-app or by email. The "Last updated" date above always reflects the current version.
12. Contact
For privacy questions or to exercise your rights, contact us through the in-app support page. A response will typically be provided within 30 days.
