Pepta ("we", "us", "our") operates the Pepta mobile application (the "Service") and is the data controller for the personal data processed through it. Our full company name and registered address are set out in Section 11 (Contact) at the end of this policy.
This Privacy Policy explains what we collect, why, where it is stored, and what rights you have. If you have questions, contact us at contact@pepta.app.
1. What We Collect
1.1 Information you provide
- Account data: email address, country of residence, year of birth. - Profile data (optional): display name, biological sex (used for body-map illustrations and reference ranges), height, starting weight, experience level, goals. - Health-tracking data: peptide protocols, doses, schedules, injection logs, injection sites, weight and other measurements, progress photos, laboratory results, and any free-text notes you add. - AI feature inputs: when you use our AI features, the lab report you upload (PDF or photo) and the blood-marker values plus the peptides in your active protocol that are sent to our AI provider to read your report and generate insights (see Section 5). - Subscription data: subscription status and entitlement, processed through RevenueCat. We do not receive or store your full payment card details — payment is handled directly by Apple. - Support data: contents of any message you send us.
1.2 Information collected automatically
- Device and analytics data: anonymous device identifiers, app version, OS version, locale, crash diagnostics, anonymous usage events (e.g., "calculator opened"). We do not collect precise location or IP-address-derived geolocation. - Diagnostic data: scrubbed error reports via Sentry, with personal identifiers removed before transmission. - Advertising attribution data: if you grant tracking permission via Apple's App Tracking Transparency prompt, we and Meta Platforms, Inc. process your device advertising identifier (IDFA) together with a limited set of app events (install, registration, and subscription) to measure and optimise our own advertising campaigns. If you decline, we rely only on Apple's privacy-preserving SKAdNetwork, which provides aggregate, non-identifying attribution. We never share your health data, doses, notes, or AI feature content for advertising.
1.3 What we do not collect
- We do not collect your real name unless you choose to enter it. - We do not collect your contacts, calendar, microphone, or precise location. - We do not collect biometric identifiers. - We do not access your photos beyond images you explicitly upload as progress photos or lab reports. - We do not display third-party advertising inside the app, and we never use your health data for advertising. Advertising-measurement tracking runs only with your consent (see Section 1.2) and can be switched off at any time in Settings -> Privacy.
2. How We Use Your Data
We process your data only for the following purposes:
- To provide the Service (account, sync, calculator, tracking) — legal basis: performance of contract; explicit consent for health data. - To provide AI features (reading uploaded lab reports and generating marker insights) by sending the relevant data to our AI provider OpenAI — legal basis: your explicit consent, given in-app before any data is sent and revocable at any time in Settings → Privacy. - To process Subscriptions and prevent fraud — legal basis: contract; legitimate interest. - To diagnose crashes and improve reliability — legal basis: legitimate interest. - To produce aggregate, anonymous product analytics — legal basis: legitimate interest. - To measure and optimise our own advertising campaigns (e.g. attributing an install to an ad) — legal basis: consent, obtained through the App Tracking Transparency prompt. - To communicate service announcements and security notices — legal basis: contract; legitimate interest. - To comply with legal obligations — legal basis: legal obligation.
We do not sell your personal data. Other than the limited advertising- attribution data described in Section 1.2 and Section 4 — which is shared with Meta only if you grant tracking consent — we do not share your personal data for cross-context behavioural advertising. We never share your health data, the lab reports or marker values processed by our AI features, or any AI output for advertising, and our AI provider does not use them to train its models.
3. Where Your Data Is Stored
Your account and health data are stored on Supabase infrastructure in ap-southeast-2 (Sydney, Australia). Files (lab reports, progress photos) are stored in user-isolated Supabase Storage buckets protected by row- level security so that only you can read your own files.
If you are located in the European Union, the United Kingdom, Switzerland, or another jurisdiction whose data-protection law restricts international transfers, your personal data is transferred to and processed in Australia, which has not been recognised by the European Commission as offering an adequate level of protection. We rely on Standard Contractual Clauses approved by the European Commission (and the UK Addendum where applicable) as the legal mechanism for the transfer, together with appropriate technical and organisational safeguards. You can request a copy of the Standard Contractual Clauses by writing to contact@pepta.app.
Encryption: data is encrypted in transit (TLS) and at rest (provider default).
4. Sub-Processors
We use the following sub-processors. Each acts on documented instructions and is bound by contract to confidentiality and security obligations.
- Supabase — database, authentication, file storage — Australia. - RevenueCat — subscription management — United States. - Apple — payment processing, App Store delivery — global. - PostHog — bucketed product analytics — United States. Events contain only structural metadata (e.g. dose ranges, screen names, feature flags) and never carry doses, notes, or identifying details. You can disable analytics at any time in Settings → Privacy → Share usage data; crash reporting stays on so we can keep the app safe. - Sentry — crash diagnostics, with personal identifiers scrubbed before transmission — United States. - OpenAI — large-language-model processing that powers our AI features: reading the lab reports you upload (to extract marker values) and generating marker insights from your values and active-protocol peptides — United States. Data is sent only with your consent (see Section 5), is processed solely to return your results, and is not used to train OpenAI's models. - Expo — application build, over-the-air updates, push notification delivery — United States. - Meta Platforms, Inc. — advertising attribution and measurement for our own campaigns — United States. Receives only a limited set of app events (install, registration, subscription) and, with your App Tracking Transparency consent, your device advertising identifier. No health data, doses, notes, or AI feature content is ever shared. Disable at any time in Settings -> Privacy -> Share usage data, or by declining App Tracking Transparency.
For any cross-border transfer outside your region, we rely on Standard Contractual Clauses or equivalent mechanisms.
We will update this list when we add or remove a sub-processor. Material changes will be announced in the Service before they take effect.
5. Ai Features — Data Processing and Consent
Pepta offers AI features that rely on a third-party AI provider, OpenAI, L.L.C. (United States): (a) reading a lab report you upload to extract its marker values, and (b) generating a short plain-language insight and description for a marker.
5.1 What is sent, to whom, and why
- Lab report reading: the file you upload (the PDF or photo, which may include the lab name, collection date, and any personal details printed on it) is transmitted to OpenAI for the sole purpose of extracting the marker values. - Marker insights: the marker code and value, its reference and optimal ranges, and the names of the peptides in your active protocol are transmitted to OpenAI for the sole purpose of generating the insight and description. - OpenAI processes this data on our documented instructions, only to return the result to you, and does not use it to train its models.
5.2 Your consent and control
- We ask for your explicit consent before any data is sent to OpenAI. Nothing is sent to the AI provider unless you have consented. - You can withdraw consent at any time in Settings → Privacy → AI features. When AI features are off, no data is sent to OpenAI and the rest of Pepta keeps working. - Do not upload a report containing, or enter, information about other identifiable individuals.
You are responsible for what you submit. Pepta's AI features are an educational tool, not a medical service, and their output is not medical advice.
6. How Long We Keep Your Data
- Active account data: indefinitely, until you delete your account. - Soft-deleted data after account deletion: 30 days in a recoverable state, then hard-deleted. - Crash and diagnostic logs: up to 90 days. - Anonymous analytics events: up to 24 months. - Audit and consent records (e.g., accepted Terms, region confirmation): up to 6 years after account closure for legal- defence purposes.
7. Your Rights
Subject to applicable law (the General Data Protection Regulation for EU/EEA residents, the UK GDPR for UK residents, the United Arab Emirates Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data for UAE residents, and equivalent rights elsewhere), you have the right to:
- Access the personal data we hold about you. - Rectify inaccurate or incomplete data. - Erase your data ("right to be forgotten"). - Restrict or object to processing. - Data portability — export your data in a structured, machine- readable format. - Withdraw consent at any time, without affecting the lawfulness of processing carried out before the withdrawal. - Lodge a complaint with your local supervisory authority — for example, the relevant Data Protection Authority in the EU/UK, or the UAE Data Office.
You can exercise most rights directly in the app (Settings > Account > Export data / Delete account). For anything else, write to contact@pepta.app. We respond within 30 days.
8. Children
The Service is not intended for users under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us data, contact contact@pepta.app and we will delete the account.
9. Security
We apply technical and organisational measures appropriate to the sensitivity of the data: TLS for transport, encryption at rest, row- level security policies for user-isolated access, scoped service credentials, principle-of-least-privilege access for our team, and audit logging. No system is perfectly secure. If you suspect a security incident, contact contact@pepta.app.
10. Changes to This Policy
We may update this Privacy Policy. If a change is material, we will notify you in the Service or by email before it takes effect. The "Last updated" date at the top reflects the most recent version.
11. Contact
The data controller is KLC Group LLC, a limited liability company registered in the Sharjah Media City (Shams) Free Zone, United Arab Emirates.
Registered address: Sharjah Media City (Shams Free Zone), Sharjah, United Arab Emirates
All privacy, data-protection, and security inquiries: contact@pepta.app