Privacy

Privacy Policy

How PEP9 collects, uses, and protects information when you use the app.

Effective: May 30, 2026
Updated: May 30, 2026

This Privacy Policy explains how PEP9 (“PEP9,” “we,” “us,” or “our”) collects, uses, discloses, and protects information when you use the PEP9 mobile application for iOS and Android (the “App”) and any related services (collectively, the “Service”). By creating an account or using the Service, you agree to the practices described in this Policy. If you do not agree, do not use the Service.

PEP9 is operated by Vertek Ventures LLC (“we”), located at 1234 Innovation Way, Suite 200, Arlington, VA 22203, USA. For privacy questions, contact us at privacy@pep9.app.

This Policy should be read together with our Terms of Service, which include important medical and substance disclaimers, an assumption of risk, and a limitation of liability that apply to your use of the Service.

1 Summary at a Glance

We collect the minimum information needed to operate the App: your email address, profile preferences, and the peptide tracking data you choose to enter (protocol names, doses, schedules, dose logs, optional notes, optional injection sites).
We use Supabase to store your data, Apple and Google to process subscription payments via RevenueCat, PostHog for product analytics, and Sentry for crash diagnostics. We do not sell or share your personal information for cross-context behavioral advertising, and we do not use your data to train any machine-learning model.
We are not a HIPAA Covered Entity or Business Associate, and the tracking data you enter is not “Protected Health Information” under HIPAA. Other consumer-health-data and state privacy laws may still apply; see Sections 13 and 14.
You can export, correct, or delete your account at any time from within the App (“Settings” then “Delete Account”) or by emailing us.
The App is not a medical device. We do not diagnose, treat, or provide medical advice. See the Terms of Service for the full medical disclaimer.

2 Who This Policy Applies To

This Policy applies to all users of the App worldwide. Additional regional disclosures for users in the European Economic Area, United Kingdom, Switzerland, California, Washington, Nevada, and other U.S. states appear in Section 13.

The App is intended for adults aged 18 and over. We do not knowingly collect information from anyone under 18. The Children’s Online Privacy Protection Act (“COPPA”) in the United States prohibits us from collecting personal information from children under 13 without verifiable parental consent; because the App is 18+, we do not direct any feature to children under 13 and we do not knowingly collect information from them. If you believe a minor has provided us with information, contact us at privacy@pep9.app and we will delete it.

3 Information We Collect

3.1 Information You Provide

Account identifiers

Examples: Email address; one-time login codes sent to your email address; or, if you choose Sign in with Apple or Sign in with Google, the identifier returned by that provider (OAuth subject ID, the name you elect to share, and either your account email or an Apple private-relay address)
Source: You, at signup, and your chosen identity provider

Profile preferences

Examples: Display name (optional), time zone
Source: You, during onboarding or in Settings

Health and tracking data

Examples: Peptide names, doses, dose units (mg, mcg, IU), schedules, start and end dates, free-text notes, optional injection-site labels, dose-log timestamps
Source: You, when you create protocols or log doses

Support communications

Examples: Contents of any email or in-App feedback you send us
Source: You

We do not request or store passwords, government-identifier numbers, payment-card numbers, precise geolocation, contacts, photos, audio, or biometric identifiers. If you sign in with Apple and choose to hide your email, we receive only an Apple private-relay address and never see your real email.

3.2 Information Collected Automatically

Device and diagnostic data

Purpose: App version, operating system, device model, language, crash reports, performance traces
Source: Sentry SDK

Usage events

Purpose: Screen views, feature interactions, button taps, session start and stop, subscription status changes
Source: PostHog SDK

Push notification token

Purpose: Sending reminders you have opted in to
Source: Apple Push Notification service or Firebase Cloud Messaging via Expo Notifications

Subscription receipts

Purpose: Verifying your subscription status
Source: Apple App Store or Google Play, via RevenueCat

Network metadata

Purpose: IP address, request timestamps (used transiently for security and abuse prevention)
Source: Supabase, Sentry, PostHog

We have disabled Sentry’s default personal-data capture (sendDefaultPii = false). Crash reports do not include your IP address, username, or request headers by default. We do enable Sentry session replay at a sampled rate to diagnose UI errors; replays redact text input by default but may capture other on-screen content. You can opt out of replay capture by contacting us.

3.3 Information We Do Not Collect

We do not collect data from Apple HealthKit or Google Health Connect. We do not access your device’s contacts, calendar, microphone, or camera. The App does not use cross-app or cross-website advertising trackers, and we do not participate in any advertising identifier or attribution program.

We do not collect biometric identifiers or biometric information as defined by the Illinois Biometric Information Privacy Act, the Texas Capture or Use of Biometric Identifier Act, the Washington biometrics statute, or any comparable law. We do not collect fingerprints, voiceprints, retinal or iris scans, hand or face geometry, or any other biometric identifier. We do not use Face ID, Touch ID, or any other biometric authentication; if your device unlocks the App with Face ID, Touch ID, fingerprint, or device passcode, that authentication is performed by your operating system and we never receive the biometric data.

3.4 Sensitive Personal Information

The peptide-tracking data you enter may constitute “sensitive personal information” under the California Privacy Rights Act (“CPRA”), “consumer health data” under the Washington My Health My Data Act (“MHMDA”) and Nevada Senate Bill 370, and analogous categories under other state laws. We use this information solely to provide and improve the Service as described in this Policy. We do not use sensitive personal information for any purpose other than what is necessary to deliver the Service you requested, to detect security incidents, to maintain quality and safety, or to comply with the law. We do not sell or share sensitive personal information for cross-context behavioral advertising, and we do not disclose sensitive personal information for inference purposes.

3.5 HIPAA Status

Vertek Ventures LLC is not a “Covered Entity” or “Business Associate” as those terms are defined under the U.S. Health Insurance Portability and Accountability Act (“HIPAA”). Information you enter into the App is not “Protected Health Information” under HIPAA. This means HIPAA’s specific protections and rights do not apply to our handling of your data; however, we voluntarily apply the practices described in this Policy, and other laws (including state consumer-health-data laws and the GDPR for EEA users) provide enforceable rights. Do not use the Service to share data subject to HIPAA (for example, on behalf of a patient as a healthcare provider) without a separate written agreement with us.

4 How We Use Information

We use the information described above for the following purposes:

Operate the Service. Authenticate you, sync your protocols and dose logs across your devices, send the reminders you have scheduled, process your subscription, and provide customer support.
Maintain reliability and security. Detect, prevent, and investigate abuse, fraud, security incidents, and technical failures.
Improve the App. Understand which features are used, fix bugs, and prioritize the roadmap. We use aggregated and pseudonymous analytics for this purpose.
Communicate with you. Send transactional emails (account verification, password reset, receipts), respond to your inquiries, and, if you opt in, send product updates. We do not send marketing emails without your consent.
Comply with legal obligations. Respond to lawful requests, enforce our Terms of Service, and protect our rights, your rights, and the rights of third parties.

We do not use your data to train machine-learning models, develop generative AI, or build inference profiles, and we do not use your data for behavioral advertising. We do not perform automated decision-making, including profiling, that produces legal or similarly significant effects concerning you within the meaning of Article 22 of the GDPR. We do not engage in “targeted advertising” or “profiling in furtherance of decisions that produce legal or similarly significant effects” within the meaning of state consumer-privacy laws.

Legal Bases (EEA and UK users)

Where the EU or UK General Data Protection Regulation applies, we rely on the following legal bases:

Performance of a contract. To provide the Service you signed up for.
Legitimate interests. To keep the Service secure, prevent abuse, and improve the product, balanced against your rights.
Consent. For optional push notifications and any marketing communications. You can withdraw consent at any time.
Legal obligation. To comply with applicable laws.

For special categories of data under Article 9 GDPR (health data), we rely on your explicit consent given when you enter such data into the Service, or on the basis that you have manifestly made the data public for purposes of operating your own tracking. You can withdraw consent at any time by deleting the data or your account.

We share information only with the categories of recipients listed below, and only as needed to operate the Service. We do not sell personal information for money or other valuable consideration, and we do not share personal information for cross-context behavioral advertising. We have not sold or shared personal information in the prior 12 months.

Supabase, Inc.

Role: Authentication, database, and hosting (United States)
Data shared: Account credentials, profile, protocols, dose logs, IP address (transiently)

RevenueCat, Inc.

Role: Subscription management
Data shared: Anonymous app user ID, subscription status, Apple or Google receipt tokens

Apple Inc. and Google LLC

Role: Payment processing, push-notification delivery, and identity (Sign in with Apple, Sign in with Google)
Data shared: Subscription-receipt tokens, push tokens, OAuth subject ID, and the name and email (or Apple private-relay email) associated with the Apple ID or Google Account you use to sign in

PostHog, Inc.

Role: Product analytics
Data shared: Pseudonymous user ID, event names, screen names, device metadata

Sentry (Functional Software, Inc.)

Role: Crash and performance monitoring
Data shared: Crash payloads, device metadata, sampled session replays

Resend (Resend, Inc.)

Role: Transactional email delivery for authentication emails
Data shared: Email address, email body

Expo (650 Industries, Inc.)

Role: Push-notification dispatch infrastructure
Data shared: Push token, notification payload

Professional advisors

Role: Lawyers, accountants, auditors when engaged
Data shared: Limited to what is required

Authorities

Role: Law-enforcement or regulators responding to a valid legal request
Data shared: Limited to what is required

Successor entity

Role: In the event of a merger, acquisition, or asset sale
Data shared: The data covered by this Policy, subject to the successor’s continued compliance

Each processor is bound by a written agreement requiring confidentiality, security, and use of your data only for the purposes we direct.

6 International Transfers

We are based in the United States, and our processors are located in the United States and the European Union. If you access the Service from outside these jurisdictions, your information will be transferred to and processed in them.

For transfers of personal data from the European Economic Area or Switzerland to the United States, we rely on the European Commission’s Standard Contractual Clauses (“SCCs”) or, where applicable, the EU-U.S. Data Privacy Framework. For transfers from the United Kingdom, we rely on the UK Addendum to the SCCs (the “UK IDTA”). Contact us at privacy@pep9.app for a copy of the relevant safeguards.

7 Data Retention

We retain your information for as long as your account is active and for a limited period afterward to satisfy the purposes described in this Policy.

Account record (email, profile)

Retention: Until you delete your account, then deleted within 30 days

Protocols and dose logs

Retention: Until you delete the record or your account; soft-deleted protocols are hard-deleted within 90 days of account deletion

Crash and analytics events

Retention: Up to 12 months, then aggregated or deleted

Subscription receipts

Retention: As required by Apple, Google, and tax-records laws (typically 7 years)

Backups

Retention: Encrypted backups are cycled out within 35 days

We may retain limited information longer if required by law, to enforce our Terms, to resolve disputes, or to defend ourselves against legal claims.

8 Security

We use industry-standard safeguards to protect your data, including:

TLS in transit between the App and our servers.
Encryption at rest for the primary database and backups, as provided by Supabase.
Row-level security policies that restrict every record to its owning user.
Passwordless authentication: one-time email codes and OAuth sign-in via Apple or Google. We never collect, store, or transmit user passwords. Code-delivery and OAuth callback endpoints are rate-limited.
Principle-of-least-privilege access for our staff and processors.
No service-role database keys shipped in the App binary.

No system is perfectly secure. If we determine that a security incident has resulted in unauthorized access to your personal data, we will notify you and, where required, the appropriate regulatory authorities within the timeframes required by applicable law (within 72 hours of becoming aware, where the GDPR or similar regimes apply). If you believe your account has been compromised, contact us immediately at security@pep9.app.

9 Your Choices

Account settings. Update your display name, time zone, and notification preferences in the App’s Settings screen.
Notifications. Reminders are sent only after you grant permission. You can revoke the permission in your device settings at any time.
Subscription. Manage or cancel your subscription in App Store Settings or Google Play. The App provides a “Restore Purchases” button in Settings and on the paywall.
Account deletion. Tap “Delete Account” in Settings. This permanently deletes your account and associated data, subject to the retention windows in Section 7. You can also request deletion by emailing privacy@pep9.app.
Data export. Email privacy@pep9.app to request a machine-readable copy of your data.
Global Privacy Control. We honor opt-out preference signals (including Global Privacy Control) as required by applicable law. Because we do not sell or share personal information for cross-context behavioral advertising, the practical effect of a GPC signal on our processing is minimal, but we will treat the signal as a valid opt-out request from any applicable resident.
Authorized agents. Where applicable law permits, you may designate an authorized agent to submit requests on your behalf. We will require proof of the agent’s authorization and your identity before acting.
Withdraw consent. Where we rely on your consent (for example, for optional notifications), you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
Complain to a regulator. You may lodge a complaint with your local data-protection authority (for EEA, UK, or Swiss residents) or applicable state attorney general (for U.S. state-law residents).

We will not discriminate or retaliate against you for exercising any right under this Policy.

10 Third-Party Privacy Policies

The third parties listed in Section 5 have their own privacy practices. Relevant links:

Apple App Store: https://www.apple.com/legal/privacy/
Google Play: https://policies.google.com/privacy
Supabase: https://supabase.com/privacy
RevenueCat: https://www.revenuecat.com/privacy
PostHog: https://posthog.com/privacy
Sentry: https://sentry.io/privacy/
Resend: https://resend.com/legal/privacy-policy
Expo: https://expo.dev/privacy

11 Apple App Tracking Transparency

The App does not track you across apps or websites owned by other companies. We do not display the App Tracking Transparency prompt because we do not engage in tracking as Apple defines it.

12 Changes to This Policy

We may update this Policy from time to time. If we make material changes, we will provide notice by posting the updated Policy in the App and updating the “Last Updated” date. For material changes that affect EEA, UK, Swiss, or state-law residents’ rights, we will provide additional notice as required by applicable law. Continued use of the Service after the update constitutes acceptance of the new Policy.

13 Regional Disclosures

13.1 European Economic Area, United Kingdom, and Switzerland

If you are located in the EEA, UK, or Switzerland, you have the right to:

access your personal data;
request correction of inaccurate data;
request deletion;
restrict or object to processing;
request portability of data you provided to us;
withdraw consent where processing is based on consent;
not be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects (we do not engage in such processing);
lodge a complaint with your local data-protection authority.

The data controller is Vertek Ventures LLC, 1234 Innovation Way, Suite 200, Arlington, VA 22203, USA. To exercise your rights, contact privacy@pep9.app. We will respond within 30 days, extendable by an additional 60 days where the request is complex.

13.2 California

Under the California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”), California residents have the right to:

know the categories and specific pieces of personal information we have collected about them in the prior 12 months;
request deletion of personal information;
request correction of inaccurate personal information;
opt out of the sale or sharing of personal information; we do not sell or share personal information for cross-context behavioral advertising and have not done so in the prior 12 months;
limit use of sensitive personal information; we do not use sensitive personal information for any purpose beyond what is necessary to provide the Service;
not be retaliated against for exercising any right under the CCPA.

We do not discriminate against you for exercising your rights. To exercise these rights, contact privacy@pep9.app. We verify requests by matching the request against the email on your account. Authorized agents may submit requests with proof of authorization.

California “Shine the Light” law: we do not disclose personal information to third parties for their direct-marketing purposes.

13.3 Other US States

If you reside in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, Tennessee, Indiana, New Jersey, New Hampshire, Minnesota, Maryland, or another state with a comprehensive consumer-privacy statute, you have similar rights of access, deletion, correction, portability, and opt-out as described above. Contact privacy@pep9.app to exercise them.

13.4 Washington (My Health My Data Act)

If you are a Washington consumer, the Washington My Health My Data Act (“MHMDA”) gives you specific rights regarding “consumer health data,” which may include the peptide-tracking data you enter into the Service. You have the right to:

confirm whether we collect, share, or sell your consumer health data;
access your consumer health data, including a list of the categories of third parties and specific persons with whom we have shared it;
withdraw consent to our collection and sharing of your consumer health data;
request deletion of your consumer health data.

We do not sell consumer health data for monetary or other valuable consideration, and we do not engage in geofencing of any in-person healthcare service location. We collect consumer health data only with your affirmative consent, given when you create an account and enter the data, and we use it only to provide the Service. To exercise your MHMDA rights, contact privacy@pep9.app with the subject line “MHMDA Request.”

13.5 Nevada

Nevada Senate Bill 370 provides rights similar to those in MHMDA for “consumer health data” of Nevada residents. We do not sell consumer health data of Nevada residents. To exercise your rights under Nevada law, contact privacy@pep9.app with the subject line “Nevada Health Data Request.” Nevada SB-220 also gives you the right to opt out of the sale of certain personal information; because we do not sell personal information, there is nothing to opt out of, but we will treat any such request as a confirmation of our no-sale practice.

13.6 Children’s Privacy

The Service is not directed to children under 18, and we do not knowingly collect personal information from anyone under that age. The Service does not knowingly collect personal information from any child under 13, and we do not direct any feature at children under 13 within the meaning of COPPA. If we learn that we have collected information from a person under 18, we will delete it promptly.

14 Consumer Health Data and Sensitive Information

This Section consolidates how we handle the peptide-tracking data that may be classified as consumer health data, sensitive personal information, or a special category of personal data under applicable laws.

Source. We collect this data only from you, only when you choose to enter it into the App, and only the data fields you choose to fill in.
Purpose. We process this data only to operate the Service for you, to display it back to you across your devices, to send reminders you have configured, and to maintain security and reliability.
No secondary uses. We do not use this data to train machine-learning models, derive datasets for sale, perform inference for advertising or marketing, profile you in furtherance of decisions that produce legal or similarly significant effects, or for any purpose unrelated to operating the Service.
Sharing. We share this data only with the processors listed in Section 5, each bound by a written agreement to confidentiality and to use the data only as we direct.
No sale. We do not sell consumer health data or sensitive personal information.
Consent. Your entry of this data into the App constitutes your affirmative, voluntary consent to our collection and processing of it for the purposes described in this Policy. You may withdraw consent at any time by deleting the data or your account.
Access, correction, deletion. You can view, edit, and delete this data at any time from within the App, or request a copy by emailing privacy@pep9.app.
Retention. See Section 7. We delete this data within the windows stated there.

15 Contact Us

For any privacy-related question, request, or complaint:

Email: privacy@pep9.app
Postal: Vertek Ventures LLC, 1234 Innovation Way, Suite 200, Arlington, VA 22203, USA