Privacy Policy

Last updated: 2026-04-27

Draft pending review by a Quebec-licensed lawyer. This document declares Peptidia's intended privacy posture. Final language will be reviewed and revised before public launch and may be adjusted further as the product evolves.

Who we are

Peptidia is operated by [Legal Entity TBD] ("Peptidia", "we", "us") in Quebec, Canada. Privacy questions can be directed to our designated privacy officer at privacy@peptidia.app.

What we collect

Account data: email address; sign-in identifier (Apple ID / Google ID / magic link).

Profile data: display name, date of birth (used for the 18+ age gate; the underlying date is stored), sex, country, peptide-experience level, primary outcome goals selected during onboarding.

Sensitive health-adjacent data: outcome goals (sleep, recovery, longevity, etc.), self-reported safety conditions used to gate Pro features (pregnancy, breastfeeding, active cancer history), notable observations entered freely in the wellness journal, daily mood / sleep / energy ratings.

App-generated data: AI coach conversation history, audit log entries for sensitive actions (subscription changes, data deletion).

Subscription metadata: RevenueCat subscriber identifier, Apple original transaction identifier, current subscription status. We do not receive your credit card details — those are held by Apple.

Device data: for push notifications, an Expo push token tied to your installation. No advertising identifiers are collected.

Diagnostic data: crash reports and performance traces (Sentry), product analytics events (PostHog). Where possible we collect this without linking to your identity.

What we don't collect

  • Advertising identifiers (no IDFA, no ad-tracking).
  • Location data.
  • Photos, contacts, calendar, or microphone data.
  • Anything from HealthKit (V1 doesn't request HealthKit access).
  • Payment-instrument details.

How we use it

  • Deliver the product: show you a personalized library, run the AI assistant, store your journal, track your subscription state.
  • Operate safely: detect abuse, enforce rate limits, monitor errors, maintain audit logs of sensitive actions.
  • Improve the product: measure conversion funnels and feature usage in aggregate via PostHog.
  • Communicate with you: transactional emails (welcome, account deletion confirmation), launch announcement (if you opted in).

We do not sell or rent your data. We do not share data with third-party advertisers.

Where it lives

Our database is hosted by Supabase in Montreal (ca-central-1, Canada). Other sub-processors process data in their own regions:

Sub-processor | Purpose | Region
Vercel | Web/API hosting | US
Cloudflare | DNS, edge proxy | Global
Apple App Store / RevenueCat | iOS subscriptions | US
Anthropic | AI assistant inference | US
Voyage AI | Vector embeddings | US
Resend | Transactional email | US
PostHog | Product analytics | US
Sentry | Error tracking | US
Upstash Redis | Rate limiting | Region per project
Expo Push | iOS push delivery | US

For users in the European Economic Area, transfers to the US occur under Standard Contractual Clauses where applicable. For users in Quebec, our practices are governed by the Act respecting the protection of personal information in the private sector (Bill 25).

Your rights

You have the right to:

  • Access the personal data we hold about you (in-app data export will be available; in the meantime, email privacy@peptidia.app).
  • Correct inaccurate data (edit profile in-app, or email us).
  • Delete your account and all associated data via Settings → Delete Account in the iOS app, or by emailing us. We process deletion within 30 days as required by Bill 25 and the GDPR.
  • Object to processing for non-essential purposes (e.g., analytics), where applicable.
  • Withdraw consent for processing that depends on consent.

EEA / UK residents may also lodge a complaint with their local data-protection authority. Quebec residents may complain to the Commission d'accès à l'information du Québec.

Retention

  • Account data is retained for the active life of your account.
  • Sensitive health-adjacent data (journal entries, goals) is retained for the life of the account plus 12 months post-cancellation, then purged.
  • Audit log entries are retained for 24 months then anonymized.
  • Diagnostic data (Sentry, PostHog) follows each provider's standard retention (typically 90 days for events, 30 days for crash reports).

Children

Peptidia is not intended for users under 18. Onboarding includes an age gate. We do not knowingly collect data from minors; if you believe we have, contact us at privacy@peptidia.app and we will delete it.

Cookies

The marketing site uses minimal cookies (preference + anti-CSRF). No advertising cookies. The iOS app does not use cookies.

Security

Data is encrypted at rest (Supabase default) and in transit (TLS). Access to production infrastructure is restricted to the founder. Sensitive operations are logged to an audit log.

In the event of a data breach affecting your personal information, we will notify you and the appropriate regulator within the timeframes required by law (Bill 25: 72h to the Commission and affected users where the breach poses a risk of serious harm; GDPR: 72h to the supervisory authority).

Changes

We will notify you of material changes by email and update the "Last updated" date above.

Contact

Privacy questions, rights requests, or breach inquiries: privacy@peptidia.app.