Last updated: July 8, 2026 Applies to: iOS · Android · Web

Privacy Policy.

Peptide Tracker is an independent tracking tool. We are not a peptide vendor, a pharmacy, or an advertising company. This page describes what data the app collects, why, and what we will never do with it.

Who we are

Peptide Tracker is an independent product. We build the iOS and Android apps, the web tools, and the backend that serves them. We are not owned by, controlled by, or operationally entangled with any peptide manufacturer, reseller, or clinic.

We may, however, link to third-party partners in marketing emails and SMS messages you opt into, and we may earn a commission when you purchase through those links. Section 4 below describes that relationship in detail.

You can reach us at hello@peptidetracker.ai. Our backend is hosted in the United States.

What we collect

We only collect what the app needs to work. Here is what we collect and why.

Device ID

A random identifier generated on first launch and stored in the device's secure store (iOS Keychain or Android Keystore). This is how anonymous accounts work. It is not your Apple ID, Google account, phone number, or email.

Protocol data

The peptides, doses, schedules, vials, and injection sites you enter. This is the core of the product, and without it the app has nothing to show you.

Dose log

Each injection you record, including the time, site, vial, and any note you add. Notes are your own writing and we don't read them.

Email (optional)

Only if you choose Sign in with Apple or Google and elect to share your email, or if you create an email account to sync across devices. You can use Apple's private relay, and we don't see the underlying address.

Marketing email & phone (optional)

Only if you enter them on the onboarding contact screen or in Settings. These are kept separate from the account email above so an Apple Private Relay address (which we can't use for marketing) doesn't replace one you actually want to receive mail at. US phone numbers only for now.

Marketing consent records

When you tick a marketing opt-in checkbox or revoke one, we record the timestamp, which channel (email or SMS), the exact disclaimer text you saw, the source (onboarding or Settings), and your IP address and browser/app user-agent. We keep this so we can prove what you consented to if a vendor or regulator ever asks. Required for CAN-SPAM and TCPA compliance.

Timezone

Used to schedule dose reminders at the correct local time. Changes when your device timezone changes.

Device push token

Required to deliver local and remote dose reminders. Revoked when you disable notifications.

Crash diagnostics

Stack traces and error context when the app crashes, sent to Sentry. Authentication tokens are stripped before upload. Used to fix bugs.

Product analytics events

Named events such as onboarding completed, protocol created, or dose logged, sent to PostHog (PostHog Cloud, US region) under your account's random identifier. Events carry coarse metadata, never peptide names, dose amounts, or note contents. Used to see where people get stuck in product flows. No ad or cross-app tracking and no IDFA.

Marketing activity sync (Klaviyo)

Only if you opt into marketing. We send our email service provider Klaviyo (US region) your marketing email and a profile snapshot, such as your demographics, how engaged you are, and when you were last active, so it can personalize the messages you opted into. If you do not opt into marketing, nothing about you is sent to Klaviyo.

Vial photos (optional)

Photos you attach to a vial, if you choose to add them. They are stored with the rest of your account data, are visible only to you, and we don't scan or analyze them.

Assistant messages (optional)

If you use the in-app assistant, the messages you send and its replies are saved to your account so you can see your history. You can clear them at any time. See How we use it for what gets sent to generate a reply.

How we use it

We use your data to store your protocols and dose history, to deliver dose reminders, to keep your data in sync across your own devices if you sign in, to diagnose bugs when the app crashes, and to see where people get stuck in product flows so we know what to fix.

If you have opted in via the marketing consent checkboxes, we also use your marketing email and/or phone number to send the kind of message you ticked the box for. Section 4 covers what those messages are and how to stop receiving them.

If you have opted into marketing, we sync a profile snapshot to our email provider, Klaviyo, so the messages you opted into can be relevant rather than generic. The snapshot covers attributes such as your demographics, how engaged you are, and when you were last active. If you have not opted into marketing, nothing is sent to Klaviyo.

If you join the optional Founding Membership, a receipt identifier and your subscription status from the App Store or Google Play are sent to us through RevenueCat, our subscription management provider and a sub-processor acting on our behalf, so we can record that your membership is active. Your payment card details are handled by Apple or Google and never reach us or RevenueCat.

If you use the in-app assistant, your message and a limited slice of context, meaning your active protocols, recent dose logs, and the peptides you track, are sent to our AI provider so it can generate a reply. That provider may retain it for up to 30 days to monitor for abuse. We do not send your notes, your photos, or your contact details, and using the assistant is always your choice.

Marketing communications & affiliates

We send marketing email and SMS only after you have opted in via the corresponding checkbox during onboarding or in Settings. The exact wording of the consent you agreed to, the version number of that wording, and the timestamp are stored in our audit log so we can prove what you consented to.

Marketing emails and SMS messages from us may include offers from health-product partners, including peptide suppliers, lab and diagnostic test providers, at-home test kits, and related services. We personalize which offers you see based on your activity and what you track in the app, including the peptides and protocols in your account and your supply levels, so the offers are relevant to you rather than generic. Peptide Tracker may earn a commission when you purchase through a link in one of those messages. We disclose this relationship in the message itself, not just here. Receiving these offers is not a condition of using the app, opt-in is entirely optional, and opt-out is one tap.

We choose which offers to show you on our own systems, so we don't share your tracked data with those partners. They receive a normal web visit from a tagged URL when you click, but they do not receive your contact details or anything you track in the app.

Our email and SMS messages are delivered through Klaviyo, our email service provider and a sub-processor acting on our behalf. For users who have opted into marketing, Klaviyo receives the activity events and profile attributes described in Section 2 so it can segment and personalize those messages. Klaviyo is contractually our processor. It does not buy your data and may not use it for its own purposes. This is separate from the affiliate vendors above, who receive none of it.

To unsubscribe, reply STOP to any SMS message, click the unsubscribe link in any email, or go to Settings › Marketing in the app. Unsubscribes are honored immediately, and we keep a revocation record in the same audit log so the next time we send to the channel we know to skip you.

California residents: under the CCPA and CPRA, you have the right to opt out of any "sale" or "sharing" of personal information for cross-context behavioral advertising. We do not sell or share personal data for those purposes. The affiliate links described above pass no personal data to the vendor and do not constitute a sale or share under the CCPA. You may still exercise your access, correction, and deletion rights as described in Section 7.

What we don't do

A short list is clearer than a long one.

  • We don't sell your data. No data broker or ad network receives anything about you. The service providers that run the app for us, like our email provider, act only on our instructions, never as buyers of your data.
  • We don't run third-party display ads. There is no outside advertising SDK or ad network in the app. The personalized offers we send reach you only through the marketing email and SMS you opted into, described in Section 4.
  • We don't share your protocols or health data with vendors. Affiliate vendors receive a normal web visit from a tagged URL when you click a link in our messages. They do not receive your email, phone number, protocols, doses, vials, notes, or any other tracked data.
  • We don't share with insurers or employers. Ever.
  • We don't read your notes. Dose notes and protocol notes travel over HTTPS, and we have no workflow that surfaces them to anyone on our team.
  • We don't run ad or cross-app tracking. No Google Analytics, no Facebook SDK, no AppsFlyer, no IDFA. Our product analytics is never sold.

Storage & security

Your data is stored in a managed database hosted in the United States, and any photos you upload are kept with our cloud storage provider, also in the United States. All traffic between the app and our servers is encrypted in transit over HTTPS, and data at rest is encrypted by our hosting providers.

Authentication tokens live in your device's secure store (iOS Keychain or Android Keystore). We do not store your password in plain text. Password-based accounts use a one-way hash (bcrypt), so even we can't see the original.

We retain your data for as long as you keep the account. If you delete your account, we remove it from the active database within 24 hours and from backups within 30 days.

Your rights

You can export your data, correct it, or delete it. You don't need to justify a deletion request and we won't try to talk you out of one.

To delete your account, open the app and go to Settings › Danger zone › Delete account. To request an export, email us at hello@peptidetracker.ai from the address associated with your account and we'll send a JSON archive within seven days.

If you are in the EU, UK, or California, you have additional rights under GDPR and CCPA, including the right to object to processing and to lodge a complaint with a supervisory authority. Reach out and we will honor those requests.

Children

Peptide Tracker is not intended for anyone under 18. We do not knowingly collect data from children. If you believe a child has created an account, email us and we will delete the account and its data.

Changes to this policy

If we change anything material, such as new data collected, a new sub-processor, or a new region, we will update the date at the top of this page and let you know inside the app.

Contact

Privacy contact

For questions, data export requests, or complaints, email hello@peptidetracker.ai. A human replies, usually within two business days.

This policy does not create a contractual relationship between us. Nothing here is medical advice. Always consult a qualified clinician before starting, pausing, or changing a peptide protocol.