Privacy Policy.
Peptide Tracker is an independent tracking tool. We are not a peptide vendor, a pharmacy, or an advertising company. This page describes what data the app collects, why, and what we will never do with it.
Who we are
Peptide Tracker is an independent product. We build the iOS and Android apps, the web tools, and the backend that serves them. We are not owned by, controlled by, or operationally entangled with any peptide manufacturer, reseller, or clinic.
We may, however, link to third-party peptide vendors in marketing emails and SMS messages you opt into, and we may earn a commission when you purchase through those links. Section 4 below describes that relationship in detail.
You can reach us at hello@peptidetracker.ai. Our backend is hosted in the United States.
What we collect
We only collect what the app needs to work. The list below is exhaustive. If something isn't here, we don't collect it.
Device ID
A random identifier generated on first launch and stored in the device's secure store (iOS Keychain or Android Keystore). This is how anonymous accounts work. It is not your Apple ID, Google account, phone number, or email.
Protocol data
The peptides, doses, schedules, vials, and injection sites you enter. This is the core of the product, and without it the app has nothing to show you.
Dose log
Each injection you record, including the time, site, vial, and any note you add. Notes are your own writing and we don't read them.
Email (optional)
Only if you choose Sign in with Apple or Google and elect to share your email, or if you create an email account to sync across devices. You can use Apple's private relay, and we don't see the underlying address.
Marketing email & phone (optional)
Only if you enter them on the onboarding contact screen or in Settings. These are kept separate from the account email above so an Apple Private Relay address (which we can't use for marketing) doesn't replace one you actually want to receive mail at. US phone numbers only for now.
Marketing consent records
When you tick a marketing opt-in checkbox or revoke one, we record the timestamp, which channel (email or SMS), the exact disclaimer text you saw, the source (onboarding or Settings), and your IP address and browser/app user-agent. We keep this so we can prove what you consented to if a vendor or regulator ever asks. Required for CAN-SPAM and TCPA compliance.
Timezone
Used to schedule dose reminders at the correct local time. Changes when your device timezone changes.
Device push token
Required to deliver local and remote dose reminders. Revoked when you disable notifications.
Crash diagnostics
Stack traces and error context when the app crashes, sent to Sentry. Authentication tokens are stripped before upload. Used to fix bugs.
Product analytics events
Named events - like onboarding completed, protocol created, or dose logged - sent to PostHog (PostHog Cloud, US region) under your account's random identifier. Events carry coarse metadata, never peptide names, dose amounts, or note contents. Used to see where people get stuck in product flows. No ad or cross-app tracking, no IDFA, no sharing with marketing partners.
How we use it
We use your data to store your protocols and dose history, to deliver dose reminders, to keep your data in sync across your own devices if you sign in, to diagnose bugs when the app crashes, and to see where people get stuck in product flows so we know what to fix.
If you have opted in via the marketing consent checkboxes, we also use your marketing email and/or phone number to send the kind of message you ticked the box for. Section 4 covers what those messages are and how to stop receiving them.
If you upgrade to a paid subscription in the future, a receipt identifier from the App Store or Google Play will be sent to us so we know which features to unlock. Payment details are handled by Apple or Google and never touch our servers.
Marketing communications & affiliates
We send marketing email and SMS only after you have opted in via the corresponding checkbox during onboarding or in Settings. The exact wording of the consent you agreed to, the version number of that wording, and the timestamp are stored in our audit log so we can prove what you consented to.
Marketing emails and SMS messages from us may include offers from independent third-party peptide vendors. Peptide Tracker may earn a commission when you purchase through a link in one of those messages. We disclose this relationship in the message itself, not just here. Receiving these offers is not a condition of using the app, the calculators, or anything else we ship - opt-in is entirely optional and opt-out is one tap.
We don't share your protocol data, dose history, peptide selections, vial inventory, notes, or any other health-adjacent data with affiliate vendors. They receive a normal web visit from a tagged URL - that is, they know the click originated from a Peptide Tracker message, but they do not receive your email, your phone number, or anything you have tracked in the app.
To unsubscribe, reply STOP to any SMS message, click the unsubscribe link in any email, or go to Settings -> Marketing in the app. Unsubscribes are honored immediately, and we keep a revocation record in the same audit log so the next time we send to the channel we know to skip you.
California residents: under the CCPA and CPRA, you have the right to opt out of any "sale" or "sharing" of personal information for cross-context behavioral advertising. We do not sell or share personal data for those purposes. The affiliate links described above pass no personal data to the vendor and do not constitute a sale or share under the CCPA. You may still exercise your access, correction, and deletion rights as described in Section 7.
What we don't do
A short list is clearer than a long one. We don't do any of the following, and we have no plans to.
- We don't sell your data. No data broker, ad network, or marketing partner receives anything about you.
- We don't run in-app ads. There is no advertising SDK in the app. We have no ad-supported tier. Marketing emails and SMS that include affiliate offers are disclosed in Section 4 and require your explicit opt-in.
- We don't share your protocols or health data with vendors. Affiliate vendors receive a normal web visit from a tagged URL when you click a link in our messages. They do not receive your email, phone number, protocols, doses, vials, notes, or any other tracked data.
- We don't share with insurers or employers. Ever.
- We don't read your notes. Dose notes and protocol notes travel over HTTPS, and we have no workflow that surfaces them to anyone on our team.
- We don't run ad or cross-app tracking. No Google Analytics, no Facebook SDK, no AppsFlyer, no IDFA. Our product analytics stays inside our own funnel and is never sold or shared with marketing partners.
Storage & security
Your data is stored in a managed PostgreSQL database hosted by Render in the United States. All traffic between the app and our servers is encrypted in transit over HTTPS. Data at rest is encrypted by the hosting provider.
Authentication tokens live in your device's secure store (iOS Keychain or Android Keystore). We do not store your password in plain text. Password-based accounts use a one-way hash (bcrypt), so even we can't see the original.
We retain your data for as long as you keep the account. If you delete your account, we remove it from the active database within 24 hours and from backups within 30 days.
Your rights
You can export your data, correct it, or delete it. You don't need to justify a deletion request and we won't try to talk you out of one.
To delete your account, open the app and go to Settings -> Account -> Delete account. To request an export, email us at hello@peptidetracker.ai from the address associated with your account and we'll send a JSON archive within seven days.
If you are in the EU, UK, or California, you have additional rights under GDPR and CCPA, including the right to object to processing and to lodge a complaint with a supervisory authority. Reach out and we will honor those requests.
Children
Peptide Tracker is not intended for anyone under 18. We do not knowingly collect data from children. If you believe a child has created an account, email us and we will delete the account and its data.
Changes to this policy
If we change anything material, such as new data collected, a new sub-processor, or a new region, we will update the date at the top of this page and notify you inside the app before the change takes effect. Archived versions will be linked here.
Contact
For questions, data export requests, or complaints, email hello@peptidetracker.ai. A human replies, usually within two business days.
This policy does not create a contractual relationship between us. Nothing here is medical advice. Always consult a qualified clinician before starting, pausing, or changing a peptide protocol.