
Privacy Policy

How PeptideAIx collects, uses, stores, and protects your data. Educational tracking only; we never sell your information.

Last updated: May 29, 2026 · Version: v1.5

Overview

PeptideAIx ("we", "us", "the service") is an educational peptide-protocol tracker. You use the service to track doses you choose to take, calculate syringe draws, log daily check-ins, and keep a personal activity history.

This Privacy Policy explains what information we collect when you use PeptideAIx, how we use it, who we share it with, and what control you have over it. By using PeptideAIx you agree to the practices described here.

Educational use only. PeptideAIx is not a medical device, not a substitute for clinical advice, and does not diagnose, prescribe, or recommend doses. Always involve a qualified clinician before changing any peptide protocol.

What we collect

Information you give us directly

  • Account details: email address, display name, and password. Passwords are stored only as a one-way salted hash — we never see or store your plaintext password.
  • Profile preferences: timezone, units of measure, week-start day, notification preferences.
  • Protocols and compounds you create: compound names, dose values, schedules, cycle lengths, and any notes you add.
  • Activity entries: dose logs (taken / skipped / window), daily check-ins, dose-calculator snapshots, and any free-form notes you write.
  • Cookie preferences: your choices for the optional storage categories described below, plus an append-only history of every change so we can demonstrate the consent we relied on at any point in time.
  • Email preferences: a single boolean flag for whether you've opted out of marketing emails, plus the timestamp of when you last changed it. Used to suppress future marketing sends and to demonstrate the consent we relied on at the moment any email was dispatched.
  • Support correspondence: if you email support@peptideaix.com or use our contact channels.

Information collected automatically

  • Authentication metadata: sign-in timestamps, IP address at sign-in, and which sign-in method you used. Used for security (detecting unusual sign-in patterns).
  • Browser context: browser type, operating system, screen size, and approximate region (derived from your IP). Used for compatibility and bug diagnosis.
  • Service-level logs: our hosting provider keeps standard request logs (path, status code, response time). Standard for any web application.

What we do NOT collect

  • Bloodwork, lab results, or medical diagnoses — PeptideAIx has no field for this and we don't want it.
  • Health insurance information.
  • Payment card data — when paid plans launch, payments will be processed by a regulated payment processor; we'll never see your full card number.
  • Marketing tracking pixels or third-party advertising cookies — the service uses no scripts that track you across other sites.

How we use your information

We use the information we collect to:

  • Provide the service — render your protocols, calculate doses, sync your data across devices.
  • Send transactional emails required for the account to work: a one-time welcome, email verification, password reset, security notifications, and replies to support questions. You cannot opt out of these — they're required to use the service.
  • Send service nudge emails — for example, an onboarding reminder if you haven't built a protocol within an hour of signing up, or product changelog updates when something material ships. These are sent under the "legitimate interest" lawful basis (you signed up for a peptide-tracking service; nudging you to actually use it is consistent with that). Every such email includes a one-click unsubscribe link in the footer, and you can opt out at any time from your profile's Email preferences section. Once you opt out, the suppression is honoured globally — no further marketing email is sent to your address.
  • Maintain account security: detect unusual sign-in patterns, rate-limit abuse, enforce access controls.
  • Provide support when you email us.
  • Comply with legal obligations (responding to lawful requests, preventing fraud, enforcing our Terms of Service).
  • Improve the service — at an aggregate level (e.g. "most-used features", "average protocol length"). Aggregate analysis never identifies individual users.

We do not use your data to train AI/ML models, sell to data brokers, or share with advertisers. We have no advertising business model.

Where your data is stored

Your data is hosted in the United States across multiple data centres for redundancy and high availability. The location is the same whether you sign up from Sydney, San Francisco, or Stockholm — we don't maintain region-specific replicas.

  • Account and app data (your protocols, dose logs, profile settings) — replicated across multiple U.S. data centres.
  • Authentication state — managed by our authentication provider's global identity infrastructure.
  • Server-side rendering and Cloud Functions — run from a U.S. data centre, co-located with the database.
  • Static assets — served from a global CDN, so the bytes that build the UI come from the nearest edge location to you.
  • Outbound email delivery — handled by our transactional-email provider. Recipient address and email content are processed by the provider to deliver the message to your inbox.

All data in transit is encrypted (TLS 1.2+). Data at rest is encrypted using industry-standard at-rest encryption.

Third-party processors

We use a small number of vendors to operate the service. Each is listed below with what data they process and a link to their privacy practices. This section names specific vendors because GDPR Article 28 and Australian Privacy Principle 8 both require identification of data processors — the rest of this policy describes vendor roles rather than brand names.

  • Google LLC (Firebase + Google Cloud): authentication, database storage, hosting, and server-side execution. Data is processed under Google's Cloud Data Processing Addendum.
  • Zoho Corporation (ZeptoMail + Zoho Mail): outbound transactional-email delivery (welcome, verification, password reset, security notices) and our support inbox. See Zoho's privacy policy.
  • GoDaddy.com, LLC: domain registrar for the peptideaix.com domain. Does not process user data — only manages our DNS records.
  • Functional Software, Inc. (Sentry): error tracking. When the app crashes or throws an unhandled exception, we send a redacted stack trace + browser/OS metadata to Sentry so we can fix the bug. We strip email addresses, cookies, request bodies, and URL query strings from every event before transmission. This only runs if you have accepted the "Analytics" cookie category — visitors who decline (or haven't decided) never have errors sent to Sentry. See Sentry's privacy policy and DPA.
  • GeoJS (IP geolocation): to show approximate visitor countries in our internal analytics, we resolve your country from your IP address using GeoJS, a free IP-geolocation service. We send only your IP for the lookup and store only the resulting 2-letter country code — never your IP address, and never your city or precise location. This only runs if you have accepted the "Analytics" cookie category — visitors who decline (or haven't decided) never have their IP looked up. See GeoJS.
  • Stripe, Inc. (planned, not yet active): when paid plans launch, Stripe will process payment information. We'll update this section before any payment data starts flowing and notify you per the changelog policy.

We do not use Google Analytics, Facebook Pixel, Mixpanel, Segment, Hotjar, or any other third-party analytics or advertising tracker.

Sharing and disclosure

We do not sell your data. We do not share your data with advertisers. The only circumstances in which we disclose your data to anyone outside the third-party processors above:

  • With your explicit consent: e.g. if you choose in a future feature to share a protocol with a practitioner or clinician, that recipient sees what you choose to share.
  • Legal compulsion: if served a valid subpoena, court order, or government request that we're legally required to honour. We will push back on overbroad or vague requests where lawful to do so, and (where the request permits) notify you before disclosure.
  • Safety: if we have a good-faith belief that disclosure is necessary to prevent imminent harm or fraud.
  • Business transfer: if PeptideAIx is acquired or merged with another entity, your data may transfer as part of that transaction. We'll notify you in advance, and the acquiring entity will be bound by this Privacy Policy (or a stricter successor).

Your rights

Depending on where you live, you have some or all of these rights over your data. Even where laws don't mandate them, we honour them globally as a matter of policy.

  • Access: ask for a copy of what we have about you.
  • Correction: update inaccurate information (e.g. your display name, email).
  • Deletion: delete your account and have us wipe your protocols, compounds, dose logs, activity events, and user record. (Use /profile → Danger zone → Delete my account once that flow ships, or email us in the meantime.)
  • Portability: request your data in a structured format. CSV export is on the roadmap; in the interim email support@peptideaix.com and we'll generate one for you.
  • Objection / restriction: object to a specific processing activity. Note: there are processing activities (authentication, email verification) without which the service can't function — opting out means your account stops working.

To exercise any of these rights, email support@peptideaix.com from the email address associated with your account. We'll respond within 30 days, usually within a few business days.

If you're in the European Union or UK

You have rights under the General Data Protection Regulation (GDPR) and the UK GDPR. The lawful basis for our processing is performance of a contract (account features) and legitimate interests (security, fraud prevention). You can lodge a complaint with your local data protection authority if you believe we're mishandling your data.

If you're in Australia

Your data is handled in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988. You may complain to the Office of the Australian Information Commissioner (OAIC) if you believe we've breached the APPs.

If you're in California (or another US state with privacy laws)

You have the right to know what personal information we collect about you, to delete it, and to opt out of any "sale" of personal information. We do not sell personal information, so there's nothing to opt out of — but the right exists if our practices ever change.

Cookies and local storage

PeptideAIx uses cookies and similar browser storage in four categories. The first is required for the service to work; the other three are optional and entirely under your control via the in-app preference chooser. You can open the chooser any time from the footer ("Cookie preferences") or from your profile page.

The categories

  • Essential (always on, cannot be disabled). Keeps you signed in, secures your session, caches your data on your device for instant loads and offline use, and remembers your idle-timeout preference. Without these the service literally cannot function.
  • Preferences (opt-out — defaulted ON). Remembers your timezone, week-start day, units, and other locale settings across devices. Off means every session resets to system defaults.
  • Analytics (opt-in — defaulted OFF). Reserved for anonymous usage statistics so we can see which features actually get used. We currently don't run any analytics here, so opting out today is a no-op — but the consent record is there before we ever wire something up.
  • Marketing (opt-in — defaulted OFF). Reserved for measuring how people discover PeptideAIx (e.g. Reddit-campaign effectiveness). Same as analytics: nothing is wired today, the consent record is what it'll authorise if we wire something tomorrow.

What we keep about your choices

Every time you set or change your cookie preferences, we record:

  • The exact category selections you made.
  • The timestamp of the change.
  • Where the change came from (banner / customise / profile).
  • A short device descriptor (browser + operating system family) so we can demonstrate which device authorised what.

These records are append-only — we never edit or delete past entries. The audit value of consent history comes from its immutability. If you delete your account, the entire history is deleted with your other data.

What we don't do

We do not use cookies for cross-site advertising, behavioural targeting, or third-party analytics. We do not load fingerprinting scripts. The service runs without any third-party tracker; the consent chooser exists to keep that true as we grow, not because we're using these categories today.

Data retention

We keep your data as long as your account is active. If you delete your account, we wipe your protocol, compound, dose-log, activity, and cookie-history records within 30 days. Account authentication records (email + sign-in timestamps) are kept for an additional 90 days to handle any disputed deletion requests, then fully purged.

Backup snapshots may retain deleted data for up to 90 additional days before being overwritten by the rolling backup window.

Support emails sent to support@peptideaix.com are kept in our support inbox for 2 years for reference, then deleted.

Security

We use industry-standard practices to protect your data:

  • TLS 1.2+ encryption in transit; AES-256 encryption at rest.
  • Passwords are stored only as one-way salted hashes — we never see plaintext, and a database leak does not expose passwords in usable form.
  • Server-side authorisation rules enforce that you can only read and write your own data — no client can access another user's records, even with a forged request.
  • Privileged actions (changing roles, granting admin) are server-side only; no client can elevate its own privileges.
  • Account access is gated by our authentication provider; we don't maintain our own password store.

No system is perfectly secure. If we ever detect a breach affecting your data, we'll notify you within 72 hours of becoming aware (consistent with GDPR Article 33 timing) with what happened, what data was affected, and what steps we're taking.

Children's privacy

PeptideAIx is intended for users 18 years of age and older. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, email support@peptideaix.com and we'll delete the account and associated data.

International data transfers

PeptideAIx data is stored in the United States. If you're accessing the service from outside the US (the European Union, the UK, Australia, etc.), your data is transferred to and processed in the US.

For EU/UK users, this transfer is covered by Standard Contractual Clauses (SCCs) included in our hosting provider's data-processing terms — the same legal framework used by most US-hosted SaaS products.

For Australian users, our handling complies with APP 8 (cross-border disclosure) — our processors are contractually bound to security standards equivalent to or exceeding Australian requirements.

Changes to this policy

We may update this Privacy Policy from time to time as the service evolves. Every change is logged in the Version history at the bottom of this page with the date, version, and a summary of what changed.

Material changes (new data uses, new third-party processors, jurisdiction shifts, retention changes) trigger an email notification to your registered address. Cosmetic updates (typo fixes, broken-link repairs, clarifying wording) are not versioned and do not trigger notification.

During the public-beta period we may ship material updates with shorter notice than the post-launch standard, including individual outreach (Discord DM, in-app message) instead of a bulk email to small early-cohort groups. This applies only while the service is in beta (currently v0.x); once v1.0 ships, the standard 14-day pre-effect email notice kicks in for every material change going forward.

Contact us

Questions about this policy, or want to exercise a right above? Email support@peptideaix.com and a real person will reply, usually within one business day.

For data-protection-specific requests (GDPR, APP, CCPA), put "Privacy request" in the subject line so we can route it correctly. Include the email address associated with your account so we can verify the request.

Version history

We'll log substantive changes here so you can see what changed and when. Minor wording fixes (typos, link updates) are not versioned. Material changes (new data uses, new third parties, jurisdiction shifts) bump the version and we'll email you if you have an account.

  1. v1.5 · May 29, 2026
    Analytics + Third-party processors: we now show approximate visitor country in our internal analytics dashboard. Country is resolved server-side from your IP address via GeoJS (a free IP-geolocation service), with your browser timezone as a fallback. We send only your IP for the lookup and store ONLY the resulting 2-letter country code — never your IP address, and never city or precise location. This runs only if you have accepted the 'Analytics' cookie category; visitors who decline never have their IP looked up. No change to what else we collect, how long we keep it, or who we share it with.
  2. v1.4 · May 25, 2026
    Changes section: clarified that the 14-day pre-effect email notice for material updates applies POST-LAUNCH (v1.0+). During the public-beta period we may ship material updates with shorter notice and individual outreach (Discord DM, in-app message) instead of a bulk email, given the small early-cohort size. No change to what counts as a material update or your right to opt out — once v1.0 ships, the standard 14-day notice kicks in for every material change.
  3. v1.3 · May 25, 2026
    Third-party processors: added Sentry (Functional Software, Inc.) for error tracking. When the app crashes or throws an unhandled error, a redacted stack trace + browser/OS metadata is sent so we can investigate. We strip email addresses, cookies, request bodies, and URL query strings from every event before transmission. Error tracking only runs if you have accepted the 'Analytics' cookie category — visitors who decline (or haven't decided) never have errors sent. Links to Sentry's privacy policy + DPA are in the third-party section.
  4. v1.2 · May 24, 2026
    Email preferences: documented the new marketing-email opt-out flow. We now use 'service nudge' emails (e.g. an onboarding reminder if you don't create a protocol within an hour of signing up) under the 'legitimate interest' lawful basis. Every such email includes a one-click unsubscribe link; you can also opt out at any time from your profile's Email preferences. Added new data fields to 'What we collect' (your opt-out flag + the timestamp of when it was last changed). No change to how we share information, who we share with, or what we retain — opt-out state is treated like any other profile setting.
  5. v1.1 · May 24, 2026
    Cookies: rewrote the 'Cookies and local storage' section to describe the new in-app preference chooser (essential / preferences / analytics / marketing) and the append-only history we keep of your choices. Plain-English pass throughout: replaced specific vendor and infrastructure names with role-based descriptions wherever disclosure was not legally required (the 'Third-party processors' section retains specific vendor identification, which is required under GDPR and APP). No change to what data we collect, how we use it, or who we share it with.
  6. v1.0 · May 24, 2026
    Initial publication. Establishes data-collection scope, third-party processors, storage location (United States, multi-region), and user rights under GDPR + APP frameworks.
© 2026 PeptideAIx · v0.1 beta · Not a medical device · educational use only · always involve your clinician