Privacy Policy

Effective Date: April 16, 2026 (v2)

PeptideOS+ ("the App," "we," "us") is built with privacy as a core principle. We do not collect, store, or process personally identifiable information (PII). This policy explains what data we handle, where it is stored, and how you consent to that handling.

1. Your Consent

You may withdraw your consent at any time by using Settings > Data > Delete All Data or by uninstalling the App.

2. No Personal Information Collected

PeptideOS+ does not collect your name, email address, phone number, physical address, date of birth, or any other personally identifiable information. Your identity within the App is represented solely by a pseudonymous UUID and a randomly generated anonymous handle (e.g., Swift-Falcon-2847).

3. Sign in with Apple (Optional)

If you choose to sign in with Apple, authentication is handled exclusively through Apple's Sign in with Apple service. We encourage the use of Apple's "Hide My Email" feature. We receive only the opaque user identifier provided by Apple and do not request name or email scopes. Sign in with Apple is optional — the App is fully functional without it, using anonymous authentication.

4. What We Store on Our Servers

After you consent, the following is stored on our servers (hosted by Supabase) under your pseudonymous UUID:

• Your anonymous authentication session — a UUID and refresh token. No email, name, or identifier that could be traced back to you.
• Community posts, comments, and upvotes you publish — published under your anonymous handle with no link to your real identity.

That is the full list. We do not upload or store your protocols, dose logs, compliance data, daily check-in entries, supply counts, or calculator history.

5. What Transits Our Server but Is Not Retained

Certain features require data to pass through our server in real time to reach a third party. This data is not stored by us after the request completes:

• AI assistant messages. When you use the AI chat feature, your message is POSTed to our Supabase Edge Function, which forwards it to Anthropic's Claude API and returns the reply. Requests are logged for rate-limiting and abuse-prevention purposes only (no request or response bodies are retained).
• AI context snapshot. To make the AI aware of your current protocol, we include in the forwarded payload the names, doses, and frequencies of peptides in your active protocol, plus your latest wellness check-in ratings, if any. This context is ephemeral and not persisted on our servers.

6. What Stays On Your Device

Everything below is stored locally using SwiftData and iOS FileManager. It is never transmitted to our servers:

• Your protocols, dose schedules, logged doses, compliance records, and supply counts.
• Daily check-in data (energy, sleep, mood, recovery ratings and free-text journal notes).
• Progress photos.
• Calculator history and saved reconstitution calculations.
• Lab-result entries, if you use that feature.
• Your AI chat history (the message text transits our server once during generation, but the persistent log lives only on your device).
• User preferences, theme, and default settings.

Progress photos are especially protected: they are stored exclusively in the App's local sandbox via iOS FileManager and are never uploaded to any service.

7. HealthKit Integration

If you grant permission, PeptideOS+ reads HealthKit data (sleep, heart rate, weight) to enhance wellness tracking. This data is read-only and processed on-device. We do not write to HealthKit and we do not upload HealthKit data to our servers.

8. Third-Party Services

• Supabase (supabase.com) hosts our backend database and authentication. Data is stored in PostgreSQL with row-level security. All data is associated with pseudonymous UUIDs, not personal identifiers.
• Anthropic (anthropic.com) powers the AI assistant feature. When you use AI chat, your message and active-protocol context are sent to Anthropic's Claude API for processing. Anthropic's data retention policies apply to those interactions.
• Apple handles subscription payments via the App Store. We do not process or store payment information.

9. Your Rights & Controls

• Export. Pro subscribers can export all on-device data (protocols, dose logs, check-ins, saved calculations) as JSON or CSV at any time from Settings.
• Delete. You can delete all data at any time from Settings > Data > Delete All Data. This wipes all local data, deletes your community posts, comments, and upvotes from our servers, and signs you out. The action is permanent and cannot be undone.
• Opt out of AI. The App is fully functional without using the AI chat. No AI requests are sent unless you initiate a chat.
• Opt out of Community. You can use the App without opening the Community tab. Community content is only fetched when you browse that tab, and you post only when you explicitly tap Publish.

10. Data Security

All network communication uses TLS encryption. Database access is protected by Supabase row-level security policies ensuring users can only access their own data. Authentication tokens are stored in the iOS Keychain with kSecAttrAccessibleWhenUnlockedThisDeviceOnly. Local data is protected by iOS device encryption.

11. Children's Privacy

PeptideOS+ is rated 13+ and is not intended for use by children under 13. We do not knowingly collect data from children under 13.

12. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be posted within the App and on our website, and you will be prompted to review and re-consent if the changes materially expand our data handling. Continued use of the App after non-material changes constitutes acceptance.

13. Contact

For privacy-related questions or data deletion requests, contact us at privacy@peptideos.app.