Summary
We collect the minimum data needed to run Pepdex: your email + password hash, your stack entries, your AI Coach conversations, and your billing history. We do not sell your data. We do not run third-party ad tracking on logged-in member pages.
1. Data we collect
- Account: email address and a salted password hash (managed by Supabase Auth). We never see your plaintext password.
- Membership: plan tier, status, Stripe customer ID, current period end. Card details are stored by Stripe, never by us.
- Personal Stack: peptides, doses, frequency, start dates, vial sizes, and notes that you choose to log.
- AI Coach: the messages you send the Coach and the responses it generates, used to answer your questions and improve the service.
- Server logs: IP address, user agent, and request paths, retained for up to 30 days for abuse detection and debugging.
- Analytics: we run no third-party analytics scripts and no behavioral tracking on the site. The only signals we look at are server logs (above) and Stripe's built-in dashboard for subscription health.
- Google Ads measurement: if you reach Pepdex from one of our Google ads and then sign up or subscribe, we send that ad click's ID, the time, and (for a paid subscription) the amount back to Google Ads so we can tell which ads work. We do this from our server, not with a tag in your browser, and we never send your email, name, or stack.
2. How we use data
- To deliver the service you signed up for.
- To process payments via Stripe and manage your subscription.
- To send transactional email (welcome, payment failure, cancellation, password reset).
- To improve product features and fix bugs.
- To prevent abuse and enforce our Terms of Service.
We do not use your data to train any third-party AI model. Your AI Coach conversations are sent to Google's Gemini API for inference and are subject to Google's API data-use terms.
3. Third-party processors
We rely on a small set of vetted vendors to run Pepdex. Each is listed below with what data they touch and the role they play. None of them sell your data.
- Supabase, authentication + Postgres database (US-region project). Stores your email, hashed password, stack entries, and Coach conversation log.
- Stripe, payment processing. Stores your card details on their PCI-compliant infrastructure. Pepdex never sees your card.
- Google (Gemini API), AI Coach inference. Receives your message + your stack as context for each turn. API content is not used to train Google models per the Gemini API terms.
- Resend, outbound transactional + digest email delivery (welcome, payment, cancel, weekly digest).
- ImprovMX, inbound mail forwarding for support@pepdex.co.
- Vercel, site hosting + edge runtime. Logs IP + request metadata for security and abuse prevention.
- Amazon Associates, when you click a product link on the Supplements or Supplies pages, your browser navigates to amazon.com with our affiliate tag. Amazon, not Pepdex, sees your purchase. Pepdex is paid a small commission only if you buy.
- Google Search Console + sitemap, for SEO indexing. Public site only.
- Google Ads, ad-performance measurement. If you arrive from one of our ads and convert, we send Google that click's ID, the time, and (for a paid plan) the amount, so Google can attribute the conversion. No email, name, or stack is shared.
Each processor has its own privacy policy and data-processing terms. We use them under their standard data processing agreements. If you want this list updated for any reason, email support@pepdex.co.
4. Cookies
We use first-party cookies for authentication (Supabase session) and for keeping you logged in. We do not run third-party advertising cookies or behavioral-analytics cookies. If you arrive from a Google ad, we store the click ID Google adds to the link in a first-party cookie, so we can later measure whether the ad led to a signup. It is our own cookie, not Google's, and it holds no personal information.
5. Email
We send transactional email related to your account (signup confirmation, payment failures, cancellations, password resets) and occasional product updates. You can unsubscribe from product updates at any time using the link in those emails. You cannot unsubscribe from transactional emails because they are part of the service you paid for.
6. Your rights
You can request the following at any time by emailing support@pepdex.co:
- A copy of all data associated with your account.
- Deletion of your account and all associated data (Supabase row + Stripe customer + email logs).
- Correction of any inaccurate data.
- Export of your Personal Stack as JSON or CSV.
We will respond to verified requests within 30 days. If you are in California, the EU, or the UK, you have additional rights under the CCPA, GDPR, and UK GDPR respectively, which we honor for all users by default.
7. Data retention
- Account data: retained while your account is active.
- Stack and Coach history: retained while your account is active or until you delete the entries.
- Server logs: 30 days.
- Billing records: retained for 7 years to comply with US tax law.
- After account deletion: all non-billing data is purged within 30 days.
8. Security
All connections are TLS-encrypted. Database access is restricted by Supabase Row-Level Security policies: your stack and conversations are accessible only to your own session. Passwords are hashed with bcrypt by Supabase Auth. Card data never touches our servers.
No system is perfectly secure. If we ever experience a breach affecting your data, we will notify you by email within 72 hours and report to applicable authorities as required.
9. Children
Pepdex is not intended for users under 18. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, contact us and we will delete it.
10. Changes
We may update this policy from time to time. Material changes will be announced by email and posted here with a new “Last updated” date.
11. Contact
Questions or requests? support@pepdex.co.
See also our Terms of Service.