Summary
We collect the minimum data needed to run Pepdex: your email + password hash, your stack entries, your AI Coach conversations, and your billing history. We do not sell your data. We do not run third-party ad tracking on logged-in member pages.
1. Data we collect
- Account: email address and a salted password hash (managed by Supabase Auth). We never see your plaintext password.
- Membership: plan tier, status, Stripe customer ID, current period end. Card details are stored by Stripe, never by us.
- Personal Stack: peptides, doses, frequency, start dates, vial sizes, and notes that you choose to log.
- AI Coach: the messages you send the Coach and the responses it generates, used to answer your questions and improve the service.
- Server logs: IP address, user agent, and request paths, retained for up to 30 days for abuse detection and debugging.
- Analytics (anonymized): aggregate page views and feature usage via PostHog, configured to mask sensitive form input. We do not share this with advertisers.
2. How we use data
- To deliver the service you signed up for.
- To process payments via Stripe and manage your subscription.
- To send transactional email (welcome, payment failure, cancellation, password reset).
- To improve product features and fix bugs.
- To prevent abuse and enforce our Terms of Service.
We do not use your data to train any third-party AI model. Your AI Coach conversations are sent to Anthropic for inference and are subject to Anthropic's zero-retention API policy.
3. Third-party processors
- Supabase — auth + database (US-region project).
- Stripe — payment processing.
- Anthropic — AI Coach inference (Claude).
- Resend — transactional email.
- Vercel — hosting.
- PostHog — anonymized product analytics.
Each processor has its own privacy policy and data-processing terms. We use them under their standard data processing agreements.
4. Cookies
We use first-party cookies for authentication (Supabase session) and for keeping you logged in. We do not run third-party advertising cookies. The PostHog cookie is anonymized and respects Do Not Track.
5. Email
We send transactional email related to your account (signup confirmation, payment failures, cancellations, password resets) and occasional product updates. You can unsubscribe from product updates at any time using the link in those emails. You cannot unsubscribe from transactional emails because they are part of the service you paid for.
6. Your rights
You can request the following at any time by emailing support@pepdex.co:
- A copy of all data associated with your account.
- Deletion of your account and all associated data (Supabase row + Stripe customer + email logs).
- Correction of any inaccurate data.
- Export of your Personal Stack as JSON or CSV.
We will respond to verified requests within 30 days. If you are in California, the EU, or the UK, you have additional rights under CCPA, GDPR, and UK-GDPR respectively, which we honor for all users by default.
7. Data retention
- Account data: retained while your account is active.
- Stack and Coach history: retained while your account is active or until you delete the entries.
- Server logs: 30 days.
- Billing records: retained for 7 years to comply with US tax law.
- After account deletion: all non-billing data is purged within 30 days.
8. Security
All connections are TLS-encrypted. Database access is restricted by Supabase Row-Level Security policies — your stack and conversations are accessible only to your own session. Passwords are hashed with bcrypt by Supabase Auth. Card data never touches our servers.
No system is perfectly secure. If we ever experience a breach affecting your data, we will notify you by email within 72 hours and report it to applicable authorities as required.
9. Children
Pepdex is not intended for users under 18. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, contact us and we will delete it.
10. Changes
We may update this policy from time to time. Material changes will be announced by email and posted here with a new “Last updated” date.
11. Contact
Questions or requests? support@pepdex.co.
See also our Terms of Service.