Who we are
PepStak is owned and operated by PepStak LLC, a Delaware limited liability company and a wholly owned subsidiary of Tempered Labs LLC. In this Privacy Policy, "PepStak," "we," "us," and "our" refer to PepStak LLC. "You" and "your" refer to any person who downloads, installs, or uses the PepStak application.
Contact: support@pepstak.io · PepStak LLC, 8 The Green, STE B, Dover, DE 19901
Information we collect & affirmative opt-in consent
2.0 Explicit and informed affirmative consent
Under the Delaware Personal Data Privacy Act (DPDPA) and the Texas Data Privacy and Security Act (TDPSA), the health-related data you enter into PepStak is classified as "Sensitive Data" requiring heightened protection. We are legally prohibited from processing this information without your Explicit and Informed Affirmative Consent.
This consent is obtained through a mandatory, dedicated "Privacy Opt-In" screen presented during onboarding, before any health data can be entered. This screen will clearly state: (a) the categories of sensitive data to be collected; (b) the specific purposes for which the data will be used; (c) your right to withdraw consent at any time; and (d) the consequences of withdrawal (account deletion and data removal).
This consent is freely given, specific, informed, and unambiguous. By proceeding past the Privacy Opt-In screen, you are providing your Explicit and Informed Affirmative Consent. You may withdraw this consent at any time by deleting your account via Settings → Account → Delete Account, which will result in the immediate and irreversible deletion of all sensitive records.
2.1 Information you provide directly
- Email address (used to create and authenticate your account)
- Display name (optional, captured only if you sign in with Apple and elect to share your name)
- Body weight entries (lbs or kg, as entered by you)
- Body fat percentage entries
- Peptide dose logs (peptide name, dose amount, injection site, date and time)
- Reconstitution records (peptide, BAC water volume, vial details)
- Daily check-in responses (nausea, appetite, energy, mood, sleep quality, and pain level — each rated 0–10)
- Protocol and schedule settings (goal type, titration schedule, dose frequency)
- Progress photos (stored locally on your device — not uploaded to our servers)
2.2 Information collected automatically
- Authentication session tokens (managed by Supabase; used to keep you logged in securely)
- Crash reports via Firebase Crashlytics. To help us reproduce and fix bugs, crash reports include your user ID, the screen you were on, your active protocol name, and your subscription tier. Crash reports do not include your dose logs, check-in responses, weight entries, or other health entries.
- Product analytics via PostHog. We capture which features you use and which screens you visit (for example: "dose logged," "check-in completed," "paywall viewed"). Events are tied to your account ID. We do not send the contents of your dose logs, check-ins, weight entries, or other personal health entries to PostHog.
2.3 Information we do not collect
We do not collect: your phone number, date of birth, physical address, payment card details, Social Security number, government-issued ID, or biometric data other than what you voluntarily enter as body weight and body fat percentage. We do not collect location data.
2.4 Apple HealthKit data
If you enable HealthKit integration, PepStak will request permission to:
- Write your body weight and body fat percentage entries to Apple Health
- Read your body fat percentage and sleep data from Apple Health for use in trend reports and daily check-ins
HealthKit data is never shared with third parties and is never uploaded to our servers. Data we read from HealthKit is used only on your device to display your trends and pre-fill your check-ins; it is not sent anywhere else.
How we use your information
We use the information you provide solely to operate and improve the app:
- To create and authenticate your account
- To sync your data securely across devices via Supabase cloud storage
- To power the app's core features: dose logging, protocol tracking, trend analysis, weight charting, and check-in analytics
- To send you push notifications you have explicitly enabled (such as dose reminders and check-in prompts)
- To generate your data export reports when you request them
- To identify and fix crashes via crash reports
- To understand which features are used and where users encounter friction, via PostHog product analytics
We do not use your data for advertising. We do not sell your data. We do not use your data to train machine learning models. We do not share the contents of your health entries (dose logs, check-ins, weight, body fat) with third-party analytics providers.
How we store your data
4.1 Local storage
Most of your data is stored locally on your device, protected by your device's built-in security (Face ID, Touch ID, or passcode). Progress photos are stored locally and are not uploaded to cloud storage.
4.2 Cloud storage (Supabase)
Your account data and health tracking records are synced to Supabase with the following security measures:
- AES-256 encryption for all data at rest
- TLS 1.2 or higher encryption for all data in transit
- Row-level security (RLS) ensuring your data is accessible only to your authenticated user account
- Infrastructure hosted on AWS with SOC 2 Type II compliance
For Supabase's data practices, see supabase.com/privacy.
4.3 Breach notification and the Health Breach Notification Rule
In the event of an "Unauthorized Disclosure" of your personal health records — defined as any unauthorized acquisition of unsecured individually identifiable health information — the Company shall comply with all applicable breach notification requirements, including: (a) the Federal Trade Commission's Health Breach Notification Rule (16 CFR Part 318); (b) the Delaware Personal Data Privacy Act (DPDPA) breach notification requirements; and (c) the Texas Data Privacy and Security Act (TDPSA) breach notification requirements, to the extent applicable.
Notification to affected users shall be provided without unreasonable delay and no later than sixty (60) calendar days following discovery of the breach. Notification shall be provided via the email address associated with your account and via an in-app notice. Where required by law, notification shall also be provided to the Federal Trade Commission, the Delaware Department of Justice (privacy@delaware.gov), and any other applicable regulatory authority within the timeframes mandated by law.
4.4 Data retention
We retain your data for as long as your account is active. If you delete your account, all associated data is permanently deleted from our servers immediately. This deletion is irreversible.
Subscriptions & payment processing
All payment processing is handled by RevenueCat, which interfaces with Apple's in-app purchase system. PepStak does not receive, store, or have access to your financial information. All billing is managed entirely by Apple. See revenuecat.com/privacy for RevenueCat's privacy policy.
Third-party services
We do not integrate with any advertising networks, data brokers, or social media tracking platforms. No third-party SDK in the application shares identifiable health information with advertisers.
Your rights & choices
7.1 Access and export
You can export a summary of your data at any time from within the app via Settings → Export Data.
7.2 Correction
You can edit or delete individual entries directly within the app at any time.
7.3 Deletion
You can permanently delete your account and all associated data at any time via Settings → Account → Delete Account. This action is irreversible and removes all your data from our servers immediately.
7.4 Portability
You have the right to receive a copy of your personal data in a portable, structured, and readily usable format suitable for transfer to another data controller. Request a portable export via Settings → Export Data or contact us at support@pepstak.io.
7.5 Right to appeal
If we deny your request to exercise any privacy right described in this section, you have the right to appeal our decision within forty-five (45) days of receiving our denial. To appeal, contact us at support@pepstak.io with the subject line "Privacy Right Appeal." We will respond within sixty (60) days. If your appeal is denied, you may contact the Delaware Department of Justice at privacy@delaware.gov to file a complaint.
7.6 Push notifications
You can enable or disable notification types in Settings → Notifications, or revoke all notification permissions in your device's iOS Settings.
7.7 HealthKit
You can disable HealthKit integration at any time in Settings → Health, or revoke specific HealthKit permissions in iOS Settings → Health → Data Access & Devices → PepStak. Disabling stops future reads and writes; it does not delete data already written to Apple Health.
7.8 Rights for California residents
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) give you specific rights regarding your personal information. These include the right to know what personal information we collect, the right to delete your personal information, the right to correct inaccurate personal information, the right to limit the use of sensitive personal information, and the right to non-discrimination for exercising any of these rights.
To exercise these rights, contact us at support@pepstak.io with the subject line "California Privacy Request." We will respond within forty-five (45) days as required by California law.
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. As a result, we do not provide a "Do Not Sell or Share My Personal Information" link, because there is nothing to opt out of.
Children's privacy
PepStak is rated 17+ on the App Store and is not directed at minors. We additionally require users to confirm their adult status during onboarding. We do not knowingly collect personal information from anyone under 18. Pursuant to 2026 state age-assurance laws in Texas, California, Utah, and other applicable jurisdictions, we rely on App Store age rating signals to restrict access to minor users. If we become aware that a user under 18 has created an account, we will delete the account and associated data promptly.
Not medical advice
PepStak is a personal tracking app only. It is not a medical device, clinical decision support system, or healthcare service. It does not provide medical advice, diagnoses, dosing schedules, or treatment recommendations. Always consult a licensed healthcare provider before starting, modifying, or stopping any protocol.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time. We will update the "Last Updated" date at the top of this document. For material changes, we will notify you via an in-app notice or email. Continued use of the app after changes take effect constitutes your acceptance of the revised policy.
Contact us
For privacy right appeals and DPDPA, TDPSA, or CCPA-related requests, include "Privacy Request" or "Privacy Right Appeal" in your subject line.