Privacy Policy
Last updated: Draft in progress
This Privacy Policy explains how the operator of PepTalk ("PepTalk," "we," "us") handles information in connection with the PepTalk website and web application (the "Service"). PepTalk is built to be privacy-first by architecture: we designed the system so that, for your personal data, there is very little we are even able to know. This policy describes that design honestly, including its limits.
Plain-language summary. No email, no real name, no IP logging, no device fingerprinting, no cookies, no tracking analytics. Your personal tracking data is encrypted on your device with a key derived from your password, so our servers store only data we cannot read. Contributing to the aggregate is optional. If you choose to contribute, an anonymous structured version of your entries joins a worldwide aggregate; those contributions are anonymous, permanent, and may be included in anonymised datasets licensed to third parties. Payments are handled by Lemon Squeezy, which holds your payment details, so we never see them. You can export or delete your data; deletion crypto-shreds your personal store and destroys the link to your contributions.
1. A note on HIPAA and "health data"
PepTalk is a consumer self-tracking tool. We are not a healthcare provider, health plan, or healthcare clearinghouse, and we do not provide services on behalf of one. PepTalk is therefore generally not a "covered entity" or "business associate" under HIPAA, and HIPAA generally does not apply to the data you enter. That does not mean your data is unprotected. It means the protection comes from our architecture and from general consumer-privacy laws (such as the GDPR and California's CCPA/CPRA where applicable), not from HIPAA. We treat the categories of data you enter as sensitive regardless.
2. Who we are / data controller
For the purposes of the GDPR and similar laws, the controller is the operator of PepTalk. The operator operates pseudonymously, publishes no operator name or address, and can be contacted through the in-app feedback form (we operate no support email). An EU/UK representative may need to be appointed if the Service targets those markets and meets the relevant threshold.
3. What we collect, and what we don't
What we deliberately do NOT collect:
- No email address. Accounts are pseudonymous (auto-generated username plus password). There is no email anywhere in the system, and therefore no password-reset email and no email-based recovery.
- No real name or real-world identity.
- No IP address logging. IP logging is disabled.
- No device fingerprinting.
- No cookies for tracking, advertising, or analytics.
- No third-party tracking analytics, advertising pixels, or data brokers.
- No free-text prose in the dataset. Your private notes and qualitative descriptions never leave your device.
What we do hold:
- An account record: auto-generated username, hashed password, a per-account secret, and entitlement state.
- An encrypted personal store: your logs, protocols, notes, and profile, encrypted on your device before upload; we store only ciphertext we cannot decrypt.
- Anonymous aggregate contributions: structured data points such as compound, dose, route, source category, outcomes, side effects with timing, weight, age range, sex, height, and country, keyed by a derived, severable identifier and carrying no username or real identity.
- Entitlements: access state and expiry, with no payment PII.
- Segregated side channels: catalog-gap label suggestions and feature-request submissions, never joined to your account or contributions.
Account-level attributes (age range, sex, height, country) live inside your encrypted personal store; a copy is included, in anonymous aggregate form, in your contributions only if you choose to contribute. We do not knowingly collect data from anyone under 18.
4. How encryption protects your personal data (server-blind)
The non-negotiable design rule is that your raw password never reaches our server in usable form. On your device, your password is run through a key-derivation function to produce (a) an authentication verifier, which we store only as a hash, and (b) an encryption key that never leaves your browser. That key wraps the data key that encrypts your personal store; a second wrapping of the same data key is derived from your one-time recovery kit.
The result: our servers, our backups, and anyone who breaches them hold only ciphertext we cannot read. This is also why aggregate contributions are derived on your device. We can't read the source data server-side, so the structured extraction happens client-side before anything is sent.
Trade-off you must understand: because there is no backdoor, if you lose both your password and your recovery kit, your personal data is permanently unrecoverable, even by us. (See the Terms of Use.)
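The key hierarchy described in this section, as an added illustration rather than PepTalk's own code: the password goes through a memory-hard KDF and is split into an auth key (the server keeps only its hash) and a wrap key that never leaves the client; the wrap key and a one-time recovery kit each wrap the data key that encrypts the store, and deletion drops both wrapped copies. The scrypt parameters and the HMAC-SHA256 encrypt-then-MAC used in place of a real AEAD are assumptions chosen so the example runs on the standard library alone.

```python
import hashlib, hmac, os

def _prf(key: bytes, label: bytes) -> bytes:
    """HKDF-Expand-style derivation of one 32-byte subkey with HMAC-SHA256."""
    return hmac.new(key, label + b"\x01", hashlib.sha256).digest()
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(_prf(key, b"enc" + nonce + i.to_bytes(4, "big")) for i in range(blocks))[:length]
def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for an AEAD (assumption: stdlib only; a real client would use AES-GCM)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(_prf(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_prf(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))
def derive_client_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Password -> memory-hard KDF -> (auth_key sent to the server, wrap_key that never leaves the client)."""
    master = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)  # params assumed
    return _prf(master, b"auth"), _prf(master, b"wrap")

def enroll(password: str, personal_store: bytes) -> tuple[dict, bytes]:
    """Client-side enrolment: returns (the record the server stores, the one-time recovery kit)."""
    salt, data_key, recovery_kit = os.urandom(16), os.urandom(32), os.urandom(32)
    auth_key, wrap_key = derive_client_keys(password, salt)
    record = {
        "salt": salt,
        "verifier": hashlib.sha256(auth_key).digest(),  # server keeps only a hash of auth_key
        "wrapped_by_password": wrap(wrap_key, data_key),
        "wrapped_by_recovery": wrap(_prf(recovery_kit, b"wrap"), data_key),
        "store": wrap(data_key, personal_store),        # ciphertext the server cannot read
    }
    return record, recovery_kit

def open_with_password(record: dict, password: str) -> bytes:
    auth_key, wrap_key = derive_client_keys(password, record["salt"])
    if not hmac.compare_digest(hashlib.sha256(auth_key).digest(), record["verifier"]):
        raise PermissionError("authentication failed")  # the server's check, shown inline
    return unwrap(unwrap(wrap_key, record["wrapped_by_password"]), record["store"])
def open_with_recovery_kit(record: dict, recovery_kit: bytes) -> bytes:
    return unwrap(unwrap(_prf(recovery_kit, b"wrap"), record["wrapped_by_recovery"]), record["store"])

def crypto_shred(record: dict) -> dict:
    """Account deletion: drop every wrapped copy of data_key; the remaining ciphertext is unrecoverable."""
    return {k: v for k, v in record.items() if not k.startswith("wrapped_by_")}
```

With both the password and the recovery kit lost, the record holds only `verifier`, the two wrapped keys and `store`, none of which yields the data key; that is the unrecoverable case the trade-off above describes.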
5. Why we process data (legal bases)
We process your account record and encrypted store to provide accounts and cross-device sync (performance of a contract). We process account and request signals for anti-abuse, integrity, and security (legitimate interests). We process aggregate contributions to power the dataset, dashboards, and licensing of anonymised data, and this rests on your consent, which is optional and given only if you opt in; once anonymised and unlinkable, that data falls outside the scope of personal-data law. Entitlement state is processed to provide paid access (performance of a contract), and side-channel submissions rest on legitimate interests and your voluntary submission.
You can withdraw consent to future contributions at any time by turning off contribution sharing in your account. Withdrawal does not affect contributions already made, which are anonymous, permanent, and irrevocable (see Sections 7 and 9).
6. Pseudonymous vs anonymous (an honest distinction)
While your account is live, your account record and the link to your contributions are best understood as pseudonymous: not directly identifying, but the operator could recompute the link. We treat this as personal data and protect it accordingly. After deletion, we destroy the per-account secret used to derive the contribution link, at which point the contributions become anonymous and unlinkable, with no remaining means, including for us or anyone with our backups, to tie them back to you.
We are transparent that contributions include a calendar date and some coarse demographics. Combined, these create a low but non-zero re-identification risk while an account is live. We mitigate it with per-query small-cohort suppression (statistics are withheld when the underlying cohort is below a minimum size), by never publishing or licensing row-level data tied to identity, and by destroying the link on deletion. We assess the residual risk as low; you should weigh it before deciding whether to contribute.
7. Aggregate contributions and data licensing
Contributing is optional: you can use the free dashboards and your personal tracking without contributing anything. If you do choose to contribute, structured, anonymous versions of your tracking events are added to the worldwide aggregate. Contributions carry no username and no real identity, and never include your free-text notes.
- We use the aggregate to power free top-line dashboards, paid multivariate insights, and anonymised datasets and statistical products licensed to researchers and companies for compensation.
- Contributions are permanent and irrevocable. Deleting your account severs the link to them but does not delete the contributions themselves; they remain as anonymous, unlinkable data points.
- We license and publish only aggregated, de-identified outputs, with enforced minimum cohort sizes. We do not sell or publish row-level data tied to an identity.
8. Cookies, local storage, and tracking
We do not use cookies for tracking, advertising, or analytics, and we do not use third-party trackers or fingerprinting. To keep you logged in for daily use we may store a device token in your browser's local storage; this is strictly necessary for the Service to function and is not used to track you across sites.
9. Your rights
Depending on where you live (for example GDPR for the EU/UK, CCPA/CPRA for California, and similar laws elsewhere), you may have the right to:
- access or know what we hold;
- export your personal data at any time from within the app;
- delete your account (we crypto-shred your personal store and destroy the contribution-linking secret);
- correct your own tracking data directly;
- object to or restrict processing;
- withdraw consent to future contributions;
- opt out of any "sale" or "sharing" of personal information, including via a Global Privacy Control signal.
We do not sell personal information; we license only anonymised aggregate data, which is not personal information once unlinkable.
Honest limits of these rights: because the personal store is encrypted under your password and we hold no email or identity, we often cannot identify or authenticate you outside the app, and we cannot read your personal data to fulfil an access request server-side. The practical way to exercise access, export, correction, and deletion is from within your logged-in session. Aggregate contributions already made are anonymous and permanent and cannot be individually retrieved or deleted; this is by design and disclosed when you opt in. To make a rights request you cannot complete in-app, contact us via the in-app feedback form (we operate no support email); we will respond within the period required by applicable law, generally 30 days under the GDPR or 45 days under the CCPA. We do not discriminate against you for exercising your rights.
10. Payments (Lemon Squeezy)
Paid access is sold through Lemon Squeezy acting as merchant of record. When you pay, Lemon Squeezy collects and holds your payment information (such as name, billing address, email, and card details) under its own privacy policy. PepTalk never receives or stores this payment PII. We receive only a license/entitlement signal that we attach to your pseudonymous account. Review Lemon Squeezy's privacy policy at https://www.lemonsqueezy.com/privacy.
11. Sharing and disclosure
We do not sell your personal data and do not share it with advertisers or data brokers. We may disclose information:
- to service providers and sub-processors strictly necessary to run the Service (see Section 12);
- as part of licensed anonymised aggregate datasets (no personal data, unlinkable aggregates only, per Section 7);
- if required by law, valid legal process, or to protect rights, safety, and the integrity of the Service (noting that for your personal store we can only ever produce ciphertext we cannot read, and we hold no email, IP, or identity to hand over);
- in a merger, acquisition, or asset sale, in which case anonymised datasets and account systems may transfer, subject to this policy and the Terms.
12. Sub-processors / infrastructure
We use the following providers to operate the Service:
- Railway (Railway Corp., United States) runs the application and stores the encrypted personal blobs, contribution records, entitlements, and dataset snapshots.
- Cloudflare (Cloudflare, Inc., United States) serves the static public dashboards and provides anti-abuse protection (Turnstile and bot protection) at signup and submission.
- Lemon Squeezy is the merchant of record for payments (it holds payment PII; we do not).
Data may be processed in the United States and other countries where these providers operate. Where transfers from the EU/UK occur, we rely on Standard Contractual Clauses or an equivalent transfer mechanism.
13. Data retention
- Encrypted personal store: retained while your account is live; crypto-shredded on deletion.
- Aggregate contributions: retained indefinitely as anonymous data (permanent and irrevocable; unlinkable after account deletion).
- Entitlements: retained as needed for access and basic financial record-keeping (no payment PII).
- Side-channel submissions: retained for up to 24 months for catalog and product purposes, segregated from identity.
- We do not retain IP logs; any transient request metadata is kept coarse and is not joined to your records.
14. Security
We use encryption at rest under a password-derived key (server-blind personal store), hashed passwords, rate-limited login, anti-abuse controls, and severable contribution linkage that is destroyed on deletion. No system is perfectly secure; the architecture is designed so that a breach exposes only ciphertext we cannot read and no email, IP, or identity. The client-side cryptography is custom and has not yet undergone independent external security review.
15. Children
The Service is for adults 18+. We do not knowingly collect data from anyone under 18. If you believe a minor has used the Service, contact us via the in-app feedback form (we operate no support email).
16. International users
The Service may be accessed worldwide and is operated from an undisclosed location. By using it, you understand your data is processed as described here. Some compounds discussed may be regulated differently where you live; complying with your local law is your responsibility (see Terms).
17. Changes to this policy
We may update this policy; the "Last updated" date will change and material changes will be surfaced in-product where practical. Because we hold no email, we cannot notify you individually, so please review periodically. Continued use after changes take effect constitutes acceptance where permitted by law.
18. Contact
Privacy questions or rights requests: the in-app feedback form (we operate no support email). EU/UK users may also lodge a complaint with their local supervisory authority.