Privacy Policy

Effective date: April 2026 — Version 1.0

1. Who We Are

PeptideWise (this website, at getpeptidewise.com) and PeptideTracker (our mobile app, on iOS and Android) are operated by Jonathan Amparo ("we," "us," "our"). This Privacy Policy explains how we collect, use, and protect your information across both products.

Contact: contact@getpeptidewise.com

2. Information We Collect

PeptideWise (This Website)

PeptideWise is a static informational website. We do not require user accounts, logins, or any form of registration. We do not collect personal information such as names, addresses, or payment details. If you subscribe to our newsletter, we collect only your email address. All calculator inputs are processed in your browser and are never transmitted to our servers.

PeptideTracker (App)

All health data you enter into PeptideTracker — including injection logs, protocols, vial inventory, bloodwork results, progress photos, side effects, and body measurements — is stored exclusively on your device, encrypted with SQLCipher (AES-256). We have no servers that receive, store, or process your health information. We cannot access your data.

The only data that leaves your device is subscription information (processed by RevenueCat) and authentication (via Sign in with Apple).

3. How We Use Information

Website: To deliver educational content, send newsletters (if you subscribe), and understand aggregate traffic patterns via anonymous analytics.

App: To provide the tracking features you use and to manage your subscription. We do not use your data for advertising, profiling, or data mining.

4. Analytics

We use Plausible Analytics on PeptideWise. Plausible is a privacy-first analytics service that sets no cookies, collects no personal data, does not track individual users, and is fully GDPR, CCPA, and PECR compliant without requiring cookie consent. No analytics SDK is used within PeptideTracker.

5. Third-Party Services

We use a limited number of third-party services:

• Plausible Analytics — anonymous website traffic (no personal data)
• RevenueCat — app subscription management (anonymous user ID, purchase history)
• Sign in with Apple — app authentication (relay email, not your real email)
• Microsoft Azure — website hosting (standard server logs)
• Apple App Store / Google Play — app distribution and billing

We do not use Google Analytics, Facebook Pixel, or any advertising SDK. We do not participate in ad networks or share data with data brokers.

6. Data Sharing

We do not sell your personal information. We do not sell, rent, trade, or otherwise share your personal data or health data with any third party for their own purposes. The only data sharing occurs with the service providers listed above, solely to operate the website and app.

7. Cookies

PeptideWise does not set first-party tracking cookies. Plausible Analytics does not use cookies. The hosting platform (Azure) may set essential cookies for security and performance. No advertising or third-party tracking cookies are used.

8. Data Security

App:All health data is encrypted at rest using SQLCipher (AES-256). The encryption key is stored in your device's secure enclave (iOS Keychain / Android Keystore).

Website: Served over HTTPS (TLS 1.2+). No user health data is collected or stored on our servers.

9. Data Retention and Deletion

Concrete retention windows for each category of data we handle:

• On-device health data (app): Until you delete it or uninstall the app. We do not have a copy.
• RevenueCat purchase records: Retained per the RevenueCat Data Processing Agreement, typically up to 7 years for tax and financial-compliance purposes.
• Plausible analytics (aggregate only): 12 months. No individual-user records are generated or retained.
• Newsletter emails: Until you unsubscribe.
• Support email correspondence: 24 months from the last message in the thread, after which messages are deleted.
• Hosting server logs (Azure): 90 days, used for abuse and performance diagnostics only.

If your subscription expires, you retain full read access and export capability for all your on-device data. We never lock you out of your own health data.

10. Your Rights

Washington Residents — My Health My Data Act (MHMDA)

Washington residents have additional rights regarding consumer health data under RCW 19.373, including the right to confirm, access, delete, withdraw consent, and appeal. Because MHMDA requires a separate, distinct consumer health data privacy policy, we publish one at /consumer-health-data-privacy/. See that page for the full disclosure and request process.

California Residents — CCPA/CPRA

You have the right to know what personal information we collect, the right to delete your personal information, and the right to opt out of the sale of personal information. We do not sell or share your personal information as defined by the CCPA/CPRA. Health data logged in PeptideTracker is classified as sensitive personal information under CPRA and is stored on your device only.

Connecticut Residents — CTDPA

Under the Connecticut Data Privacy Act, Connecticut residents have the right to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of targeted advertising, sale, and profiling. We do not engage in targeted advertising, sale of personal data, or profiling that produces legal or similarly significant effects. To exercise these rights, email contact@getpeptidewise.com. We will respond within 45 days.

Nevada Residents — SB 220

Nevada residents have the right to submit a verified request directing us not to sell their covered personal information. We do not sell personal information, so no such sale is occurring. To submit a verified request regardless, email contact@getpeptidewise.com with the subject line [NV SB 220 Request].

European Economic Area / United Kingdom — GDPR

Our lawful basis for processing is: consent (newsletter), legitimate interest (anonymous analytics), and contract performance (subscriptions). You have the right to access, rectify, erase, and port your data, to withdraw consent at any time, and to lodge a complaint with your local supervisory authority. RevenueCat processes subscription data on AWS servers in the United States under Standard Contractual Clauses.

All Users

You can request access to, correction of, or deletion of your personal data by emailing contact@getpeptidewise.com. We will respond within 45 days.

11. Breach Notification

Because consumer health data never leaves your device, a breach of our servers cannot expose your health records. If we nonetheless become aware of an incident affecting any personal information we do handle (e.g., newsletter email addresses, support correspondence, subscription records at our processors), we will:

• Notify affected individuals by email within 60 days of discovery, per the FTC Health Breach Notification Rule (16 CFR Part 318).
• Notify the Federal Trade Commission within 10 business days if the breach affects 500 or more individuals, or with the annual filing otherwise, at HBNRnotice@ftc.gov.
• Notify any applicable state attorneys general as required by state breach-notification laws.
• Publish a post-incident summary on this page describing what happened, what information was affected, and the remediation steps taken.

Report a suspected security issue to contact@getpeptidewise.com or via our security.txt.

12. Children's Privacy

PeptideWise and PeptideTracker are not directed at children. The app requires users to be at least 18 years old. We do not knowingly collect personal information from anyone under 18.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through an updated effective date on this page and, where feasible, a notice within the app. Your continued use of the website or app after changes constitutes acceptance of the revised policy.

13. Contact

For privacy-related questions or data requests: contact@getpeptidewise.com