PepCue · Pep Labs Inc.

Privacy Policy & Health Data Privacy Notice

Effective date: June 1, 2026
Last updated: June 16, 2026

Consumer Health Data note: Section 6 (Health Data Privacy Notice) is also our Consumer Health Data Privacy Policy for the purposes of Washington's My Health My Data Act and similar laws. Where required, link to it separately and prominently (for example, a homepage link titled "Consumer Health Data Privacy Policy" pointing to that section).

Plain-Language Summary

Pep Cue is an app for tracking, organizing, and learning about peptide and GLP-1–related information. It is not a medical device and does not provide medical advice, diagnosis, treatment recommendations, or dosing instructions.

We collect account details, the health-related information you choose to track, subscription details, and device/usage information. We use it to run the app, sync your data, provide tracking tools, personalize your experience, manage subscriptions, improve and secure the app, and answer support requests.

We do not sell your personal information or consumer health data. We do not share them for targeted advertising. We do not use your personal health data to train our own AI models. Any data read from a device health platform (such as Apple Health or Health Connect) is handled under that platform's rules and is not used for advertising.

You can access, correct, export, and delete your data — including deleting your account from inside the app — and you may have additional rights depending on where you live (including U.S. state rights described below). This summary is for convenience only; the full policy governs.


1. Overview

Pep Cue is owned and operated by Pep Labs Inc. ("Pep Cue," "Pep Labs," "we," "us," or "our"), based in Ontario, Canada. This Privacy Policy & Health Data Privacy Notice explains how we collect, use, store, disclose, transfer, and protect information when you use Pep Cue, our website, and related services. By creating an account or using the app, you agree to this Policy, which is incorporated into our Terms of Service.

Accountability / controller. Pep Labs Inc. is the organization accountable for the personal information processed under this Policy (the "controller," "business," or "data controller" as those terms apply). Contact our Privacy Officer at support@pepcue.app.

2. Medical Disclaimer

Pep Cue provides tracking, organization, educational, and informational features only. It is not a healthcare provider, medical device, pharmacy, telehealth service, emergency service, or substitute for professional medical advice. Nothing in the app — including any AI-generated text, summaries, scan results, calculations, estimates, reminders, or insights — is medical advice, diagnosis, treatment recommendation, prescription guidance, or dosing instruction. Always consult a qualified healthcare professional before making any health-related decision.

3. Key Terms

4. Where This Policy Applies

| Service | How it works |
| --- | --- |
| iOS app | Create an account, track information, manage subscriptions, use available features, and optionally connect Apple Health. |
| Android app | Create an account, track information, manage subscriptions, and use supported features (including Health Connect, if offered). |
| Website | Marketing information, links, legal pages, and support contact. |
| Support communications | If you contact us, we process the information you choose to send. |

5. Information We Collect

Account information — name (if provided), email, phone number (if provided), authentication provider (such as Apple or Google), account ID, profile photo (if provided), and basic settings. Source: you, and your sign-in provider.

Onboarding information — goals, starting weight, experience level, products used (if provided), and preferences. Source: you.

Tracking data you enter — peptide or GLP-1 names, inventory and vial details, dose logs and history, injection sites, side effects, hydration, nutrition, weight, sleep, bloodwork, progress photos, daily check-ins, notes, reminders, and custom entries. Source: you.

Photos and uploaded images — progress, vial, or other images you save, stored with your account and treated as sensitive where required. Please don't include unnecessary personal, medical, or identifying details.

AI feature data — when you use PepCue AI, your message text and a limited summary of your tracking (your active peptides and their dose/schedule, adherence, recent side-effect summaries, daily check-in ratings, saved calculations, and inventory alerts) are sent to our AI provider to generate a relevant response. We do not send your progress photos, free-text notes, bloodwork, or Apple Health / Health Connect data to the AI. A safety filter blocks medical-advice, dosing, sourcing, and diagnosis prompts before any AI call. AI features are educational only and are not medical advice. We do not use these messages or your personal health data to train our own AI models.

Device health-platform data (Apple Health / Health Connect) (if applicable) — with your permission we may read metrics such as steps, workouts, or active energy. Read locally; not stored on our servers; never used for advertising or marketing; handled under the platform's rules (Section 11).

Subscription information — subscription/entitlement status, product identifiers, renewal status, and purchase metadata, via Apple, Google, and our subscription provider. We do not receive full payment-card details. Source: the app stores and subscription provider.

Analytics and attribution data — feature usage, onboarding, performance, crash data, and (if used) install attribution. We do not intentionally send health entries, dose logs, side effects, bloodwork, notes, injection sites, or peptide/GLP-1 details to analytics or attribution providers. Source: automatic.

Device and technical information — device type, OS, app version, crash reports, performance logs, diagnostics, and network metadata such as IP address (used for routing, security, fraud, and abuse prevention). Source: automatic.

Support communications — anything you include when you contact us; treated as sensitive where it contains health information.

6. Health Data Privacy Notice (Consumer Health Data Privacy Policy)

This section explains how we handle health data and consumer health data and serves as our Consumer Health Data Privacy Policy under applicable U.S. state laws.

Categories of consumer health data we may collect: the tracking data, photos, and AI-feature inputs listed in Section 5 that relate to your health, body, or use of peptides, GLP-1s, medications, or supplements.

Sources: you (entries, uploads, scans, imports) and, with your permission, device health platforms.

Purposes: to provide core tracking, organization, history, inventory, and reminder features; sync your data across devices; provide AI features you request; personalize your experience; improve reliability; maintain security and prevent misuse; respond to support; and comply with law.

Who we share consumer health data with: only the service providers/processors needed to deliver these features (Section 9), each bound to use it only for us; and as required for legal, safety, consent-based, or business-transfer reasons described below. We do not share a list of specific employees, contractors, or affiliates here, but will identify categories of recipients on request where required by law.

We do not sell consumer health data, do not share it for targeted advertising, and do not use geofencing around healthcare facilities. Where a sale of consumer health data would require valid authorization (for example, under Washington's My Health My Data Act), we will obtain and retain that authorization as required (Washington requires the seller and purchaser to retain the authorization for six years). If we ever materially change how we use, disclose, license, or sell consumer health data, we will update this Policy and provide any notices, consents, written authorizations, or opt-outs required by law.

Your consumer-health-data rights: confirm whether we collect, share, or sell it; access it; delete it; and withdraw consent. To exercise these, email support@pepcue.app (Section 16).

7. How We Use Information

To operate and maintain Pep Cue; create and authenticate accounts; sync data across devices; provide tracking, logging, reminder, and history features; provide AI features you request; process uploaded photos where applicable; personalize your experience; manage subscriptions and entitlements; send notifications you enable; respond to support; improve reliability and fix crashes; understand general usage; prevent fraud, abuse, and unauthorized access; enforce our Terms; comply with legal obligations; and protect the rights, safety, and security of users, Pep Labs, and others.

We also use information for these business and commercial purposes under U.S. state law: providing the service, security and fraud prevention, debugging, internal research and analytics, quality and safety, and legal compliance.

8. Future Uses We May Consider

We may consider research partnerships; de-identified or aggregated trend analysis; product or AI improvement using de-identified, aggregated, or consented data; data licensing involving de-identified or aggregated information; and business-transfer-related uses. We do not currently sell personal information or consumer health data. Before starting any future practice requiring notice, consent, authorization, or opt-out, we will update this Policy and implement the required mechanisms. Device health-platform commitments (Section 11) always override broader future-use language.

9. How We Share Information

We do not sell your personal information, and we never share your health data for advertising. We use a limited set of advertising and measurement partners to run and understand our own marketing campaigns; in the app these run in a privacy-preserving mode (Apple SKAdNetwork / aggregated events, no IDFA and no tracking prompt), and on our website they may set cookies subject to your choices (Section 24). We disclose information as follows.

Service providers / processors — vendors that help us run PepCue, permitted to use information only to provide services to us, under contract and applicable law. These are the providers we currently use:

| Provider | Purpose | Data involved |
| --- | --- | --- |
| Supabase (Supabase, Inc.) | Account authentication, cloud database and storage, and hosting of the function that routes PepCue AI requests | Account data (email/identifier when you sign in), any data you choose to sync to your account, and AI message text in transit. Your day-to-day tracking data (protocols, doses, inventory, weights, check-ins, calculations) is stored locally on your device, not on our servers. |
| Google (Google LLC — Gemini API) | Powers PepCue AI chat responses | The text of the messages you send to PepCue AI, plus a limited summary of your tracking so answers are relevant to you: your active peptides and their dose and schedule, adherence, recent side-effect summaries, daily check-in ratings (such as energy, sleep, and mood), saved calculations, and inventory alerts. A safety filter blocks medical-advice, dosing, sourcing, and diagnosis prompts before they reach the model. We do not send your progress photos, free-text notes, bloodwork, or any Apple Health / Health Connect data to the AI model, and your inputs are not used to train Google's models. |
| Anthropic (Anthropic, PBC) | Optional vision analysis for progress-photo features, if and when you use them | A progress photo you choose to have analyzed, plus the measurement request. We do not send your peptide details, notes, or identity with it, and your inputs are not used to train Anthropic's models. (Inactive unless a photo-analysis feature is enabled in your version of the app.) |
| Sentry (Functional Software, Inc. dba Sentry) | Crash and error diagnostics so we can fix bugs | Crash/error reports, device and app context (OS version, app version, technical state). We do not intentionally send health entries, dose logs, side effects, notes, photos, or peptide details to Sentry. |
| PostHog (PostHog, Inc.) | Product analytics — screen views, feature usage, retention, performance, and crash diagnostics | Non-health usage data, device/app context, and a privacy-preserving anonymous device ID. We do not send peptide names, dose amounts, side-effect details, weights, photos, notes, or other health entries to PostHog. |
| RevenueCat (RevenueCat, Inc.) | Subscription and entitlement management | Subscription status, purchase metadata, and an anonymized subscriber ID. No full payment-card data. |
| AppsFlyer (AppsFlyer Ltd.) | Install attribution and measuring ad campaigns (privacy-preserving; uses Apple's SKAdNetwork, no IDFA/ATT tracking prompt) | Install source and aggregated, non-health device/app context. No health entries. |
| Apple App Store | iOS billing and subscriptions | Subscription and purchase data |
| Google Play | Android billing and subscriptions | Subscription and purchase data |
| FormSubmit / email (support@pepcue.app) | Customer support | Information you choose to send |

Advertising and measurement partners — we use the following to run, attribute, and measure our own marketing. In the app they operate in privacy-preserving mode (Apple SKAdNetwork / aggregated event measurement) with no IDFA-based tracking and no ATT prompt; on our website they may operate as cookies/pixels subject to your consent (Section 24). We do not send your health entries (peptide names, doses, side effects, bloodwork, photos, notes, injection sites) to any of them, and we do not use them to target ads based on your health.

Categories of third parties to whom we may disclose personal information: service providers/processors; app stores and payment/subscription processors; analytics and (if used) attribution providers; AI providers (for features you use); legal, regulatory, and law-enforcement bodies where required; and a successor entity in a business transfer.

Legal and safety — to comply with law, subpoena, court order, legal process, or a government/regulator request, or to protect the rights, safety, property, or security of Pep Labs, our users, or others.

With your consent — when you direct us to share or give explicit consent.

Business transfers — in a merger, acquisition, financing, reorganization, bankruptcy, sale of assets, or change of control, your information may transfer to the successor, subject to applicable law, this Policy, required notices, and your rights. If the successor intends to materially change how personal, sensitive, or consumer health data is used, sold, licensed, or shared, it will provide notice and obtain any consent, authorization, or opt-out required by law first. Device health-platform data is excluded from any business-transfer use that would violate the platform's rules or applicable law.

10. What We Do Not Currently Do

Pep Cue does not currently: sell personal information or consumer health data; share or use your health data for advertising or marketing of any kind; show third-party ads inside the app; use your personal health data to train our own AI models; provide medical advice, diagnosis, treatment recommendations, or dosing instructions; use geofencing to identify or track users near health-service locations; or store device health-platform data on our servers. If any of these change, we will update this Policy and provide notice, consent, written authorization, or opt-out rights where required by law.

11. Device Health-Platform Commitments (Apple HealthKit / Google Health Connect)

If you connect Apple Health (HealthKit), PepCue reads weight and body-composition data (body fat percentage and lean body mass) to keep your Progress charts and stats up to date, and can optionally write your weight and logged doses back to Apple Health. We comply with Apple's HealthKit rules. HealthKit data: will not be sold; will not be used for advertising, marketing, or use-based data mining; will not be disclosed to third parties except as permitted by Apple and applicable law; will only be accessed with your permission and only for data types relevant to app functionality; and is processed on your device — it is not sent to our analytics, attribution, or AI providers, and is not stored on our servers unless a future feature clearly states otherwise and obtains the required permissions.

If you connect Google Health Connect, we comply with Google's Health Connect permissions and data-use requirements, request access only to data types relevant to functionality, use it only to provide the features you enable, and do not use it for advertising. You can revoke access at any time in your device settings.

These commitments override any broader future-use or business-transfer language in this Policy.

12. Where and How We Store Data

| Data type | Storage | Notes |
| --- | --- | --- |
| Tracking data (protocols, doses, inventory, weights, check-ins, calculations) | Local device only (on-device database) | Stored on your device; not uploaded to our servers |
| Account data | Supabase | Login and account management when you sign in |
| Uploaded photos | Supabase Storage (private, per-user) | Stored only if you use a feature that saves them |
| AI message text | Supabase (in transit) and Google Gemini (for processing) | Used only to generate your AI response |
| Device health-platform data (Apple Health) | Local device only | Read with your permission; not stored on our servers |
| Subscription status | RevenueCat, Apple, Google | No full payment-card data |
| Analytics and diagnostics | PostHog (analytics), Sentry (crash diagnostics), AppsFlyer (attribution) | Non-health usage data only |
| Support messages | Email (support@pepcue.app) | Only what you choose to send |

We use reasonable administrative, technical, and organizational safeguards designed to protect information, including encryption in transit and at rest where supported by our providers, access controls, and least-privilege practices. No system is completely secure.

13. Data Retention and Deletion

We keep information only as long as reasonably necessary for the purposes in this Policy, unless a longer period is required or permitted by law.

| Data type | Retention |
| --- | --- |
| Account data | While your account is active |
| Tracking data | While your account is active, unless you delete it |
| Saved photos | Until you delete them or your account |
| Subscription records | As needed for billing, support, fraud prevention, and legal compliance |
| Support records | As long as reasonably necessary for support and legal obligations |
| Crash/performance logs | A limited period for debugging, then deleted or aggregated |
| Anonymous, aggregated, or de-identified data | May be retained indefinitely |

On an account-deletion request, active system data is deleted or deactivated within a reasonable period (generally within 30 days). Backups may persist for a limited time before being overwritten. Some information may be retained for legal, security, fraud-prevention, dispute-resolution, tax, accounting, or compliance reasons. Data already processed by third-party providers remains subject to their retention schedules and our agreements with them.

14. Security and Breach Notification

We maintain safeguards designed to protect information against loss, theft, and unauthorized access, use, or disclosure. If a breach of security safeguards involving your personal information creates a real risk of significant harm (Canada) or otherwise triggers notification under applicable law (including U.S. state breach-notification laws), we will notify affected individuals and the relevant authorities as required and within the timeframes the law sets.

15. Your Privacy Rights (Overview)

Depending on where you live, you may have rights to: access your information; correct inaccurate information; delete your information; obtain a portable copy; withdraw consent; opt out of sale, sharing, targeted advertising, or profiling that produces legal or similarly significant effects; limit the use and disclosure of sensitive personal information; appeal a denied request; and obtain information about categories of third parties to whom we disclosed personal information. You can manage many choices in the app — editing or deleting entries, disabling AI features, revoking device-health access, managing notifications, and deleting your account (Section 17).

16. How to Exercise Your Rights

Submit a request by emailing support@pepcue.app, or by using the in-app controls where available.

Verification. To protect you, we may verify your identity before responding — typically by confirming control of the email on your account or other information we hold. We will not use verification information for any other purpose.

Authorized agents. You may use an authorized agent where the law allows. We may require proof of authorization and may still ask you to verify your identity directly.

Timing. We respond within the timeframe each applicable law requires (for example, 45 days under most U.S. state laws, extendable where permitted; without undue delay under Canadian law).

No discrimination / no retaliation. We will not discriminate or retaliate against you for exercising your rights.

Appeals. If we deny a request, you may appeal by replying to our response or emailing support@pepcue.app with the subject line "Privacy Appeal." If you remain unsatisfied, you may contact your state Attorney General, the Office of the Privacy Commissioner of Canada, or your applicable regulator.

17. Account Deletion

You can delete your account and associated personal information at any time from within the app ([describe the in-app path, e.g., Settings → Account → Delete Account]), or by emailing support@pepcue.app. This satisfies the Apple App Store and Google Play requirement that account-creating apps offer in-app account deletion and a deletion-request method. Deletion is processed as described in Section 13. Some information may be retained where the law allows or requires.

18. Canadian Users (PIPEDA)

We collect, use, and disclose personal information with your consent (express or implied, depending on sensitivity and context). You may withdraw consent subject to legal or contractual limits, though this may limit your use of the app. You may access and correct your personal information and may direct unresolved concerns to the Office of the Privacy Commissioner of Canada.

19. California Residents (CCPA/CPRA)

Notice at collection. We collect the categories below for the business and commercial purposes in Section 7; we retain them as described in Section 13; and we do not sell or share personal information as defined by California law.

Categories of personal information we may collect (last 12 months):

| Category | Examples | Collected |
| --- | --- | --- |
| Identifiers | Name, email, phone, account ID, device ID, IP address | Yes |
| Customer records | Account profile, subscription details | Yes |
| Protected classifications | Age-related information, if provided | Limited |
| Commercial information | Subscription tier, purchase history | Yes |
| Biometric information | Not used to identify you or build templates | Not intentionally |
| Internet/network activity | App interactions, feature usage, crash logs | Yes |
| Geolocation | Approximate region from IP or storefront | Limited |
| Sensory data | Photos you upload or scan | Yes |
| Professional/employment | | No |
| Education | | No |
| Inferences | Preferences and goals from your inputs | Limited |
| Sensitive personal information | Health data, credentials, body-related photos | Yes |

Sources (Section 5), business/commercial purposes (Section 7), and categories of third parties (Section 9) are described above.

Your California rights: to know/access; to delete; to correct; to opt out of "sale" or "sharing" (we do neither); to limit the use and disclosure of sensitive personal information (we use it only for permitted purposes such as providing the service); and to non-discrimination. Sensitive personal information is used only to provide the app and for purposes that do not require an offered "limit" right; we do not use or disclose it to infer characteristics.

If we ever sell or share personal information as defined by California law, we will provide a "Do Not Sell or Share My Personal Information" link and honor opt-out preference signals such as Global Privacy Control. Shine the Light: California residents may request information about disclosures to third parties for their direct-marketing purposes; we do not make such disclosures. We do not offer financial incentives. To exercise rights, see Section 16.

20. Washington Residents (My Health My Data Act)

This Policy, together with the Consumer Health Data Privacy Notice in Section 6, describes our handling of consumer health data. Washington residents may: confirm whether we collect, share, or sell their consumer health data; access it; delete it; and withdraw consent to its collection or sharing. We do not sell consumer health data and do not use geofencing around healthcare facilities. If we ever sell consumer health data, we will obtain valid written authorization beforehand and retain it as required. To exercise these rights, see Section 16. Nevada and Connecticut residents have comparable consumer-health-data rights, addressed here and in Sections 21–22.

21. Nevada Residents

Nevada residents may have rights regarding the sale of covered information and consumer health data under Nevada law (including SB 370). We do not currently sell consumer health data. To submit a request, email support@pepcue.app with the subject line "Nevada Privacy Request."

22. Other U.S. State Privacy Rights

Residents of states with comprehensive privacy laws — including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Minnesota, Maryland, Tennessee, Indiana, Kentucky, and Rhode Island, as those laws take effect — may have rights to access, correct, delete, and obtain a portable copy of personal data, and to opt out of targeted advertising, the sale of personal data, and certain profiling. Several of these laws require opt-in consent to process sensitive data (including health data); where required, we rely on your consent to process the sensitive/health data you provide. To exercise rights or appeal a denial, see Section 16. Where a state law grants additional rights not listed here, we honor them as required.

23. International Users and Legal Bases (GDPR / UK GDPR)

Pep Cue is operated from Canada and serves users in the United States and elsewhere; your information may be transferred to and processed in Canada, the United States, and other locations where our providers operate. If you are in the EEA, UK, or another region requiring a legal basis, we rely on: contract (to provide the app and requested services); consent (for optional features such as device-health access, certain AI features, and notifications, and to process sensitive/health data); legitimate interests (to secure the app, prevent abuse, and improve performance); and legal obligation. Where required, we use appropriate safeguards for cross-border transfers, such as Standard Contractual Clauses. You may lodge a complaint with your local supervisory authority.

24. Cookies, Tracking, and Opt-Out Signals

The app does not use traditional website cookies. Our website may use essential cookies and basic analytics; our website uses, with your consent where required, analytics and advertising cookies/pixels from the partners in Section 9 (such as Meta, Google, TikTok, LinkedIn, and X) to measure our marketing — never with your health data. You can accept or decline non-essential cookies in our cookie banner or your browser. There is no uniform standard for "Do Not Track," and we do not respond to it; however, where required by law we honor recognized opt-out preference signals such as Global Privacy Control for applicable web activity. Our mobile apps may include analytics/attribution SDKs as described in Section 5; you can limit ad tracking through your device settings (for example, iOS App Tracking Transparency or Android ad-ID controls).

25. Children's Privacy

Pep Cue is intended only for users 18 or older. We do not knowingly collect personal information from anyone under 18, and we do not knowingly collect information from children under 13 in violation of the U.S. Children's Online Privacy Protection Act (COPPA). If we learn we have collected such information, we will delete it as required by law.

26. Third-Party Links and Services

Pep Cue may link to third-party websites, products, or services we do not control. This Policy does not apply to them, and we are not responsible for their content or practices.

27. Changes to This Policy

We may update this Policy from time to time. The current version is posted at https://pepcue.app/privacy. If we make material changes, we will provide notice where required by law (for example, by email, in-app notice, or website notice). Continued use after the effective date means you accept the updated Policy, except where additional consent or authorization is required by law.

28. Contact Us

Pep Labs Inc. (Privacy Officer)
Operator of Pep Cue
Ontario, Canada
Email: support@pepcue.app
Privacy Policy: https://pepcue.app/privacy
Terms of Service: https://pepcue.app/terms

© 2026 Pep Labs Inc. · PepCue is a product of Pep Labs Inc. · pepcue.app · support@pepcue.app