Privacy Policy
Last Updated: May 18, 2026
1. Introduction
qlabs LLC (“we,” “our,” or “us”) is a Texas limited liability company. We operate the Pepty mobile application (the “App”) and the website at pepty.app (the “Website”), together with related features such as the AI Visualization scan, AI Chat, referral program, and creator program (collectively, the “Services”).
This Privacy Policy explains what information we collect, how we use it, who we share it with, how long we retain it, and what rights you have. By using the Services you agree to the practices described here. If you do not agree, please do not use the Services.
This Privacy Policy is incorporated by reference into our Terms and Conditions and uses defined terms from that document.
2. Information We Collect
2.1 Information You Provide Directly
Depending on how you use the App, you may provide us with the following types of information:
- Account information. When you sign in with Apple or Google, the provider gives us your name (if you share it) and an email address (real or relay). We assign you an internal account identifier (a UUID).
- Profile preferences. Theme, language, time format, notification preferences, and similar settings.
- Optional demographics. During onboarding you may share your age range (e.g., 18–24, 25–34) and biological sex (male, female, or prefer not to say). Both fields are optional. We use them only to personalize content within the App.
- Research-tracking data. Peptide protocols, vial inventory, administration logs, journal entries, favorites, and Learn lesson progress that you enter into the App.
- AI Visualization photos. If you choose to use the AI Visualization feature, you submit a photo of your face or body, the “mode” (face or body), and a small set of pre-defined concern tags. See Section 3 for a detailed description of how this data is handled.
- AI Chat messages. Text you type into the in-app AI Chat. See Section 3.3.
- Referral inputs. A referral code you enter during onboarding, if any, and (for affiliates and creators) the unique code that we issue to you.
- Support communications. If you email us or contact us through the App, we receive your name, contact details, and the content of your message.
- Website forms. If you sign up as an affiliate or creator, complete a contact form, or join a waitlist on pepty.app, we receive whatever you submit through that form (typically name, email, social handles, and a payout method).
2.2 Information Collected Automatically
When you use the Services, certain information is collected automatically:
- Device information. Device type, operating system version, app version, locale, time zone, and mobile carrier (where exposed by the OS).
- Usage data. Features used, screens viewed, taps, session duration, navigation paths, and similar product-analytics events.
- Crash and performance data. Stack traces, device state at the time of an error, and short pre-crash session replays from our error-monitoring provider.
- Affiliate-link interactions. When you tap an affiliate link to a third-party vendor we record the link, time, and a click identifier so we can attribute any resulting commission.
- Scan metadata. For each AI Visualization request we keep a metadata-only audit row (timestamp, mode, concerns selected, which AI provider served the request, our internal cost, and a list of compound IDs suggested for that scan). The photo and the generated image are not stored.
- IP address and approximate location. Network requests inherently expose an IP address to our hosting provider; this is used for security, abuse prevention, and rough country-level localization.
2.3 Information from Third Parties
- Authentication providers. Apple and Google share your name (if you share it) and email address with us when you sign in.
- Subscription provider. Apple and our paywall provider Superwall send us subscription lifecycle events (purchase, renewal, refund, cancellation, expiry) tied to your account identifier.
- Affiliate networks. Affiliate networks send us transaction confirmation data (typically limited to whether a purchase was completed and the commission amount) so we can attribute commissions.
- Analytics providers. Aggregated usage metrics from PostHog and crash signal data from Sentry.
2.4 What We Do Not Collect
- We do not collect or store your payment-card or bank-account information. All in-app purchases are processed by Apple; any affiliate-side payouts are processed by Stripe.
- We do not access your device's contacts, microphone, health database (Apple Health / Google Fit), location services, or photo library other than the specific photo you choose to submit to the AI Visualization feature.
- We do not generate or store biometric templates derived from your photos. See Section 3 for the specific scope of what AI Visualization does and does not do with photo data.
- We do not sell your personal information, and we have not sold personal information in the preceding twelve months.
3. AI Features: Photo and Message Handling
This section describes precisely what happens to data you submit to the AI features (AI Visualization and AI Chat). These features are optional — the App works without them.
3.1 AI Visualization — Photo Pipeline
When you tap “Scan” and choose a photo (or capture one with the camera), the following happens:
- Your device sends the photo bytes, the selected mode (face or body), and the selected concern tags over HTTPS to our backend (a serverless function hosted on Supabase Edge Functions).
- Our backend forwards the photo to a third-party AI image model. The primary provider is Google's Gemini generative-image API. If Gemini refuses or fails, we fall back to Black Forest Labs' FLUX Kontext Pro API.
- The provider returns a generated image to our backend. Our backend returns that generated image to your device.
- Your device receives the generated image. Your device then displays it, optionally lets you save or share it, and discards the network response from memory when you leave the result screen.
What we store. We store a metadata-only row in our database (the “scans” table) containing: your account identifier, mode, concerns, generation provider, our internal cost in USD, the list of compound IDs suggested for that scan, and a timestamp. This row is used for quota enforcement, abuse detection, and product analytics.
What we do not store. We do not write your input photo or the generated output image to any database, disk, log, or persistent storage controlled by us. Both exist only transiently in the memory of the serverless function that handles the request, for the seconds required to round-trip the call.
Where photos travel. Your photo is sent to, and the generated image is produced by, one of the following third-party providers. Each operates under its own privacy policy and terms; please review them:
- Google LLC — Gemini API (policies.google.com/privacy, Gemini API terms).
- Black Forest Labs GmbH — FLUX Kontext Pro API (blackforestlabs.ai/privacy-policy).
Each provider processes the photo on its own infrastructure (typically in the United States or the European Economic Area) under the terms of our API agreement with them. We require, where contractually available, that providers act as data processors on our behalf, apply content-safety filtering, and not use the photo to train general-purpose models. We cannot, however, audit a provider's internal handling and you submit your photo subject to that residual risk.
Sharing. If you choose to save or share a generated image (for example via the iOS share sheet), the image leaves the App through your device's own sharing system. We do not see or store the recipients, channels, or any social-media uploads of generated images.
3.2 AI Visualization — Biometric Privacy
Several U.S. states regulate the collection and use of biometric identifiers, including Illinois (BIPA), Texas (Capture or Use of Biometric Identifier Act), and Washington (Chapter 19.375 RCW). We have designed the AI Visualization pipeline to minimize biometric-privacy exposure:
- We do not extract, generate, store, sell, or trade “biometric identifiers” or “biometric information” (e.g., face geometry templates, fingerprints, iris scans, voiceprints) from your photos.
- We do not use your photo for identity verification, identification, or one-to-many matching of any person.
- The AI providers we use generate a new image from your input. To the extent any internal embedding is created by a provider in the course of producing that output, we do not receive it, request it, or store it.
- You may decline to use the AI Visualization feature at any time. The App is fully functional without it.
By submitting a photo, you provide informed consent to the ephemeral processing described in Section 3.1. To withdraw consent and request deletion of associated metadata, see Section 9.
3.3 AI Chat — Message Pipeline
When you send a message in the in-app AI Chat:
- Your message is sent over HTTPS to our backend (a Supabase Edge Function).
- Our backend applies content moderation and rate limits, then forwards your message text to DeepSeek (platform.deepseek.com/privacy) for a model response.
- The response is returned to your device.
- We log a metadata-only row (your account identifier, timestamp, token count, and a moderation outcome). We do not retain the message text or the model response beyond what is needed to generate the reply, except where required for fraud, abuse, or legal-compliance investigations.
Do not include personal information about any other person in chat messages without that person's consent, and do not send protected health information about anyone other than yourself.
4. How We Use Your Information
- Providing and maintaining the Services. Running peptide tracking, scheduling, reminders, price comparison, Learn lessons, AI Visualization, and AI Chat.
- Improving the Services. Understanding how Users interact with the App, identifying issues, and developing new features.
- Personalization. Tailoring content based on optional demographics, your selected compounds, and your in-app behavior.
- Affiliate attribution. Tracking affiliate link clicks and attributing commissions from third-party vendor purchases.
- Referral program. Validating referral codes, attributing referrer–referee relationships, and granting bonus benefits.
- Subscriptions and billing administration. Granting or revoking Pepty Premium entitlements based on subscription events from Apple and Superwall.
- Communications. Responding to your inquiries, sending transactional emails (e.g., subscription receipts on the affiliate side, account-deletion confirmation), and, with your consent, occasional product updates.
- Security and abuse prevention. Detecting, preventing, and responding to fraud, abuse, scraping, and security incidents.
- Legal compliance. Complying with applicable laws, regulations, court orders, and legal process.
We do not use your personal information for advertising outside the App, for cross-context behavioral advertising, or to train our own AI models.
5. How We Share Your Information
We do not sell your personal information. We share information only with the following categories of recipients and only for the purposes described.
5.1 AI Model Providers
As detailed in Section 3, we route your AI Visualization photos and AI Chat messages to third-party model providers:
- Google LLC — Gemini generative-image API.
- Black Forest Labs GmbH — FLUX Kontext Pro API (fallback).
- DeepSeek — large language model for AI Chat.
5.2 Infrastructure and Service Providers
Each of the following acts as a data processor on our behalf under contractual confidentiality terms:
- Supabase (supabase.com/privacy) — managed Postgres database, authentication, and serverless function hosting. Stores your account information, profile preferences, peptide protocols, inventory, administration logs, favorites, scan metadata, Learn progress, referral attributions, and affiliate configuration.
- Superwall (superwall.com/privacy) — subscription paywall and entitlement management. Receives subscription events and your account identifier when you view a paywall or subscribe.
- Apple Sign In and Google Sign In — authentication providers. When you sign in with Apple or Google we receive your name (if you share it) and email address. Your interactions with those providers are governed by Apple's and Google's privacy policies.
- Vercel (vercel.com/legal/privacy-policy) — hosting provider for the Website at pepty.app, including Vercel Analytics and Speed Insights for aggregated, cookie-less Website telemetry.
- Cloudflare Turnstile (cloudflare.com/privacypolicy) — bot-protection challenge on Website forms (affiliate signup, contact). Receives challenge metadata but not your form contents.
- Stripe (stripe.com/privacy) — payment processor for affiliate / creator payouts. We do not handle your payout-method details directly; Stripe collects and stores them under its own policy.
- Resend (resend.com/legal/privacy-policy) — transactional email delivery (e.g., affiliate signup confirmation, support replies).
- Apple Push Notification service — delivery of local-only research reminders and protocol notifications. Push tokens are stored on Apple's infrastructure.
5.3 Analytics and Diagnostics
We use the following third-party processors to understand how the Services are used and to diagnose problems:
- PostHog (posthog.com/privacy) — product analytics. Collects screen views, feature interactions, and aggregated usage events. May also include sampled session replays that capture screen taps, navigation, and the visual layout of in-app screens. Replays may include the names of compounds you have added and your dosage amounts when those screens are open, so we can debug user-reported issues with protocols and inventory tracking. Free-text inputs and sensitive screens (including the AI Chat composer and AI Visualization result screen) are masked. Linked to your account identifier when you are signed in.
- Sentry (sentry.io/privacy) — error and performance monitoring. Collects crash reports, error stack traces, performance metrics, and short session replays of the moments leading up to an error. Text content is masked in replays. Linked to your account identifier when you are signed in.
These analytics services act as data processors on our behalf and do not use your data for their own marketing or third-party advertising.
5.4 Affiliate Networks
When you tap an affiliate link in the App, technical data (click identifier, timestamp, link target, anonymized device information) may be shared with our affiliate network partners to track referrals and attribute commissions. This data does not include your health, research-tracking, or AI Visualization data.
5.5 Legal Requirements
We may disclose your information if we believe in good faith that disclosure is required to comply with applicable law, regulation, legal process, governmental request, subpoena, or court order, or to enforce our Terms, protect our rights, property, or safety, or those of our Users or the public.
5.6 Business Transfers
In the event of a merger, acquisition, reorganization, financing, bankruptcy, or other sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or use of your personal information.
6. Third-Party Links and Vendors
The Services contain links to third-party websites and services, including peptide vendor websites. This Privacy Policy does not apply to those third-party services. We are not responsible for their privacy practices or content. We encourage you to review the privacy policies of any third-party services before providing them with information or completing any transactions.
7. Cookies and Similar Technologies
7.1 Website
Our Website uses a small number of cookies and similar technologies:
- Strictly necessary cookies — required for the Website to function (e.g., affiliate signup, security challenge via Cloudflare Turnstile).
- Affiliate / referral cookies — short-lived first-party cookies that capture a creator or referral code from the URL so it can be attributed when you install the App.
- Analytics — Vercel Analytics and Speed Insights, which are cookie-less and use aggregated signals only.
We do not use third-party advertising cookies or cross-context behavioral advertising on the Website.
7.2 Mobile App
Within the App we use device identifiers, analytics SDKs (PostHog, Sentry), and the IDFV (Apple's identifier for vendor) as exposed by the operating system. We do not use the Apple IDFA (Identifier for Advertisers) and do not show the App Tracking Transparency prompt because we do not track you across other companies' apps or websites.
7.3 Do Not Track / Global Privacy Control
Because we do not engage in cross-context behavioral advertising or sell personal information, we treat browsers sending a “Do Not Track” or Global Privacy Control (GPC) signal the same as any other visitor and do not change our practices in response to those signals.
8. Data Storage, Retention, and Security
8.1 Cloud Storage
Most data you provide through the App is stored on our Postgres database hosted by Supabase, including:
- Account information (name, email, account identifier).
- Profile preferences (theme, language, optional demographics).
- Peptide protocols, vial inventory, administration logs, favorites, and Learn lesson progress.
- Scan metadata (no photos), AI Chat metadata (no message text beyond what is needed to generate a reply), referral attributions, and subscription events.
This means:
- Your data syncs across devices when you sign in to the same account.
- Data persists even if you uninstall the App, until you request deletion.
- Data is encrypted in transit (HTTPS / TLS) and at rest at the database layer.
- We use row-level security so each account can only read and write its own records, and the scan / chat backends run as service-role functions that enforce per-user access at the API boundary.
8.2 Local Storage
Some preferences and transient state are stored locally on your device using AsyncStorage. This includes onboarding state, theme and locale defaults before sign-in, the Learn-reminder schedule, and similar session-level data. Local data is removed when you uninstall the App or clear its data through your device's OS settings.
8.3 Retention
We retain personal information only as long as needed for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Typical retention periods:
- Account data and research-tracking data — for the life of your account; deleted within 30 days of an account-deletion request, subject to legal retention requirements.
- AI Visualization photos and generated images — not stored. Held in memory by our backend only for the seconds required to make the third-party API call.
- Scan metadata — up to 24 months, or until account deletion, whichever is sooner. Used for quota enforcement and product analytics.
- AI Chat messages — not retained beyond what is needed to generate the reply, except metadata (timestamp, token count, moderation outcome) kept for up to 24 months for rate-limiting and abuse prevention.
- Subscription and billing records — up to 7 years to meet tax and financial-records obligations.
- Analytics events — retained in anonymized or aggregated form for up to 24 months.
- Affiliate-tracking data — retained for the duration required by our affiliate network agreements, typically 30 to 90 days after a transaction.
- Support communications — up to 24 months after the issue is resolved.
8.4 Account Deletion
You can request full deletion of your account and associated cloud data from within the App (Profile → Delete Account) or by emailing support@pepty.app. Deletion is permanent and removes the personal data we hold about you, except records we are required to retain by law (such as financial records related to subscriptions) and any de-identified or aggregated analytics that can no longer be linked back to you.
8.5 Security Measures
We implement administrative, technical, and physical safeguards designed to protect your information, including encryption in transit and at rest, scoped service-role credentials, row-level access controls, principle-of-least-privilege backend functions, and routine security review. However, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security. If we become aware of a security incident that materially affects your personal information we will notify you and the appropriate regulators where required by law.
9. Your Rights and Choices
9.1 Universal Rights
Regardless of where you live, you may:
- Access the personal information we hold about you.
- Request correction of inaccurate personal information.
- Request deletion of your personal information, subject to legal exceptions.
- Request a portable copy of your personal information.
- Decline to use, or stop using, the AI Visualization and AI Chat features at any time.
- Opt out of optional product communications.
To exercise these rights, email support@pepty.app from the email address associated with your account. We will respond within 30 days. We will not discriminate against you for exercising any of these rights.
9.2 Opt-Out of Analytics
You may opt out of optional analytics collection through the App's Settings menu, where available. Essential logging (e.g., crash reports needed to keep the App running) cannot be disabled.
9.3 Notifications
You can manage push-notification preferences through your device's system settings at any time.
10. California Privacy Rights (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
- Right to Know — the categories of personal information we collect, the sources of that information, the business purposes for collection, the third parties with whom we share it, and the specific pieces of information we hold about you.
- Right to Delete — subject to certain exceptions.
- Right to Correct — inaccurate personal information.
- Right to Limit Use of Sensitive Personal Information — we treat AI Visualization photos as sensitive personal information. We use them only for the purpose for which you submitted them (generating a visualization).
- Right to Opt-Out of Sale or Sharing — we do not sell personal information and do not share it for cross-context behavioral advertising.
- Right to Non-Discrimination.
Notice of Collection (last 12 months). We collected the following categories of personal information from California residents: identifiers (name, email, account identifier, IP address); customer-records information; commercial information (subscription and affiliate transactions); internet or other electronic network activity (App usage, click data); geolocation (approximate, from IP); sensory data (photos you submit to AI Visualization); inferences drawn from any of the above (e.g., concern tags). We do not collect government identifiers, financial-account numbers, precise geolocation, or biometric identifiers as defined by CCPA.
To exercise your California privacy rights, email support@pepty.app with the subject line “California Privacy Request.” You may authorize an agent to make a request on your behalf with verifiable written authorization.
11. Other U.S. State Privacy Rights
Residents of other U.S. states — including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and Delaware (DPDPA) — have similar rights, including the right to access, correct, delete, and obtain a portable copy of personal data, and the right to opt out of targeted advertising, the sale of personal data, and certain profiling. We do not engage in those activities.
Texas residents. Texas's Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code §503.001) prohibits capture of certain biometric identifiers without informed consent. As described in Section 3.2, we do not generate biometric identifiers from your photos; the AI Visualization pipeline produces a new illustrative image and does not extract face geometry, fingerprints, retina or iris scans, hand geometry, or voiceprints from your input. To exercise your rights, email support@pepty.app.
12. EEA, UK, and Swiss Users (GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, the following applies in addition to the rights above.
- Controller. qlabs LLC is the controller of your personal data for the Services. Contact support@pepty.app.
- Legal bases. We process personal data on the bases of: (i) performance of a contract (to provide the Services you request, including AI features); (ii) legitimate interests (security, abuse prevention, product improvement); (iii) consent (where required, such as your decision to submit a photo to AI Visualization); and (iv) legal obligation.
- Special-category data. Photos of your face or body submitted to AI Visualization may constitute special-category data under Article 9 GDPR. We process such photos only with your explicit consent (your submission constitutes that consent) and only for the purpose for which you submitted them.
- International transfers. We are based in the United States and our service providers operate in the United States and other jurisdictions. Where required, transfers rely on Standard Contractual Clauses or other approved transfer mechanisms.
- Rights. You have the right of access, rectification, erasure, restriction, portability, objection, and the right to withdraw consent at any time. You also have the right to lodge a complaint with your local supervisory authority.
- No automated decisions with legal effect. We do not make decisions about you that produce legal or similarly significant effects solely on the basis of automated processing.
13. Children's Privacy
The Services are not directed to, and may not be used by, anyone under 18. We do not knowingly collect personal information from anyone under 18, and minors may not submit photos to the AI Visualization feature under any circumstance. If we become aware that we have collected personal information from a child under 18 we will delete it promptly. If you believe a child under 18 has submitted personal information, please contact us at support@pepty.app and we will act on the report.
14. International Users
The Services are operated from the United States. If you access the Services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and in any country in which our service providers operate, where data-protection laws may differ from those in your jurisdiction. By using the Services you consent to such transfer, storage, and processing.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last Updated” date at the top, provide notice within the App, and, where appropriate, send an email to your registered email address. Your continued use of the Services after the effective date of any change constitutes your acceptance of the updated Privacy Policy.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
qlabs LLC
Email: support@pepty.app
For California-specific requests, use the subject line “California Privacy Request.” For deletion-of-account requests, use “Account Deletion.”
© 2026 qlabs LLC. All rights reserved.
Pepty is not a medical device and does not provide medical advice, diagnosis, treatment, or prescriptions. AI-generated visualizations are illustrative concept renderings and are not predictions of your actual or future appearance. Always consult qualified healthcare professionals before starting, changing, or stopping any peptide protocol.