Privacy
Policy
Effective: June 6, 2026
Overview
PepChamp ("we", "us", "our") is a peptide protocol tracking application. This Privacy Policy explains how we collect, use, and protect your information when you use our mobile application. By using PepChamp, you agree to the practices described in this policy.
Information We Collect
We collect only the information necessary to provide the app's features:
- Account information (email address for authentication)
- Profile data you provide (name, phone number, physical address, city, state, ZIP code, weight, age, height, gender, experience level)
- Peptide protocols and dose logs you create
- Community forum posts and replies
- Device push notification tokens (if you opt in)
- Calendar data (if you grant access for dose reminder scheduling)
- Nurse consultation bookings (scheduled date/time, selected practitioner, status)
- Camera and microphone streams during scheduled nurse consultation video calls (these are transmitted live to the third-party Jitsi Meet service; PepChamp does not record, store, or transcribe call content)
How We Use Your Information
Your data is used solely to:
- Provide and maintain the app's features
- Display your protocols, logs, and progress
- Enable community forum participation
- Send push notifications you've opted into
- Schedule dose reminders on your device calendar (if you grant access)
We do not sell, rent, or share your personal information with third parties for marketing purposes.
Data Storage & Security
Your data is stored on Supabase, our database provider. Supabase's underlying infrastructure (AWS) provides encryption at rest and in transit at the network and storage layer. PepChamp does not add a separate application-layer encryption on top of this. Row Level Security (RLS) policies on every table ensure you only ever access your own data, and authentication tokens are kept in your device's secure storage.
Health & Sensitive Data
PepChamp collects health-related data including peptide dose logs, injection site records, blood work entries, and protocol schedules. This data is:
- Stored on Supabase, which encrypts data at rest and in transit at the infrastructure layer (PepChamp does not add separate application-layer encryption)
- Accessible only to you via Row Level Security policies
- Never shared with third parties for advertising or marketing
- Never used to make medical decisions on your behalf
- Permanently deleted when you delete your account
We treat all health-related data with the highest level of protection. PepChamp is not a HIPAA-covered entity but follows industry best practices for health data security.
Device Permissions
- Calendar — Used to create dose reminder events on your device calendar. Calendar data is accessed only when you explicitly grant permission and is used solely to schedule reminders. We do not read, store, or transmit your existing calendar events.
- Push Notifications — Used to send dose reminders, consultation reminders, and app updates you opt into.
- Camera — Used only during a scheduled nurse video consultation, and only while the call is active. The camera turns on when you join a call and off when you leave. Video is streamed peer-to-peer via Jitsi and is not recorded by PepChamp.
- Microphone — Used only during a scheduled nurse video consultation, and only while the call is active. Same peer-to-peer treatment as Camera; not recorded.
- Photos — Used only by verified nurse practitioners to choose a professional profile photo from their library. The selected photo is resized on your device, stripped of EXIF/location metadata, and uploaded to secure storage; patients see it on the consultation booking screen. Consumer accounts are never prompted for photo access, and PepChamp never reads your photo library beyond the single image you pick.
You can revoke any device permission at any time through your device's Settings app.
AI Data Sharing (Google Gemini)
PepChamp offers three AI-powered features that send data to Google Gemini AI for processing: the AI Q&A Assistant, the AI Research Helper, and the Cycle Insights. No other feature in the app sends data to any AI service.
The Interaction Checker does NOT use AI — it queries a local research-backed database and does not send your data anywhere.
Recipient: Google Gemini AI (ai.google.dev), operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States.
Data Sent to Google Gemini
- Text you type into the AI Q&A Assistant (questions, follow-ups, and the conversation context within that session)
- Questionnaire selections you make in the AI Research Helper (goals, experience level, route preference, frequency, complexity)
- Protocol metadata you submit to Cycle Insights (protocol name, peptide names, cycle length, days elapsed, adherence percentage — your specific doses and frequency are NOT sent)
Data NOT Sent to Google Gemini
- Your email, name, phone, address, or account details
- Your stored dose logs or injection site history
- Your blood work values, weight, or body measurements
- Any other personally identifiable information
How It Is Used
Google Gemini processes your text to generate a response, which is returned to the app and displayed to you. Data is transmitted over encrypted HTTPS. Google's use of this data is governed by Google's Privacy Policy and the Google API Terms of Service, which provide equal or equivalent privacy protection to this policy. PepChamp does not retain or share this data with any other third parties.
Your Consent
The first time you open any of the three AI features, the app shows a full-screen consent modal that identifies Google Gemini as the recipient, lists exactly what will be sent, what will not be sent, and requires you to tap "I Agree." If you tap "Cancel," no data is sent and the feature is not used. You can withdraw consent at any time by signing out — the next sign-in will require consent again before using AI features.
Third-Party Services
We use the following third-party services that may process your data. Each provides equal or equivalent privacy protection to this policy through its own privacy terms.
- Supabase Inc. (supabase.com) — Authentication, database hosting, and cloud functions. Your account data, dose logs, protocols, blood work entries, wellness entries, measurements, and forum posts are stored in a Postgres database hosted in the United States. Supabase uses AWS as its underlying cloud provider. See supabase.com/privacy.
- RevenueCat, Inc. (revenuecat.com) — Subscription and in-app purchase management. Processes purchase receipts and subscription status. See revenuecat.com/privacy.
- Google LLC — Google Gemini AI powers three features only: AI Q&A Assistant, AI Research Helper, and Cycle Insights. Data sent is limited to what is described in the "AI Data Sharing" section above. See policies.google.com/privacy.
- Expo, Inc. (expo.dev) — Push notification delivery and over-the-air update distribution. See expo.dev/privacy.
- Apple — App distribution, in-app purchase processing, and (if you use Sign In with Apple) authentication. See apple.com/privacy.
- Licensed Nurse Practitioners — When you book a consultation, the assigned nurse practitioner can see, for the duration of that booking, the following information so she can have an informed, on-topic educational conversation with you:
- Identity: your display name, gender, age, state of residence.
- Goals: your stated tracking goals.
- Active protocols: peptide names, doses, and frequency for protocols you've marked active.
- Recent activity (last 14 days): the count of doses you've logged and any free-text side-effect notes you attached to those logs.
- Recent wellness scores (last 7 days): your self-reported 1–10 ratings for sleep, energy, recovery, and mood — shown to the nurse as averages, not individual entries.
- Most recent weight entry: your most recent weight and the date of that entry. Body-fat percentage, waist, and any other measurements you log are NOT shared.
- Most recent blood-work entry: only the date you saved it. The lab name, panel type, and individual marker values are NOT shared.
- Booking history: a count of your prior completed or no-show consultations with that same nurse.
- Topic / notes: any optional "what is this call about?" topic and any free-text notes you write at booking time (both capped at 280 characters). These appear on the nurse's dashboard so she can prepare for the call.
- 8x8, Inc. / Jitsi Meet (meet.jit.si) — Live video and audio infrastructure for scheduled nurse consultations. When you join a call, your camera and microphone streams are transmitted to Jitsi Meet so you and your nurse can communicate. PepChamp does not record or store these streams. The room URL uses a randomly generated identifier that is unique to your consultation and functions as the access credential — anyone with that URL can join the room, so you should treat it like a password and never share it with third parties. Calls are intended as educational conversations and we ask that you avoid sharing identifying personal health information on these calls. See jitsi.org/security and 8x8.com privacy.
- Stripe, Inc. (stripe.com) — Payment processing for nurse consultation bookings. When you book a consultation, Stripe receives your payment card details, billing name and email, and the amount of the transaction. PepChamp does not see or store your full payment card number; we only retain a Stripe identifier for the charge so we can issue refunds if you cancel. Per Apple App Store Guideline 3.1.3(d), live person-to-person services are not required to use in-app purchase. See stripe.com/privacy.
Each service has its own privacy policy. We encourage you to review them.
Your Rights
You have the right to:
- Access all data we store about you
- Request export of your data
- Delete your account and all associated data
- Opt out of push notifications
- Withdraw consent for data processing
Account deletion is available in Settings > Account Actions > Delete Account. This permanently removes all your data from our servers.
For data export requests, contact us at [email protected].
GDPR Rights (European Users)
If you are in the European Economic Area, you have additional rights under the General Data Protection Regulation:
- Right to access your personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing
To exercise these rights, contact us at [email protected]. We will respond within 30 days.
CCPA Rights (California Users)
If you are a California resident, you have the right to:
- Know what personal information we collect
- Request deletion of your personal information
- Opt out of the sale of personal information (we do not sell your data)
- Non-discrimination for exercising your rights
Contact us at [email protected] to exercise these rights.
Children's Privacy
PepChamp is not intended for use by anyone under the age of 18. We do not knowingly collect information from children under 18.
Medical Disclaimer
PepChamp is for informational purposes only and does not provide medical advice. Always consult a qualified healthcare provider before starting, changing, or stopping any protocol. We are not responsible for health decisions made based on information in this app.
Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be reflected in the app with an updated effective date. Continued use of PepChamp after changes constitutes acceptance of the updated policy.
Contact Us
If you have questions about this Privacy Policy or your data, contact us at [email protected].