Privacy policy

Peptide IA is operated by Alex Kem, a registered small business under § 19 UStG, based in Bad Salzuflen, Germany. As the data controller within the meaning of Art. 4(7) GDPR, we are responsible for the processing of personal data described in this Policy.

Postal address and legal details: see the imprint.

Privacy contact: akremagency@gmail.com

• The Peptide IA mobile app (iOS and Android)
• The Peptide IA website (peptideia.app)
• Support communications you send us

Peptide IA provides tracking, organisation, educational, and informational features only. Peptide IA is not a healthcare provider, medical device, pharmacy, or telehealth service. Any information provided through the App — including educational summaries, calculations, estimates, reminders, or tracking insights — is for informational and organisational purposes only. Always consult a qualified healthcare professional before making health-related decisions.

Account information (only if you create an account)

• Name (if provided), email address, authentication provider (Apple/Google), account ID, basic settings.

Onboarding choices

• Goals, baseline metrics, peptide experience, preferences.

Tracking data (on-device by default)

• Peptide and protocol names; vial inventory and reconstitution details; dose logs; injection sites; side effects / symptoms / journal entries; sleep, recovery, body metrics; bloodwork values and attached reports; progress photos and daily check-ins; notes, reminders, custom entries.

Tracking data lives on your device. Cloud backup is opt-in and uses your own iCloud / Google Drive — not our servers.

Subscription & payment information

Apple, Google, or Stripe processes your payment. We never see your card number. We receive a billing identifier so we can grant the entitlement you paid for.

Device & diagnostic information

• Device model, OS version, app version, anonymised crash reports via Sentry (≤ 90 days), basic request logs for security (≤ 30 days), IP at the time of request.

Contact form

When you contact us via the website form we receive your name, email, subject category, and message. Delivery is handled by FormSubmit.co on our behalf.

What we do NOT collect

We do not collect special categories of data (race, ethnicity, religion, sexual orientation, biometric identifiers). We do not knowingly collect data from anyone under 16.

• Performance of contract — Art. 6(1)(b): providing the App and subscription you purchased.
• Legitimate interest — Art. 6(1)(f): anti-abuse, anonymised diagnostics, security monitoring. You may object — see “Your rights”.
• Consent — Art. 6(1)(a) / Art. 9(2)(a): optional features (e.g., cloud backup, optional analytics). Any processing of health data beyond what is essential to provide the service relies on your explicit consent.
• Legal obligation — Art. 6(1)(c): retaining purchase records as required by German tax and consumer law.

We do not use your personal health data to train AI models, sell it, share it for cross-context behavioural advertising, or process it for any purpose beyond what is described in this Policy.

We do not sell, rent, or share personal data with brokers. We use a minimal set of processors strictly to operate the service:

• Apple App Store / Google Play — app distribution and in-app purchases.
• Stripe — web payments where applicable (PCI-DSS Level 1).
• Vercel — website hosting and edge functions.
• Sentry — anonymised crash diagnostics (event IDs only).
• FormSubmit.co — contact-form delivery.
• Optional cloud backup — stored in your own iCloud or Google Drive, not ours.

Each processor is bound by contract (Auftragsverarbeitungsvertrag / DPA + Standard Contractual Clauses where applicable). We do not use Google Analytics, Firebase Analytics, Mixpanel, AppsFlyer, Meta Pixel, TikTok Pixel, or any advertising SDK.

Some processors may store data outside the European Economic Area. Where this happens, transfers are protected by the European Commission's Standard Contractual Clauses (SCCs) together with supplementary measures as required by the EDPB and the CJEU's Schrems II decision.

• On-device tracking data: kept until you delete it. Wipe in-app under Settings → Account → Delete account.
• Account record: deleted within 30 days of an account-deletion request.
• Subscription records: retained for the period required by German tax law (typically 10 years per § 147 AO).
• Crash diagnostics: up to 90 days, then auto-deleted.
• Anti-abuse logs: up to 30 days, then auto-deleted.
• Support emails: up to 24 months from last interaction.

Under GDPR and UK GDPR, you have the right to:

• Access (Art. 15) — request a copy of your data.
• Rectification (Art. 16) — correct inaccurate data.
• Erasure (Art. 17) — “right to be forgotten”.
• Restriction (Art. 18) — limit how we use your data.
• Portability (Art. 20) — receive your data in a machine-readable format.
• Object (Art. 21) — to processing based on legitimate interest.
• Withdraw consent (Art. 7(3)) — at any time, without affecting prior processing.
• Lodge a complaint with your supervisory authority. In Germany this is your state DPA (for North Rhine-Westphalia: LDI NRW) or the BfDI for federal matters.

To exercise any right, email akremagency@gmail.com or use the account-deletion page. We respond within 30 days as required by Art. 12(3) GDPR.

Where Peptide IA is available outside the EU, we honour comparable rights granted by your local law:

• United Kingdom: UK GDPR rights as listed above; complaints to the ICO.
• California (CCPA / CPRA): right to know, delete, correct, opt out of sale/sharing (we do neither), limit use of sensitive personal information (we don't collect any), non-discrimination.
• Washington & Nevada: rights under the Washington My Health My Data Act and Nevada consumer-health-data law apply to users in those states; we do not sell consumer health data.
• Brazil (LGPD), Canada (PIPEDA / Quebec Law 25), Australia (Privacy Act 1988), other countries: comparable rights of access, correction, deletion, and consent are honoured.

To exercise any of these rights, use the same email address. We honour Global Privacy Control (GPC) signals where applicable.

We do not sell personal information. We do not share personal information for cross-context behavioural advertising. We do not engage in cross-site tracking.

Data on your device is protected by your device's OS-level encryption. Server infrastructure uses TLS 1.2+ in transit and AES-256 at rest. We follow industry-standard administrative, technical, and physical safeguards. In the unlikely event of a breach affecting your data, we will notify the relevant supervisory authority and you in line with Art. 33–34 GDPR.

Peptide IA is intended for adults. We do not knowingly collect data from anyone under 16. If you believe a child has provided us data, contact us and we will delete it.

We do not make decisions that significantly affect you using solely automated processing (Art. 22 GDPR). We do not profile you for advertising.

If Peptide IA or substantially all of its assets are involved in a merger, acquisition, financing, sale of assets, or similar transaction, user information may transfer to the acquiring or successor entity. Any future use of personal data remains subject to applicable law, required notices, your rights, and any consent or opt-out required.

Material changes will be surfaced in-app and reflected in an updated effective date. For substantive changes that affect your rights, we will seek fresh consent where required.

Email: akremagency@gmail.com

Web form: peptideia.app/contact

Postal address & legal entity: see the imprint.