Privacy Policy — Peplab ai

AT A GLANCE

The short version.

Plain languageWe collect what we need to run the app. We don't sell data. Health data is encrypted. You can delete everything.

01

No selling. Ever.

We do not sell your personal or health data to advertisers or data brokers. There is no third-party ad SDK in the app.

02

Encrypted end-to-end

Health data (logs, bloodwork, symptoms) is encrypted in transit with TLS 1.2+ and at rest with AES-256.

03

Private AI

AI insights are processed by us or vetted vendors under a Data Processing Agreement. Your data is not used to train public models.

04

HealthKit stays on-device

Apple HealthKit data remains on your iPhone unless you explicitly opt in to cloud sync.

05

Export or delete anytime

Settings → Account. CSV export for any log. Full account deletion completes within 30 days.

06

You have rights

Access, correct, delete, export, object. CCPA, GDPR, and state privacy laws apply. We'll honor requests within 30–45 days.

01

Information We Collect

Account info: Email, name (optional), password hash, subscription status.
Health & research data: Compounds logged, doses, timing, cycle info, symptoms, mood/energy/sleep ratings, bloodwork uploads, attached photos, and free-text notes.
Device data: Device model, OS version, app version, crash logs, and diagnostic signals needed to keep the app working.
Usage data: Which features you use and when, so we know what to improve. We use privacy-preserving analytics and do not use third-party advertising SDKs.
Apple Health / HealthKit: Only the categories you explicitly authorize (e.g., weight, steps, sleep, heart rate).

02

How We Use It

To operate, maintain, and improve the Service.
To generate your personal insights, reports, and trends.
To provide customer support.
To send transactional and important service emails. We do not send marketing without opt-in.
To detect, prevent, and address fraud, abuse, or security incidents.
To comply with legal obligations.

03

Health Data & HealthKit

Apple HealthKit rulesApple Health data is never used for ads, never sold, and only synced to our servers if you opt in.

Peplab follows Apple's HealthKit requirements. HealthKit data is:

Not used for advertising or data-broker purposes.
Not disclosed to third parties for their marketing.
Only synced to Peplab servers if you explicitly enable cloud sync; otherwise it remains on your device.

04

How We Share Information

Plain languageOnly with service providers running the app, or when legally required.

Service providers — cloud hosting, email, crash analytics, payment processing, and customer support tools, each under a written Data Processing Agreement.
Legal — if required by law, subpoena, or to protect rights, safety, or property.
Business transfers — in connection with a merger, acquisition, or asset sale, with notice to you.
With your consent — e.g., exporting a PDF to share with your clinician.

We do not sell personal information as defined by the CCPA or share it for cross-context behavioral advertising.

05

AI Processing

Plain languageAI insights are generated with vendors under contract. Your data doesn't train their public models.

Some AI-generated insights are produced with third-party large-language-model providers under a Data Processing Agreement that prohibits use of your data to train their public models. Where possible, we process insights on-device or with de-identified inputs. You can turn off AI insights at any time in Settings.

06

Data Retention & Deletion

Plain languageKeep it as long as you want. Delete it whenever. We'll honor it within 30 days.

We keep your data while your account is active. You can delete your account and all associated data from Settings → Account → Delete Account. We will complete deletion within 30 days, except where retention is required by law (e.g., tax or billing records).

07

Security

Plain languageEncryption in transit + at rest. Nothing is perfect, but we take it seriously.

We use TLS 1.2+ in transit, AES-256 at rest, access controls, audit logging, and periodic security review. No system is perfectly secure; if we detect a breach affecting your data, we will notify you as required by applicable law.

TLS 1.2+

In transit

AES-256

At rest

SOC 2

Cloud hosts

On-device

HealthKit default

08

Your Rights CCPA · GDPR · state laws

Plain languageAccess, correct, delete, export, object. Ask us and we'll help.

Depending on your jurisdiction, you may have the right to:

Access the personal information we hold about you.
Correct inaccurate data.
Delete your data.
Export your data in a portable format.
Object to or restrict certain processing.
Opt out of sale or sharing (we don't do either, but you can confirm).
Lodge a complaint with your local data protection authority.

Contact privacy@peplab.ai to exercise any of these rights. We verify requests and respond within 30–45 days.

09

Children's Privacy

Plain languageNot for anyone under 18.

The Service is not intended for anyone under 18. We do not knowingly collect personal information from children. If you believe we have, contact privacy@peplab.ai and we will delete it.

10

International Users

Peplab is operated from the United States. If you use the Service from outside the U.S., your information will be transferred to, stored, and processed in the U.S. under standard contractual clauses where applicable.

11

Changes to This Policy

We may update this Privacy Policy. Material changes will be announced in-app and by email. The "Last updated" date at the top of this page always reflects the current version.

12

Contact

Privacy

privacy@peplab.ai

EU / UK representative

dpo@peplab.ai

Security

security@peplab.ai

Mailing

Peplab Labs, Inc.
Attn: Privacy
[Mailing address]