Privacy Policy

1. Introduction

PeptidePal LLC ("PeptidePal," "we," "us," or "our") operates the PeptidePal Provider Portal (portal.peptidepal.app) and the PeptidePal mobile application (collectively, the "Services"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Services. We are committed to protecting the privacy and security of all personal information and Protected Health Information (PHI) entrusted to us.

2. HIPAA Compliance

PeptidePal functions as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). We maintain administrative, physical, and technical safeguards to protect PHI in accordance with HIPAA Security Rule requirements. We enter into Business Associate Agreements (BAAs) with covered entity healthcare providers who use our platform. All PHI is encrypted at rest and in transit, access is logged with immutable audit trails, and role-based access controls enforce the minimum necessary standard.

3. Information We Collect

3.1 Information You Provide

When you register for an account or use our Services, you may provide us with:

• Account information: name, email address, professional credentials, clinic name, and contact details.
• Patient data (PHI): patient identifiers, treatment protocols, lab results, medication dosages, injection logs, side effect reports, appointment records, and messaging content between providers and patients.
• Billing information: subscription plan selection and payment method details (processed and stored by Stripe; we do not store full payment card numbers).
• Consent and intake forms: digital signatures, consent records, and patient intake responses.

3.2 Information Collected Automatically

• Usage data: pages visited, features used, timestamps, and interaction patterns.
• Device information: device type, operating system, browser type, and app version.
• Log data: IP address, access times, and referring URLs.

4. How We Use Your Information

• Provide, maintain, and improve our Services.
• Enable provider-patient communication and treatment management.
• Generate AI-powered lab analysis summaries to assist clinical decision-making (using Anthropic's Claude API; PHI is transmitted securely and not used to train AI models).
• Process subscription payments through Stripe.
• Send transactional communications (appointment reminders, refill notifications, system alerts).
• Monitor platform security and detect unauthorized access.
• Comply with legal obligations, including HIPAA requirements.

5. How We Share Your Information

We do not sell your personal information or PHI. We may share information with:

• Service providers: Supabase (database and authentication), Anthropic (AI lab analysis), Stripe (payment processing), and Vercel (hosting). Each operates under contractual obligations to protect your data.
• Healthcare providers: PHI is shared between patients and their linked providers as necessary for treatment purposes.
• Legal requirements: when required by law, court order, or governmental regulation.
• Business transfers: in connection with a merger, acquisition, or sale of assets, with equivalent privacy protections maintained.

6. Data Security

We implement industry-standard security measures including: encryption of data at rest (AES-256) and in transit (TLS 1.2+); row-level security policies enforcing data isolation between clinics and patients; role-based access controls with the principle of least privilege; immutable audit logging of all PHI access events; regular security assessments and vulnerability monitoring; and multi-factor authentication support.

7. Data Retention

We retain your information for as long as your account is active or as needed to provide Services. PHI is retained in accordance with applicable medical record retention laws (typically 6-10 years depending on jurisdiction). Upon account deletion, personal information is removed within 30 days, while anonymized and aggregated data may be retained for analytics. Audit logs are retained for a minimum of 6 years as required by HIPAA.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access and receive a copy of your personal data.
• Request correction of inaccurate information.
• Request deletion of your personal data (subject to legal retention requirements).
• Object to or restrict certain processing activities.
• Data portability — receive your data in a structured, machine-readable format.
• For patients: request an accounting of disclosures of your PHI as provided under HIPAA.

To exercise these rights, contact us at privacy@peptidepal.app.

9. Children's Privacy

Our Services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a minor, please contact us immediately.

10. Third-Party Services

Our platform integrates with the following third-party services:

• Supabase: database hosting, authentication, and real-time data synchronization. Data is stored in the US East region.
• Anthropic (Claude AI): AI-powered lab result analysis. PHI is transmitted via encrypted API calls; Anthropic does not retain or train on this data.
• Stripe: payment processing. PeptidePal does not store credit card numbers; all payment data is handled by Stripe in compliance with PCI DSS.
• Vercel: web application hosting and content delivery. No PHI is stored at the hosting layer.
• Apple App Store: distribution of the PeptidePal mobile application.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date and, where appropriate, by email notification. Your continued use of the Services after changes are posted constitutes acceptance of the revised policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at: