Legal

Privacy Policy & Data Practices

Last updated June 22, 2026. This document is a template provided for transparency about how the product is built. It is not legal advice and must be reviewed and adapted by qualified counsel (and, where Peptalk handles protected health information, a HIPAA-aware reviewer) before production use.

Who we are

Peptalk is a software platform for organizing wellness protocols and supporting clinician review. It does not diagnose, treat, prescribe, dispense, or provide medical advice. Peptalk is not a pharmacy and does not e-prescribe. All clinical decisions are made by your licensed healthcare provider.

Peptalk is multi-tenant and patient-portable: you own your record at the platform level, and clinics are granted scoped access through a relationship you control.

Data we collect

  • Account data — your name, email, phone, and authentication credentials (your password is stored only as a hash; we never store it in plain text).
  • Health & protocol data (PHI) — protocols, doses, vials, injection-site history, weights and metrics, labs you upload, check-ins, and the consents and information requests you create.
  • Relationship data — which clinics you share with, each relationship's status, and the sharing scopes you have enabled per clinic.
  • Audit & security logs — an append-only record of clinically and compliance-relevant actions (sign-ins, record access, protocol changes, access grants and revocations) used for security and accountability.

How we use your data

  • To provide the core record-keeping product: tracking doses, vials, metrics, and protocols, and surfacing reminders.
  • To let clinics you connect to review the scopes you share with them.
  • To secure the platform, detect abuse, and maintain the audit trail.

We practice data minimization: we collect only what the product needs, and we do not sell your data.

The portability model

The patient owns the record. Clinics see only the scopes you have explicitly shared with them. When you revoke a clinic's access, that access is cut immediately — enforced at the database with Row-Level Security (RLS), not just in the application. Active protocols from a clinic you remove are paused and must be reviewed by a new provider before continuing.

Data sharing & subprocessors

We share your data only in two ways:

  • Clinics you connect to — and only within the sharing scopes you enable for each relationship.
  • Infrastructure subprocessors that operate the platform on our behalf:
    • Vercel — application hosting.
    • Neon — managed PostgreSQL database.
    • Expo — push notification delivery. Push payloads carry no PHI — only generic prompts to open the app.

We do not sell your data or share it with advertisers.

Security

  • Encryption in transit for all traffic.
  • Two-scope Row-Level Security isolating data by tenant and by patient relationship, enforced at the database.
  • Hashed passwords (argon2) — never stored in plain text.
  • Audited access — record access and changes are written to an append-only audit log.
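As an added illustration of the two-scope RLS model described under The portability model and in the Security list above (example PostgreSQL written for this page, not Peptalk's actual schema or policies; the table names and the app.patient_id / app.clinic_id session settings are assumptions):

```sql
-- Added illustration only: hypothetical tables and session settings, not Peptalk's schema.
-- The app is assumed to SET LOCAL app.patient_id or app.clinic_id per request.
create table clinic_relationships (
  patient_id  uuid not null,
  clinic_id   uuid not null,
  status      text not null check (status in ('active', 'revoked')),
  scopes      text[] not null default '{}',   -- e.g. '{protocols,metrics}'
  primary key (patient_id, clinic_id)
);
create table protocols (
  id         uuid primary key default gen_random_uuid(),
  patient_id uuid not null,
  clinic_id  uuid not null,   -- clinic that authored the protocol
  status     text not null default 'active',
  body       jsonb not null
);
alter table protocols enable row level security;
alter table protocols force row level security;  -- applies to the table owner too

-- Scope 1: the patient owns the record and always sees and controls their own rows.
-- current_setting(..., true) yields NULL when unset, so an unidentified
-- session matches nothing rather than everything.
create policy patient_owns_record on protocols
  for all
  using (patient_id = current_setting('app.patient_id', true)::uuid)
  with check (patient_id = current_setting('app.patient_id', true)::uuid);

-- Scope 2: a clinic reads a row only while an active relationship exists
-- that includes the 'protocols' scope. Setting status to 'revoked' (or
-- dropping the scope) hides the rows on the very next query, with no
-- application-side filtering involved.
create policy clinic_scoped_read on protocols
  for select
  using (exists (
    select 1 from clinic_relationships r
    where r.patient_id = protocols.patient_id
      and r.clinic_id  = current_setting('app.clinic_id', true)::uuid
      and r.status     = 'active'
      and 'protocols'  = any (r.scopes)));

-- Revocation by the patient, in one transaction: cut access and pause the
-- clinic's active protocols ($1 = clinic id bound by the application).
begin;
update clinic_relationships set status = 'revoked'
  where patient_id = current_setting('app.patient_id', true)::uuid and clinic_id = $1;
update protocols set status = 'paused'
  where patient_id = current_setting('app.patient_id', true)::uuid
    and clinic_id = $1 and status = 'active';
commit;
```

In a real deployment clinic_relationships needs its own patient-only policy in the same style, and the application must connect as a non-superuser role, since superusers and roles with BYPASSRLS are not subject to these policies.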

Data retention

We retain your data for as long as your account is active or as needed to provide the service. When you request deletion (see Your Data Rights), we close your account and remove your personal record on the schedule described there. Clinics may be legally required to retain copies of medical records they hold; those are the clinic's records and are subject to the clinic's own retention obligations.

Children

Peptalk is not directed to children and is not intended for anyone under 18. We do not knowingly collect data from minors. If you believe a minor has created an account, please contact us via Contact.

Exercising your rights

You can access and export your record, request correction or deletion, control what each clinic sees, and revoke a clinic's access at any time. See Your Data Rights for how, and Contact for where to send requests.