Privacy Policy
Last updated: 16 July 2026
My Peptide Protocol (“we”, “us”) is operated from British Columbia, Canada. This policy explains what we collect, why, and the control you have over it. We have tried to write it in plain language rather than legalese. If anything is unclear, email support@mypeptideprotocol.app.
The short version
- You can use the calculator and peptide library with no account and no tracking of who you are.
- If you create an account, we store only what you enter and what we need to run the service.
- Your data is stored in Canada and isolated per-user at the database level.
- We never sell your data, and we do not run advertising trackers.
- You can export everything or delete your account and all data at any time, from Settings.
What we collect
If you never sign up: nothing that identifies you. The calculator runs in your browser and the library is public.
If you create an account:
- Account: your email address, an encrypted password hash (we never see your password), and your confirmation that you are 18 or older.
- Data you enter: protocols, dose logs, vial and source records (vendor, price, batch, photos), and journal entries (mood, energy, weight, side effects, notes).
- Reminders: the times you choose, so we can email you.
- Timezone: stored in a cookie so dates and streaks are correct for you.
- Theme preference: stored in your browser only.
Some of this — journal entries, weight, side effects — is sensitive health-related information. We treat it that way. We do not use it for anything except showing it back to you.
What we do NOT collect
- Payment card details. These go directly to Stripe and never touch our servers. We store only a Stripe customer reference and your plan status.
- Advertising or cross-site tracking cookies. We do not use Meta, Google Ads, or similar pixels.
- Your location, contacts, or device identifiers.
Where your data lives
Your database and uploaded vial photos are hosted with Supabase in the ca-central-1 (Canada)region. Data is encrypted in transit (HTTPS) and at rest. Every table enforces row-level security keyed to your user ID, which means the database itself will refuse to return one user’s records to another — it is not merely an application-level check. Vial photos are held in a private bucket that is not publicly accessible.
Who we share it with
We do not sell your data or share it for marketing. We use a small number of service providers who process data strictly on our behalf:
- Supabase — database, authentication, and photo storage (Canada).
- Vercel — application hosting and delivery.
- Stripe — subscription payments. Stripe receives your email and payment details directly.
- Resend — sends reminder and account emails. Receives your email address and the message.
Some of these providers operate infrastructure outside Canada, which means data may be processed in other countries and could be subject to their laws. We may also disclose information if required by law, or to protect our rights or someone’s safety.
Your rights and control
Under Canadian privacy law (PIPEDA) — and consistent with GDPR principles — you can:
- Access and export everything, any time, from Settings (CSV and printable formats).
- Correct anything by editing it in the app.
- Delete your account and all associated data from Settings. This is immediate and permanent.
- Withdraw consent by turning off reminders or closing your account.
- Complain to the Office of the Privacy Commissioner of Canada if you believe we have mishandled your data.
How long we keep it
We keep your data for as long as your account exists. When you delete your account, your records are removed from our live database immediately; residual copies may persist in encrypted backups for a short period before being overwritten. Limited billing records are retained by Stripe where tax and accounting law requires it.
Cookies
We use only what the app needs to function: a secure session cookie to keep you signed in, a timezone cookie so your dates are right, and a theme preference stored locally. No advertising or analytics cookies that identify you personally.
Age requirement
This service is for adults aged 18 or older. We do not knowingly collect information from minors. If you believe a minor has created an account, contact us and we will remove it.
Changes and contact
If we make a material change to this policy we will update the date above and, where the change is significant, notify account holders by email. Questions, requests, or complaints: support@mypeptideprotocol.app.
See also our Terms of Service.