Privacy Policy

Peptide Tracker is designed to collect as little personal data as possible. No data sales, no profile trail, and no email required for account access.

Last updated: February 2026

Information We Collect

Data You Provide

  • Access Code: A randomly generated 12-character code used to identify your account. We store a secure hash of your code for lookup and an encrypted copy for on-demand display. The full code is shown only when created, rotated, or revealed in settings.
  • Peptide Data: Peptide names, schedules, dosing information, and settings you create.
  • Dose Logs: Dates, times, amounts, and optional notes you record.
  • Feedback: If you submit feedback, we collect your message and optionally your email if you provide one. The feedback form does not require browsing history fields.

Automatically Collected

  • Timezone: Your browser's timezone is detected automatically to ensure dose reminders are sent at the correct local time.
  • Abuse-Prevention Data: For security and rate limiting, some endpoints process IP address information.

Push Notifications (Optional)

  • If you enable dose reminders, we store your push subscription which includes a unique endpoint URL and encryption keys
  • This data is used solely to send you dose reminder notifications
  • You can disable reminders at any time, which deletes your push subscription
  • Push notifications are delivered via your browser's push service (e.g., Google for Chrome, Apple for Safari)

How We Use Your Data

  • To provide and operate the Peptide Tracker service
  • To save and sync your peptides and dose logs
  • To respond to feedback or support requests
  • To maintain reliability and security, and to fix bugs

Data Storage & Security

  • Your data is stored on servers located in the United States
  • All connections are encrypted using HTTPS/TLS
  • We use Cloudflare for additional security and DDoS protection
  • Access codes are the only identifier - we don't store emails or passwords

Data Retention & Deletion

  • Your data is retained as long as your account exists
  • You can export all your data at any time in JSON or CSV format
  • You can delete your account from the dashboard, which permanently removes all your data

Third-Party Services

We use the following third-party services:

  • Cloudflare: CDN and security infrastructure (see Cloudflare's Privacy Policy).
  • Internal Monitoring: Feedback and operational errors are reviewed through restricted internal application logs.
  • Browser Push Services: If you enable dose reminders, notifications are delivered through your browser's push notification service (Google FCM for Chrome, Apple Push for Safari, Mozilla Push for Firefox).

Your Rights

You have the right to:

  • Access: View all your data in the dashboard
  • Export: Download your data in JSON or CSV format
  • Delete: Permanently delete your account and all associated data
  • Portability: Take your data with you using the export feature

Cookies & Local Storage

We use essential cookies and browser storage to provide functionality:

Cookies

  • Access Token: HttpOnly cookie containing your encrypted JWT token (expires after 7 days)
  • Refresh Token: HttpOnly cookie for extending your session (expires after 30 days)

Local Storage

  • Theme Preference: Your light/dark mode selection is stored locally
  • Offline Queue: When offline, pending actions are temporarily stored until connection is restored

Service Worker Cache

  • Static Assets: CSS, JavaScript, and images are cached for offline use
  • API Responses: Recent peptide and calendar data is cached for offline viewing
  • Cache is automatically updated when new versions are released
  • You can clear the cache by clearing your browser data or uninstalling the PWA

We do not use tracking cookies or third-party advertising cookies. All storage is for essential functionality only.

Offline Functionality

Peptide Tracker works offline through Progressive Web App (PWA) technology:

  • When offline, you can view your cached peptides and calendar data
  • Dose logs created offline are queued and automatically synced when you reconnect
  • Queued data is stored locally on your device until successfully synced
  • Failed syncs may be retried when connectivity returns

Data Processing

The following calculations are performed on your data:

  • Inventory Tracking: We calculate remaining doses based on your logged amounts and reconstitution settings
  • Unit Conversions: If you dose in mL, we convert to mg using your vial concentration for inventory tracking
  • Schedule Calculations: We determine upcoming doses based on your peptide frequency and cycle settings
  • Statistics: Compliance rates and usage patterns are calculated from your log history

All calculations happen on our servers using only the data you've entered. No data is shared externally for processing.

Children's Privacy

Peptide Tracker is not intended for use by individuals under 18 years of age. We do not knowingly collect data from minors.

Changes to This Policy

We may update this Privacy Policy from time to time. Changes are posted on this page with a revised date. If you continue to use the service after updates are posted, you accept the updated policy.

International Data Transfers

Your data may be transferred to and processed in the United States where our servers are located. By using the Service, you consent to this transfer. We take steps to ensure your data is protected in accordance with this Privacy Policy regardless of where it is processed.

California Privacy Rights (CCPA)

If you are a California resident, you have specific rights regarding your personal information:

  • Right to Know: You can request information about the categories and specific pieces of personal information we have collected about you
  • Right to Delete: You can request deletion of your personal information (available via account deletion in the dashboard)
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
  • No Sale of Data: We do not sell personal information to third parties

European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, you have additional rights:

  • Legal Basis: We process your data based on your consent (by creating an account) and our legitimate interest in providing the Service
  • Right to Rectification: You can correct inaccurate data through the app
  • Right to Restriction: You can request restriction of processing in certain circumstances
  • Right to Object: You can object to processing based on legitimate interests
  • Right to Lodge a Complaint: You can file a complaint with your local data protection authority

Data Security Measures

We implement appropriate technical and organizational measures to protect your data:

  • All data transmission is encrypted using TLS 1.2 or higher
  • Access codes are hashed before storage and stored encrypted for on-demand display
  • Session authentication uses signed JWT cookies with CSRF protection
  • Rate limiting is used on sensitive endpoints to reduce abuse

Data Breach Notification

In the unlikely event of a data breach affecting your personal information, we will notify affected users through available channels as required by applicable law. Because email is not required for account access, in-app and public notices may be used where appropriate.

Contact

If you have questions about this Privacy Policy or your data, please use the feedback widget in the app to contact us.