Privacy Policy

Last updated: June 1, 2026

1. Information We Collect

When you use peppy, we collect information you provide directly: email address, display name, and the health data you choose to log (protocol details, check-ins, lab results, and wearable metrics).

We also collect basic usage analytics (screen views, feature usage) to improve the app. We do not collect precise location data.

2. How We Use Your Data

Your health data is used exclusively to power your personal insights and timeline. We never use your health data for advertising, and we never sell it to third parties.

3. Data Storage & Security

All health data is encrypted at rest using AES-256 and in transit using TLS 1.3. OAuth tokens for wearable integrations are encrypted with Fernet symmetric encryption. Our infrastructure runs on HIPAA-eligible services with a Business Associate Agreement (BAA).

4. Wearable Integrations

When you connect Oura, Whoop, or Apple Health, we request only the data categories needed to generate insights (sleep, HRV, resting heart rate, recovery). You can disconnect at any time, and we will delete the associated tokens and synced data.

5. Data Retention & Deletion

You can export all your data or request full account deletion at any time. Upon deletion, all personal data is permanently removed within 30 days.

6. Third Parties

We use essential infrastructure providers (hosting, database, email delivery) under strict data processing agreements. We do not share your health data with any third party for their own purposes.

7. Contact

Questions about this policy? Reach us at legal@get-peppy.com.