1. Introduction
Welcome to Peptino ("App", "Service"). Peptino is a research-tracking and personal organisation tool that helps users log and monitor their own compound protocols, inventory, and progress metrics. It is not a medical device and does not provide medical advice.
This Privacy Policy explains how GENERAL OFFICE SP. Z O.O. ("we", "us", "our", "Company"), a company incorporated under Polish law (KRS registered; NIP: 5252873150, REGON: 389731305), with its registered office at Plac Bankowy 2, 00-095 Warszawa, Poland, collects, uses, stores, and protects your personal data when you use Peptino.
By installing or using the App you acknowledge that you have read and understood this Policy. If you do not agree, please discontinue use and delete the App.
2. Data Controller
| Field | Details |
|---|---|
| Controller | GENERAL OFFICE SP. Z O.O. |
| Registered address | Plac Bankowy 2, 00-095 Warszawa, Poland |
| NIP | 5252873150 |
| REGON | 389731305 |
| Contact e-mail | contact@peptino.app |
For all privacy-related requests, write to contact@peptino.app with the subject line "Privacy Request".
3. Data We Collect
3.1 Data you provide directly
| Category | Examples | Where stored |
|---|---|---|
| Account data | E-mail address, name (optional) | Supabase (cloud) + device |
| Protocol & dose data | Compound names, dose amounts, schedules, dose logs | Device (primary); Supabase (sync, if enabled) |
| Inventory data | Vial details, amounts, expiry dates | Device (primary); Supabase (sync, if enabled) |
| Progress metrics | Body weight, body-fat percentage, personal goals | Device (primary); Supabase (sync, if enabled) |
| Profile preferences | Units of measure, language, app theme | Device (primary); Supabase (sync, if enabled) |
3.2 Data collected automatically
| Category | Examples | Purpose |
|---|---|---|
| Analytics events | Screen views, feature interactions (no PII) | Product improvement |
| Crash & diagnostic data | Error messages, device OS version | Stability monitoring |
| Purchase data | Subscription status, transaction identifiers | Entitlement management |
| Device identifiers | Anonymous device ID | Analytics, fraud prevention |
We do not collect precise location data, contacts, photos, or any camera/microphone data.
4. Special Category Data
Dose logs, weight, and body-composition records may constitute health-related data within the meaning of Article 9 GDPR. We process such data on the basis of your explicit consent (Art. 9(2)(a) GDPR), which you grant by accepting this Policy and actively entering the data. You may withdraw consent at any time by deleting your data (see §10, Erasure).
5. Legal Bases for Processing
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing the App and its core features | Art. 6(1)(b) — performance of a contract |
| Cloud sync and backup | Art. 6(1)(a) — consent |
| Analytics and product improvement | Art. 6(1)(f) — legitimate interests |
| Subscription and payment management | Art. 6(1)(b) — performance of a contract |
| Legal obligations (e.g. accounting) | Art. 6(1)(c) — legal obligation |
| Security monitoring and fraud prevention | Art. 6(1)(f) — legitimate interests |
6. How We Use Your Data
- To operate the App: store and synchronise your protocols, inventory, and progress across your devices.
- To manage subscriptions: verify your subscription entitlement and process in-app purchases via RevenueCat.
- To improve the product: analyse aggregated, anonymised usage patterns via PostHog analytics.
- To communicate with you: respond to support requests sent to contact@peptino.app.
We do not sell, rent, or share your personal data with third parties for marketing purposes.
7. Third-Party Services
| Service | Provider | Purpose | Data sent |
|---|---|---|---|
| Supabase | Supabase Inc. (USA) | Authentication, cloud database sync | Account data, synced protocol/inventory/progress data |
| RevenueCat | RevenueCat Inc. (USA) | Subscription management | Purchase receipts, anonymous app user ID |
| PostHog | PostHog Inc. (USA / EU cloud) | Product analytics | Anonymous usage events, device OS |
| Apple / Google | Apple Inc. / Google LLC | App distribution, in-app payments | As per platform policies |
Transfers of personal data to processors outside the EEA are safeguarded by Standard Contractual Clauses (SCCs) or another transfer mechanism recognised under Chapter V GDPR (such as an adequacy decision).
8. Data Storage and Security
- Local storage: all primary data is stored in an AES-256 encrypted SQLite database on your device. The encryption key is generated on-device and stored in the iOS Keychain / Android Keystore — it never leaves your device.
- Cloud storage: data synced to Supabase is encrypted in transit (TLS 1.2+) and at rest. Access is restricted by Row-Level Security policies so only your authenticated account can read your data.
Despite these measures, no system is perfectly secure. We recommend using a strong, unique password for your account.
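The Row-Level Security statement above is easiest to understand with a concrete policy set. The following SQL is an added illustration, not Peptino's actual schema or policies: it assumes a hypothetical Supabase (PostgreSQL) table `public.dose_logs` with an owner column `user_id`, and shows the policies that make "only your authenticated account can read your data" true at the database layer. `auth.uid()` is Supabase's built-in function that returns the `sub` claim of the caller's JWT.

```sql
-- Added illustration, not Peptino's own schema or policies.
-- Assumed: table public.dose_logs with an owner column user_id that
-- references auth.users. The goal is that a row is visible to, and
-- writable by, exactly the authenticated account that owns it.

create table if not exists public.dose_logs (
  id          uuid primary key default gen_random_uuid(),
  user_id     uuid not null default auth.uid()
              references auth.users (id) on delete cascade,
  compound    text not null,
  dose_amount numeric not null,
  logged_at   timestamptz not null default now()
);

-- Without ENABLE, policies are ignored and any client holding the public
-- anon/authenticated key could read every row. FORCE applies the policies
-- to the table owner as well.
alter table public.dose_logs enable row level security;
alter table public.dose_logs force row level security;

-- One policy per operation. Each one compares the row's owner with the
-- JWT subject of the caller; no policy is granted to the anon role, so
-- unauthenticated requests see zero rows.
create policy "dose_logs_select_own" on public.dose_logs
  for select to authenticated
  using (user_id = auth.uid());

create policy "dose_logs_insert_own" on public.dose_logs
  for insert to authenticated
  with check (user_id = auth.uid());

create policy "dose_logs_update_own" on public.dose_logs
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy "dose_logs_delete_own" on public.dose_logs
  for delete to authenticated
  using (user_id = auth.uid());

-- Check (run inside a transaction in the SQL editor): impersonate an
-- authenticated user and confirm only that user's rows are returned.
-- The UUID below is a placeholder, not a real account.
begin;
set local role authenticated;
set local request.jwt.claims = '{"sub":"00000000-0000-0000-0000-000000000001"}';
select count(*) from public.dose_logs;  -- rows owned by that sub only
rollback;
```

Two points a reviewer would check against such a setup: the `with check` clause on inserts and updates is what stops a client from writing rows tagged with someone else's `user_id` (a `using` clause alone only filters reads), and Supabase's `service_role` key bypasses RLS entirely, so it must never be embedded in the mobile app. The `on delete cascade` reference to `auth.users` is what makes account deletion remove the synced rows together with the account.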
9. Data Retention
| Data type | Retention period |
|---|---|
| Account & synced data | Until you delete your account |
| Local device data | Until you uninstall the App or use "Delete all data" |
| Analytics events | 24 months (anonymised; no individual deletion possible) |
| Support correspondence | 3 years from last contact |
| Accounting/transaction records | 5 years (legal obligation under Polish law) |
10. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights:
- Access (Art. 15): request a copy of all personal data we hold about you.
- Rectification (Art. 16): correct inaccurate data directly within the App or by contacting us.
- Erasure (Art. 17): delete your account and all associated data. In the App: Settings → Data & Privacy → Delete Account & Data. This wipes local data and all Supabase records. Note: anonymised analytics data cannot be individually deleted.
- Data portability (Art. 20): export your data in JSON/CSV format. In the App: Settings → Data & Privacy → Export My Data.
- Restriction (Art. 18): request restriction of processing in certain circumstances.
- Objection (Art. 21): object to processing based on legitimate interests.
- Withdraw consent (Art. 7(3)): at any time, without affecting the lawfulness of prior processing. Withdrawal means the relevant feature (e.g. cloud sync) will stop working.
- Lodge a complaint: with the Polish supervisory authority, Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa — uodo.gov.pl.
To exercise any right, e-mail contact@peptino.app with the subject "GDPR Request — [Right]". We will respond within 30 calendar days.
11. Children's Privacy
Peptino is intended for adults only. We do not knowingly collect data from individuals under the age of 18. If you believe a minor has provided personal data, please contact us immediately and we will delete it.
12. Changes to This Policy
We may update this Policy from time to time. Material changes will be notified via an in-app notice or e-mail at least 14 days before taking effect. Continued use of the App after the effective date constitutes acceptance of the revised Policy.
13. Contact
GENERAL OFFICE SP. Z O.O.
Plac Bankowy 2, 00-095 Warszawa, Poland
E-mail: contact@peptino.app
This document was prepared in accordance with Regulation (EU) 2016/679 (GDPR) and the Polish Act on Personal Data Protection of 10 May 2018.