Privacy Policy

Last updated 2026-04-11

Who we are

PepStash ("we", "us") operates pepstash.com, a health and fitness tracking software tool. We are a United States–based software business. You can contact us any time at support@pepstash.com.

What we collect

  • Account data — email address, name, hashed password (we never store plaintext passwords), and any OAuth identifiers from Google or Apple if you choose those providers.
  • User-created content — cycles, inventory items, dose logs, purity test records, protocol preferences, and any notes you enter.
  • Billing data — subscription plan, billing status, Stripe customer ID, and Stripe event history. We do not store your full credit card number; all card data is handled by Stripe.
  • Usage data — basic logs (request time, IP, user-agent) and, only after you opt in via the cookie banner, product analytics through PostHog.

How we use it

  • To provide the service you signed up for.
  • To process payments and manage your subscription (Stripe).
  • To send transactional email (password resets, billing receipts, export-ready notifications). We only send marketing email if you explicitly opt in.
  • To improve the product (only with anonymized analytics, and only after your consent).

Who we share data with

We only share data with the processors we need to run the service:

  • Stripe — payments and subscription management.
  • Vercel — web hosting.
  • Neon — Postgres database hosting.
  • Cloudflare R2 — secure storage for file uploads and data exports.
  • Resend — transactional email delivery.
  • Anthropic — Claude models power AI features you trigger (e.g., protocol summaries). Your inputs are sent to Anthropic only when you use those features.
  • Sentry / PostHog — error tracking and optional product analytics (consent-gated).

We do not sell your personal data. We do not share your content with any third party beyond the processors listed above.

Your rights

You can export a full copy of your data at any time from Settings → Privacy → Export. You can also request deletion of your account and all associated data from the same screen. Deletions start a 14-day grace window, after which your records are permanently removed from our database. We also cancel any active Stripe subscription and delete your Stripe customer record as part of the deletion flow.

If you are in the European Economic Area or the United Kingdom, you have additional rights under the GDPR including access, correction, objection, and portability. Contact us at support@pepstash.com to exercise these rights.

Data retention

We keep account and content data while your account is active. After deletion, we retain a minimal audit record (user ID, event type, timestamp) for up to 12 months to satisfy legal and accounting obligations.

Security

Traffic is served over HTTPS. Passwords are hashed with modern salted schemes. Sensitive columns are encrypted at rest. We rate-limit authenticated endpoints and never write personal data to our application logs.

Children

PepStash is not intended for anyone under 18. We do not knowingly collect data from minors.

Changes to this policy

We will update the "Last updated" date at the top of this page whenever we revise the policy. Material changes will also be announced via email to account holders.