PeptideMonitor.

Privacy Policy

Effective: April 27, 2026 · Version 5.0

This policy explains what personal data PeptideMonitor collects, how it is used, who it is shared with, and what rights you have over it. We try to write clearly and keep collection to the minimum needed to run the Service.

Contents

Who we are
Scope of this policy
Information we collect
How we use your data
Legal bases (EU / UK / Swiss users)
Health and biometric data
Wearable and device integrations
Apple integrations
AI-powered features
Service providers
International data transfers
Data sharing
Data retention
Cookies and analytics
Data security
Your rights
Children's privacy
Changes to this policy
Governing law
Contact

1. Who we are

PeptideMonitor is operated by Tomas Sniukas, an individual sole proprietor based in the Republic of Lithuania. In this policy we refer to ourselves as "PeptideMonitor," "we," "us," or "our."

The data controller responsible for your personal data under the EU General Data Protection Regulation (GDPR), the UK GDPR, and equivalent laws is Tomas Sniukas, contactable at the details in section 20 below.

2. Scope of this policy

This Privacy Policy applies to your use of the PeptideMonitor mobile application, the website at peptidemonitor.app, and any related services (together, the "Service"). By using the Service you acknowledge the practices described here.

This policy does not apply to third-party services you separately connect to PeptideMonitor. Those services (such as WHOOP, Oura, Apple Health, and your Apple ID) are governed by their own privacy policies.

3. Information we collect

3.1 Information you provide

Email address and account credentials
Display name and profile details you enter
Protocol and tracking data: compounds, doses, timing, schedules, notes
Vial and inventory records you enter
Injection site records where applicable
Manually entered biometric values (for example weight, sleep, recovery)
Goal data, including target weight and primary objectives
Laboratory results you choose to upload (PDFs, images, or manually entered values)
DEXA scan results you choose to upload
Symptom logs and severity ratings
Body progress photos you choose to upload
Support messages, feedback, and survey responses

3.2 Information collected automatically

Device type, operating system, and app version
App usage events (which screens you visit, when, how often)
Crash logs and performance diagnostics
IP address (used for approximate location and security)
Push-notification tokens, if you enable notifications

3.3 Information received from connected services

If you choose to connect a wearable or third-party service, we receive data from that service based on the permissions you grant. See sections 7 and 8 for specifics on WHOOP, Oura, and Apple HealthKit.

4. How we use your data

We use personal data to:

Operate, maintain, and secure the Service
Provide core features including protocol tracking, dose logging, biometric import, lab and DEXA parsing, and analytical summaries
Generate personalised insights and statistical correlations between your protocols and biometric data
Send reminders and notifications you have enabled
Respond to support requests and communicate important updates about the Service
Improve performance, reliability, and user experience
Detect, prevent, and investigate fraud, abuse, and security incidents
Comply with legal and regulatory obligations

We do not sell your personal data. We do not rent it. We do not operate as a data broker.

5. Legal bases (EU / UK / Swiss users)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data on the following legal bases under the GDPR and equivalent laws:

Contract — to provide the Service you have requested, including account management and core tracking features
Consent — for health and biometric data, wearable integrations, optional notifications, AI-powered processing of lab and compound data, and any marketing communications
Legitimate interests — to operate, secure, and improve the Service, prevent abuse, and develop new features, where those interests are not overridden by your rights and freedoms
Legal obligation — where processing is required by applicable law

You may withdraw consent for consent-based processing at any time without affecting the lawfulness of processing carried out before withdrawal.

6. Health and biometric data

PeptideMonitor processes information that may be classified as "special category data" under Article 9 GDPR, including health data, biometric measurements, and information about supplements or substances you track. We treat this data with elevated care.

The legal basis for processing special category data is your explicit consent, given when you create an account and when you connect wearables or upload lab and DEXA results. You may withdraw this consent at any time by disconnecting integrations, deleting specific records, or deleting your account.

Health data is stored in encrypted form and is accessible only through your authenticated account.

7. Wearable and device integrations

PeptideMonitor currently supports three wearable integrations: Apple HealthKit, WHOOP, and Oura. No other wearable integrations are supported, and we do not have plans to add others.

7.1 WHOOP

If you connect your WHOOP account, the Service requests data from WHOOP via the WHOOP Developer API based on the permissions you grant during authorisation. Scopes that may be requested include:

Recovery — recovery score, HRV, and resting heart rate
Cycles — daily physiological cycles, strain, and heart-rate metrics
Sleep — sleep duration, performance, efficiency, stages, and respiratory rate
Profile — basic identity to link your WHOOP account with your PeptideMonitor account
Body measurement — height and maximum heart rate (when available)

To maintain the connection we store your WHOOP OAuth access token and refresh token in encrypted form on our backend. These tokens are used only to sync your WHOOP data into PeptideMonitor and are never shared with third parties.

You can disconnect WHOOP at any time from the Wearables screen in the app. Disconnecting revokes the token and stops further syncing. You can also revoke access directly from your WHOOP account settings. See whoop.com/privacy for how WHOOP itself handles your data.

7.2 Oura

If you connect your Oura account, the Service requests data from Oura via the Oura Cloud API v2 based on the permissions you grant during authorisation. Scopes that may be requested include:

Daily sleep — sleep score, duration, efficiency, stages, and timing
Daily readiness — readiness score and contributing factors
Heart rate — resting heart rate and HRV measurements
Profile — basic identity to link your Oura account with your PeptideMonitor account

To maintain the connection we store your Oura OAuth access token and refresh token in encrypted form on our backend. These tokens are used only to sync your Oura data and are never shared with third parties.

You can disconnect Oura at any time from the Wearables screen in the app. Disconnecting revokes the token and stops further syncing. You can also revoke access directly from your Oura account settings. See ouraring.com/privacy-policy for how Oura itself handles your data.

7.3 Disconnection

You can disconnect any wearable integration at any time from the Wearables screen in the app. Disconnecting revokes stored tokens for that service and stops further data collection. Biometric data previously imported remains in your account unless you delete it separately.

8. Apple integrations

8.1 Apple HealthKit

If you enable the Apple HealthKit integration, we access only the health data categories you explicitly authorise on your device. In line with Apple's HealthKit requirements:

HealthKit data is used only to provide the functionality of the Service
HealthKit data is never sold, shared with third parties, or used for advertising or marketing
HealthKit data is never used for research without your separate, explicit consent
You can revoke HealthKit access at any time via your device's Settings → Privacy & Security → Health

8.2 Apple Watch

When Apple HealthKit integration is enabled, data collected by Apple Watch that you have authorised for sharing with the Health app will flow into PeptideMonitor through HealthKit. This may include heart rate, HRV, activity, workouts, sleep, body weight, and other metrics your Apple Watch tracks. The same HealthKit privacy rules in 8.1 apply to Apple Watch data.

8.3 Sign in with Apple

If you choose to sign in using Sign in with Apple, Apple may share your name and a relay email address with us. You can choose to share or hide your real email address; if you hide it, Apple provides a private relay email that forwards to your real address. We use this information solely to create and maintain your account.

9. AI-powered features

PeptideMonitor uses two AI service providers to deliver specific features. Each is used only for the purposes described below.

9.1 Mistral AI — optical character recognition

We use Mistral AI's OCR API to convert uploaded laboratory PDFs and DEXA scan PDFs into machine-readable text. When you upload a lab or DEXA document:

The PDF is transmitted to Mistral AI for text extraction
Mistral AI returns extracted text and structural information
The extracted output is then processed locally and via Google Gemini (see 9.2) to identify markers, values, and reference ranges
We do not transmit your account credentials, payment data, or direct identifiers (full name, email) to Mistral AI

Mistral AI is based in France (European Union). Per Mistral's published terms, customer data submitted to its API is not used to train Mistral's models.

9.2 Google Gemini — structured extraction and compound enrichment

We use Google Gemini to:

Parse OCR output from lab and DEXA documents into structured marker data (marker name, value, unit, reference range)
Enrich the compound database with mechanism-of-action descriptions, clinical-trial indications, and adverse-event frequencies, drawn from public sources such as ChEMBL, Open Targets, and ClinicalTrials.gov

When Gemini is used:

For lab and DEXA parsing: extracted text is transmitted to Gemini for structured extraction. We do not transmit your account credentials, payment data, or direct identifiers.
For compound enrichment: only public compound names and identifiers are sent. No personal data is involved.

Per Google's published terms for the Gemini API, prompt and response data submitted via the paid API tier are not used to train Google's models.

9.3 Future AI providers

If we change AI service providers in the future (for example, replacing Gemini with Anthropic's Claude or another model), we will update this policy and, where consent is required under applicable law, request your consent in-app before activating the new provider.

We will not transmit personal data to any AI provider beyond what is described in 9.1 and 9.2 without first updating this policy.

10. Service providers

We rely on a small number of service providers to operate the Service. Each has been selected for its security posture and legal compliance. Current service providers include:

Supabase, Inc. — authentication, database, and backend hosting (primary storage of your personal data; US East region)
WHOOP, Inc. — wearable data integration, if you choose to connect WHOOP
Oura Health Oy — wearable data integration, if you choose to connect Oura
Apple Inc. — App Store distribution, HealthKit integration, Sign in with Apple, and payment processing for iOS subscriptions
Mistral AI — optical character recognition for laboratory and DEXA documents (see section 9)
Google LLC — Gemini AI processing for structured data extraction and compound enrichment (see section 9); email form submissions from the landing page; Sign in with Google authentication
RevenueCat, Inc. — subscription management and entitlement checks for in-app purchases
Expo, Inc. (EAS) — mobile build infrastructure, over-the-air updates, and push-notification delivery
Hostinger International Ltd. — website hosting for peptidemonitor.app

We share only the minimum data necessary for each provider to perform its function, under contractual obligations requiring appropriate confidentiality and security measures.

11. International data transfers

Your primary account data is stored in Supabase's US East region (Northern Virginia, United States). Some of our other service providers are also based in the United States or may process data there.

When personal data of users located in the European Economic Area, the United Kingdom, or Switzerland is transferred outside those regions, we rely on appropriate legal safeguards, which may include:

Standard Contractual Clauses adopted by the European Commission
Adequacy decisions where applicable (including the EU-U.S. Data Privacy Framework where the recipient is certified)
Supplementary technical measures such as encryption in transit and at rest

Mistral AI processing occurs in the European Union; no transfer outside the EU is involved for OCR processing.

By using the Service, you acknowledge that your data may be processed in the United States and other countries that may have different data-protection standards than your home jurisdiction.

12. Data sharing

We share personal data only in the following limited situations:

With the service providers listed in section 10, solely to operate the Service
When required by law, court order, or governmental request
To protect the security, rights, property, or safety of PeptideMonitor, our users, or the public
In connection with a business transition such as a merger, acquisition, or sale of assets, subject to continued obligations under this policy
With your explicit consent for any other purpose

We do not sell, rent, or license your personal data to third parties.

13. Data retention

We retain your personal data for as long as your account is active and for the following periods:

Account and profile data — until you delete your account, plus up to 30 days in backups
Protocol, dose, and biometric data — retained with your account; deleted when you delete your account
Lab and DEXA documents — retained with your account; deleted when you delete your account or remove specific documents
Wearable OAuth tokens — until you disconnect the integration or delete your account
Subscription records (RevenueCat) — retained for the lifetime of your subscription plus the period required by tax and accounting law
Support communications — up to 2 years, to resolve issues and improve the Service
Crash logs and diagnostics — up to 90 days
Payment and tax records — as required by applicable tax and accounting law (typically 10 years in Lithuania)

You can request account deletion at any time from within the app or by contacting info@peptidemonitor.app. Valid deletion requests are processed within 30 days, subject to any legal obligation to retain specific records.

14. Cookies and analytics

The website peptidemonitor.app uses minimal cookies or local storage only where necessary for the site to function (for example, to remember your theme preference). We do not use cross-site tracking, advertising cookies, or third-party advertising trackers.

The mobile application may collect limited analytics and crash data to understand how the app is used and to improve performance. These analytics do not identify you personally.

If we introduce additional analytics or advertising tools in the future, we will disclose them in an updated version of this policy and, where required, request your consent.

15. Data security

We use reasonable technical and organisational safeguards to protect your personal data, including:

Encryption of data in transit (TLS / HTTPS)
Encryption of sensitive credentials such as OAuth tokens at rest
Row-level security and least-privilege access controls on our backend database
Restricted access to production systems
Regular security reviews and dependency updates

No system is completely secure. If we become aware of a data breach affecting your personal data, we will notify you and relevant supervisory authorities as required by applicable law.

16. Your rights

16.1 EU, UK, and Swiss users

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the right to:

Access the personal data we hold about you
Request correction of inaccurate or incomplete data
Request erasure of your data (the "right to be forgotten")
Request restriction of processing
Object to processing based on legitimate interests
Request data portability (a copy of your data in a structured, machine-readable format)
Withdraw consent at any time for processing based on consent
Lodge a complaint with your national data-protection supervisory authority — in Lithuania, this is the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija), vdai.lrv.lt

16.2 California users

California residents have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know, delete, correct, and opt out of the "sale" or "sharing" of personal information. We do not sell or share your personal information as defined by the CCPA.

16.3 Other U.S. states

Residents of other U.S. states with comprehensive privacy laws (such as Virginia, Colorado, Connecticut, Utah, Texas, and Oregon) have similar rights to access, correct, and delete personal data.

16.4 Exercising your rights

To exercise any of these rights, contact us at info@peptidemonitor.app. We may ask you to verify your identity before acting on a request. We will respond within the timeframes required by applicable law (typically 30 days under the GDPR; 45 days under the CCPA).

17. Children's privacy

PeptideMonitor is intended for adults only. The Service is not directed to children under 18. We do not knowingly collect personal data from children. If we become aware that a child has provided personal data, we will delete it as soon as possible. If you believe a child has provided us with personal data, please contact us at info@peptidemonitor.app.

18. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Effective" date at the top of this page and, where appropriate, notify you in-app or by email. Your continued use of the Service after an update constitutes acceptance of the revised policy.

19. Governing law

This Privacy Policy is governed by the laws of the Republic of Lithuania and applicable EU privacy regulations. Nothing in this policy limits rights that cannot be waived under applicable mandatory law, including rights under the GDPR, the CCPA, or other consumer-protection statutes.

20. Contact

For questions, requests, or complaints about this Privacy Policy, or to exercise your data rights, contact us at:

Tomas Sniukas
Status: Individual sole proprietor
Address: Drugeliu 6, LT-13100 Vilnius, Lithuania
Email: info@peptidemonitor.app
Website: peptidemonitor.app

For App Store purchase and subscription support, including refund requests, please contact Apple directly at reportaproblem.apple.com.

PeptideMonitor is operated by Tomas Sniukas, a sole proprietor based in Vilnius, Lithuania. This Privacy Policy should be read alongside our Terms of Service.