How the PepBear app handles your data.

What We Collect

PepBear collects the minimum data needed to help you track your protocols and see what's working:

• Email address — for account authentication via magic link (one-time sign-in email). We do not store passwords.
• Protocol entries — compounds, doses, schedules, cycle dates, and notes you manually enter.
• Dose logs — records of when you logged a dose, amount taken, and any notes.
• Health metrics from Apple HealthKit — with your explicit permission: steps, heart rate, HRV, resting heart rate, sleep stages, respiratory rate, active energy, flights climbed.
• Wearable data from connected services — Oura, WHOOP, and Withings via OAuth. We pull recovery, sleep, strain, and body composition data that you authorize.
• AI Coach conversations — messages you send to the Coach and the Coach's replies.
• Body composition entries — weight, body fat, and related metrics you log.
• Lab results — values you manually enter from bloodwork.

How We Store It

All data is stored securely on Supabase infrastructure in the United States. Data is encrypted in transit (TLS) and at rest. We use row-level security policies so each account can only access its own data.

Access tokens for connected wearable services (Oura, WHOOP, Withings) are stored encrypted and used only to sync your authorized data.

Third-Party Data Sources

PepBear integrates with services on your behalf. You grant access; you can revoke any time.

• Apple HealthKit — we read the health metrics listed above from your device. Granted and revoked in iOS Settings → Privacy & Security → Health → PepBear.
• Oura — we pull readiness, sleep, and activity data. Revoke in your Oura account settings or by disconnecting inside PepBear.
• WHOOP — we pull recovery, sleep, strain, and workouts. Revoke in your WHOOP account or by disconnecting inside PepBear.
• Withings — we pull body composition measurements. Revoke in your Withings Health Mate account or by disconnecting inside PepBear.

AI Coach

PepBear's AI Coach is powered by large language models accessed through OpenRouter. When you send a message, your message and relevant context from your account (recent metrics, active protocols, recent doses) are sent to the model provider for inference. Model providers do not use this data to train their models. Conversations are stored in your account and visible only to you.

What We Don't Do

• We do not sell your data to third parties.
• We do not display advertisements.
• We do not train AI models on your data.
• We do not share your health data with employers, insurers, or advertisers.
• We do not collect location, browsing history, or device identifiers beyond what's needed to run the app.

Medical Disclaimer

PepBear is not a medical device and does not provide medical advice, diagnosis, or treatment. The peptides, supplements, and protocols you track in PepBear may not be approved by the FDA for human use. Information surfaced by the app — including the AI Coach — is for informational and educational purposes only. Consult a licensed healthcare provider before starting, stopping, or changing any protocol, medication, or supplement.

You are solely responsible for what you log and what you take. PepBear is a tracking tool; it does not recommend, prescribe, source, or endorse any specific compound.

Data Deletion

To request deletion of your account and all associated data, email support@pepstarllc.com. We will delete all associated data within 30 days.

You can also revoke access to any connected wearable service at any time via the service's own account settings — doing so stops PepBear from pulling any new data from that source, but does not delete data already synced.

Changes to This Policy

We may update this policy as the app evolves. Material changes will be announced in-app. The "Last updated" date at the top reflects the most recent revision.

Contact

PepStarLLC (publisher of PepBear)
Wyoming, United States
support@pepstarllc.com