Privacy Policy
We don't sell patient data. We can't even identify patients. Here's exactly how we handle information.
Last updated: April 7, 2026
1 Information We Collect
Provider Information
When a provider registers an account or claims a listing, we collect:
- Business name and practice name
- NPI number (National Provider Identifier)
- Contact information: email address, phone number, website URL
- Business address (state, city, ZIP, street)
- Professional credentials and specialty information
- Services offered (as provided by the provider)
- Payment information (processed by Stripe — PepKey does not store card numbers)
We also collect publicly available information about providers from sources including the NPPES NPI registry, Google Places, and public websites, for purposes of building and maintaining the provider directory.
Patient Data
Patients do not create accounts with PepKey. The only patient-associated data PepKey servers receive is:
- An anonymous PKP ID (a randomly generated token with no inherent connection to identity)
- Medication list (compound names, doses, schedules) linked to the PKP ID
- Questionnaire responses linked to the PKP ID
- Dose log entries linked to the PKP ID
We do not collect patient names, dates of birth, addresses, phone numbers, email addresses, or any other identifying information. We are architecturally unable to link a PKP ID to a real-world person.
Pharmacy Information (PepKey Pharmacy — Coming Soon)
PepKey Pharmacy is not yet live. When launched, when a pharmacy registers or claims a listing, we will collect:
- Business name and license number
- Contact information and address
- Certificate of Analysis (COA) documents (batch-level pharmacy data, no patient data)
- State licensure information
Website Visitors
When you visit pepkey.org, we collect standard analytics data including:
- Pages visited and time on page
- Referring URL and search terms
- Browser type and operating system
- General geographic location (country, state) — not precise location
- IP address (anonymized in analytics)
We use Google Analytics 4 on public-facing provider-oriented pages. We do not load any third-party analytics in patient-facing app features.
Cookies
We use cookies and similar technologies for:
- Session management (keeping you logged in to provider accounts)
- Analytics (Google Analytics, on provider-facing pages only)
- Preference storage (such as remembered search filters)
We do not use advertising cookies, behavioral tracking pixels, or cross-site tracking cookies. Patient app sessions do not use persistent cookies.
2 How We Use Information
We use the information we collect to:
- Provide and operate the Services — maintaining the provider directory, processing subscriptions, authenticating accounts, and delivering API responses.
- Calculate Trust Scores — using NPI data, review data, and profile completeness signals to generate provider transparency scores per our published methodology.
- Improve the platform — analyzing usage patterns to identify bugs, improve features, and optimize performance.
- Generate anonymous aggregate analytics — producing de-identified statistics about the peptide therapy market (e.g., state distributions, average scores) for research and public reporting.
- Communicate with providers and pharmacies — sending account notifications, billing communications, product updates, and (for opted-in users) marketing emails. You may unsubscribe from marketing emails at any time.
- Enforce our Terms of Service — investigating and acting on suspected violations.
- Comply with legal obligations — responding to lawful requests from law enforcement or regulators.
We do not use patient data for any marketing, advertising, or commercial profiling purpose. Patient data is used solely to operate the anonymous medication tracking and clinic management features.
3 Information We Do NOT Collect
We are architecturally prevented from collecting identifying patient information. This is by design, not just policy.
PepKey does not collect, store, or process any of the following about patients:
- Patient names or legal names
- Dates of birth or age
- Home addresses, mailing addresses, or ZIP codes
- Phone numbers or email addresses
- Social Security Numbers (SSNs)
- Health insurance information or insurance IDs
- Medical record numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers or device serial numbers
- URLs or IP addresses (IP addresses are stripped from patient endpoints)
- Biometric identifiers including finger and voice prints
- Full-face photos or other identifying photographs
- Health conditions, diagnoses, or clinical assessments
- Any other unique identifying information
This list corresponds directly to the 18 identifiers enumerated in the HIPAA Safe Harbor de-identification standard (45 CFR § 164.514(b)(2)). We do not collect any of them for patients. See our HIPAA Disclosure for the full technical explanation.
4 Anonymous Patient Data Model
The PepKey Clinic system uses a privacy-by-design architecture that separates patient identity from clinical data at the architectural level:
- Clinic Device: stores the patient name → PKP ID mapping. This is the ONLY place names exist. PepKey never receives it.
- PepKey Cloud: stores the anonymous PKP ID + medication list + questionnaire responses. No name, no identity, no link.
- Patient Phone: stores the PKP ID + PIN (issued by the clinic). The patient accesses their own data anonymously.
What is a PKP ID?
A PKP ID (PepKey Patient identifier) is a randomly generated, unique token assigned to a patient by their clinic. It looks like: pkp_a7f3b2c1d9e4. It has no mathematical relationship to any personal attribute of the patient. Two patients at the same clinic will have different, unrelated PKP IDs.
What PepKey Servers Can See
When a clinic's patient accesses their medication data, PepKey servers see: the PKP ID, the medication request, and the response. PepKey cannot determine the patient's name, age, address, diagnosis, or any other identifying characteristic from this interaction.
IP Address Stripping
Patient-facing API endpoints are configured to strip and not log the client IP address at the load balancer level. This means even our server logs cannot be used to attempt to identify patients through network traffic analysis.
De-Identification Standard
Our patient data model satisfies the HIPAA Safe Harbor de-identification method under 45 CFR § 164.514(b). Because none of the 18 enumerated identifiers are present, the data is legally de-identified and does not constitute Protected Health Information (PHI) under HIPAA.
5 Encrypted Clinic Backups
PepKey offers an optional encrypted cloud backup feature for clinic data. This feature is designed so that PepKey cannot read the backed-up data:
- Clinic data is encrypted on the clinic's device using AES-256-GCM encryption before being transmitted.
- The encryption key (derived from the clinic's master password) never leaves the clinic device. PepKey receives only the encrypted ciphertext.
- PepKey stores the encrypted blob and metadata (clinic ID, backup timestamp, size) — but cannot decrypt or read the contents.
- If a clinic loses their master password, the backup cannot be recovered — by design. This is a security feature, not a limitation.
- Upon clinic account termination or request, encrypted backups are permanently deleted from PepKey storage.
Encryption safe harbor: Encrypted clinic backups meet the HIPAA encryption safe harbor under 45 CFR § 164.402. Even if PepKey were breached, the encrypted backups would be unreadable without the clinic's master password. A breach of PepKey systems would not constitute a reportable breach for this data under HIPAA.
6 HIPAA Alignment
HIPAA (the Health Insurance Portability and Accountability Act) applies to "covered entities" (healthcare providers, health plans, and healthcare clearinghouses) and their "business associates." PepKey is neither.
PepKey Is Not a Covered Entity
PepKey does not provide healthcare services, process health insurance claims, or operate as a health plan. We are a transparency and information platform.
PepKey Is Not a Business Associate
A Business Associate is an entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity. PepKey does not receive or transmit PHI. Our architecture ensures that PHI never reaches our servers:
- Patient identities are stored only on clinic devices (covered entity controlled systems)
- PepKey cloud stores only anonymous, de-identified data
- Encrypted backups are unreadable blobs — we cannot access PHI within them
De-Identification Per HIPAA Safe Harbor
The anonymous patient data we store (PKP ID + medications + questionnaire responses) satisfies the HIPAA Safe Harbor de-identification standard at 45 CFR § 164.514(b)(2) because none of the 18 enumerated identifiers are present. De-identified data is not PHI and is not subject to HIPAA's privacy or security rules.
Encryption Safe Harbor
For encrypted clinic backups, even if identifiable information were somehow included (which clinic operators should prevent), the HIPAA encryption safe harbor at 45 CFR § 164.402 provides that the use or disclosure of encrypted data does not constitute a "breach" requiring notification under HIPAA, provided the data was encrypted with NIST-approved methods. PepKey uses AES-256-GCM, which is a NIST-approved encryption standard.
For a more detailed technical explanation of our HIPAA position, see our dedicated HIPAA Disclosure page.
7 Data Sharing
We do not sell personal data. Ever. This is a core principle of PepKey, not just a policy.
We Share Data With
- Service providers: Stripe (payment processing), Google (analytics on provider-facing pages, NPI lookup assistance), hosting providers. These vendors are bound by data processing agreements and may not use your data for their own purposes.
- The provider's clinic: If you are a patient, your clinic can see your medication data linked to your PKP ID through the clinic's authorized access.
Aggregated Analytics
We may publish or share de-identified, aggregated analytics about the peptide therapy market — such as the number of scored providers per state, average trust scores, or market trend data. This data cannot be used to identify any individual provider, patient, or pharmacy.
API Data
Provider data accessible through our API (as described in the API documentation) is shared with authorized API subscribers per their subscription tier. This data is limited to provider directory information and trust scores — no patient data is ever accessible via the API.
Law Enforcement Requests
We will comply with valid legal process (subpoenas, court orders, or other legally binding requests) from law enforcement agencies. However:
- For patient data: We can only provide anonymous PKP IDs and de-identified medication data. We cannot identify patients from this data.
- For encrypted backups: We can only provide encrypted ciphertext that we cannot decrypt. Without the clinic's master password, the data is unreadable.
- We will notify affected account holders of legal requests where permitted by law.
Business Transfers
In the event of a merger, acquisition, or sale of all or substantially all of our assets, user data may be transferred to the acquiring entity, subject to the terms of this Privacy Policy. We will notify registered users via email prior to any such transfer.
8 Data Retention
- Provider account data: Retained while the account is active and for 90 days after account deletion, then permanently deleted. Billing records may be retained for up to 7 years as required by law.
- Anonymous patient data (PKP records): This applies to PepKey Clinic™ (currently in development). When launched: retained while the associated clinic's subscription is active. Upon clinic subscription cancellation, patient data is retained for 30 days (to allow for reactivation), then permanently deleted.
- Encrypted clinic backups: Retained per the clinic's backup schedule configuration. Deleted permanently within 30 days of a clinic deletion request or subscription termination.
- Website analytics data: Retained for 24 months in Google Analytics, then automatically purged.
- Server logs: Retained for 90 days, then deleted. Patient endpoint logs do not contain IP addresses.
- Lead tracking data: Anonymous session leads retained for 24 months, then aggregated or deleted.
9 Your Rights
Providers and Pharmacies
If you have a provider or pharmacy account, you have the right to:
- Access: Request a copy of the personal information we hold about you by emailing [email protected].
- Correct: Update your information directly through your account dashboard, or request corrections via email.
- Delete: Request deletion of your account and associated personal data. We will process deletion requests within 30 days, subject to legal retention obligations.
- Port: Request a machine-readable export of your profile data.
- Object: Object to certain uses of your data, such as marketing communications (opt-out via unsubscribe link in any email).
Patients
Because PepKey cannot identify patients from PKP IDs, we are unable to fulfill direct patient access or deletion requests. Patients who wish to access or delete their data should contact their clinic directly — the clinic has the identity mapping and the authority to request data deletion on the patient's behalf.
California Residents (CCPA)
California residents have additional rights under the California Consumer Privacy Act (CCPA), as amended by the CPRA:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to Delete: Request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale: We do not sell personal information, so this right is satisfied by our existing practices.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise your CCPA rights, email [email protected] with "CCPA Request" in the subject line. We will respond within 45 days.
10 Security Measures
PepKey employs industry-standard technical and organizational security measures, including:
- AES-256-GCM encryption for clinic backup data (client-side, key never transmitted)
- TLS 1.2 or later (HTTPS) for all data in transit between clients and PepKey servers
- No third-party analytics SDKs in patient-facing application features
- IP address stripping on all patient-facing API endpoints at the load balancer level
- Hashed and salted passwords using bcrypt for provider accounts
- API key scoping and rotation with short-lived session tokens
- Regular security reviews of platform architecture and dependencies
- Access controls limiting PepKey employee access to production data on a need-to-know basis
- Separate production environments for patient-facing and provider-facing systems
No security system is impenetrable. In the event of a data breach affecting personal information, we will notify affected users and relevant regulators as required by applicable law. Because of our anonymous patient architecture, a breach of PepKey systems would not expose identifying patient data.
11 Children's Privacy (COPPA)
PepKey's Services are not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. Provider accounts require users to be at least 18 years of age.
If you believe we have inadvertently collected information from a child under 13, please contact us immediately at [email protected] and we will take prompt action to delete such information.
If you are a parent or guardian and believe your child is accessing peptide therapy services through a provider listed on PepKey, please consult with that provider directly.
12 Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify registered account holders via email at least 14 days before changes take effect
- Post a notice on pepkey.org
We encourage you to review this Privacy Policy periodically. Your continued use of the Services after the effective date of changes constitutes acceptance of the updated policy.