The short version
- We collect the minimum data needed to run the site.
- We never sell your data.
- We never use your private data to train models.
- We never run ads.
- You can export all of your data and delete your account at any time.
- Health data you log (journal, bloodwork, goals) is encrypted at rest.
1. What we collect
1.1 Account data
When you create an account, our auth provider Clerk stores your email, password hash, and a unique user ID. We mirror your user ID and email into our database to associate purchases and user-generated content with you.
1.2 Purchase data
Stripe stores your payment method and processes charges. We receive only what Stripe's webhook gives us — a customer ID, transaction ID, subscription status, and renewal date. We never see your full card number.
1.3 User-generated content
If you log a journal entry, bloodwork result, goal, saved stack, or progress photo, we store that content in our database and (for photos) in Backblaze B2 object storage. This content is private to your account.
1.4 Legal attestations
When you tick the safety attestation in the Stack Builder, we store a hash-chained, append-only legal record including your email, first name, version of the attestation, timestamp, IP address, user agent, and the list of checkboxes you confirmed. This record is archived to Backblaze B2 under Object Lock with seven-year compliance retention.
1.5 Analytics
We use Vercel Analytics, which is cookie-free, anonymized, and aggregates only page views and basic referrers. We do not use Google Analytics, Facebook Pixel, or any other behavioral tracker.
1.6 Error monitoring
We use Sentry to capture JavaScript errors so we can fix bugs. Sentry receives a stack trace, the URL where the error happened, and (sometimes) a user ID for the affected session. Sentry data is purged on a rolling 30-day window.
1.7 Cookies
We use first-party cookies for: authentication (Clerk), CSRF protection (Next.js), and Sentry session-id correlation. We do not use third-party advertising or behavioral-tracking cookies.
2. How we use your data
- To deliver the product (show you reports, run the OS, send transactional email)
- To process payments and prevent fraud
- To maintain legal records (attestations, refund history)
- To monitor and improve site reliability (anonymized analytics, error tracking)
- To respond to support requests
We never use your private content (journal entries, bloodwork, goals, photos) to train models or generate site content, and we never share it with third parties.
3. Who we share data with
We share the minimum amount of data needed with the following service providers ("sub-processors"):
- Clerk — authentication and account storage
- Stripe — payment processing
- Supabase — primary application database
- Backblaze B2 — file storage for photos + legal archives
- Resend — transactional email delivery
- Upstash — rate-limiting and ephemeral cache
- Vercel — hosting and anonymized analytics
- Sentry — error monitoring
We do not sell or rent personal data to anyone. We do not share your data with advertisers. We respond to lawful government requests only when legally compelled.
4. How long we keep it
- Account data: kept until you delete your account, then removed from our active systems within 30 days and from backups within 90 days.
- Purchases / receipts: 7 years for tax and financial-record purposes.
- Legal attestations: 7 years under Object Lock compliance retention. If you delete your account, the PII in the attestation (email, name, IP) is scrubbed to null while the hash-chained record remains.
- Analytics / error logs: 30 days.
- Email logs (delivery / opens): 90 days.
5. Your rights
You can, at any time:
- Access your data — log in to your account to view it.
- Export your data — request a JSON export from account settings.
- Correct your data — edit your profile, log entries, goals, etc. directly in the account UI.
- Delete your account and all associated private data from account settings. Legal attestations are kept as a hash-only record after PII scrub.
- Opt out of non-essential email at the bottom of any email we send.
California (CCPA / CPRA), EU / UK (GDPR), and other applicable jurisdictions grant additional rights including the right to know, the right to delete, and the right to non-discrimination. We honor all of them globally.
6. Children
The site is not directed at and not intended for use by anyone under 18. We do not knowingly collect information from minors. If you believe we have, contact us and we will delete it.
7. International transfers
Our service providers operate in the United States, the European Union, and other regions. By using the site you consent to transfer of your data to and processing in those regions, with appropriate safeguards (Standard Contractual Clauses for EU transfers).
8. Security
We use industry-standard practices: TLS in transit, encryption at rest, row-level security on the database, rate-limiting, hash-chained legal records, and a security disclosure path at security@yesitakepeptides.com.
No system is 100% secure. If we become aware of a breach affecting your data we will notify you and the relevant authorities within the timelines required by applicable law.
9. Changes to this policy
We may update this policy occasionally. Material changes will be posted here with a new "last updated" date. For significant changes that affect how we use your data, we'll email you.
10. Contact
Privacy questions: hi@yesitakepeptides.com. Security disclosures: security@yesitakepeptides.com.