This privacy policy informs you about the type, scope and purpose of processing personal data when using the PepStack app and related services.
1. Privacy at a glance
The notices below give a simple overview of what happens to your personal data when you use the "PepStack" app or visit our website. Personal data is any data that can be used to personally identify you.
Data processing in this app is carried out by the app operator. Their contact details are provided in the imprint and in this privacy policy.
2. Data controller
The party responsible for data processing is:
Maximilian Berktold
Hartmannstraße 26
96050 Bamberg
Germany
Email: support@pepstack.net
Website: pepstack.net
Note: Where applicable, a commercial or association registry number can be added here.
3. Data collection and the zero-knowledge principle
We follow a data-minimisation approach. A core aspect of PepStack is the zero-knowledge principle for your research logs.
Local storage (Hive DB)
Your personal logs (stacks, dosages, timings) are stored primarily on your device in an encrypted database.
Encrypted cloud backup
If you use the backup feature, this data is encrypted on your device before being transferred to our servers. The decryption key is generated locally from your unique user ID. We have no access to this key or to the contents of your logs at any time.
Vital values (blood markers from the lab-result scan)
Your vital values are stored unencrypted in the cloud. Standard database security (Supabase Row-Level Security) ensures that only you can read them — and, in the future, optionally coaches to whom you explicitly grant access.
4. Hosting and third-party services
We use specialised service providers to deliver the app safely and reliably:
Supabase (backend & database)
We use Supabase for authentication and to store encrypted backups.
Provider: Supabase Inc., 1101 Marina Village Parkway, Alameda, CA 94501, USA.
Server location: EU region (Frankfurt), so your data is stored within the European Union.
Purpose: providing the infrastructure and user management.
Legal basis: Art. 6 (1) (b) GDPR (performance of contract).
RevenueCat (subscription management)
We use RevenueCat to manage in-app purchases and subscriptions.
Provider: RevenueCat, Inc., 1032 Elwell Ct Ste 243, Palo Alto, CA 94303, USA.
Data: RevenueCat receives transaction data (purchase ID, timestamp, subscription status). No credit card data is processed via PepStack.
Legal basis: Art. 6 (1) (b) GDPR.
Sentry (error monitoring)
To ensure the stability of the app and the website and to analyse errors, we use Sentry.
Provider: Functional Software Inc., 1501 Folsom St, San Francisco, CA 94103, USA.
Data: in case of an error, technical data (device type, operating-system version, browser, location of the error in the code) is transmitted. For errors on the website, an anonymised session replay may also be recorded covering mouse clicks and page navigation — form inputs and text inputs are automatically masked.
Server location: EU (Frankfurt region).
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in an error-free app and website).
Vercel Analytics & Speed Insights (website analytics)
Our website uses Vercel Analytics to record anonymised page views and Vercel Speed Insights to measure load times (Core Web Vitals).
Provider: Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA.
Data: no cookies are set and no personal data is collected. Tracking is privacy-friendly and does not build individual user profiles.
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in improving website performance).
5. Lab-result scan (AI value detection)
Premium users can photograph lab results or upload them as PDFs to import the values into PepStack automatically. To do so, we send image extracts of the report to an AI provider (OpenAI, GPT-4o). The transmitted images are used solely for value detection in this single request.
What we send to OpenAI
The image or rasterised PDF page (max. 10 pages per scan) and the list of our supported blood markers (public wiki data).
What is NOT sent
Your name, email address or other account data. Other contents of your cycle or logbook entries. Other previously recorded blood values.
Retention at OpenAI
OpenAI states that API requests are retained for up to 30 days for abuse monitoring and are not used for model training. Details: openai.com/policies/api-data-usage-policies.
Retention on our side
We do not permanently store the image or the rasterised PDF pages. From the extracted result, only the structured values (marker name, value, unit, reference range) are saved in your PepStack account. These vital values are stored unencrypted in the cloud — Supabase Row-Level Security ensures that only you can read them (see section 3, "Vital values").
Anonymised logs
Markers we don't yet know in our wiki database are stored internally (admin-only) to extend our wiki — only the marker name, value, unit, and your user identifier (for deduplication) are kept. These logs are not accessible to you.
Limit
Premium accounts may run up to 30 scans per calendar month (reset on the 1st of the following month).
Withdrawal / opt-out
You can choose not to use the scan feature at any time. It is inactive unless you start it yourself.
Legal basis
Art. 6 (1) (b) GDPR (performance of contract — the feature is part of the premium subscription), in conjunction with Art. 9 (2) (a) GDPR (explicit consent to process health-related data on the first scan).
6. Sign-up via social login
In our app you can register via "Sign in with Apple" or "Sign in with Google". We receive your name (if shared) and your email address from the respective provider in order to verify your account. The legal basis for this is Art. 6 (1) (b) GDPR.
7. Legal bases for processing
Consent (Art. 6 (1) (a), Art. 9 (2) (a) GDPR)
For processing health-related data (your research logs), we ask you for explicit consent on the first launch of the app.
Performance of contract (Art. 6 (1) (b) GDPR)
Processing is necessary to provide the app's features and manage your user account.
Legitimate interest (Art. 6 (1) (f) GDPR)
We have a legitimate interest in operating the app reliably and sustainably (e.g. error analysis via Sentry, subscription management via RevenueCat).
8. Data security and transfers to third countries
Where data is transferred to service providers based in a third country (e.g. the USA), this is done on the basis of Standard Contractual Clauses of the European Commission or equivalent safeguards. Thanks to client-side encryption of your logs, they are additionally protected against access by third parties (including service providers and ourselves).
9. Your rights as a data subject
Under applicable law, you have the right to:
- Access (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Withdrawal of consent (Art. 7 (3) GDPR)
You can delete your account and all associated data at any time in the app settings. For further enquiries, please contact us by email.
10. Right to lodge a complaint with a supervisory authority
In the event of data protection violations, you have the right to lodge a complaint with the competent supervisory authority. For data protection matters, the competent authority is the data protection commissioner of the federal state of Bavaria:
Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18
91522 Ansbach
Germany
11. Referral programme
PepStack offers a voluntary referral programme. Each user account is assigned a unique, randomly generated invitation code.
What data is processed?
When you redeem another user's invitation code, a reference (internal user ID) to the inviting user is stored in your profile. Only anonymised user IDs (no names, no email addresses) are linked.
Purpose of processing
The link is used solely to count successful referrals and to grant the inviting user free premium access automatically when milestones are reached.
Legal basis
Art. 6 (1) (b) GDPR (performance of contract, as the programme is an optional feature of the service).
Storage period
The referral link is stored for as long as both user accounts exist. When you delete your account, all associated referral data is irrevocably removed.
12. Updates and changes to this privacy policy
We reserve the right to amend this privacy policy so that it always meets current legal requirements, or to reflect changes to our services.
Last updated: May 2026