ProtoPep is a personal organizational tool, not medical advice. The app does not diagnose, treat, recommend, or prescribe — it only records what you choose to track. Always consult a qualified healthcare provider before starting, changing, or stopping any protocol. The Terms of Service contain the full liability waiver.
The data controller responsible for ProtoPep under the EU General Data Protection Regulation (GDPR), the UK GDPR, and equivalent laws is:
Anthony Le, an individual developer based in California, United States.
Mailing address: 2818 Kramer Lane, Austin, TX 78758, United States.
Email: aanthonyle28@gmail.com
Apple Developer Program identifier 3DA26945KY; bundle identifier com.anthony.ProtoPep.
We are not required to designate a Data Protection Officer under GDPR Article 37 because our core activities do not consist of large-scale processing of special-category data or large-scale systematic monitoring. We have not appointed an EU representative under GDPR Article 27 because our processing of EU resident data is occasional and does not include large-scale special-category data processing. We will re-evaluate as the app scales.
ProtoPep has no backend server, no user accounts, and no login. Almost everything you do in the app stays on your device.
| Data | Where it lives | Why | Legal basis |
|---|---|---|---|
| Schedules, vials, dose logs, weight history, side-effect logs, notes, onboarding answers, calculator inputs | Your device (SwiftData). Optionally your iCloud private database via CloudKit. | Provide the tracking features you installed the app to use. | GDPR Art. 6(1)(b) contract; Art. 9(2)(a) explicit consent for health entries. |
| Body weight via HealthKit (opt-in) | Your device only. Never transmitted. | Render weight trends in the Progress tab. | Art. 6(1)(a) and 9(2)(a) explicit consent. |
| Anonymous product analytics (opt-in, default off) | PostHog Cloud EU (Frankfurt). | Understand which features are used. | Art. 6(1)(a) consent. |
| In-app purchase records (transaction ID, product ID, subscription state) | Apple StoreKit. We never see payment details. | Unlock Pro features. | Art. 6(1)(b) contract and 6(1)(c) legal obligation. |
| Feedback emails (only if you send one) | Your device's Mail app to the developer's personal Gmail. | Reply to your feedback. | Art. 6(1)(a) consent. |
| Local dose-reminder notifications | Your device. No push service involved. | Remind you about doses you scheduled. | Art. 6(1)(b) contract. |
| Status-check request (IP only, GitHub CDN log) | GitHub Pages logs, ~30 days. | Emergency kill-switch. | Art. 6(1)(f) legitimate interest. |
Data you enter is stored locally using Apple's SwiftData framework, protected by iOS Data Protection class NSFileProtectionComplete while your device is locked. It does not leave your device unless you enable iCloud sync or use the Export feature.
If you sign into iCloud and enable iCloud Drive for ProtoPep, your data replicates between your devices via Apple's CloudKit private database (container iCloud.com.anthony.protopep). The data lives in your iCloud account; we never created a public, shared, or cross-account database. Per Apple's documented architecture, neither Apple nor we can read your private database contents. Disable sync at any time in iOS Settings, or delete iCloud data via Settings → Delete all data → "Also delete from iCloud."
On-device and iCloud data is retained until you delete it. Uninstalling removes the local copy; the iCloud copy persists until you remove it. PostHog analytics events, when opt-in is on, are retained for up to 12 months and then deleted automatically. You may request immediate erasure of PostHog events by emailing us with your distinct ID (visible in Settings → Privacy → Diagnostics).
This section satisfies Apple App Store Review Guideline §5.1.3(i).
With your explicit permission via Apple's HealthKit permission sheet, ProtoPep reads and writes only one HealthKit data type:
HKQuantityTypeIdentifier.bodyMass
This data is used only on your device to render weight trends. It is not transmitted off your device, not shared with any third party, not used for advertising or marketing, not used for data mining, and not stored on any server we control. No HealthKit-read value is propagated to CloudKit. Revoke HealthKit access at any time in iOS Settings → Health → Data Access & Devices → ProtoPep.
Anonymous product analytics, opt-in, default off. Operated by PostHog Inc.; data hosted in the European Union (Frankfurt) at eu.i.posthog.com. When enabled, the app sends count events such as app_opened, calculator_used, dose_logged, paywall_viewed, and the App Store product identifier on purchase. Events use an anonymous PostHog distinct ID generated on your device; we never call identify(), alias(), or setPersonProperties().
Events never contain peptide names, dose values, weight values, schedule contents, vial contents, HealthKit data, your name, your email, or free-text notes. The event allowlist is enforced by typed Swift code and verified by automated build tests. PostHog is our processor under GDPR; our DPA with PostHog is at posthog.com/dpa and incorporates EU Standard Contractual Clauses. See posthog.com/privacy and posthog.com/subprocessors.
Apple Inc. is a processor for data stored in your iCloud private database, for StoreKit billing, and for HealthKit infrastructure. Apple's privacy policy: apple.com/legal/privacy. The relationship is governed by the Apple Developer Program License Agreement.
GitHub Pages hosts this policy, the Support page, and the kill-switch JSON the app fetches on launch. The fetch is an unauthenticated HTTPS GET with no body, no identifying headers, and no cookies. GitHub logs IP addresses for CDN abuse-prevention for up to 30 days per its general privacy statement. We do not access these logs.
When you send feedback, your email is delivered via your own email account to a personal Gmail inbox the developer reads. That mail is governed by Google's privacy policy. We use the email only to respond to your feedback.
No advertising SDKs. No analytics other than PostHog (opt-in). No CDN beyond GitHub Pages. No cloud functions, no third-party auth. New processors will be added to this list with a policy update before integration.
ProtoPep is operated from the United States. To the extent personal data of EU, EEA, UK, or Swiss residents is processed in the US, transfers rely on the EU–US Data Privacy Framework (and UK and Swiss extensions) where the recipient is self-certified — Apple Inc. is certified — and on Standard Contractual Clauses (Commission Decision 2021/914) with supplementary measures where the recipient is not. PostHog hosts EU user data in the European Union, so EU analytics data does not leave the EU; our DPA with PostHog includes the SCCs as a fallback.
You can request a copy of the transfer safeguards that apply to your data by emailing aanthonyle28@gmail.com.
Regardless of where you live, you can access all your data via Settings → Export, correct any record by editing it in the app, delete everything via Settings → Delete all data (with optional iCloud propagation), revoke any permission in iOS Settings, and email us with any privacy question. We respond within 30 days for general questions and 45 days for formal CCPA, CPRA, or MHMDA requests, with one possible 45-day extension.
You have the rights to be informed (this policy), access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), objection (Art. 21), withdrawal of consent (Art. 7(3)), and to be free from automated decision-making (Art. 22 — we do none).
You also have the right to lodge a complaint with your national supervisory authority. The list of EU and EEA authorities is at edpb.europa.eu; UK residents may complain to the Information Commissioner's Office.
Providing data is optional. Declining analytics means analytics is off; there are no other consequences. The app functions normally with all optional permissions denied.
Categories of personal information we collect (Cal. Civ. Code §1798.140):
Sources: directly from you. Purposes: providing the app's features; product improvement when analytics is on; processing payments via Apple. Disclosed to: PostHog (opt-in only) and Apple (storage, billing). Not "sold" or "shared" as defined in CPRA. We have not sold or shared personal information in the past 12 months and do not intend to.
Your CCPA/CPRA rights: to know, delete, correct, opt out of sale or sharing (we don't do either, so no opt-out link required), limit use of sensitive personal information (we don't use SPI beyond providing the service, so no link required), non-discrimination, and data portability. Exercise these by emailing aanthonyle28@gmail.com. We honor Global Privacy Control where technically applicable.
If you reside in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Tennessee, Iowa, Indiana, Florida, Nebraska, Delaware, New Hampshire, New Jersey, Kentucky, Maryland, Minnesota, Rhode Island, or any other state with a comprehensive privacy law, you have substantially similar rights. Because we do not sell, share, or use your personal information for targeted advertising, most state-specific opt-out mechanisms do not apply. To exercise any state-law right, email us.
This section supplements the rest of this policy to comply with the Washington My Health My Data Act (RCW 19.373). If you are a Washington resident, it governs our processing of your "consumer health data" as defined by the Act.
Purposes: providing the personal-tracking functionality you installed the app to use. Sources: your input; HealthKit if you grant access; StoreKit on purchase. Sharing: we do not share consumer health data with any third party. None of this data is sent to PostHog or any other analytics service; none is sent to the developer; iCloud sync is end-to-end protected between your devices and your iCloud account.
Affiliates with whom CHD is shared: none. Categories of third parties with whom CHD is shared: none. Sale of CHD: we do not and will not sell consumer health data.
ProtoPep does not implement any geofence and does not use location data of any kind, complying with RCW 19.373.060 by default.
You have the right to confirm that we are processing your CHD, to access it, to withdraw consent to collection or sharing, and to delete it. Exercise these rights via Settings → Delete all data, Settings → Export, or by emailing us. We respond within 45 days, extendable once by 45 days with notice.
By tapping "Continue" during onboarding after reviewing this notice, you provide opt-in consent for the collection and on-device or iCloud processing of consumer health data as described above. This consent is separate from any consent for sharing — and because we do not share CHD with any third party, no sharing consent is sought. You may withdraw consent at any time by deleting your data; the app will reset to its first-launch state.
ProtoPep is not directed to children. We do not knowingly collect personal information from anyone under 16 in the EU, EEA, or UK (GDPR Article 8), or under 13 in the United States (COPPA, 16 CFR Part 312). The App Store age rating reflects this. If you believe a child has used the app, email us and we will delete the data.
ProtoPep is built around a defense-in-depth model fundamentally limited by the no-server architecture. On-device data is protected by iOS file protection (NSFileProtectionComplete) while your device is locked. iCloud sync is protected by Apple's CloudKit private-database encryption between your devices and Apple's servers per Apple's documented architecture. All network traffic uses HTTPS with TLS 1.2 or higher; the app makes exactly three kinds of outbound requests — the status JSON kill-switch fetch, PostHog event delivery when opt-in is on, and StoreKit and CloudKit traffic to Apple. The PostHog event allowlist is enforced by typed code and build-time tests; a bug that accidentally sent identifying data would fail the build. No user accounts, passwords, or API keys belonging to you exist on our side because there is no "our side" beyond your device. If you discover a security issue, please report it to aanthonyle28@gmail.com.
In the unlikely event of a breach, we commit to the following. For EU, EEA, and UK residents (GDPR Articles 33 and 34): notify the competent supervisory authority within 72 hours of becoming aware where required, and notify affected individuals without undue delay if the breach is likely to result in a high risk to your rights and freedoms. For all users (FTC Health Breach Notification Rule, 16 CFR Part 318): notify affected consumers, the FTC, and where 500 or more residents of a state or jurisdiction are affected, prominent media outlets, within 60 calendar days of discovering a breach involving identifiable health information.
We will notify you by email (if we have one), an in-app notice on next launch, and a notice posted at aanthonyle28.github.io/protopep-status. Realistic vectors: compromise of our PostHog account (anonymous event counts only) or our Apple Developer account.
We will update this policy when our data practices change. Material changes — for example, adding a new third-party SDK or data category — will be announced via a new effective date and version at the top of this page, an in-app notice on the next launch after the change takes effect, and a row in the revision history below. For changes that materially expand our processing of your personal data, we will seek renewed opt-in consent before the change applies to you. Prior versions are available on request.
This Privacy Policy is governed by the laws of the State of California and the United States, without regard to conflict-of-laws principles. Disputes are subject to the exclusive jurisdiction of the state and federal courts located in California, except that EU, EEA, UK, and Swiss residents retain the protections of mandatory local law and may bring claims in the courts of their habitual residence (Brussels Ia Regulation Art. 18 where applicable); Washington residents retain the protections of the My Health My Data Act and may exercise the private right of action under RCW 19.373; and California residents retain rights under the CCPA and CPRA enforceable in California courts.
This policy describes our data practices. It is not a warranty of any specific outcome. ProtoPep is a personal organizational tool and does not provide medical advice, diagnosis, or treatment. See the Terms of Service for the full liability waiver.
If any provision is found unenforceable, the remaining provisions continue in full force and effect.
Anthony Le
2818 Kramer Lane, Austin, TX 78758, United States
aanthonyle28@gmail.com
Response times: 30 days for general inquiries; 45 days for formal CCPA, CPRA, or MHMDA requests with one possible 45-day extension on notice.
To remove any ambiguity, ProtoPep does not use advertising SDKs of any kind, does not use the Apple Advertising Identifier or any equivalent, does not fingerprint your device, does not track you across apps or websites (we answer "No" to tracking on the App Store nutrition label), does not sell or share your personal information for monetary or other valuable consideration, does not operate any server-side code or backend service that processes your data, does not maintain user accounts or passwords, does not process payment information directly (Apple handles billing), does not use cookies (this is a native iOS app), does not engage in automated decision-making, profiling, or scoring as defined by GDPR Article 22, and does not sell or share consumer health data as defined by Washington MHMDA.
| Version | Date | Change |
|---|---|---|
| 1.0 | 2026-05-23 | Initial publication for ProtoPep v1.0.0 App Store submission. Covers GDPR, UK GDPR, CCPA/CPRA, Washington MHMDA, COPPA, FTC HBNR, and Apple App Store §5.1 requirements as of this date. |