Privacy Policy

Peptide Injections AI ("Platform," "we," "us," or "our") is operated by Riley Ventures LLC, DBA Acme Studio. This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you visit peptideinjections.ai (the "Site") or use our services.

By using the Site, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use the Site.

1. Information We Collect

1.1 Information You Provide Directly

• Quiz Responses: When you use our peptide matching quiz, you voluntarily provide health-related information including symptoms, health goals, treatment preferences, budget, and location. This data is used to generate personalized provider recommendations.
• Contact Information: When you request a provider consultation, submit a contact form, or sign up for email communications, you provide your name, email address, and optionally your phone number.
• Email Address: When you request quiz results be emailed to you, we collect your email address for transactional delivery only.
• Provider Inquiries: If you contact a provider through our platform, we may collect information about the referral for quality assurance and to facilitate the connection.

1.2 Information Collected Automatically

• Usage Data: Pages visited, time spent on pages, click patterns, referral sources, search queries, and interactions with site features.
• Device & Browser Information: IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
• Location Data: Approximate geographic location derived from your IP address (city/state level, not precise GPS). This is used to show relevant providers in your area.
• Outbound Click Data: When you click an outbound link to a provider on this Site, we record the click event, the page you were on, the provider you selected, and a timestamp. This data is used to attribute referrals for our affiliate and partnership programs and to monitor link quality. No personal health information is transmitted through outbound link redirects.
• Affiliate Tracking Identifiers:Our affiliate partners and networks may assign click identifiers and set cookies when you visit a provider's website through our outbound links. These identifiers are used solely to attribute a referral to our platform for commission purposes. We do not receive or store any information about subsequent purchases you make on a provider's site beyond the fact that a conversion occurred.
• Cookies & Similar Technologies: See Section 5 below for our detailed cookie policy.

2. How We Use Your Information

We use the information we collect for the following purposes:

• Provider Matching: To analyze your quiz responses using algorithmic and AI-powered tools and generate personalized provider recommendations.
• Referral Facilitation: To transmit your consultation request to selected providers.
• Affiliate Attribution: To track outbound clicks and attribute referrals to our platform for commission purposes under our affiliate and partnership programs.
• Transactional Communications: To send you quiz results, consultation confirmations, and other service-related emails you have requested.
• Platform Improvement: To analyze usage patterns, improve our matching algorithm and AI models, optimize content, and enhance user experience.
• Analytics: To understand aggregate usage trends, measure content performance, and inform editorial decisions.
• Security: To detect, prevent, and respond to fraud, abuse, or security incidents.
• Legal Compliance: To comply with applicable laws, regulations, legal processes, or governmental requests.

3. How We Share Your Information

3.1 With Healthcare Providers

When you initiate a consultation request through our platform, we share your contact information and relevant quiz responses with the selected provider(s) so they can evaluate your inquiry and reach out to you. Once your information is transmitted to a provider, their use of that information is governed by their own privacy policy.

3.2 With Service Providers

We share information with trusted third-party service providers who assist us in operating the Site, including:

• Hosting: Vercel (website hosting and deployment)
• Database: Supabase (data storage and management)
• Analytics: Google Analytics (usage tracking and reporting)
• Email: Resend (transactional email delivery)
• Payment Processing: Stripe (if applicable, for provider-related transactions)

These providers are contractually obligated to use your information only to provide services to us and in accordance with this policy.

3.3 With Affiliate Networks & Partners

When you click an outbound link to a provider, your click may be routed through a third-party affiliate network (such as MaxBounty, ShareASale, Impact, or similar) or a direct partner tracking system. These networks receive limited data — typically a click identifier, the referring page, and the provider selected — to attribute the referral for commission purposes. We do not transmit your name, email address, health information, or quiz responses to affiliate networks. The data shared is limited to anonymized click-level events.

Affiliate networks may set their own cookies on your browser when you arrive at a provider's website. The use of those cookies is governed by the respective network's privacy policy, not ours.

3.4 We Do Not Sell or Share Your Personal Information

We do notsell, rent, or trade your personal information to third parties for their marketing purposes. We do not participate in data broker networks. We do not "share" personal information for cross-context behavioral advertising as defined under the California Privacy Rights Act (CPRA).

Our revenue comes from affiliate commissions, referral fees, and direct provider partnerships — not from the sale or monetization of user data. The limited click-level data shared with affiliate networks (described in Section 3.3) is used solely for referral attribution and does not constitute a "sale" or "share" of personal information under applicable privacy laws.

3.5 Legal Requirements

We may disclose your information if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others, or to detect and prevent fraud or security issues.

4. Health Information

Our quiz collects health-related information (symptoms, goals, preferences) that you voluntarily provide. Important clarifications:

• Peptide Injections AI is not a covered entity under HIPAA (Health Insurance Portability and Accountability Act). We are an informational and referral platform, not a healthcare provider, health plan, or healthcare clearinghouse.
• The health-related information you provide through our quiz is self-reported and voluntary. It is not a medical record, diagnosis, or clinical assessment.
• Despite not being subject to HIPAA, we treat all health-related information with heightened care and apply appropriate technical and organizational safeguards to protect it.
• Once your information is shared with a healthcare provider at your request, that provider may be subject to HIPAA and their own privacy obligations.

5. Cookies & Tracking Technologies

We use the following cookies and similar technologies:

You can control cookies through your browser settings. Disabling certain cookies may affect the functionality of the Site. We do not currently use advertising or retargeting cookies.

6. Data Retention

• Quiz data: Retained for up to 24 months to improve our matching algorithm and provide historical results if you return.
• Contact information: Retained as long as necessary to fulfill the purpose for which it was collected, or as required by law.
• Analytics data: Retained in aggregate form indefinitely. Individual-level analytics data is retained for up to 26 months per Google Analytics defaults.
• Email communications: Transactional email records are retained for up to 12 months.

You may request deletion of your personal data at any time by contacting us (see Section 13).

7. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including:

• TLS/SSL encryption for all data transmitted between your browser and our servers.
• Encrypted database storage with row-level security policies.
• Access controls limiting employee and contractor access to personal data on a need-to-know basis.
• Regular security reviews of our infrastructure and third-party service providers.

No method of electronic transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee absolute security.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

8.1 All Users

• Access: Request a copy of the personal information we hold about you.
• Correction: Request correction of inaccurate personal information.
• Deletion: Request deletion of your personal information, subject to legal retention requirements.
• Opt-Out: Unsubscribe from marketing emails at any time using the link in any email we send.

8.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to know what personal information is collected, used, shared, or sold.
• Right to delete personal information held by us and by extension, our service providers.
• Right to opt out of the sale or sharing of personal information. We do not sell personal information.
• Right to non-discrimination for exercising your privacy rights.
• Right to correct inaccurate personal information.
• Right to limit the use of sensitive personal information.

To exercise these rights, contact us at hello@peptideinjections.ai. We will respond within 45 days as required by law.

8.3 EU/EEA Residents (GDPR)

If you are located in the European Economic Area, you have rights under the General Data Protection Regulation (GDPR), including the right to access, rectify, erase, restrict processing, data portability, and object to processing. Our legal basis for processing is your consent (quiz data) and legitimate interest (analytics, security). Contact us to exercise these rights.

9. Washington My Health My Data Act

If you are a Washington State resident, you have rights under the Washington My Health My Data Act (MHMDA) regarding "consumer health data," which may include the health-related information you voluntarily provide through our quiz (e.g., health goals, symptoms, treatment preferences).

• We collect consumer health data only when you voluntarily provide it through our quiz or contact forms.
• We use consumer health data solely to provide provider matching recommendations and to improve our platform.
• We do not sell consumer health data or use it for advertising purposes.
• We share consumer health data with healthcare providers only at your explicit request when you initiate a consultation.
• You may request access to, deletion of, or withdrawal of consent for your consumer health data at any time.

To exercise your rights under the MHMDA, contact us at hello@peptideinjections.ai. We will respond within 45 days.

10. AI & Algorithmic Processing

Peptide Injections AI uses algorithmic and artificial intelligence tools in the following ways:

• Provider Matching: Your quiz responses are processed by our matching algorithm to generate personalized provider recommendations. No human reviews your individual quiz responses during the matching process.
• Content Generation: AI tools may assist in generating or refining editorial content, provider summaries, and educational materials. All AI-assisted content is reviewed by our editorial team before publication.
• Price Monitoring: Automated systems monitor and update provider pricing data displayed on the Site.

You have the right to understand how automated decisions affect you. If you have questions about how our algorithms process your data, contact us at hello@peptideinjections.ai.

11. Mobile App, Goal Visualizer & Photo Uploads

Our mobile application ("Mobile App") — including any web view, iOS app, or Android app — collects and processes data in addition to the categories described above. This section governs that processing.

11.1 On-Device Data

The Mobile App stores most data locally on your device (Capacitor Preferences / iOS UserDefaults), including injection logs, protocol configurations, dose calculations, biomarker entries, body-map injection sites, and progress notes. This data does not leave your device unless you explicitly choose a feature that requires server processing (e.g., the Goal Visualizer). We do not sync, back up, or transmit on-device tracking data without your action.

11.2 Camera & Photo Library Permissions

The Mobile App requests access to your camera and photo library only when you initiate a feature that requires a photo (e.g., the Goal Visualizer or Progress photo logging). You may grant or deny these permissions in your device settings at any time. If you deny permission, the affected features will not function.

11.3 Goal Visualizer — Photo Processing & AI Generation

The Goal Visualizer is an optional feature that generates AI-rendered illustrations of your appearance at a hypothetical lower body weight, anchored to published clinical-trial means for FDA-approved GLP-1 medications (semaglutide, tirzepatide, retatrutide). When you use this feature:

• Photo upload:Your selected photo is transmitted via TLS to our server and forwarded to OpenAI's image-edit API for processing. OpenAI does not retain Goal Visualizer images for model training under the terms of our enterprise API agreement (zero data retention is the default for API customers).
• Storage: Your baseline photo and the AI-generated milestone images are stored in our private Supabase Storage bucket (visualizations) and accessible only via expiring signed URLs (default 30-day expiry). Storage is encrypted at rest.
• Retention: Goal Visualizer photos and generated images are automatically deleted from our servers no later than 90 days after upload. You may request earlier deletion at any time by contacting us.
• Audit trail: When you complete the consent attestation, we log the timestamp, your IP address, and your user-agent string against the generated session ID. This record is retained for up to 24 months for legal-defense purposes and is not used for any commercial purpose.
• Sensitive data minimization: We do not perform facial recognition, biometric matching, or persistent identity linking on photos you upload. We do not associate uploaded photos with your name, email, or any other identifying profile information unless you provide it separately.

11.4 Photos of Other People

You agree to upload only photos of yourself. You may not upload photos of other identifiable people (including but not limited to friends, family members, public figures, models, or other users) without their explicit prior consent, and in any case never of children. Uploading a photo of someone else may violate that person's right of publicity, our Terms of Service, and applicable law (including state and federal anti-impersonation, deepfake, and non-consensual-intimate-imagery statutes). Violations may result in immediate account termination, removal of generated content, and reporting to law enforcement.

11.5 Push Notifications

If you enable push notifications, the Mobile App registers an Apple Push Notification service (APNs) token and/or Firebase Cloud Messaging (FCM) token with our servers. We use these tokens solely to deliver dose reminders, protocol updates, and relevant product news you have opted into. You may disable push notifications at any time in your device settings.

11.6 Crash & Diagnostic Data

We may receive aggregate, non-identifying crash and performance data through Apple App Analytics (if you opted in via iOS) or our hosting provider's diagnostic logs. This data is used solely to debug issues and improve stability.

11.7 Apple Privacy Manifest

In compliance with Apple's App Store requirements, our app ships a Privacy Manifest (PrivacyInfo.xcprivacy) declaring the categories of data collected and the reasons for required-API usage. The manifest is the canonical machine-readable disclosure for Apple's App Privacy labels and is consistent with this Privacy Policy.

12. Children's Privacy

The Site is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we may have collected information from a child, please contact us.

13. Contact Information

For questions, concerns, or requests regarding this Privacy Policy or your personal information:

14. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. For material changes, we may provide additional notice (such as a banner on the Site or an email notification). Your continued use of the Site after any changes constitutes your acceptance of the updated policy.