Privacy Policy
Last Updated: April 10, 2026
1. Overview
Pepti Health LLC (“Company,” “we,” “us,” or “our”) respects your privacy and is committed to protecting the personal information you share with us through our website (the “Site”). This Privacy Policy describes what information we collect, how we use it, with whom we share it, and the choices you have regarding your information. It applies to the Site and any related services we offer.
By using our Site, you agree to the collection and use of information in accordance with this Policy. This Policy is incorporated into and subject to our Terms of Service.
2. Information We Collect
We collect information in two ways: information you provide directly, and information collected automatically.
Information you provide:
- Account registration: When you create an account, we collect your email address, password (stored as a bcrypt hash — never in plain text), and optionally your name, institution or organization, and stated research purpose.
- Order information: When you place an order, we collect your shipping address, billing information, and order details. Payment card data is handled by our payment processor and is not stored on our servers.
- Disclaimer acknowledgment: We record your acknowledgment of the research-use disclaimer, including timestamp, IP address, and user-agent string, to maintain a compliance record. For authenticated users, this record is linked to your account.
- Contact and support inquiries: When you contact us, we retain the content of your communications and your contact information.
Information collected automatically:
- Log data: Our servers automatically record information including your IP address, browser type, operating system, referring URL, pages visited, and timestamps.
- Cookies and session tokens: See Section 5 (Cookies and Local Storage) for a detailed description of the cookies and local storage mechanisms we use.
3. How We Use Your Information
We use the information we collect to:
- Process and fulfill your orders and send related communications;
- Create and maintain your account and authenticate your sessions;
- Send transactional emails including order confirmations, shipping notifications, and account verification messages;
- Maintain a record of your research disclaimer acceptance for compliance purposes;
- Respond to your inquiries and provide customer support;
- Detect, prevent, and address fraud, abuse, and security incidents;
- Improve and optimize our Site and services;
- Comply with applicable laws and regulations.
We do not use your personal information for targeted advertising, behavioral profiling, or sale to third parties.
4. Data Storage and Hosting
Your data is stored and processed using the following third-party infrastructure providers. Each receives only the data necessary to perform its function:
- Supabase (database and storage): User accounts, profiles, order records, cart data, and disclaimer acceptance logs are stored in a PostgreSQL database managed by Supabase, Inc. Supabase infrastructure is hosted on AWS. Data is protected by row-level security (RLS) policies that ensure each user can access only their own records. For more information, see Supabase’s Privacy Policy.
- Clerk (authentication & account management): User authentication, session management, sign-in/sign-up flows, and account data (email address, name, and profile metadata) are handled by Clerk, Inc. Clerk issues and verifies session tokens used to authenticate requests across the Site. For more information, see Clerk’s Privacy Policy.
- Vercel (web hosting and edge network): Our website is hosted on Vercel, Inc.’s infrastructure. Vercel processes request logs and may temporarily store IP addresses as part of normal web serving operations. Vercel’s servers are located in the United States and in distributed edge locations globally. For more information, see Vercel’s Privacy Policy.
- Resend (transactional email): Transactional emails (order confirmations, shipping updates, and account verification) are sent via Resend, Inc. When we send you an email, your email address and the content of that email are transmitted to Resend for delivery. Resend does not use your email address for marketing purposes. For more information, see Resend’s Privacy Policy.
5. Cookies and Local Storage
We use the following mechanisms to maintain state across sessions:
- Authentication session cookie (HTTP-only, Supabase): When you log in, Supabase issues a session token stored as an HTTP-only cookie. This cookie cannot be accessed by JavaScript and is used solely to authenticate your requests to the server. It expires when you log out or after a period of inactivity. The associated refresh token is also stored in an HTTP-only cookie and is used to obtain new session tokens transparently. These cookies are set by our server middleware and are essential for the functioning of authentication.
- Research disclaimer acknowledgment cookie: When you accept the research-use disclaimer, we set a first-party cookie (“disclaimer_accepted”) with a one-year expiration. This cookie is version-stamped to allow us to re-present the disclaimer if its content materially changes. For authenticated users, this acknowledgment is also recorded in the database linked to your account.
- Cart data (localStorage — not a cookie): If you add items to your cart before logging in, cart data is stored in your browser’s localStorage. This data never leaves your device until you proceed to checkout. It is not a cookie and is not transmitted to our servers until you log in or place an order. Upon login, your guest cart is merged into your account’s server-side cart.
We do not use analytics cookies, advertising pixels, or any third-party tracking scripts on this Site. You may manage cookie preferences in your browser settings; however, disabling authentication cookies will prevent you from logging in.
6. Data Sharing
We do not sell, rent, or trade your personal information to third parties. We share personal information only in the following limited circumstances:
- Infrastructure providers: As described in Section 4 (Data Storage and Hosting), your data passes through Supabase, Clerk, Vercel, and Resend to support core site functions. Each provider is bound by data processing agreements and their own privacy commitments.
- Legal requirements: We may disclose your information if required to do so by law or in response to a valid court order, subpoena, or government request. We will attempt to notify you of such requests unless prohibited by law.
- Business transfer: In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will provide notice before your information is subject to a different privacy policy.
- Protection of rights: We may disclose information where necessary to protect the rights, property, or safety of Pepti Health LLC, our users, or the public.
7. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your account and associated personal data, subject to our legal obligations to retain certain records (such as order history and compliance logs).
- Data portability: Request a machine-readable export of your personal data.
- Withdrawal of consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
- Non-discrimination: We will not discriminate against you for exercising any of your privacy rights.
To exercise any of these rights, contact us at privacy@pepti-health.com or by mail at the address in Section 11. We will respond within 30 days. We may require verification of your identity before processing requests.
California Residents (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of personal information we have collected from you, subject to certain exceptions (e.g., completing a transaction, legal obligations).
- Right to Correct: You may request that we correct inaccurate personal information.
- Right to Opt Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is required, but you may contact us to confirm this practice.
- Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes beyond those necessary to provide our services.
To submit a verifiable California consumer request, contact us at privacy@pepti-health.com or by mail at the address in Section 11. You may designate an authorized agent to submit requests on your behalf; we may require written proof of authorization. We will respond within 45 days, extendable by an additional 45 days with notice.
8. Data Security
We implement industry-standard technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- HTTPS: All data transmitted between your browser and our servers is encrypted using TLS (HTTPS).
- Password hashing: Passwords are never stored in plain text. Supabase uses bcrypt with a per-user salt to hash all passwords before storage.
- JWT authentication: Session tokens are JSON Web Tokens (JWT) signed with asymmetric keys. Server-side verification uses the public key to confirm token integrity without trusting user-supplied data.
- Row-level security (RLS): All database tables are protected by Supabase RLS policies. These policies enforce at the database layer that each authenticated user can read and write only their own records, preventing data leakage between accounts even in the event of an application-layer bug.
No method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we will notify affected users of any data breach as required by applicable law.
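The following SQL is an added illustration, not part of this Policy and not the Company's actual database schema, showing the shape of the Supabase row-level security policies described in the list above. The table name `orders`, its `user_id` column, and the column layout are assumptions; `auth.uid()` and the `authenticated` role are Supabase's own.

```sql
-- Added illustration (not the Company's actual schema): how a Supabase
-- row-level security policy confines each signed-in user to their own rows.
-- Assumed: a table "orders" whose "user_id" column holds the owner's auth UUID.
create table if not exists orders (
  id          bigint generated always as identity primary key,
  user_id     uuid not null default auth.uid(),  -- owner; defaults to the caller's identity
  total_cents integer not null,
  created_at  timestamptz not null default now()
);

-- Without this line, policies are ignored and every row is visible to any role
-- holding table privileges. FORCE also applies the policies to the table owner.
alter table orders enable row level security;
alter table orders force row level security;

-- auth.uid() returns the "sub" claim of the session JWT that Supabase has already
-- verified, so the check runs on an identity the database trusts, not on any
-- user-supplied request parameter such as a user id in a query string.
create policy "orders: owner may read"
  on orders for select
  to authenticated
  using (user_id = auth.uid());

create policy "orders: owner may insert own rows"
  on orders for insert
  to authenticated
  with check (user_id = auth.uid());

create policy "orders: owner may update own rows"
  on orders for update
  to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

-- No delete policy is created: with RLS enabled, the absence of a policy denies
-- the action outright.
--
-- Effect when an application-layer bug omits the WHERE clause:
--   select * from orders;                -- returns only the caller's rows
--   update orders set total_cents = 0;   -- touches only the caller's rows
```

Two points are worth checking in a real deployment: RLS must be enabled on every table (the `enable row level security` line is per table, and a table without it is fully readable by any role with `SELECT` privilege), and any `service_role` key bypasses RLS entirely, so it belongs only in trusted server-side code and never in the browser.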
9. Children
Our Site is not directed at persons under the age of 18. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected information from a minor, please contact us immediately at privacy@pepti-health.com and we will take steps to delete such information.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the revised Policy on this page with an updated “Last Updated” date. For material changes, we will provide additional notice (such as an email notification to registered users or a prominent notice on our Site). Your continued use of the Site after any changes constitutes your acceptance of the updated Policy.
11. Contact
If you have questions or concerns about this Privacy Policy or our data practices, please contact Pepti Health LLC at:
- Email: privacy@pepti-health.com
- Mailing Address: Pepti Health LLC, 11 E Hubbard St, Suite 501, Chicago, IL 60611