Privacy Policy
Effective April 17, 2026
1. Interpretation and Definitions
For the purposes of this Privacy Policy, the following terms have the meanings given here.
- “Service” means the PepScan mobile application, this website at pepscan.ai, the embedded Studio, and any related features we make available.
- “You” means the individual who uses the Service, whether on their own behalf or on behalf of another person.
- “Personal Data” means any information that relates to an identified or identifiable individual.
- “Account” means a unique identifier created on your device when you first open the Service so we can store your scans and preferences.
2. Information We Collect
The Service is designed to work without requiring you to share your real identity. We collect the following categories of information.
- Anonymous account identifiers. A random identifier created on your device the first time you launch the app. It is not linked to your name, email, or phone number unless you provide one separately when contacting us.
- Onboarding answers. The goal you select, the concerns you tap, your declared sex, approximate age, height, and weight, and the peptide you choose for your scan. These are stored against your anonymous identifier so we can tailor projections and recommendations.
- Photos you submit. The face or body photo you capture or upload, plus the AI-generated transformation we return. These are stored privately and accessible only to your account.
- Subscription metadata. Your subscription status and a stable identifier so we can grant scan credits. We do not collect or store your card number, your Apple ID, or your Google account.
- Diagnostic data. Standard server access logs (IP address, timestamps, request paths) used for security and debugging, retained for no longer than thirty days.
3. How We Use Your Information
We use the information we collect to:
- Run the AI pipeline that produces your transformation.
- Cache results so we do not regenerate the same image for the same input within a short window.
- Enforce per-user generation limits and refresh them on schedule.
- Fulfill subscriptions and one-time purchases.
- Respond to reports of inappropriate or inaccurate output and improve moderation.
- Debug, monitor, and secure the Service.
- Comply with legal obligations.
We do not sell your information. We do not use your photos to train third-party models. We do not share your photos with advertisers or data brokers.
4. Legal Bases for Processing (for users in the EU/EEA and UK)
If you are located in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR:
- Performance of a contract. To deliver the Service you asked for, including running generations and managing your subscription.
- Legitimate interests. To keep the Service secure, prevent abuse, and improve quality.
- Consent. For any processing that requires it. We will ask first.
- Legal obligation. Where we must process information to comply with applicable law.
5. How We Share Information
We share information only in the limited circumstances below, and only with parties bound by confidentiality and data protection obligations.
- Service providers. Trusted infrastructure partners who help us host the Service, run the AI pipeline, deliver email, and process payments. They may only use your information to perform tasks on our behalf and may not use it for their own purposes.
- Legal compliance. When required by law, court order, or to protect our rights, the safety of our users, or the integrity of the Service.
- Business transfers. If PepScan is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before that happens.
6. User Content and License Rights
You retain ownership of the photos you submit. By submitting a photo to the Service, you grant us a limited, worldwide, royalty-free license to process, store, transmit, and display that photo solely for the purpose of providing the Service to you. You may revoke this license at any time by deleting the scan or your account.
The transformations the Service generates are provided for your personal use. You may share them on social media (the app includes tooling for that) provided you do not present them as unaltered photographs.
7. Data Retention
- Anonymous accounts and profile data persist until you delete the account.
- Photos and generated transformations persist until you delete the scan or the account.
- Generation cache entries expire automatically within forty-eight hours.
- Server access logs are rotated within thirty days.
- Subscription records are retained for as long as required by tax and consumer-protection law.
8. International Data Transfers
PepScan is operated from the United States. If you use the Service from another jurisdiction, you understand that your information will be transferred to and processed in the United States and the jurisdictions in which our service providers operate. Where required, we rely on Standard Contractual Clauses or other lawful transfer mechanisms with our processors.
9. Your Privacy Rights
Depending on where you live, you may have the right to:
- Access the Personal Data we hold about you.
- Correct inaccurate or incomplete information.
- Delete your information.
- Object to or restrict certain processing.
- Receive your information in a portable format.
- Withdraw consent at any time, where consent is the legal basis.
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, email support@pepscan.ai. We will respond within the timeframes required by applicable law.
10. Deleting Your Account
You can delete your account at any time from inside the app under Settings → Account → Delete account. When you do, we permanently remove your profile, every scan you have created, every stored image associated with your account, and your authentication record. There is no restore.
11. Security
Information moving between your device, our servers, and our processors is encrypted with TLS. Photos are held in private storage with row-level access controls that restrict reads and writes to your account only. Database access is gated by signed requests scoped to your user identifier.
No system is perfect. If you believe your account has been compromised, contact us immediately at support@pepscan.ai.
12. Children's Privacy
The Service is not directed to children under seventeen, and we do not knowingly collect information from anyone under seventeen. Age enforcement is handled by app store content ratings. If you believe a child has used the Service, contact us and we will delete the associated account.
13. Third-Party Links
The Service may contain links to websites or services we do not operate. This Privacy Policy does not cover the practices of those third parties. We encourage you to review their privacy policies before sharing information with them.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make a material change, we will update the effective date at the top of this page and, where appropriate, surface a notice in the app. Continued use of the Service after a change constitutes acceptance of the updated policy.
15. Contact Us
For questions or requests related to this Privacy Policy, email support@pepscan.ai.