Privacy Policy
Effective May 25, 2026
1. Interpretation and Definitions
For the purposes of this Privacy Policy, the following terms have the meanings given here.
- “Service” means the PepScan mobile application, this website at pepscan.ai, the embedded Studio, and any related features we make available.
- “You” means the individual who uses the Service, whether on their own behalf or on behalf of another person.
- “Personal Data” means any information that relates to an identified or identifiable individual.
- “Account” means a unique identifier created on your device when you first open the Service so we can store your scans and preferences.
2. Information We Collect
The Service is designed to work without requiring you to share your real identity. We collect the following categories of information.
- Anonymous account identifiers. A random identifier created on your device the first time you launch the app. It is not linked to your name, email, or phone number unless you provide one separately when contacting us.
- Onboarding answers. The goal you select, the concerns you tap, your declared sex, approximate age, height, and weight, and the peptide you choose for your scan. These are stored against your anonymous identifier so we can tailor projections and recommendations.
- Photos you submit. The face or body photo you capture or upload, plus the AI-generated transformation and aesthetic-analysis results we return. Photos are stored privately and accessible only to your account. To produce your results, your photos are sent to the third-party AI providers named in Section 5 (OpenAI and fal.ai). The app asks for your explicit consent before any photo is sent, and you can decline.
- Subscription metadata. Your subscription status and a stable identifier so we can grant scan credits. We do not collect or store your card number, your Apple ID, or your Google account.
- Diagnostic data. Standard server access logs (IP address, timestamps, request paths) used for security and debugging, retained for no longer than thirty days.
3. How We Use Your Information
We use the information we collect to:
- Run the AI pipeline that produces your transformation.
- Cache results so we do not regenerate the same image for the same input within a short window.
- Enforce per-user generation limits and refresh them on schedule.
- Fulfill subscriptions and one-time purchases.
- Respond to reports of inappropriate or inaccurate output and improve moderation.
- Debug, monitor, and secure the Service.
- Comply with legal obligations.
We do not sell your information. We do not use your photos to train third-party models. We do not share your photos with advertisers or data brokers.
4. Legal Bases for Processing (for users in the EU/EEA and UK)
If you are located in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR:
- Performance of a contract. To deliver the Service you asked for, including running generations and managing your subscription.
- Legitimate interests. To keep the Service secure, prevent abuse, and improve quality.
- Consent. For any processing that requires it. We will ask first.
- Legal obligation. Where we must process information to comply with applicable law.
5. How We Share Information and the Providers We Use
We share information only in the limited circumstances below, and only with parties contractually bound to provide the same or equal level of data protection described in this policy. Each provider may use the data we share solely to deliver its service to us — not for its own purposes, not to build its own products, and not to train its models on your content.
Third-party AI providers. Pepscan AI is an AI product. To generate your results we transmit the face and body photos you capture, together with the onboarding context you provided (such as your goal and selected peptide), to the following AI services. The app asks for your explicit consent before any photo is sent.
- OpenAI (OpenAI, L.L.C.). We send your photos (via short-lived signed URLs) and onboarding context to OpenAI’s GPT-4o vision model to produce your Aesthetic Analysis (scoring facial harmony, symmetry, proportions, and bone structure, and generating personalized recommendations). Per OpenAI’s API data-usage policy, data submitted through the API is not used to train OpenAI’s models. OpenAI’s privacy policy: openai.com/policies/privacy-policy.
- fal.ai (Features & Labels, Inc.). We send your before-image (via a signed URL that expires within one hour) and a generation prompt to fal.ai to render your projected transformation image. fal.ai processes the image only for the duration of the generation request and does not retain it to train models. fal.ai’s privacy policy: fal.ai/legal/privacy.
We also rely on the following non-AI service providers:
- Supabase (Supabase Inc.). Authentication, database, and private file storage. Your account, scans, analyses, and subscription record live here.
- Superwall (Superwall Labs Inc.). Paywall presentation and subscription/entitlement state. Superwall receives your subscription status and a stable identifier; it never receives your card details.
- Apple. Processes all in-app purchase billing and, if you choose Sign in with Apple, provides your name and a real or relay email. We never see your Apple ID password or payment details.
- Legal compliance. We may disclose information when required by law, court order, or to protect our rights, the safety of our users, or the integrity of the Service.
- Business transfers. If Pepscan AI is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before that happens.
We do not sell your personal information, we do not share it with advertisers or data brokers, and we do not use your photos to train any models — ours or our providers’.
6. User Content and License Rights
You retain ownership of the photos you submit. By submitting a photo to the Service, you grant us a limited, worldwide, royalty-free license to process, store, transmit, and display that photo solely for the purpose of providing the Service to you. You may revoke this license at any time by deleting the scan or your account.
The transformations the Service generates are provided for your personal use. You may share them on social media (the app includes tooling for that) provided you do not present them as unaltered photographs.
7. Data Retention
- Anonymous accounts and profile data persist until you delete the account.
- Photos and generated transformations persist until you delete the scan or the account.
- Generation cache entries expire automatically within forty-eight hours.
- Server access logs are rotated within thirty days.
- Subscription records are retained for as long as required by tax and consumer-protection law.
8. International Data Transfers
PepScan is operated from the United States. If you use the Service from another jurisdiction, you understand that your information will be transferred to and processed in the United States and the jurisdictions in which our service providers operate. Where required, we rely on Standard Contractual Clauses or other lawful transfer mechanisms with our processors.
9. Your Privacy Rights
Depending on where you live, you may have the right to:
- Access the Personal Data we hold about you.
- Correct inaccurate or incomplete information.
- Delete your information.
- Object to or restrict certain processing.
- Receive your information in a portable format.
- Withdraw consent at any time, where consent is the legal basis.
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, email support@pepscan.ai. We will respond within the timeframes required by applicable law.
10. Deleting Your Account
You can delete your account at any time from inside the app under Settings → Account → Delete account. When you do, we permanently remove your profile, every scan you have created, every stored image associated with your account, and your authentication record. There is no restore.
11. Security
Information moving between your device, our servers, and our processors is encrypted with TLS. Photos are held in private storage with row-level access controls that restrict reads and writes to your account only. Database access is gated by signed requests scoped to your user identifier.
No system is perfect. If you believe your account has been compromised, contact us immediately at support@pepscan.ai.
12. Children's Privacy
The Service is not directed to children under seventeen and we do not knowingly collect information from anyone under seventeen. Age enforcement is handled by app store content ratings. If you believe a child has used the Service, contact us and we will delete the associated account.
13. Third-Party Links
The Service may contain links to websites or services we do not operate. This Privacy Policy does not cover the practices of those third parties. We encourage you to review their privacy policies before sharing information with them.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make a material change we will update the effective date at the top of this page and, where appropriate, surface a notice in the app. Continued use of the Service after a change constitutes acceptance of the updated policy.
15. Contact Us
For questions or requests related to this Privacy Policy, email support@pepscan.ai.