Privacy Policy

Version 1.4 (v1.4) · Pre-launch policy draft dated May 30, 2026 (2026-05-30) · Replaces the v1.3 draft of May 28, 2026 — see Section 14 for the change summary.

We built Pepti because we take medication ourselves and wanted a tracker that respects our privacy. This page explains exactly what we collect, why, who helps us process it, and how you control it. Plain language, no legalese we can avoid.

If you only have thirty seconds: Pepti is local-first for your health records. Weight, dose history, measurements, manual biomarker entries, journal notes, progress photos, and settings stay on your phone unless you explicitly export them, choose cloud backup, connect an OS health store, or use a store/purchase flow that needs entitlement validation. Product analytics is off until you consent. When enabled, analytics uses a pseudonymized installation ID and documented coarse/bucketed payloads. Operational services run separately: Crashlytics receives crash diagnostics, RevenueCat manages purchases, and optional Health Connect / Apple Health sync reads or writes only health types you authorize. During the Pepti Premium free trial, we process a pseudonymized device token to prevent benefit abuse (see Section 4). We do not sell personal data or use advertising identifiers.

1. Who Operates Pepti (Controller)

Pepti is operated by andremilk solutions in Brazil. For privacy requests and to exercise your rights, contact privacy@pepti.app.

2. Privacy Contact

For any privacy question, request, or concern, write to privacy@pepti.app. We respond within 15 days, the LGPD default. There is no third party between you and us — your message reaches the privacy contact directly. If a request is unusually complex, we will say so and propose a longer window before doing the work.

3. Legal bases for processing

Pepti processes your data under two distinct purposes, each with its own legal basis:

Purpose A — Health data and product improvement

Legal basis: specific and explicit consent (LGPD art. 11, I). Applies to: (a) personal tracking of your medication protocol, stored locally on your device; (b) optional OS health-store sync through Health Connect or Apple Health, only after OS permission; (c) pseudonymized and bucketed product analytics (PostHog), only if you explicitly consent on the onboarding completion screen or under Settings → Privacy.

You can revoke this consent at any time in Settings → Privacy without losing access to the app. Revocation stops new analytics events; previously sent events are deleted from PostHog on request (see Section 9).

Purpose B — Trial abuse prevention

Legal basis: legitimate interest (LGPD art. 7º, IX, combined with art. 10). Applies to the processing of a pseudonymized device token during the 14-day free trial period, for the exclusive purpose of preventing repeated reinstallations of the app on the same device to abuse the benefit. The Legitimate Interest Assessment (LIA) is documented and may be made available upon request at privacy@pepti.app.

You may object to this processing at any time at privacy@pepti.app (LGPD art. 18, §2º). If your objection prevents anti-fraud validation, the free trial may not be available on that device (LGPD art. 9º §3º + art. 10 §2º). Technical details are in Section 4.

4. Data we collect

We split this into local data, optional user-directed transfers, optional OS health-store sync, paid-service data, consented analytics, crash diagnostics, and the trial anti-fraud token.

On-device data (local-first by default)

Pepti stores weight logs, dose history, measurements, manual biomarker entries, journal notes, nutrition entries, intestine logs, side effects, progress photos, app settings, local notification schedules, and health-store data imported with your permission on your device. This data does not leave the device unless you choose an export, choose a cloud-backup provider, connect an OS health store, or make an in-app purchase that needs entitlement validation.

Optional exports and cloud backup

If you export a PDF/CSV or share a report, the export is created at your direction. If you turn on cloud backup, Pepti sends the backup file to the provider you choose in the app, such as Google Drive or Dropbox when available and configured.

Health Connect / Apple Health (optional local health-store sync)

If you connect Health Connect on Android or Apple Health / HealthKit on iOS, Pepti asks for OS permission before reading or writing. The current app requests permission to read weight, steps, blood glucose, heart rate, heart-rate variability, and sleep data, and to write weight entries only. We use this data to show your health trends and sync records you choose to sync. Raw Health Connect / Apple Health values are not sent to product analytics; product analytics remains limited to documented coarse/bucketed or closed-vocabulary fields when you consent.

Paid access

RevenueCat manages paid access for Pepti Premium through in-app purchases. If you buy or restore Premium inside the app, RevenueCat and the app stores process purchase identifiers, receipts, product IDs, and entitlement state so the app can unlock the correct features.

Product analytics (only after consent)

When you opt in, Pepti sends product analytics to PostHog using a pseudonymized Pepti installation identifier. We use a release allowlist of broad categories and ranges to understand onboarding progress, reminder and settings interactions, nutrition and hydration usage, bowel-movement logging, side-effect logging, inventory and schedule changes, in-app education cards, and app stability.

We do not send raw weights, raw measurement values, exact dose amounts or exact dose times, photo files, journal text, meal names, or free-text symptom or meal notes in product analytics. Where analytics is based on health-related entries, Pepti reduces precision before sending it; examples include dose amount buckets, weight buckets, measurement site names, medication type or pseudonym, side-effect category/severity, rounded nutrition values, and steps buckets. PostHog may receive technical request metadata such as IP-derived coarse location or SDK system properties; Pepti does not use this data for advertising.

Trial anti-fraud token

During the 14-day free trial period of Pepti Premium, we generate a pseudonymized identifier derived from your Android device, to prevent the same device from abusing the trial through repeated reinstallations.

  • What is processed: a pseudonymized code derived from your device identifier. The resulting code is used only to recognize repeated trial attempts on the same device and is processed separately from health records.
  • What it does NOT contain: weight, dose, medication, photos, symptoms, journal entries, or any data you enter in the app. It is not shared with third parties for advertising, profiling, or price differentiation.
  • Where it is stored: by Cloudflare Inc. (United States), an operator contracted exclusively by Pepti for this purpose. Alongside the code, minimal transient technical metadata (such as IP address and timestamp) is processed and discarded according to the service's retention policy.
  • For how long: 24 months from the start of the trial. After that period, the record is automatically purged.
  • Legal basis: legitimate interest (LGPD art. 7º, IX). LIA available upon request at privacy@pepti.app.
  • Right to object: you may object at any time via privacy@pepti.app. We will analyze your request under LGPD. If your objection prevents anti-fraud validation, the free trial may not be available on that device.

5. Data we do not collect

The categories below are not received by Pepti's analytics pipeline and are not sent to Pepti servers as part of normal local-first tracking:

  • Your name, email address, phone number, contact list, or address book.
  • Raw weight, raw height, raw measurements, exact dose times, exact meal text, journal text, photo files, or free-text symptom descriptions.
  • Lab-result images, OCR text, or lab import files.
  • Biohacker / Peptide Stacks protocol details or Pepti Lab entitlement data.
  • Advertising IDs or data used to sell targeted ads. Pepti does not sell personal data.
  • OneSignal push/in-app messaging data. OneSignal is not active in the current shipping build: the SDK is not included, configured, or initialized.

Important exception: if you choose cloud backup, your selected storage provider receives the backup file. That is a user-directed action.

6. Why we collect (Purpose)

  • Run the app locally: store your medication, weight, measurements, biomarker, nutrition, photo, and journal history on your device.
  • Optional backup/export: create the files or cloud sync you request.
  • Premium access: validate in-app Pepti Premium access through RevenueCat and the app stores.
  • Product improvement: understand where users get stuck, which reminders help, and which features are useful, using only consented pseudonymized analytics.
  • Crash and stability: diagnose crashes and non-fatal errors.
  • Trial anti-fraud: prevent repeated reinstallations on the same device to abuse the free trial.

7. Data Retention

  • On-device records: stay until you delete them, uninstall the app, or replace data from a backup.
  • Analytics events: retained for a rolling 12-month window. Aggregated counts may remain after event deletion, but the underlying event rows are deleted on request.
  • Crash reports: Firebase Crashlytics retains crash stack traces, extracted minidump data, and associated identifiers for 90 days before starting removal from live and backup systems.
  • RevenueCat/app-store in-app purchase records: retained as needed to manage purchases, restore access, prevent fraud, and meet store/accounting obligations.
  • Trial anti-fraud token (Cloudflare): 24 months from the start of the trial. After that period, the record is automatically purged.

8. Operators and user-selected providers

Current operators used when you enable the relevant app features:

  • PostHog Inc. — United States — consented pseudonymized product analytics — https://posthog.com/privacy
  • Google Firebase / Crashlytics — United States — crash and stability reporting — https://firebase.google.com/support/privacy
  • RevenueCat Inc. — United States — Pepti Premium in-app purchase/entitlement management — https://www.revenuecat.com/privacy
  • Cloudflare Inc. — United States — free trial anti-fraud (Worker + Durable Object) — https://www.cloudflare.com/cloudflare-customer-dpa/

User-selected storage/account providers may also process data when you enable them:

  • Google Sign-In / Google Drive — optional sign-in and app-data backup destination you choose.
  • Dropbox — optional app-data backup destination you choose.
  • Health Connect / Apple Health — optional OS health-store sync surfaces controlled by the permissions you grant on your device.

8-bis. Crash reports

When the app crashes or hits a non-fatal error, Firebase Crashlytics receives the technical information needed to diagnose the problem, such as stack traces, relevant app state, device metadata, Crashlytics/Firebase installation identifiers, and time of the crash. Pepti routes reports through a safe wrapper that sanitizes custom keys, logs, and reason strings so sensitive health data such as weight, symptoms, medications, journal entries, and photos are not added by Pepti to crash reports.

9. Your rights under LGPD Art. 18

  1. Confirmation that processing exists.
  2. Access to data we hold about you.
  3. Correction of incomplete, inaccurate, or outdated data.
  4. Anonymization, blocking, or deletion of unnecessary or excessive data.
  5. Portability where technically feasible.
  6. Deletion of data processed under consent.
  7. Information about public/private entities with which we shared data.
  8. Information about the option to refuse consent and the consequences of refusal.
  9. Revocation of consent at any time.
  10. Objection to processing under legitimate interest (Art. 18 §2º) — specifically applicable to the trial anti-fraud token (Section 4 — Purpose B).

10. How to exercise your rights

Use Settings → Privacy to turn off analytics immediately. For access, deletion, portability, correction, objection to processing under legitimate interest, or a question about an operator, email privacy@pepti.app. We respond within 15 days (LGPD art. 19, II) for confirmation or access; unusually complex requests are answered within the applicable legal timeframe, with prior explanation if more time is needed.

11. International data transfer

The operators listed in Section 8 primarily process data in the United States. Optional Google Drive or Dropbox backup data is processed under the terms of the provider you choose.

The legal bases for international transfer combine: (a) your specific consent (LGPD art. 33, I) for consent-based purposes; (b) necessity for contract execution (art. 33, IX) for account/subscription; and (c) standard contractual clauses (art. 33, II) per ANPD Resolution 19/2024, applicable to all operators. Each operator operates under a DPA compatible with LGPD.

12. Security

  1. In transit: network calls use TLS 1.2 or newer.
  2. Local-first storage: health records live in app storage on your device unless you export or back them up. Android Auto Backup is disabled by the app (allowBackup=false) to prevent replication of health data to Google Drive without your explicit choice. Premium purchase data is handled separately by the app stores and RevenueCat.
  3. Pseudonymization: product analytics uses a Pepti installation identifier; the trial anti-fraud token uses a pseudonymized device code. Both are kept separate from raw health records.
  4. Data minimization: analytics uses broad categories and ranges instead of raw health entries wherever possible. Technical request metadata such as IP-derived coarse location may be processed by infrastructure providers, but Pepti does not use it for advertising.
  5. Crash sanitization: Crashlytics is configured to not capture sensitive health data in error logs.

13. Children and adolescents

Pepti is not directed at users under 18 years of age. We do not knowingly collect data from individuals under 18. If you are a guardian of a minor who accessed the application, please contact privacy@pepti.app so we can arrange the deletion of any data that may have been collected. Because the data lives on the phone and not on our servers, the cleanest path is almost always uninstalling the app.

This position aligns with LGPD (art. 14) and with the Brazilian framework for integral protection of children and adolescents in the digital environment.

14. Policy Changes and Version History

When we change this policy in a way that affects what we collect, why we collect it, or who we share it with, we will re-version the document and show the new version before the new collection begins. Cosmetic edits do not trigger a new version. The entries below track policy drafts, not app releases; Pepti has not had a public app launch yet.

Version history

  • 1.4 — May 30, 2026 — current draft. Reconciles the policy with Apple App Privacy / Google Play Data Safety labels, discloses Health Connect / Apple Health, separates PostHog, RevenueCat, and Crashlytics, removes unverified IP and identity-linkage claims, and records the OneSignal exclusion while inactive.
  • 1.3 — May 28, 2026 — earlier pre-launch policy draft. Adds dual-purpose declaration distinguishing Purpose A (consent, health data) and Purpose B (legitimate interest, trial anti-fraud); adds Cloudflare Inc. as operator with international transfer mechanism per ANPD Resolution 19/2024; adds “trial anti-fraud token” category with 24-month retention; adds right of objection (Art. 18 §2º); updates minors clause to “not directed at users under 18 years of age”.
  • 1.2 — May 14, 2026 — earlier pre-launch policy draft. Simplifies the user-facing explanation of analytics, clarifies launch-scope data collection, removes inactive service references, and refreshes the processor/provider list.
  • 1.1 — May 13, 2026 — earlier pre-launch policy draft.
  • 1.0 — April 16, 2026 — initial pre-launch policy draft prepared for testing.

15. Effective date and version

Version 1.4 (v1.4) — pre-launch policy draft dated May 30, 2026 (2026-05-30). Replaces Version 1.3 of May 28, 2026.

16. Jurisdiction

This policy is governed by Brazilian law — the LGPD (Lei nº 13.709/2018), the Marco Civil da Internet, and the Consumer Defense Code (CDC). Disputes are resolved in the comarca of the data subject's foro (consumer's home court) when the relationship is governed by the CDC, which it is for individual users of Pepti.

© 2026 Pepti. Version 1.4 · 2026-05-30.