Privacy Policy
How Pep handles your information. The short version: we collect the minimum we need, we don't sell it, and we don't use third-party trackers.
Last updated: April 14, 2026
Who we are
Pep is an evidence-graded peptide research platform, operated by Rachel Gerrish, doing business as Pep. We publish educational compound profiles, regulatory tracking, and editorial content. We are not a healthcare provider, pharmacy, or telehealth service. We do not diagnose, treat, prescribe, or sell any products.
What we collect
When you browse (no account required)
- An anonymous device identifier (a random ID stored in a cookie called pep_aid), used to connect your browsing sessions across visits. This is not linked to your identity unless you provide your email.
- Pages you visit, how far you scroll, and which compounds you view. This helps us understand which content is useful.
- Your country and state (from Vercel's server-side geolocation of your IP — not GPS, not street-level). Country is used to restrict access to US visitors only. State is used to understand which parts of the country our visitors come from, at the same resolution Vercel provides (a two-letter code like “CA” or “NY”). We do not store city, postal code, latitude/longitude, or any more precise location.
- A hashed version of your IP address. We never store your raw IP. The hash uses a monthly-rotating salt, meaning it becomes unrecoverable after 13 months even if our database were compromised.
- Your browser type and operating system family (not a full fingerprint).
When you subscribe to emails
- Your email address.
- Which page you subscribed from (so we can send relevant updates).
- Which compounds you expressed interest in (if subscribing from a compound page).
When you take the quiz
- Your quiz answers: which health goals you selected, what you've tried before, and your evidence preference. We treat this as personal health information.
- Your email address (required to receive your results).
- Your explicit consent (timestamp and IP address of when you checked the consent box). This is stored for our audit trail.
Quiz answers are only submitted after you actively check the consent checkbox and click submit. Your answers stay in your browser until that point.
What we don't collect
- Diagnosed health conditions, symptoms, or biomarkers
- Prescription medications
- Date of birth or age
- City-level or more precise geolocation (no GPS, no street-level data, no latitude/longitude)
- Raw IP addresses (only salted hashes, rotated monthly)
- Browser fingerprints
- Payment or financial information
How we use your information
- To send you what you signed up for. If you subscribed from the BPC-157 page, you'll hear about BPC-157 updates. If you took the quiz, you'll receive your matched compounds. We don't spam.
- To improve the site. We track which compounds get the most views, where people drop off in the quiz, and which articles are read to the end. This helps us write better content.
- To connect your devices. If you take the quiz on your laptop and open the results email on your phone, we link those sessions so your matches appear on both. This uses signed, single-use tokens, not tracking cookies.
- To restrict access to US visitors. We use country-level geolocation to block non-US traffic. This is a regulatory decision, not a tracking decision.
Who we share your data with
We use three services to run Pep. Your data is shared with these services only for the purposes described:
- Vercel (hosting and analytics): Hosts the site and provides basic operational analytics (page views, funnel metrics). No cookies, no fingerprinting, no cross-site tracking. If you have Global Privacy Control enabled, even this is disabled. As our hosting provider, Vercel processes all HTTP requests to the site and may independently collect data such as IP addresses, request metadata, and server logs under their own privacy policy. You can review Vercel's privacy policy for details on what they collect as an infrastructure provider.
- Resend (email delivery): Sends transactional and newsletter emails. Receives your email address and first name only. Processes email events (delivered, opened, bounced) which we log for deliverability. You can review Resend's privacy policy for details.
- Neon (database hosting): Hosts our PostgreSQL database. All data described on this page is stored in Neon's infrastructure. You can review Neon's privacy policy for details.
These services act as subprocessors on our behalf. They process your data only to provide the services described above. We do not sell your data. We do not share it with advertisers, data brokers, or any parties not listed above. We do not use Google Analytics, Meta Pixel, or any third-party tracking scripts.
Cookies
We use a small number of cookies. All are first-party, server-set, and HttpOnly (meaning JavaScript on the page cannot read them):
| Name | Purpose | Duration |
|---|---|---|
| pep_aid | Anonymous device identifier. Links your browsing sessions. Not tied to your identity unless you provide your email. | 1 year |
| pep_entry_ref | Stores the referring website (if any) that brought you to Pep, captured from the standard HTTP Referer header on your first page load. Used exclusively to understand where our traffic comes from — e.g., search engines, social media. Cleared automatically after your first page interaction completes. | 1 hour (or until first page interaction, whichever comes first) |
No third-party cookies. No cookie consent banner is required because these are strictly functional first-party cookies under US law.
Global Privacy Control
We honor the Global Privacy Control (GPC) signal. If your browser sends the Sec-GPC: 1 header, we disable Vercel Analytics for your session. Your browsing events are still recorded in our database (for site functionality) but marked as “no track” and excluded from all analytics reporting. We treat GPC as a legally binding opt-out signal.
How long we keep your data
- Browsing events: Stored in monthly partitions. We retain event data for analytics purposes. IP hashes become unrecoverable after 13 months (when the salt used to create them is deleted).
- Email and account data: Retained until you unsubscribe or request deletion.
- Quiz submissions: Retained until you request deletion. Your consent record (timestamp, IP, policy version) is retained for compliance audit purposes.
- Verification tokens: Expire after 24 hours. Only hashes are stored; they are cleaned up by an automated daily job.
Your rights
- Unsubscribe from emails at any time using the link in any email we send, or from your email preferences page.
- Request deletion of your account, quiz data, and email subscription by emailing privacy@feelpep.co. We will delete your data within 30 days and confirm by email.
- Request a copy of the data we hold about you by emailing the same address.
- Clear your anonymous ID by deleting the pep_aid cookie from your browser. A new anonymous ID will be created on your next visit, unlinked from your previous browsing history.
Geographic scope
Pep is intended for users in the United States only. We use server-side geolocation to redirect non-US visitors to an informational page. We do not knowingly collect data from users outside the United States.
State-specific rights
California (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act and the California Privacy Rights Act:
- Right to know what personal information we collect, use, and disclose. This page describes all of it.
- Right to delete your personal information. Email privacy@feelpep.co and we will delete your data within 30 days.
- Right to opt out of the sale of personal information. We do not sell personal information to third parties, as defined under the CCPA.
- Right to non-discrimination. We will not treat you differently for exercising your privacy rights.
- Right to correct inaccurate personal information. Contact us to update your information.
- Right to limit use of sensitive personal information. The only sensitive information we collect is quiz answers (health goals), which are collected with your explicit consent and used solely to provide your results.
Washington, Connecticut, and Nevada
These states have health data privacy legislation (Washington My Health My Data Act, Connecticut CTDPA, Nevada SB 370) that imposes additional requirements on the collection of health-related information. To comply, the Pep quiz is not currently available to visitors in these states. All other content on the site (compound profiles, regulatory tracker, journal, goal pages) remains fully accessible. We are working toward full compliance and will enable the quiz in these states when we meet the requirements.
Children
Pep is not intended for anyone under 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, contact us at privacy@feelpep.co and we will delete it.
Changes to this policy
We will update this page when our practices change. Material changes (new data collection, new third parties, or changes to how we use health-related data) will be communicated by email to subscribers. The “last updated” date at the top reflects the most recent revision.
Contact
For privacy questions, data requests, or concerns: privacy@feelpep.co