Privacy Policy

At a glance

1. Introduction

This Privacy Policy describes how PinPal Technologies LLC (“PinPal,” “we,” “us,” or “our”) collects, uses, discloses, and protects information when you use the PinPal iOS app (bundle ID ai.pinpal.app), the website at pinpal.ai, and any related services (collectively, the “Service”).

By using the Service you accept and agree to the practices described here. If you do not agree with this policy, do not use the Service.

A note on HIPAA. PinPal is a consumer wellness app. It is nota “covered entity” or a “business associate” under the U.S. Health Insurance Portability and Accountability Act (“HIPAA”), and the information you enter is not“protected health information” as HIPAA defines it. HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses; PinPal is none of these. Your information is protected by this policy and the consumer-privacy laws it describes — not by HIPAA. We do not describe PinPal as “HIPAA-compliant” or “HIPAA-certified.”

2. What we collect

Information you provide directly

Account.When you sign in with Apple or Google we receive a stable user identifier and an email address. If you use Apple's private email relay we receive a relay address only. We do not collect passwords.

Protocol data. Peptide or compound names (from our library or your custom entries), dose, frequency, scheduled and actual injection timestamps, reconstitution calculator inputs, and any notes you add.

Check-in data. Symptom selections, severity ratings, manually entered weight values, and optional notes.

Journal entries and bulk import. Any text you write in the journal or paste into the bulk import feature.

Support correspondence. If you email [email protected], we keep a record of that exchange.

Information collected automatically

Basic technical information (device model, OS version, App version, language/region) for bug diagnosis. Authentication metadata (sign-in events, access tokens) managed by our backend provider. We do not use any advertising SDK, analytics SDK, or crash-reporting service.

3. Apple HealthKit

What we read (with your explicit permission): resting heart rate, heart rate variability (HRV), body weight, sleep (total duration and REM / deep / light / awake stages), dietary macros (food energy/calories), blood pressure, and blood glucose.

What we write to HealthKit: body weight and blood pressure entries you log in the App may be written back to HealthKit.

Where HealthKit values are stored: the actual numbers read from HealthKit — your specific heart rate, HRV, weight, sleep, glucose, and blood pressure readings — are read into memory on your device. Correlation and overlay computations happen entirely on your iPhone. These absolute readings are notuploaded to PinPal's servers and not sent to any AI provider.

The one exception — Daily Insights: Daily Insights is an optional AI feature you choose to use. When you generate a Daily Insight, the App sends a third-party AI provider a summary of how your biomarkers changed over the analysis window. It does not send the underlying readings themselves: not your actual heart rate, weight, glucose, or any individual measurement. The change summary and the resulting analysis are saved to your Daily Insights history so you can review past insights, and that history is deleted when you delete your account. If you never use Daily Insights, nothing derived from your HealthKit data leaves your device.

Your control:revoke access any time via iOS Settings → Privacy & Security → Health → PinPal. Revoking HealthKit access does not delete your PinPal account or protocol data.

Per Apple's Developer Program License Agreement and App Store Review Guidelines (5.1.3), HealthKit data may not be used for advertising, sold, or shared with third parties for purposes beyond those you have explicitly authorized. We follow these rules.

4. How we use your information

We use the information we collect to: authenticate you and maintain your session; provide the core App features (protocol logging, reconstitution math helper, check-ins, history); generate AI-assisted informational guidance; diagnose bugs; and respond to support requests.

AI guidance specifically. When you use the chat or Daily Insights feature, the request is sent through our backend to a third-party AI provider. The request never contains your name, email address, or any identifier, and we do not use AI responses to train or fine-tune any model. The chat request carries only a context summary — your current symptom selections and an abstracted protocol description — and no HealthKit data. The Daily Insights request adds a summary of how your biomarkers changed over the analysis window; it does not contain the underlying HealthKit readings.

We do not use your information for advertising, automated decision-making with legal effects, building lookalike audiences, training third-party models, or selling to data brokers.

5. How we share your information

We do not sell your personal information. We share information only with the vendors listed below, each contractually limited to processing your data on our instructions.

We may also disclose information in response to a lawful legal request, or as part of a merger or acquisition (with advance notice if materially different handling would result).

6. Retention

Account, protocol, check-in, journal data, and Daily Insights history are retained until you delete your account, at which point they are removed from our production database immediately. Backup snapshots rotate on a 30-day cycle; security and audit logs are retained for up to 90 days. The actual HealthKit readings are never stored by PinPal — only the biomarker change figures inside your Daily Insights history, which is deleted with your account.

7. Security

We use TLS 1.3 in transit, AES-256 at rest, row-level security in our database, and server-side gating of all AI provider API keys. No AI provider keys are on the client. No method of transmission or storage is 100% secure; if we learn of a breach affecting your data we will notify you as required by law.

8. Your rights

Depending on where you live, you may have rights to access, correct, delete, or port your personal information, to object to or restrict certain processing, and to withdraw consent. We honor these rights for all users regardless of residence.

To exercise your rights: use Settings → Delete Account in the App for deletion (fastest, most complete), or email [email protected] for any other request. We respond within the timeframe required by applicable law (generally 45 days under CCPA, one month under GDPR, 45 days under MHMDA).

California residents: we do not sell or share personal information as defined by CCPA/CPRA. Washington residents: we do not sell consumer health data as defined by MHMDA, and you can also see our Consumer Health Data Privacy Policy.

9. Children

The Service is not directed to anyone under 18. We do not knowingly collect personal information from anyone under 18. If you believe a child under 18 has provided us with personal information, please contact us and we will delete it.

10. Changes to this policy

Material changes will be announced by in-app banner and email at least 30 days before taking effect. Non-material changes are reflected in the date at the top of this page. Continued use after changes become effective constitutes acceptance of the revised policy.

Contact

Questions or requests about this policy: [email protected]

PinPal Technologies LLC · California, USA