Contents
  1. Overview & your rights
  2. Scope of this policy
  3. Information we collect
  4. Protected Health Information (PHI)
  5. How we use information
  6. How we share information
  7. Service providers & third parties
  8. Cookies & tracking
  9. Advertising & analytics
  10. How we protect your data
  11. Data retention
  12. Your privacy rights
  13. Your HIPAA rights
  14. State-specific rights (CA, VA, CO, CT, UT)
  15. Children's privacy
  16. Users outside the U.S.
  17. Changes to this policy
  18. Contact & Privacy Officer
Legal · Last updated April 17, 2026

Pepps Privacy Policy

Pepps is a healthcare-adjacent platform. The data you share with us — especially your biomarkers, prescription details, and messages with your physician — is sensitive, and we treat it that way. This policy explains what we collect, how we use it, who we share it with, and the rights you have.

The short version:
  • We do not sell your personal information or Protected Health Information.
  • We do not use your PHI for advertising without your explicit written authorization.
  • Your clinical data is stored in HIPAA-compliant systems accessed only by authorized personnel.
  • You can export, correct, or delete your data at any time from your member portal.

1. Overview & your rights at a glance

Pepps, Inc. ("Pepps," "we," "us," "our") respects your privacy and is committed to protecting your personal information. This Privacy Policy ("Policy") describes the categories of information we collect, how we use it, who we share it with, and the rights you have over your data. It applies to your use of the Pepps website, mobile applications, member portal, and related services (collectively, the "Services").

Depending on where you live, you may have specific rights under laws like HIPAA, the California Consumer Privacy Act ("CCPA/CPRA"), Virginia's Consumer Data Protection Act, or similar state privacy laws. Those rights are summarized below and detailed in Sections 12–14.

2. Scope of this policy

This Policy covers information collected through Pepps's website, member portal, mobile apps, and any related Services. It does not cover the independent practices of our pharmacy partners, lab partners, or third-party services, which have their own privacy policies that govern their collection and use of information.

For Protected Health Information ("PHI") created or received in connection with your patient-physician relationship with a Pepps-affiliated physician, additional HIPAA protections apply. See Section 4 and Section 13.

3. Information we collect

Information you give us directly

  • Account information — name, email, password, phone number, date of birth, shipping address;
  • Payment information — billing address and payment-method details (processed by our payment processor, not stored directly by Pepps);
  • Medical intake — health history, medications, allergies, goals, consent documentation;
  • Biomarker results — lab values you authorize us to receive from our lab partners;
  • Communications — messages to your physician, support inquiries, survey responses;
  • Content you choose to submit — testimonials (if provided), referrals, uploaded documents.

Information we collect automatically

  • Device and browser type, IP address, operating system, approximate location;
  • Pages viewed, links clicked, time on page, referring/exit URLs;
  • Cookies, pixels, and similar technologies (see Section 8);
  • Product-usage events in the member portal (logins, feature use, errors).

Information from third parties

  • Lab results from our clinical-laboratory partners;
  • Prescription-fulfillment and shipment-tracking data from our pharmacy partners;
  • Identity-verification and fraud-prevention signals from our vendors;
  • Marketing attribution and advertising performance (aggregated, non-PHI).

4. Protected Health Information (PHI)

Certain information Pepps creates, receives, or stores in connection with your clinical relationship with a Pepps-affiliated physician is Protected Health Information under HIPAA. This includes your medical intake, prescriptions, physician notes, biomarker results, and messages with your physician.

PHI is treated with additional protections required by HIPAA. We use and disclose PHI only for treatment, payment, and healthcare operations, or as otherwise permitted or required by law. We do not use PHI for marketing, sell PHI to third parties, or disclose PHI to advertisers. For a complete description of your HIPAA rights, see Section 13.

5. How we use information

We use the information we collect to:

  • Provide, maintain, and improve the Services;
  • Facilitate the clinical relationship between you and your Pepps-affiliated physician;
  • Coordinate lab testing, prescription fulfillment, and shipment;
  • Process payments, subscriptions, and refunds;
  • Send transactional communications (order confirmations, shipping notices, clinical reminders);
  • With your consent, send marketing communications you can unsubscribe from at any time;
  • Detect, prevent, and respond to fraud, security incidents, and abuse;
  • Comply with legal obligations and enforce our Terms of Use;
  • Improve the Services and develop new features using de-identified or aggregated data.

6. How we share information

We share information only as described in this Policy, including with:

  • Pepps-affiliated physicians — your medical intake, biomarker results, and messages, so your physician can provide care;
  • Pharmacy partners — prescriptions and shipping details, so compounded products can be prepared and delivered;
  • Lab partners — test orders and results, so biomarker testing can be completed;
  • Service providers — payment processors, hosting, customer support, email delivery, analytics, and security vendors who contractually agree to protect your data;
  • Legal & safety — when required by law, subpoena, or court order, or to protect the rights, property, or safety of Pepps, our members, or others;
  • Business transfers — in a merger, acquisition, financing, or sale of assets, with appropriate protections for your privacy.

We do not sell your personal information or PHI. We do not share PHI with advertising networks. We do not use PHI to build advertising profiles.

7. Service providers & third parties

Pepps uses carefully vetted service providers to operate the Services. Categories include: cloud infrastructure, payment processing, compounding pharmacy, laboratory services, shipping carriers, telehealth platform, identity verification, email/SMS delivery, analytics, customer support, and security monitoring. Each provider is bound by a Business Associate Agreement (BAA) or Data Processing Agreement (DPA) as appropriate.

8. Cookies & similar technologies

Pepps uses cookies and similar technologies for essential site functions (authentication, security, preferences) and for analytics, performance, and marketing. You can control cookies through your browser settings or our cookie-preferences tool. Blocking certain cookies may affect Service functionality.

We honor Global Privacy Control (GPC) signals and treat them as an opt-out of the "sale" or "sharing" of personal information where applicable under state law.

9. Advertising & analytics

We use analytics and advertising tools to understand how people find and use Pepps. We configure these tools to avoid transmitting PHI. You can opt out of personalized advertising through the Digital Advertising Alliance (optout.aboutads.info) and Network Advertising Initiative (optout.networkadvertising.org), and through device-level settings on iOS and Android.

10. How we protect your data

Pepps uses administrative, technical, and physical safeguards designed to protect your information — including encryption in transit and at rest, access controls based on least-privilege principles, logging and monitoring, regular security reviews, and employee training. PHI is stored and processed in HIPAA-compliant infrastructure.

No system is perfectly secure. If you suspect unauthorized access to your account, contact us immediately at security@pepps.com.

11. Data retention

We retain your information for as long as your account is active or as needed to provide Services. Clinical records are retained as required by state medical-records laws (typically 7–10 years after the last date of service). Marketing contact data is retained until you opt out. You may request deletion at any time; we will delete or de-identify your data except where retention is required by law.

12. Your privacy rights

You have the right to:

  • Access the personal information we hold about you;
  • Correct inaccurate or incomplete information;
  • Delete your information, subject to legal retention requirements;
  • Port your data in a commonly used, machine-readable format;
  • Opt out of marketing communications at any time;
  • Opt out of "sale" or "sharing" of personal information as defined by state law (Pepps does not sell PHI);
  • Withdraw consent where processing is based on your consent.

To exercise any of these rights, email privacy@pepps.com or use the "Privacy Rights Request" form in your member portal. We will verify your identity before responding and aim to respond within 30 days (or as otherwise required by law).

13. Your HIPAA rights

When Pepps creates, receives, or stores Protected Health Information in connection with your clinical care, you have additional HIPAA rights, including:

  • The right to access your medical records and receive a copy;
  • The right to request amendments to inaccurate or incomplete records;
  • The right to an accounting of disclosures of your PHI;
  • The right to request restrictions on how your PHI is used or disclosed;
  • The right to receive confidential communications at a specific location or by a specific method;
  • The right to be notified of any breach of unsecured PHI;
  • The right to file a complaint with Pepps's Privacy Officer or with the U.S. Department of Health and Human Services Office for Civil Rights.

A full HIPAA Notice of Privacy Practices is provided before any clinical relationship is established and is available at any time from our Privacy Officer (see Section 18).

14. State-specific rights

California (CCPA/CPRA)

California residents have the right to know, delete, correct, and opt out of the "sale" or "sharing" of personal information, and the right to limit the use of "sensitive" personal information. Pepps does not sell personal information. To exercise your rights, contact privacy@pepps.com. California residents may designate an authorized agent to submit requests.

Virginia, Colorado, Connecticut, Utah (and similar state laws)

Residents of states with comprehensive consumer-privacy laws have similar rights of access, correction, deletion, data portability, and opt-out of targeted advertising and profiling. Use the same contact channels listed above to exercise these rights.

Nevada

Nevada residents may submit a verified request that Pepps not sell their covered information. Pepps does not sell personal information as that term is used under Nevada law.

15. Children's privacy

The Services are not directed to anyone under 18. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us immediately at privacy@pepps.com and we will delete it.

16. Users outside the United States

Pepps operates and stores information in the United States. Services are available only to U.S. residents in states where Pepps is licensed. If you access the Services from outside the U.S., your information will be transferred to and processed in the U.S. subject to this Policy.

17. Changes to this policy

We may update this Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and, for material changes, notify you by email or through the member portal. Your continued use of the Services after the effective date constitutes acceptance of the updated Policy.

18. Contact us & Privacy Officer

Questions about this Policy, your data, or your rights? Our Privacy Officer is responsible for our privacy practices and HIPAA compliance.

  • Privacy & HIPAA requests: privacy@pepps.com
  • Security incidents: security@pepps.com
  • Mail: Pepps, Inc., Attn: Privacy Officer, [Mailing Address]

You also have the right to file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights at hhs.gov/hipaa/filing-a-complaint.
