Privacy Policy
Last updated May 20, 2026
1. Who we are
TidenUp ("TidenUp", "we", "us") is operated by TidenUp, Inc., a Delaware corporation with a registered office at 1209 Orange Street, Wilmington, DE 19801. For privacy questions, contact admin@tidenup.com. EU/UK data subjects may contact our Data Protection contact at admin@tidenup.com.
2. What we collect
- Account data — email, display name, password hash, date of birth.
- Regimen data — peptides you log, schedules, dosages, notes, attachments. This may include health-related information.
- Device & usage data — IP address, browser/OS, page interactions, crash logs.
- Communications — support messages and email correspondence.
3. How we use your data
To provide and secure the service, authenticate you, send transactional notifications you opt into, prevent abuse, comply with legal obligations, and (with your consent) improve TidenUp through aggregated analytics.
4. Legal bases (GDPR)
Contract (account & service delivery), Consent (marketing, optional analytics, health-data processing), Legitimate interests (security, fraud prevention), and Legal obligation (records retention, lawful requests).
5. Sharing
We do not sell your personal information. We share only with infrastructure processors (hosting, email, and analytics providers), professional advisors under confidentiality, and authorities when legally compelled. A current sub-processor list is available on request.
6. International transfers
Data may be processed in the United States and other regions where our processors operate. Transfers from the EEA/UK rely on Standard Contractual Clauses and the UK Addendum where applicable.
7. Retention
Account and regimen data are retained while your account is active and deleted within 30 days of account deletion (longer where required by law). Backups are purged on a rolling 90-day schedule.
8. Your rights
Depending on your jurisdiction (GDPR, UK GDPR, CCPA/CPRA, others) you may request access, correction, deletion, portability, restriction, and objection. Submit requests in-app via Settings → Privacy, or email admin@tidenup.com. We respond within 30 days.
9. Children
TidenUp is not intended for anyone under 18. We do not knowingly collect data from minors.
10. Security
Encryption in transit (TLS 1.2+) and at rest, row-level access controls, bcrypt-hashed passwords (via Supabase Auth) and SHA-256-hashed invite tokens, least-privilege secrets management, audit logging of clinician access to patient data, and ongoing security review. No system is perfectly secure; report concerns to admin@tidenup.com.
11. Our HIPAA status
TidenUp is not a HIPAA-covered entity and does not act as a business associate of a covered entity. We are a consumer-facing personal-health-record-adjacent service. We follow HIPAA-aligned best practices — encryption, audit logging, access controls, and breach-notification commitments — but the protections of the Health Insurance Portability and Accountability Act do not legally apply to data you enter into TidenUp directly. If your clinician shares records with you through TidenUp, those records leave their HIPAA-protected systems when they reach our service.
12. FTC Health Breach Notification Rule
As a personal-health-record-adjacent service, we are subject to the Federal Trade Commission’s Health Breach Notification Rule (16 CFR Part 318). In the event of a breach of unsecured PHR-identifiable health information, we will notify affected users without unreasonable delay and in no case later than 60 calendar days after discovery, and will notify the FTC and, where applicable, prominent media outlets, in accordance with the Rule.
13. AI processing
Some features (Ask Pep, peptide reference, protocol builder, doctor-note OCR, vial image scan) send your inputs to a third-party AI gateway for processing. We do not include your account email or full name in AI prompts. Before any AI call, free text you type is scrubbed server-side on a best-effort basis for common direct identifiers: email addresses, phone numbers, Social Security numbers, street addresses, URLs, dates, medical-record numbers, and names written with an honorific (for example “Dr Smith”). This reduces, but does not guarantee, the removal of every identifier covered by the HIPAA Safe Harbor standard (45 CFR §164.514(b)), so please avoid typing names or contact details you do not want processed.

When the "Use my protocol context" toggle is enabled in Ask Pep, your active stack summary, the last 30 days of side-effect journal entries, and the next 7 days of scheduled doses are included with that single message. The image-based features (doctor-note OCR and vial-image scan) send the image itself to the AI gateway and cannot be text-scrubbed, so please do not upload images showing names or other identifiers.

Inputs are sent solely to generate your response; how the gateway retains or uses them is governed by our sub-processor’s terms. AI outputs are educational only; see our Medical Disclaimer. You may disable AI surfaces per feature in Settings, and the personal-context toggle is off by default.
We list every AI sub-processor on our Sub-processors page.
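As an added illustration, not TidenUp's own code, the constructed Python below shows what a best-effort identifier scrub of the kind described in section 13 catches and, just as importantly, what it misses (a name with no honorific passes through untouched). The regex patterns, the placeholder format and the sample message are all assumptions.

```python
import re

# Constructed, best-effort identifier scrubber modelled on the categories the
# policy lists. Patterns, placeholder format and ordering are assumptions; the
# order matters because earlier categories win on overlapping matches.
PATTERNS = [
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("URL", re.compile(r"\b(?:https?://|www\.)[^\s]+?(?=[.,;:)]?(?:\s|$))")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("MRN", re.compile(r"\bMRN[:# ]*\d{5,}\b", re.IGNORECASE)),
    ("PHONE", re.compile(r"(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b")),
    ("DATE", re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b")),
    ("ADDRESS", re.compile(
        r"\b\d{1,6}\s+(?:[A-Z][a-z]+\s+){1,3}"
        r"(?:St|Street|Ave|Avenue|Rd|Road|Blvd|Dr|Drive|Ln|Lane)\b\.?")),
    # Only names written with an honorific are targeted, as the policy states.
    ("NAME", re.compile(r"\b(?:Dr|Mrs|Mr|Ms|Prof)\.?\s+[A-Z][a-z]+(?:\s+[A-Z][a-z]+)?")),
]


def scrub(text: str) -> tuple[str, dict[str, int]]:
    """Replace each matched identifier with a [CATEGORY] placeholder.

    Returns the scrubbed text plus a per-category hit count, which is what a
    server would log for audit metrics; the removed values themselves are
    never logged.
    """
    counts: dict[str, int] = {}
    for label, pattern in PATTERNS:
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            counts[label] = n
    return text, counts


# Constructed sample message, not a real user's input.
SAMPLE = (
    "Dr Smith (dr.smith@example.com, 555-123-4567) saw me on 05/20/2026 "
    "at 42 Maple Street, MRN 00123456. SSN 123-45-6789. "
    "Notes at https://example.com/visit. My friend Jane Doe was there too."
)

if __name__ == "__main__":
    cleaned, hits = scrub(SAMPLE)
    print(cleaned)  # note that "Jane Doe" survives: no honorific, no match
    print(hits)
```

The surviving "Jane Doe" is exactly the residual risk the policy warns about, which is why the toggle and the request not to type names remain necessary on top of the scrub.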
14. Changes
We post material changes here and notify account holders by email at least 14 days before they take effect.