Privacy Policy
This Privacy Policy describes how Peptalk ("Peptalk," "we," "us," or "our") collects, uses, and shares information when you use the Peptalk mobile application and related services (the "Service"). If you have questions, contact us at privacy@getpeptalk.app.
1. Who we are
Peptalk is operated by Ryan Som, a sole trader based in Australia (ABN registration pending). The Service helps you build habits through scheduled voice calls with an AI coach and habit tracking.
Our postal address for privacy correspondence is available on request via the contact email in Section 13.
2. Information we collect
2.1 Information you provide
- Account information. Email address, name, and authentication credentials when you sign up.
- Onboarding survey. Goals, habit preferences, coaching style preferences, schedule, and other responses you give during onboarding.
- Phone number. If you opt into phone-based coach calls, we collect the number you provide so we can place calls to you.
- Habit data. The habits you add, the check-ins you log, streaks, skip reasons, and any notes you enter. This is the core data needed to run the Service.
- Communications. Messages you send to support.
2.2 Voice and call data
When you take a coach call, we process:
- Audio of the call. The live audio stream between you and the AI coach, handled by our voice and telephony providers (see Section 4).
- Transcripts. Text transcripts of calls, which we store so the coach can reference prior conversations and so you can review call history.
- Call metadata. Start and end time, duration, call outcome (completed, missed, failed), and phone number used.
You will be prompted for microphone permission on iOS before the first call. You can revoke it at any time in iOS Settings.
2.3 Information collected automatically
- Device and app data. Device model, OS version, app version, language, time zone, and coarse usage events (e.g., screens viewed, buttons tapped).
- Diagnostic data. Crash reports, error traces, and performance data.
- Identifiers. A pseudonymous user ID and, where applicable, a device install ID. We do not use IDFA for advertising.
We do not sell your personal information and we do not use your data to train third-party AI models outside what is strictly required to deliver your coach calls.
3. How we use your information
We use your information to:
- Provide the Service — place coach calls, run habit tracking, compute streaks, send reminder notifications.
- Personalize your coaching — the AI coach uses your habits, check-ins, goals, and prior call transcripts as context so sessions are relevant.
- Maintain and improve the Service — diagnose crashes, measure feature usage, fix bugs.
- Communicate with you — transactional messages (call summaries, reminders) and, if you opt in, product updates.
- Keep the Service safe and legal — fraud prevention, enforcement of our Terms, and compliance with legal obligations.
Legal bases (for users in the EEA/UK)
We rely on: performance of a contract (to deliver the Service you signed up for), legitimate interests (to secure and improve the Service), consent (for microphone access, optional analytics, and marketing where required), and legal obligation where applicable.
4. Third parties that process your data
We use a small number of subprocessors to run the Service. Each receives only the data necessary for its role.
| Provider | Role | Data they process |
|---|---|---|
| Supabase | Database, authentication, and file storage | Account, habit data, call metadata, transcripts, and any uploaded assets |
| Vapi | AI voice coach — orchestrates the conversation | Call audio (in real time), transcripts, and context we pass in (e.g., your goals, recent check-ins) |
| Twilio | Telephony — carries the phone call between you and Vapi | Your phone number, call audio in transit, call metadata |
| Apple | App Store and TestFlight distribution, push notification delivery (APNs) | Pseudonymous push token, crash logs (if you opt in via iOS), app install/update events |
These providers act as processors on our behalf under written data processing terms. They may store data outside your country — see Section 7.
We plan to introduce additional subprocessors — a crash-reporting service and a product-analytics service — before moving out of the alpha phase. We will update this policy and the list above before any such provider begins processing your data.
5. Sharing your information
We share personal data only:
- With the subprocessors listed above, to run the Service.
- With you — you can export or view your own data.
- For legal reasons — to comply with a valid legal request, enforce our Terms, or protect rights, safety, and property.
- In a business transfer — if we are involved in a merger, acquisition, or asset sale, your data may be transferred, subject to this policy.
We do not share your data with advertisers. We do not sell your data.
6. Data retention
- Account and habit data — retained while your account is active.
- Call transcripts — retained while your account is active so the coach can reference prior sessions. You can delete individual calls from within the app.
- Call audio recordings — retained for up to 90 days from the call date to support quality, safety review, and support requests, then deleted from our systems and those of our voice/telephony providers. If you delete the call earlier from within the app, the audio is deleted sooner.
- Call metadata (times, duration, outcome) — retained while your account is active to compute streaks and history.
- Diagnostic and analytics data — once crash-reporting or analytics subprocessors are introduced (see Section 4), diagnostic data will be retained for no more than 90 days and product-analytics event data for no more than 12 months, unless a shorter period is configured. Until then, we collect only limited first-party app events stored with the rest of your account data.
- Backups — deleted data may persist in encrypted database backups for up to 30 days before being overwritten.
When you delete your account, we delete or de-identify your personal data within 30 days, except where we are required to retain specific records for legal, tax, fraud-prevention, or audit reasons (in which case we retain the minimum necessary for the minimum required time).
7. International transfers
Our providers (Supabase, Vapi, Twilio, Apple) may store and process data in the United States and other countries. Where required (e.g., for users in the EEA/UK), we rely on appropriate safeguards, including European Commission Standard Contractual Clauses (SCCs) and the providers' documented data processing agreements. A copy of the relevant safeguards is available on request via the contact email in Section 13.
8. Security
We use industry-standard measures including TLS in transit, encryption at rest with our providers, authenticated access via Supabase Auth, and row-level security policies on our database. No system is perfectly secure; we cannot guarantee absolute security.
If we become aware of a breach affecting your personal data, we will notify you and applicable regulators as required by law.
9. Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your data ("right to erasure")
- Export your data in a portable format
- Object to or restrict certain processing
- Withdraw consent you previously gave
- Lodge a complaint with your local data protection authority
You can delete your account and associated data from within the app (Settings → Account → Delete Account), or email privacy@getpeptalk.app. We will respond within the timeframes required by applicable law.
California residents: you have rights under the CCPA/CPRA including the right to know, delete, correct, and opt out of "sharing" for cross-context behavioral advertising. We do not share personal information for cross-context behavioral advertising.
10. Children's privacy and age rating
The Service is not directed to children under 13 (or the equivalent minimum age in your jurisdiction), and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, contact us and we will delete it.
Peptalk is rated 12+ on the App Store. The rating reflects that the Service delivers AI-generated conversational content which, despite moderation, may occasionally include themes unsuitable for younger audiences. The Service is not intended for use by children under the applicable minimum age.
11. Notifications and permissions
- Microphone — required for coach calls; requested on first call.
- Notifications — optional; used for reminders and call alerts. You can disable them in iOS Settings.
- Phone calls — if you enable phone coach calls, we initiate calls to the number you provide via Twilio. Standard carrier charges may apply.
12. Changes to this policy
We may update this policy from time to time. If changes are material, we will notify you in the app or by email before they take effect. The "Last updated" date at the top reflects the most recent version.
13. Contact us
Questions or requests: privacy@getpeptalk.app
Postal address: Available on request via the email above. (Peptalk is operated by a sole trader; we do not publish a residential address for privacy reasons.)
Data Protection contact (EEA/UK): The Service is not actively offered to residents of the EEA/UK during the alpha/beta phase. EEA/UK residents with data protection questions may use the contact email above. We will appoint an EU/UK representative under Article 27 GDPR if and when we begin offering the Service in those jurisdictions.