Halflife Privacy Policy

Last updated: May 1, 2026 · Halflife Peptide & GLP-1 Log

Your personal health data never leaves your device. This is a deliberate architectural decision, not just a policy statement.

1. Introduction

This Privacy Policy explains how Halflife ("the App", "we", "us") collects, uses, stores, and protects information when you use the App. We take privacy seriously given the sensitive nature of health-related data. By using the App, you agree to the practices described here.

2. Core Privacy Principle

All dose logs, weight entries, injection sites, side effect notes, protocol details, and personal health metrics you enter into Halflife are stored exclusively on your device's local storage. This data is not transmitted to our servers, not stored in the cloud, and not accessible to us.

3. What Data the App Stores — And Where

3.1 On-Device Only (Never Transmitted)

Compound protocols (names, doses, frequency, start dates)
Dose logs (dates, amounts, injection sites, side effect selections, notes)
Weight entries and history
Vial inventory details
Onboarding answers, goals, preferences
App settings and preferences

This data is never sent to any server. We cannot access it. We do not have it.

3.2 Anonymous Identifier (UUID)

On first launch, the App generates a random UUID using a cryptographic random number generator. This UUID is stored locally, is not linked to your identity, and is used only to prevent duplicate votes in the Discover tab.

3.3 Discover Tab Poll Votes

When you vote, the following anonymous data is sent to our database: your UUID, the question ID, your answer (A or B), and a timestamp. This cannot be linked back to you.

3.4 Anonymous Research Data (Opt-In Only)

If you opt in via the toggle in your Profile screen, the following anonymised data may be sent when you log a dose:

Your UUID (not linked to identity)
Compound name, dose amount, week number of protocol (not calendar date)
Weight in kg (if logged), side effect selections from preset list only
Energy and appetite scores (if logged)
Country code from device locale (e.g. "US") — not city or region

Not collected even when opted in: free text notes, exact dates or timestamps, device identifiers, IP address, location data, name, or any identifying information.

This opt-in is entirely voluntary. The App functions identically whether you opt in or not. You can change this setting at any time.

4. What We Do NOT Collect

We do not collect your name, email address, Apple ID, device identifier (IDFA/IDFV), IP address, precise or approximate location, contacts, crash reports (beyond Apple's App Store standard), advertising identifiers, or browsing history.

5. Apple Health / HealthKit

If you enable Apple Health integration (Pro feature), the App reads specific data types (body weight, step count, sleep data) locally on your device. This data is never transmitted to our servers. You can revoke permissions at any time via iOS Settings → Privacy & Security → Health → Halflife.

6. Payments and Subscriptions

All payment processing is handled by Apple through In-App Purchases. Halflife does not receive, store, or process your payment information. RevenueCat is used to manage subscription status, receiving your anonymous UUID and purchase receipt only. RevenueCat Privacy Policy

7. Why Week Numbers Instead of Dates

For any data transmitted to our servers, we use week numbers rather than calendar dates (e.g. "Week 8 of protocol" not "March 3, 2026"). This prevents re-identification by eliminating the ability to cross-reference health data with calendar events.

8. Data Security

All transmitted data uses HTTPS (TLS encryption). Database access is restricted and logged. Data is stored without personally identifying fields. Local data is as secure as your device passcode/biometrics.

9. Data Retention

Local data: Retained until you delete the App or clear storage.
Poll votes: Individual records deleted after 12 months; aggregate counts retained indefinitely.
Research data (opt-in): Retained for research purposes. Because it contains no identifying information, it cannot be deleted on individual request — by opting in you acknowledge this limitation.

10. Children's Privacy

Halflife is not directed at users under 17. We do not knowingly collect information from users under 17.

11. Your Rights

Because almost all data is stored locally on your device, most privacy rights are exercised by you directly — by deleting the App or clearing its data. California residents (CCPA): We do not sell personal information. EU/UK residents (GDPR): Legal basis for poll vote processing is legitimate interest; for research data, explicit consent (the opt-in toggle).

12. Third-Party Services

Service	Purpose	Data Shared
RevenueCat	Subscription management	Anonymous UUID + purchase receipt
Apple App Store	App distribution + payments	Per Apple's policies
Supabase	Poll votes + research data	Anonymous UUID + vote/log data

We do not use advertising networks, tracking SDKs, or analytics platforms.

13. Changes & Contact

We may update this policy and will update the "Last updated" date when we do. For privacy questions: contact@halflife-labs.com

Halflife Labs B2B Data Privacy Policy

Last updated: May 1, 2026 · Halflife Labs — B2B Partners & Data Licensing

This policy applies to organisations accessing Halflife Labs data, APIs, or research datasets — not individual app users. For the consumer app policy, use the App tab above.

1. Scope

This B2B Privacy Policy governs the relationship between Halflife Labs ("we", "us", "Halflife Labs") and partner organisations ("Partner", "you") that access our services, APIs, datasets, or research outputs under a separate commercial or research agreement. It does not apply to individual users of the Halflife mobile application.

2. Data We Provide to Partners

Depending on your agreement type, Halflife Labs may provide:

Research Dataset Access: Anonymised, aggregated population-level data on GLP-1, peptide, and hormone protocol adherence, outcomes, and behavioural patterns. No individual-level records are provided without specific IRB-compliant data use agreement.
API Integration Data: Pharmacokinetic computation outputs (concentration curves, half-life calculations, syringe calculator results) for your patient-facing applications. No patient identity data is transmitted to Halflife Labs through the API.
Custom Analytics Reports: Aggregated, de-identified analysis of specific protocol combinations, adherence rates, or outcome correlations as specified in your statement of work.

3. Data We Do NOT Provide

We never provide individual-level user records, linkable personal health information, device identifiers, or any data that could be used to identify a specific user of the Halflife app.

All data provided to partners has been aggregated and de-identified in accordance with HIPAA Safe Harbor provisions and GDPR pseudonymisation requirements. We do not license raw individual-level data under any commercial terms.

4. How Partners May Use Our Data

Data provided to partners under a commercial agreement may be used for:

Internal research, product development, and clinical decision support
Regulatory submissions and real-world evidence studies (with appropriate IRB approval)
Patient engagement tools and protocol tracking features within your own platforms
Academic publications, subject to co-authorship discussion and data use agreement terms

Partners may not use Halflife Labs data to:

Attempt to re-identify individual users
Sell or sub-license the data to third parties without written consent
Train commercial AI/ML models intended for standalone resale without separate agreement
Create directly competing products using our data infrastructure

5. Partner Data Security Requirements

Partners receiving dataset access must maintain:

Encryption at rest (AES-256 or equivalent) and in transit (TLS 1.2+)
Access controls limiting data access to personnel with demonstrated need
Incident response procedures with mandatory notification to Halflife Labs within 72 hours of any suspected breach
Annual security review or certification (SOC 2 Type II, ISO 27001, or equivalent)

6. API Integration Partners — Data Flow

For telehealth and EMR integration partners using the Halflife API:

Halflife Labs receives only the compound parameters, doses, and timestamps necessary to compute pharmacokinetic outputs
Patient identifiers must never be transmitted to Halflife Labs APIs — use anonymised patient tokens only
Computation outputs (curve data, half-life results) are returned and not retained by Halflife Labs beyond the immediate API response
API logs are retained for 30 days for debugging and billing purposes only

7. GDPR / HIPAA Compliance

Halflife Labs operates as a data processor under GDPR for EU/EEA partners and complies with HIPAA de-identification standards for US healthcare partners. We will execute a Data Processing Agreement (DPA) or Business Associate Agreement (BAA) as required by applicable law. Contact us at contact@halflife-labs.com to request these agreements.

8. Data Retention — Partner Agreements

Dataset licenses are time-limited as specified in your commercial agreement. Upon expiration or termination, partners must certify destruction of all received datasets within 30 days. API access is terminated immediately upon agreement expiration. Audit logs of partner data access are retained by Halflife Labs for 3 years.

9. Changes & Contact

Material changes to this policy will be communicated to active partners with 30 days notice. For all data privacy inquiries: contact@halflife-labs.com