Privacy Policy
Last updated: 18 April 2026
The short version
- ✓ Your health tracking data is yours. We never sell it or use it to target advertising at you.
- ✓ You can download everything we hold about you at any time.
- ✓ You can delete your account and all your data permanently at any time.
- ✓ We use industry-standard encryption in transit and at rest.
- ✓ We do not require an account - you can use peripal as a guest.
1. Who we are
peripal ("we", "our", or "us") is a perimenopause companion app designed to help women understand and navigate hormonal changes. The app is operated by Stephanie von Franck, based in New York, United States. For privacy inquiries, data requests, or to exercise your rights, please contact us at stephanie@peripal.co.
2. What data we collect
Account data (if you create an account)
- Email address (used only for authentication and account recovery)
- Password (stored as a one-way bcrypt hash - we cannot read your password)
- Account creation date
Health tracking data (only if you choose to log it)
- Daily mood scores and symptom logs
- Medication and supplement records
- Period/cycle tracking data
- Personal notes you add to logs
Community data (if you post in the forum)
- Forum threads and replies you author
- Display name (if you set one)
Ask Pal queries (only if you use the feature)
- The text of questions you submit to the Ask Pal search feature
- These are transmitted to Anthropic's API to generate a response - see section 8
- We recommend not including your name or contact details in Ask Pal queries
Technical data (automatically)
- Session cookies (necessary for authentication - see below)
- Standard server logs (IP address, browser type, pages visited) - retained for 30 days
3. How we store your data
Account data and health tracking data are stored in Supabase, a PostgreSQL database provider. Supabase stores data in the US (AWS us-east-1) by default and is SOC 2 Type II certified.
All data is encrypted in transit via TLS 1.2+ and at rest using AES-256. Row-level security (RLS) ensures your data can only be accessed by your own authenticated session - not by other users. Internal access to user data by peripal personnel is restricted and logged, and occurs only to resolve a support request you have submitted or to investigate a reported security incident.
If you use peripal as a guest (no account), all data is stored only in your browser's localStorage on your device. It never leaves your device until you choose to create an account.
4. How we use your data
We use your data only to:
- Provide the app features (syncing logs, generating your doctor report, etc.)
- Send account-related emails (email verification, password reset)
- Improve the app through aggregated, anonymised analytics (no individual data used)
We never:
- Sell your personal health tracking data (logs, symptoms, medications, cycle data)
- Share your health tracking data with insurers, employers, or data brokers
- Use your health tracking data to target or personalize advertising
- Use your data to train AI models
Advertising and affiliate links: peripal may display contextual advertising or include affiliate links in content (such as links to products or services that may earn us a commission). Any advertising or affiliate content will be clearly labeled. Your health tracking data is never used to target, select, or personalize these. See our Terms of Service for more detail.
5. Cookies and sessions
Strictly necessary cookies
Secure session cookies issued by Supabase Auth to keep you signed in. These are:
- HttpOnly (not accessible to JavaScript)
- Secure (HTTPS only)
- SameSite=Lax (CSRF protection)
Sessions automatically expire after 30 minutes of inactivity to protect your health data.
Analytics cookies
We use Google Analytics 4 (GA4) to understand how the app is used in aggregate (e.g., which pages are visited, session duration). GA4 sets cookies named _ga and _ga_*, which persist for up to 2 years. We have enabled IP anonymization - your full IP address is never stored by Google. GA4 data is used only to improve the app and is never linked to your health data.
You can opt out of Google Analytics at any time using the Google Analytics opt-out browser add-on, or by enabling your browser's built-in tracking protection.
We do not use advertising cookies or any other third-party tracking.
Do Not Track
Some browsers offer a "Do Not Track" (DNT) signal. We do not currently alter our data collection practices in response to DNT signals, as no uniform standard for responding to DNT has been adopted. You can use the opt-out mechanisms above to limit analytics tracking.
6. Data retention
Your account and health data are retained for as long as your account is active. Server logs are retained for 30 days.
When you delete your account, all your data (health logs, medications, period data, forum posts, and profile) is permanently deleted within 24 hours. This cannot be undone.
Backup copies are encrypted, access-controlled, and purged within 30 days of deletion. During that window your data exists only in secure backup storage and is not used for any purpose. Some data may be retained in aggregated, de-identified form (e.g., total number of users) that cannot be linked back to any individual.
7. Your rights
Under the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and applicable US state privacy laws (Virginia CDPA, Colorado CPA, Connecticut CTDPA, Texas TDPSA, and others), you have the following rights:
Right to know
Request disclosure of the categories and specific pieces of personal information we have collected about you, the purposes for collection, and the categories of third parties with whom we share it.
Right of access
Download all your data any time from Settings → Download my data (JSON).
Right to rectification
Edit your data within the app at any time.
Right to erasure (right to be forgotten)
Delete your account and all data permanently from Settings → Danger zone.
Right to data portability
Export your data as machine-readable JSON from Settings.
Right to limit use of sensitive personal information
Your health data (symptoms, medications, cycle data) is sensitive personal information under California law. You may request that we limit its use to only what is necessary to provide the service. Contact us at stephanie@peripal.co to exercise this right.
Right to opt out of sale or sharing
We do not sell or share your personal information as defined under California law. No opt-out action is required.
Right to non-discrimination
We will not deny you service, charge you different prices, or provide a lower quality of service because you exercised any of your privacy rights.
To exercise any right not covered above, email stephanie@peripal.co. We will respond within 45 days. If we need additional time, we will notify you within the initial 45-day period.
8. Third-party services
Supabase (database & auth)
Stores account and health data. SOC 2 Type II, ISO 27001. Data hosted in US (AWS us-east-1).
Vercel (hosting)
All requests to peripal.co are served through Vercel's infrastructure. Vercel processes IP addresses and request metadata (pages visited, response times) to operate the service. This data is not linked to your account or health data.
Anthropic (Ask Pal)
The "Ask Pal" search feature sends your question to Anthropic's Claude API to generate a response. This means health-related questions you submit via Ask Pal are transmitted to and processed by Anthropic. Anthropic's API terms prohibit them from training models on API inputs. We recommend not including personally identifying information (your name, contact details, etc.) in Ask Pal queries.
Google Analytics 4
Collects anonymized usage data (pages visited, session duration, device type) to help us improve the app. IP anonymization is enabled. Does not receive your health data. See section 5 for opt-out options.
HaveIBeenPwned API
Used during signup to check if your password has appeared in known data breaches. We use k-anonymity - only the first 5 characters of a SHA-1 hash are sent. Your password never leaves your device in readable form.
Google Fonts
Loads the Comfortaa and Open Sans typefaces. Google may log font requests. No personal data beyond your IP is shared.
9. Security
We implement the following security measures to protect your data:
- TLS encryption for all data in transit
- AES-256 encryption at rest
- Row-level security (database-level access control)
- Passwords hashed with bcrypt (never stored in plaintext)
- Breach-detected password blocking via HIBP at signup
- Session inactivity timeout (30 minutes)
- Strict Content Security Policy headers
- Server-side rate limiting on authentication endpoints
Data breach notification
In the event of a data breach involving your personal health information, we will notify affected users by email within 60 days of discovering the breach, consistent with the FTC's Health Breach Notification Rule. If a breach affects 500 or more individuals in a state, we will also notify prominent media outlets in that state and the FTC as required by law.
If you discover a security vulnerability, please report it responsibly to stephanie@peripal.co.
10. Children's privacy
peripal is designed for adults (18+) experiencing perimenopause. We do not knowingly collect data from anyone under 18. If you believe we have inadvertently collected data from a minor, please contact us at stephanie@peripal.co.
11. Changes to this policy
We will notify signed-in users by email of material changes to this privacy policy at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
Contact & data requests
For privacy questions, data requests, or to exercise your rights:
stephanie@peripal.co