Last updated: June 9, 2026
1. Introduction
Biohackr LLC ("Biohackr," "we," "us," or "our") operates the Biohackr application and website at biohackr.pro (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect information about users of the Service ("you," "your," or "user").
By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with this Privacy Policy, you must not access or use the Service.
This Privacy Policy applies to all users of the Service worldwide. Specific provisions may apply to users in certain jurisdictions as outlined in Section 14.
Biohackr is not a healthcare provider. The Service is an educational and tracking platform for personal use. Biohackr is not subject to the Health Insurance Portability and Accountability Act ("HIPAA") because we are not a covered entity. However, we recognize the sensitivity of health-related information and apply enhanced privacy practices accordingly.
2. Information We Collect
We collect information in three categories: (a) information you provide directly, (b) information we collect automatically, and (c) information we receive from third parties.
2.1 Information You Provide Directly
When you create an account and use the Service, you may provide:
Account Information:
- Email address
- Password (stored as a cryptographic hash; we never store passwords in readable form)
- Display name (optional)
Profile Information:
- Date of birth or age
- Biological sex
- Height, weight, body composition
- Country of residence
- Time zone
Health and Compound Information:
- Compounds you log in your protocols (medications, supplements, peptides, hormones, etc.)
- Doses, frequency, and routes of administration
- Injection sites and rotation patterns
- Bloodwork results (lab markers, values, dates)
- Body composition measurements
- Workout and recovery logs
- Side effect observations
- Free-text notes and journal entries
Payment Information:
We do not store payment card information directly. Payment information is collected and processed by Stripe, Inc. ("Stripe"), our third-party payment processor. We receive only limited information about your subscription, such as plan type, status, and last four digits of your payment method.
2.2 Information We Collect Automatically
When you use the Service, we automatically collect:
Device and Usage Information:
- Browser type and version
- Operating system
- IP address (used for general location and security purposes)
- Device type (desktop, mobile, tablet)
- Screen resolution
- Time zone
- Referring website
Service Usage Data:
- Pages and features you access
- Actions you take in the Service (e.g., logging a dose, viewing a compound)
- Date and time of access
- Duration of sessions
- Crash reports and error logs
Cookies and Similar Technologies:
We use cookies and similar technologies (such as local storage, session storage, and IndexedDB) for authentication, preferences, performance, and analytics. See Section 8 for details.
Analytics Data:
We use PostHog for product analytics. PostHog collects information about how the Service is used. We have configured PostHog to:
- Identify users only by their internal database identifier (not by name, email, or other personal information)
- Avoid capturing content data (such as compound names, doses, bloodwork values)
- Strip potentially sensitive properties from event data
- Not record user sessions
2.3 Information from Third Parties
We may receive information from third-party services you connect to the Service, including:
- Authentication providers (if implemented): basic profile information
- Payment processor (Stripe): subscription status, payment history
- AI service providers (Mistral AI, Anthropic): bloodwork image text extraction (see Section 5)
3. Sensitive Information
We recognize that the Service involves collection of information that may be considered sensitive, including:
- Health information (compound use, bloodwork, body composition)
- Information about substances that may be regulated, restricted, or illegal in your jurisdiction
You have control over what you share with us. We collect only information you choose to enter into the Service. You may use the Service without entering personal health data, although this will limit functionality.
Bloodwork uploads: When you upload bloodwork images for parsing, the image is:
- Temporarily stored in a private storage bucket
- Sent to Mistral AI for text extraction (no permanent storage by Mistral per their API terms)
- Processed by our systems to match against our marker database
- Deleted from our storage within 24 hours of upload (typically within seconds of successful processing)
The extracted data (marker names, values, dates) is stored in association with your account.
4. How We Use Information
We use the information we collect for the following purposes:
4.1 Providing the Service
- Creating and maintaining your account
- Storing your protocols, logs, bloodwork, and other entries
- Generating reports and visualizations from your data
- Sending essential service communications (e.g., password resets, billing notifications)
- Authenticating you and securing your account
4.2 Improving the Service
- Understanding how users interact with features
- Identifying bugs and improving stability
- Developing new features based on usage patterns
- Testing changes (A/B tests) on aggregate behavior
4.3 Communications
- Responding to your inquiries and support requests
- Sending product updates and announcements (you may opt out at any time)
- Notifying you of significant changes to terms or policies
4.4 Legal and Safety
- Complying with applicable laws and legal requests
- Enforcing our Terms of Service
- Protecting the rights, property, and safety of Biohackr, users, and others
- Detecting, preventing, and addressing fraud, abuse, or security issues
4.5 What We Do Not Do
We do not:
- Sell your personal information to third parties
- Share your personal information with advertisers
- Use your health data to target advertising
- Provide your personal information to data brokers
- Train AI models on identifiable personal data without explicit consent
5. Third-Party Services
We use the following third-party services to operate the Service. Each has its own privacy practices governed by their respective privacy policies:
Infrastructure and Hosting
- Vercel, Inc. — Application hosting and edge network. Privacy policy: vercel.com/legal/privacy-policy
- Supabase, Inc. — Database, authentication, and file storage. Privacy policy: supabase.com/privacy
- Cloudflare, Inc. — DNS and content delivery. Privacy policy: cloudflare.com/privacypolicy
Analytics
- PostHog, Inc. — Product analytics with privacy-first configuration. Privacy policy: posthog.com/privacy
Payment Processing
- Stripe, Inc. — Subscription billing and payment processing. Privacy policy: stripe.com/privacy
AI Services
- Mistral AI — OCR processing of bloodwork images. Privacy policy: mistral.ai/terms#privacy-policy
- Anthropic — AI-assisted features. Privacy policy: anthropic.com/privacy
Email and Communications
Transactional emails (such as account verification, password resets, and billing notices) are delivered through our infrastructure provider, Supabase. We do not currently operate a separate marketing email platform.
We require all third-party processors to maintain appropriate safeguards for your information consistent with this Privacy Policy.
International data transfers: Some of these providers may process data outside your country of residence. Where required by law, we implement appropriate safeguards (such as Standard Contractual Clauses for EU/UK transfers).
6. Sharing and Disclosure
We share information only as described in this Privacy Policy. Specifically:
6.1 With Service Providers
We share information with the third-party services listed in Section 5 strictly to operate the Service. These providers are contractually obligated to protect your information and use it only for the purposes we specify.
6.2 For Legal Reasons
We may disclose information when we believe in good faith that disclosure is necessary to:
- Comply with applicable laws, regulations, legal processes, or governmental requests
- Enforce our Terms of Service or other agreements
- Protect the rights, property, or safety of Biohackr, our users, or others
- Detect, prevent, or address fraud, security, or technical issues
When we receive law enforcement requests, we evaluate them carefully. We will:
- Push back on overly broad requests
- Require valid legal process (e.g., warrant for content, subpoena for basic subscriber info)
- Notify affected users when legally permitted
6.3 With Your Consent
We may share information with your explicit consent for purposes not otherwise described in this policy.
6.4 Business Transfers
If Biohackr is acquired, merged, or sells substantially all its assets, your information may be transferred as part of that transaction. We will notify you (via email and/or a prominent notice on the Service) of any such change in ownership or control of your personal information. The acquirer will be required to honor commitments made in this Privacy Policy.
6.5 Aggregated and De-identified Information
We may share aggregated or de-identified information that cannot reasonably be used to identify you for any purpose, including research, marketing, and analytics. For example, we may share statistics about overall usage patterns, popular features, or demographic trends.
7. Data Retention
We retain your information as long as necessary to provide the Service and as required by law.
7.1 Account Data
- While your account is active: all data is retained
- After account deletion: account data is deleted within 30 days of your deletion request, except as required by law
- Backups: backups containing your data are retained for up to 90 days for disaster recovery purposes, then deleted
7.2 Bloodwork Images
- Uploaded bloodwork images are deleted from temporary storage within 24 hours of upload
- Extracted lab data is retained in your account until you delete it or your account
7.3 Analytics Data
- Aggregated analytics data may be retained for up to 24 months
- Identified analytics data (linked to your account) is deleted when your account is deleted
7.4 Billing Records
- Stripe retains payment records per their policies and applicable law
- We retain summary billing information (subscription history) for tax and accounting purposes for the period required by law (typically 7 years in the US)
7.5 Legal Holds
We may retain certain information longer if required by legal obligation, dispute resolution, or to enforce agreements.
8. Cookies and Tracking Technologies
We use the following types of cookies and similar technologies:
8.1 Essential Cookies
Required for the Service to function. These cannot be disabled without breaking functionality.
- Authentication tokens
- Session management
- Security features
- User preferences (e.g., theme)
8.2 Analytics Cookies
Used to understand how users interact with the Service. Configured to minimize personal information collection.
- PostHog session identifier
- Feature flag assignments
- Aggregated usage tracking
8.3 Functional Cookies
Used to remember preferences and provide personalized features.
- Theme preferences
- Display settings
- Form auto-save state
8.4 No Advertising Cookies
We do not use cookies for advertising, retargeting, or third-party tracking.
8.5 Managing Cookies
You can manage cookies through your browser settings. Note that disabling essential cookies will prevent the Service from functioning correctly.
To opt out of analytics, contact us at privacy@biohackr.pro. Our analytics are already configured to avoid collecting your health content or personally identifying details, as described in Section 2.2.
9. Data Security
We implement reasonable technical and organizational measures to protect your information:
Technical Measures
- Encryption in transit (TLS 1.2+) for all communications
- Encryption at rest for sensitive data
- Database access controls and row-level security
- Regular security updates and patches
- Secure password storage (cryptographic hashing with industry-standard algorithms)
- Two-factor authentication available for accounts
Organizational Measures
- Limited access to personal information on a need-to-know basis
- Confidentiality obligations for employees and contractors
- Regular review of security practices
- Incident response procedures
However, no system is completely secure. No method of internet transmission or electronic storage is 100% secure. If we become aware of a security breach that affects your personal information, we will notify you and applicable authorities as required by law.
Reporting Security Issues
If you believe you have discovered a security vulnerability in the Service, please contact us at security@biohackr.pro. We appreciate responsible disclosure and will investigate all reports.
10. Your Privacy Rights
You have the following rights regarding your personal information, subject to applicable law:
10.1 Universal Rights
All users, regardless of location, have the right to:
- Access: Request a copy of the personal information we hold about you
- Correction: Request that we correct inaccurate or incomplete information
- Deletion: Request that we delete your account and associated data
- Portability: Request your data in a portable format
- Opt-out of marketing: Unsubscribe from marketing communications at any time
10.2 How to Exercise Your Rights
To exercise any of these rights, contact us at privacy@biohackr.pro. We will respond within the time periods required by applicable law (typically 30 days, with possible extension to 90 days for complex requests).
For account deletion, you can also delete your account directly from Settings within the Service.
We may need to verify your identity before processing certain requests to protect your information.
10.3 Right to Lodge a Complaint
If you believe we have not handled your information in accordance with applicable law, you have the right to lodge a complaint with a supervisory authority in your jurisdiction.
11. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from individuals under 18.
If we become aware that we have collected personal information from a person under 18 without parental consent, we will take steps to delete that information promptly.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@biohackr.pro.
12. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act:
12.1 Right to Know
You have the right to request that we disclose:
- The categories of personal information we have collected about you
- The categories of sources from which we collect personal information
- The business or commercial purposes for collecting personal information
- The categories of third parties with whom we share personal information
- The specific pieces of personal information we hold about you
12.2 Right to Delete
You have the right to request that we delete personal information we have collected from you, subject to certain exceptions (e.g., to complete transactions, comply with legal obligations).
12.3 Right to Correct
You have the right to request that we correct inaccurate personal information we maintain about you.
12.4 Right to Opt-Out of Sale or Sharing
We do not sell or share your personal information as those terms are defined under the CCPA/CPRA. We do not provide personal information to third parties in exchange for monetary or other valuable consideration for advertising purposes.
12.5 Right to Limit Use of Sensitive Personal Information
You have the right to limit our use of sensitive personal information to those purposes necessary to provide the goods or services you request.
12.6 Right to Non-Discrimination
We will not discriminate against you for exercising your privacy rights. We will not deny services, charge different prices, or provide a different level or quality of services solely because you exercised your privacy rights.
12.7 Authorized Agents
You may designate an authorized agent to make requests on your behalf. The agent must provide proof of authorization, and we may verify the request with you directly.
12.8 How to Exercise California Rights
Submit requests to privacy@biohackr.pro with "California Privacy Rights Request" in the subject line.
12.9 Categories of Information Collected
In the preceding 12 months, we have collected the following categories of personal information:
- Identifiers (email, account ID)
- Customer records (account information)
- Commercial information (subscription history)
- Internet activity (usage data, device information)
- Geolocation (general location from IP)
- Sensory data (uploaded bloodwork images)
- Health-related information you choose to enter
- Inferences (preferences based on usage)
13. Washington My Health My Data Act (MHMD)
If you are a Washington resident, you have additional rights under the Washington My Health My Data Act:
13.1 Consumer Health Data
The following information you provide to the Service that relates to your health is considered "Consumer Health Data" under MHMD:
- Compound use and dosing information
- Bloodwork results
- Body composition data
- Health observations and notes
13.2 Your Rights Under MHMD
- Right to confirm whether we are collecting, sharing, or selling your Consumer Health Data
- Right to access your Consumer Health Data
- Right to delete your Consumer Health Data
- Right to withdraw consent for collection, sharing, or selling
- Right to non-discrimination for exercising your rights
13.3 Consent
By creating an account and entering Consumer Health Data, you consent to our collection, storage, and use of such data as described in this Privacy Policy.
For sharing of Consumer Health Data, we obtain separate, explicit consent. We do not sell Consumer Health Data.
13.4 Exercising MHMD Rights
Submit requests to privacy@biohackr.pro with "Washington MHMD Request" in the subject line.
14. International Users
14.1 European Economic Area, United Kingdom, and Switzerland (GDPR)
If you are in the EEA, UK, or Switzerland, the General Data Protection Regulation ("GDPR") or UK GDPR applies to our processing of your personal data.
Legal Basis for Processing:
We process your personal data on the following legal bases:
- Contract: To provide the Service you have requested
- Consent: For optional processing activities (e.g., marketing emails)
- Legitimate Interests: To improve the Service, ensure security, and prevent fraud, balanced against your privacy rights
- Legal Obligation: To comply with applicable laws
Your GDPR Rights:
In addition to the universal rights in Section 10, you have the right to:
- Restrict processing of your personal data
- Object to processing based on legitimate interests
- Withdraw consent at any time (where processing is based on consent)
- Lodge a complaint with your national data protection authority
For any data protection inquiries, including those relating to the GDPR, contact us at privacy@biohackr.pro.
14.2 Other Jurisdictions
Users in other jurisdictions may have privacy rights under local law. We comply with applicable laws in jurisdictions where we operate. Contact us at privacy@biohackr.pro for information about your specific rights.
14.3 Data Transfers
By using the Service, you understand that your information may be transferred to and processed in the United States, where Biohackr is based. The US may have data protection laws different from your jurisdiction.
For transfers from the EEA, UK, or Switzerland, we rely on:
- Standard Contractual Clauses approved by the European Commission
- Other appropriate safeguards as required by GDPR
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last Updated" date at the top
- Notify you via email or a prominent in-app notice
- Provide at least 30 days' notice before material changes take effect (where required by law)
Continued use of the Service after the effective date of changes constitutes acceptance of the updated policy.
Previous versions of this Privacy Policy are available upon request to privacy@biohackr.pro.
16. Contact Us
For privacy-related questions or to exercise your rights:
Email: privacy@biohackr.pro
Mailing Address:
Biohackr LLC
2901 Cityplace W Blvd, Apt 313
Dallas, TX 75204
For general support: support@biohackr.pro
For security issues: security@biohackr.pro
17. Notice to Biohackr Users
This Privacy Policy applies in conjunction with our Terms of Service. Reading both documents is important to understanding the Service and your relationship with Biohackr.
The Service is provided as an educational and tracking tool. Biohackr does not provide medical advice, diagnosis, or treatment. Information you obtain through the Service is for personal informational purposes only and should not be used as a substitute for professional medical consultation.
Use of the Service is governed by our Terms of Service, which contains important provisions regarding your responsibilities, limitations of liability, and dispute resolution.