Privacy Policy
Effective Date: June 18, 2026 · Last Updated: June 18, 2026
1. Overview
Blackwell BioLabs ("Company," "we," "our," or "us") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, store, share, and protect information we receive from users of blackwellbiolabs.com and the Blackwell BioLabs mobile application (collectively, the "Services").
By accessing or using the Services, you agree to this Privacy Policy. If you do not agree, please discontinue use of the Services.
2. Information We Collect
2.1 Information You Provide
- Account information: Email address, password (hashed), display name, authentication provider (Apple Sign In, Google, email)
- Demographic data (optional): Date of birth, biological sex, gender identity, height, weight, race/ethnicity, collected during onboarding to personalize benchmark comparisons. All fields are optional.
- Protocol configuration: Compound names, dosage amounts, dosage units, scheduling preferences, administration time anchors
- Dose logs: Date and time of each logged administration, optional notes
- Weekly health check-ins: Self-reported scores for pain levels, energy, mood, sleep quality, weight, and compound-specific symptom metrics
- Injury & body map data: Body region coordinates (normalized X/Y position on a body silhouette) and pain/mobility severity scores, used for tracking recovery
- Progress photographs: Photos you voluntarily upload for progress tracking purposes. Photos are stored in access-controlled private storage and are not used for marketing, advertising, or any external purpose
- Onboarding responses: Research goals, personal intent statement, and health objectives you enter during setup
- Communications: Emails or messages you send us
2.2 Information Collected Automatically
- Usage data: Pages visited, features used, time spent, tap/interaction patterns (for product improvement only)
- Device information: Device type, operating system version, app version, timezone, locale
- Log data: IP addresses, error logs, crash reports, retained for up to 90 days
- Purchase data: Order history, payment method type (not full card numbers), transaction amounts, order status, collected on the website only
2.3 Information We Do NOT Collect
- We do not collect precise GPS location data
- We do not access your contacts, microphone (beyond what required SDKs include), or calendar
- We do not use third-party advertising or behavioral tracking SDKs (no Amplitude, Firebase Analytics, Facebook SDK, AppsFlyer, etc.)
- We do not collect biometric data or integrate with Apple HealthKit or Google Health Connect
3. Cookies & Tracking Technologies
We use a limited set of cookies strictly necessary to operate the Services. We do not use advertising cookies, behavioral tracking cookies, or third-party analytics cookies.
3.1 Cookies We Use
- Session and authentication cookies: Set by our authentication provider (NextAuth.js) to keep you logged in. Essential for the Services to function; expire when you sign out or close your browser.
- CSRF security tokens: Short-lived tokens that protect form submissions from cross-site request forgery attacks. Deleted at session end.
- Referral attribution cookie (bbl_ref): Set when you arrive via a referral or affiliate link. Stores only a referral code, no personal data, and is deleted immediately after your account is created or your purchase is completed.
3.2 What We Do Not Use
- No advertising or retargeting cookies (Google Ads, Meta Pixel, etc.)
- No behavioral analytics cookies (Google Analytics, Amplitude, Mixpanel, etc.)
- No social media tracking pixels or cookies
- No persistent cross-site device fingerprinting
3.3 Managing Cookies
You may disable or delete cookies through your browser settings at any time. Disabling essential session cookies will prevent you from logging in and using authenticated features of the Services. The referral cookie can be blocked without affecting core functionality. Most browsers allow you to manage cookie preferences; refer to your browser's help documentation for instructions.
4. How We Use Your Information
- Provide, operate, and maintain the Services
- Generate your personalized progress reports, trend charts, and insights
- Compute anonymized community benchmarks (aggregated, non-identifying comparisons)
- Send protocol reminders and milestone notifications you have authorized
- Process purchases, fulfill orders, and handle refunds (website only)
- Communicate with you about your account, orders, or the Services
- Improve, develop, and personalize the Services using usage data and, where you have not opted out, User Content under the license in our Terms of Service
- Detect, investigate, and prevent fraud, abuse, and violations of our Terms
- Comply with legal obligations
5. How We Share Your Information
We do not sell your personal information to third parties. We may share your information only in the following circumstances:
5.1 Service Providers
We share data with trusted service providers who help us operate the Services, subject to confidentiality obligations. These include:
- Hosting & infrastructure: Our Services are hosted on VPS infrastructure. Data is stored in the United States.
- Payment processing: BTCPay Server (self-hosted, no data shared with third parties); CentryOS (card payment processor, processes card transaction data and billing information as required to complete your purchase)
- Email delivery: Resend (transactional email only, no marketing profiling)
- App distribution: Apple App Store and Google Play (standard distribution metadata only)
5.2 Anonymized Aggregate Data
We may publish, share, or use de-identified aggregate data (e.g., "users tracking BPC-157 report a median 38% pain reduction by Day 28") for research, marketing, or product development. This data cannot identify you individually.
5.3 Legal Requirements
We may disclose your information if required to do so by law, court order, or governmental authority, or if we believe in good faith that such disclosure is necessary to protect our rights, your safety, or the safety of others.
5.4 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of the transaction. We will notify you via email and/or a prominent notice on the Services prior to such transfer.
6. Data Retention
- Account & profile data: Retained while your account is active and for 90 days following deletion
- Progress photographs: Deleted within 90 days of account deletion, unless retention is required by law
- Dose logs & health metrics: Retained for the life of your account; deleted within 90 days of account closure
- Anonymized aggregate data: Retained indefinitely; this data does not identify you
- Purchase records: Retained for 7 years for tax and legal compliance purposes
- Log data & crash reports: Retained for up to 90 days
7. Your Rights & Choices
- Access & correction: You may view and update your account information at any time through account settings.
- Data portability: You may request a copy of your data by emailing privacy@blackwellbiolabs.com. We will respond within 30 days.
- Account deletion: You may delete your account from account settings or by emailing privacy@blackwellbiolabs.com. We will delete your personal data within 90 days, subject to legal retention requirements.
- Opt out of data sharing: Where sharing controls are available in account settings, you may opt out of contributing your User Content to anonymized benchmarks and product improvement on a prospective basis. Note: opting out does not apply to fully anonymized aggregate data that cannot identify you.
- Push notifications: You may disable push notifications at any time via your device settings or within the app.
- Photo deletion: You may delete individual progress photos from within the app at any time.
California Residents (CCPA)
California residents have additional rights under the California Consumer Privacy Act, including the right to know what personal information we collect, the right to delete, and the right to opt out of sale (we do not sell personal information). To exercise these rights, contact privacy@blackwellbiolabs.com.
Delaware Residents (DPDPA)
Delaware residents have rights under the Delaware Personal Data Privacy Act (Del. Code Ann. tit. 6, ch. 12A), including the right to access, correct, and delete your personal data, the right to obtain a portable copy of your data, and the right to opt out of the sale of personal data and targeted advertising. We do not sell personal data or use targeted advertising. To exercise these rights, contact privacy@blackwellbiolabs.com.
8. Security
We implement commercially reasonable technical and organizational security measures to protect your information, including:
- TLS/HTTPS encryption for all data in transit
- Access-controlled private storage for progress photographs and sensitive health data
- Auth-gated API access: progress photos are never publicly accessible
- Password hashing with industry-standard algorithms (bcrypt/Argon2)
- Regular automated database backups with 14-day retention
No method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, and your use of the Services is at your own risk.
9. Children's Privacy
The Services are not directed to individuals under the age of 21. We do not knowingly collect personal information from anyone under 21. If we become aware that we have inadvertently collected such information, we will delete it immediately. If you believe we have collected information from a minor, please contact us at privacy@blackwellbiolabs.com.
10. Mobile App: Data Practices Summary
The following summarizes data collected by the Blackwell BioLabs mobile app:
| Data Type | Purpose | Linked to You | Tracking |
|---|---|---|---|
| Health & Fitness (dose logs, metrics) | App functionality | Yes | No |
| Photos (progress images) | App functionality | Yes | No |
| Body map coordinates | App functionality | Yes | No |
| Demographic info (age, weight, sex) | Benchmarks / personalization | Yes | No |
| Identifiers (email, user ID) | Account management | Yes | No |
| Usage data (feature interactions) | Product improvement | No (anonymized) | No |
| Crash & diagnostic data | Bug fixing | No | No |
11. Third-Party Links
The Services may contain links to third-party websites, including laboratory services and research references. We are not responsible for the privacy practices of third-party sites. We encourage you to review the privacy policies of any third-party sites you visit.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice within the Services at least 14 days before taking effect. Your continued use of the Services after the effective date constitutes acceptance.
13. Contact Us
If you have questions, requests, or concerns about this Privacy Policy or your personal data, contact us at:
This Privacy Policy is governed by and construed in accordance with the laws of the State of Delaware, consistent with our Terms of Service.