Privacy Policy
This is a shell policy that covers the pre-launch site as it exists today: research articles, the chat bot at /chat, and the waitlist form. The full platform — checkout, order routing, account history — will publish a separate, lawyer-tightened policy when it launches. The version marker at the top of this document advances with every revision.
Last updated: April 24, 2026. Version 0.2-shell.
1. What we collect
Three things, and we want to be specific about each:
- Request metadata on every page you visit — your IP address, your user-agent string, the path you requested, the referring URL (if any), and a timestamp. This is the same thing every web server records by default; we don't dress it up.
- Your email address, if and only if you submit it to the waitlist form. The form takes an email and nothing else.
- Chat-bot conversation logs, if you use the assistant at /chat. The text of each prompt and reply is stored in our local database (titratelab_kb.db, table chat_sessions) along with a session identifier so the assistant can keep context across turns. We use these logs to debug bad answers and improve retrieval. They are not advertised, sold, or shared.
That's the entire surface. No name, no phone number, no address, no payment info, no social login, no health-history form, no account creation.
2. What we do not collect
The supplements-and-peptides space is a swamp of tracking pixels and "newsletter"-disguised affiliate funnels. We don't want to be that. So:
- No third-party analytics today. No Google Analytics. No Plausible. No Fathom. No Amplitude. No Heap. Nothing. The only "analytics" we have is whatever counting we do directly against our own server logs.
- No advertising pixels. No Facebook Pixel, no Google Ads tag, no LinkedIn Insight tag, no TikTok pixel, no Reddit pixel, no Twitter/X pixel. Open the network tab in dev-tools and check.
- No retargeting cookies. No DoubleClick, no Criteo, no Taboola, no Outbrain.
- No health data. We don't ask what you're using, what cycle you're on, what your labs say. We don't infer it from your chat-bot conversation either; the logs sit in a database, not in a profile dossier.
- No email-list sales. The waitlist database is for the limited launch announcements described below. We will not sell, rent, or trade it.
If we add an analytics tool later, this section changes first, and the change gets announced before it goes live.
3. Where the data lives
Everything we collect lives on our VPS. Server logs, the waitlist database, and the chat-bot session table are all stored in flat files and SQLite databases on the same machine that serves the site. There is no third-party data warehouse, no shared analytics cluster, no pipe into a marketing platform.
The two third parties that touch any user data are:
- Resend — our transactional email provider. When you submit the waitlist form, your email address gets handed to Resend long enough to send the confirmation. When we mail launch announcements later, the same applies. Resend stores delivery metadata (sent / bounced / opened) for the addresses it processes; their privacy policy governs that handling.
- Anthropic — the API behind the chat bot at /chat. When you ask the bot a question, your prompt plus the relevant retrieval context is sent to Anthropic's API to produce the reply. Anthropic's commercial-API terms apply to that traffic; per their published policy, API content is not used to train their models. We do not send your IP address or waitlist email along with chat queries.
We do not share data with advertisers, data brokers, marketing partners, or any of the vendors mentioned in our research.
We respond to valid legal process (subpoena, warrant) when required to. We push back on anything overbroad and we tell you we received a request unless the order forbids us from doing so.
4. Cookies
Default: essentials only. The site works without optional cookies and we don't load any analytics scripts at all today.
The cookie-consent banner that appears on first visit gives you two buttons: Accept optional and Essentials only. Whichever you pick gets recorded as a tl_cookie_consent value in your browser's localStorage so we don't ask again on every page. Picking "Accept optional" today is functionally identical to picking "Essentials only" because we have no optional analytics cookies enabled. If we ever do enable any, the existing consent value is the gate that decides whether they fire.
The banner respects dismissal: closing the tab without picking a button is not consent, and you'll see it again next visit.
5. Retention
- Chat-bot session logs are retained for 90 days, then deleted. We hold them for that window so we can investigate bad replies, debug retrieval bugs, and tune the system. If you want a session deleted sooner, see Section 7.
- Waitlist email is retained until you unsubscribe or until the waitlist closes. After platform launch, you'll get a one-time prompt to opt into the live platform; if you decline (or don't respond within 90 days), the entry gets deleted.
- Server request logs are retained for 30 days on a rolling basis, then deleted. Aggregated counts (page-view totals with no IP) may be retained longer for historical comparison.
- Support correspondence is retained as long as the conversation is useful, then archived to cold storage and deleted after 2 years.
6. Your rights
Depending on where you live (CCPA in California, GDPR in the EU/UK, similar laws elsewhere) you have a combination of the rights to know, delete, export, and correct the data we hold about you. As a matter of policy we honor these rights regardless of jurisdiction — the data surface is small enough that drawing geographic lines would be more work than just saying yes.
Specifically, you can request:
- A data export — we send back a JSON blob of everything tied to your email or chat session
- A data deletion — we remove your waitlist entry, your chat-bot session history, or both
- A correction — tell us what's wrong and we'll fix it
- Unsubscribe from the waitlist — instant; replies of "remove" to any of our emails work, or use the unsubscribe link
We don't require identity verification beyond the email address itself. If someone else has access to your inbox, that's a different problem than this policy can solve.
7. How to contact us
For privacy requests or anything else that needs a human:
- Email: press@titratelab.com (it's the inbox we read; "press" is a misnomer right now and a re-org of the inbox layout is on the to-do list)
- Discord: discord.gg/biohacking — DM any moderator with a privacy request and they'll route it
We aim to respond within 7 business days. Most data-deletion requests are processed same-day.
8. Security posture
The pre-launch site has a deliberately small attack surface:
- TLS 1.3 on every connection. No plaintext transport anywhere.
- No user passwords — there are no accounts on the pre-launch site, so no password database exists to leak.
- Minimal data collection by design. The less we hold, the less there is to lose.
- Server hardening is standard (firewall, automatic security updates, no unnecessary ports, logs monitored for anomalies).
- Incident disclosure — if a breach touches waitlist emails or chat logs, we email the affected addresses within 72 hours of confirming the incident and post a public note at the top of this policy page.
When the full platform ships (checkout, accounts, order history) the security posture expands accordingly and gets documented in a separate policy.
9. Changes to this policy
When this policy changes:
- The "Last updated" date and the version marker at the top of the document advance
- Material changes get a banner at the top of the page for at least 30 days
- If a change materially expands what we collect or how we use it, we email the waitlist about it before the change takes effect
We will not quietly revise this policy to permit something we previously said we wouldn't do. Scope expansions get announced.
10. Jurisdiction
TitrateLab operates as a Delaware LLC. Disputes touching this policy are governed by Delaware law to the extent not preempted by stronger local data-protection law (CCPA, GDPR, etc.), which we honor regardless of corporate domicile.
This is a shell policy under active legal review. The voice is ours; the legal precision is the lawyer's job once they have a chance to tighten it. Slogan, for the record: experiment with confidence.