Privacy Policy
Last updated: June 12, 2026
Himcules, a product of Another Dumb Idea, LLC ("we," "our," or "us"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and website (collectively, the "Service").
Key points
- Your health data is stored locally on your device by default.
- We do not sell your data, and we do not share it for advertising.
- The analytics we collect is usage-level — it never includes which compounds you track, your doses or volumes, injection sites, or your check-in scores. You can turn analytics off in Settings.
- We use a small number of service providers (named below) to run sign-in, email, and analytics. Cloud backup to your own Apple iCloud account is optional and off by default.
- Himcules is not a medical application.
- You can delete your data at any time.
1. Information we collect
1.1 Information you provide
- Account information — Email address when signing up for optional features (sign-in is via one-time email codes; there is no password).
- Health tracking data — Information you manually enter to track your own protocol, stored on your device:
  - Injection logs: dates, times, doses, injection sites, and injection method.
  - Compound tracking: the compounds you choose to track — which may include prescription medications and substances not approved for human use — along with vial, reconstitution, schedule, and dose settings you configure.
  - Daily check-ins: optional energy, mood, libido, and sleep scores (1–5) and notes.
  - Supply and inventory: vial counts, remaining volume, and refill records.
- Preferences — Notification settings, preferred injection sites, scheduling preferences, display options.
1.2 Information collected automatically
- Device information — Device type, operating system version, app version, and an analytics identifier (see Section 1.3).
- Usage data — Which features you use and when: for example, that an injection was logged, that a check-in was completed, screens viewed, session activity, streak and entry counts, schedule cadence (e.g., "every 3.5 days"), and feature on/off toggles.
- Diagnostics — We may receive aggregated crash and performance diagnostics through Apple and Google's platform reporting, subject to your device's settings. We do not run a separate third-party crash-reporting tool.
1.3 What analytics does — and does not — include
We want to be precise here, because this is a health-context app.
Our analytics events are tied to your account (a random account ID — this is pseudonymized data, not anonymized data, and we treat it accordingly). The events describe how you use the app, not the medical content of what you log. Specifically:
- We never collect in analytics: the names or identities of compounds you track, doses, volumes or syringe draws, injection sites, routes of administration, ester or formulation types, or your check-in scores (energy/mood/libido/sleep) or notes. Those values stay on your device.
- We do collect in analytics: the fact that events happened (an injection was logged, a check-in was completed, a compound was added), counts and streaks, schedule cadence, coarse category labels (e.g., "peptide" vs. "androgen"), and feature settings.
We are also honest about this: even usage-level events from an injection-tracking app carry health context — an event named "injection logged" on your account says you log injections. We treat all analytics from this app as health-related information, share it only with the processors named in Section 4, and never use it for advertising. You can turn analytics off entirely in Settings → Analytics, at any time.
1.4 Information we do NOT collect
- Your real name (unless you choose to provide it).
- Your physical address.
- Payment or financial information.
- Location data.
- Contacts or photos from your device.
2. How we use your information
We use the information we collect to:
- Provide the Service: enable injection tracking, scheduling, reminders, supply tracking, and check-ins.
- Sign you in: deliver one-time login codes to your email.
- Improve the app: analyze usage patterns to enhance features and fix bugs.
- Send notifications and email: deliver reminders you have opted into, and product/lifecycle emails you can unsubscribe from at any time.
- Ensure security: detect and prevent fraud or abuse.
We do NOT:
- Sell your data, or share it with third parties for their own marketing or advertising.
- Create advertising profiles.
- Share with insurance companies or employers.
- Make medical recommendations or diagnoses.
3. Data storage and security
3.1 Local-first architecture
Himcules is designed with a local-first approach. Your health tracking data — injection logs, compound settings, check-ins, supply — is stored on your device. The app works offline, and your detailed health entries are not stored on our servers.
3.2 Security measures
We implement appropriate technical and organizational measures to protect your data, including encryption in transit, access controls, and secure development practices. No system is 100% secure, and we cannot guarantee absolute security.
3.3 Optional cloud backup (Apple iCloud)
If you turn on Backup in Settings (it is off by default), the app copies your full app state — including all injection logs, compound settings, check-in entries, and preferences — to Apple's iCloud Key-Value storage under your own Apple Account, so you can restore it on a new device. This backup:
- is opt-in and can be turned off at any time;
- is stored by Apple Inc. in your iCloud account and governed by your Apple Account settings and Apple's privacy terms;
- is deleted from iCloud when you turn backup off and erase the backup, or when you delete it through your Apple Account;
- is not readable by us — we do not operate the storage and have no server-side access to your backup.
4. Service providers (data processors)
We do NOT sell, rent, or trade your personal information. We share data only with the service providers below, who process it on our behalf and under our instructions to operate the Service, when required by law, or in a business transfer with prior notice.
| Provider | What they do for us | What they receive | Where |
|---|---|---|---|
| Supabase (Supabase, Inc.) | Sign-in (email one-time codes) and the server functions that power email events | Your email address, account ID, sign-in timestamps | Hosted in the AWS Tokyo region (Japan) |
| PostHog (PostHog, Inc.) | Product analytics | Pseudonymized usage events tied to your account ID, as described in Section 1.3 — never compound names, doses, sites, or check-in scores | United States |
| Loops (Loops, Inc.) | Product and lifecycle email | Your email address and usage-level lifecycle events (e.g., signed up, streak milestone, counts) — never compound, dose, site, or check-in data | United States |
| Apple (Apple Inc.) | Optional iCloud backup (Section 3.3); App Store distribution and platform diagnostics | Your backup is stored in your own iCloud account; we have no access | Per your Apple Account region |
5. International data transfers
We are a U.S. company and our processors operate in the United States and Japan (see the table above). If you use the Service from the European Economic Area, the United Kingdom, or Switzerland, your personal data will be transferred to these countries. Where required, we rely on safeguards recognized under applicable law, including:
- the European Commission's Standard Contractual Clauses (SCCs),
- the EU–U.S. Data Privacy Framework (and UK Extension) for processors certified under it, and
- for Japan, the European Commission's adequacy decision for Japan, where applicable.
6. How long we keep data
| Data | Retention |
|---|---|
| Health tracking data on your device | Under your control — kept until you delete entries, clear data in Settings, or uninstall the app |
| Optional iCloud backup | Under your control — kept until you turn backup off and erase it, or delete it via your Apple Account |
| Account data (email, account ID) | Until you delete your account, then deleted from our systems within 30 days |
| Analytics events (pseudonymized usage data) | 24 months from collection, then deleted or aggregated |
| Email contact and lifecycle event data | Until you unsubscribe or delete your account, then deleted within 30 days |
| Support emails | As long as needed to resolve your request and for our records, up to 24 months |
7. Your rights
Wherever you live, you can:
- Access and export your data — your tracking history can be exported from the app, and you can request a copy of the data our systems hold about you.
- Correct inaccurate information — directly in the app, or by contacting us for account data.
- Delete your account and associated data (Section 8).
- Opt out of analytics (Settings → Analytics) and marketing emails (unsubscribe link in any email).
To exercise any right, use the in-app settings or email support@himcules.com. We respond to all privacy requests within 30 days. We will need to verify the request comes from the email address on the account.
8. Deleting your data
You can delete your account at any time in Settings → Account → Delete Account. When you do, your account record (email, account ID, sign-in history) is deleted from our authentication provider. To have your analytics profile and email contact records deleted as well, email support@himcules.com and we will complete the deletion across all our processors within 30 days.
Data stored locally on your device is yours to delete at any time (Settings → Clear Data, or uninstall the app). The optional iCloud backup is deleted as described in Section 3.3. Note for analytics: events sent before June 2026 may have included additional properties that current versions no longer send; these are covered by deletion requests and age out of our 24-month analytics retention in any case.
9. For users in the EEA, UK, and Switzerland (GDPR / UK GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, the following applies. Another Dumb Idea, LLC is the data controller for the personal data described in this policy.
Legal bases
| Processing | Legal basis |
|---|---|
| Account creation, sign-in, providing the Service | Performance of a contract (Art. 6(1)(b)) |
| Health tracking data you enter (stored on-device; transmitted only if you enable iCloud backup) | Your explicit consent (Art. 6(1)(a) and Art. 9(2)(a)) — entering data and enabling backup are affirmative acts, and you can stop or delete at any time |
| Usage analytics (Section 1.3) | Analytics is on by default and you can turn it off at any time in Settings → Analytics; events are scrubbed of health specifics as described in Section 1.3. Where a specific legal basis is required, we rely on the legal bases described in this policy |
| Product and lifecycle email | Consent (Art. 6(1)(a)); you can withdraw by unsubscribing |
| Security, abuse prevention, legal compliance | Legitimate interests (Art. 6(1)(f)) / legal obligation (Art. 6(1)(c)) |
Your rights
You have the right to: access your personal data; rectify inaccurate data; erase your data ("right to be forgotten"); restrict processing; receive your data in a structured, machine-readable format (data portability); object to processing based on legitimate interests; and withdraw consent at any time without affecting prior processing (analytics toggle, unsubscribe link, or deleting data/account).
To exercise any of these rights, email support@himcules.com. We respond within 30 days (extendable by two months for complex requests, in which case we will tell you).
Complaints
You have the right to lodge a complaint with your local supervisory authority (in the UK, the Information Commissioner's Office; in the EEA, your national data protection authority). We would appreciate the chance to address your concern first, but you may contact them at any time.
Transfers
See Section 5 for the safeguards we use when transferring data outside the EEA/UK.
10. For California residents (CCPA / CPRA)
In the last 12 months we have collected these categories of personal information: identifiers (email address, account ID, device identifiers); internet/electronic activity (usage events described in Section 1.3); and, to the extent you enter it, sensitive personal information in the form of health information (your tracking data — stored locally on your device and, in pseudonymized usage-level form, processed by our analytics provider).
- We do not sell personal information, and we do not "share" it for cross-context behavioral advertising (as those terms are defined by the CPRA). We have not done either in the preceding 12 months. We disclose personal information only to the service providers listed in Section 4 under contracts restricting their use of it.
- We use sensitive personal information only for providing the Service and the purposes permitted by the CPRA (e.g., security, quality). We do not use it to infer characteristics about you.
- You have the right to know/access, delete, correct, and port your personal information, and the right to non-discrimination for exercising any right. We do not offer financial incentives in exchange for personal information.
- To exercise these rights, email support@himcules.com or use the in-app tools (export, delete account). We verify requests via the account email and respond within the timelines required by law (generally 45 days). You may use an authorized agent; we will require proof of authorization.
11. Children's privacy
Himcules is intended for adults. The Service is not intended for, and may not be used by, anyone under the age of 18. We do not knowingly collect personal information from anyone under 18; if we learn that we have, we will delete it and terminate the account.
12. Health information disclaimer
Himcules is NOT a medical device and is not intended to diagnose, treat, cure, or prevent any disease. The app is for personal tracking and informational purposes only. Always consult with qualified healthcare professionals regarding your treatment. Himcules is not covered by HIPAA — we are not a healthcare provider or health plan — which is why this policy, rather than HIPAA, describes how your information is handled.
13. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy and updating the "Last updated" date, and where the changes are significant, by notice in the app or by email before they take effect.
14. Contact us
If you have questions about this Privacy Policy or want to exercise any privacy right, contact us at:
Email: support@himcules.com
Website: https://himcules.com
Legal entity: Another Dumb Idea, LLC