Privacy Policy
Prepdex Holdings LLC (“Joust,” “we,” “us,” or “our”) operates the Joust application and website at getjoust.app (collectively, the “Service”). This Privacy Policy explains what information we collect, how we use it, and the choices you have.
Our Approach to Privacy
Joust is designed around a principle that we think matters: the company that builds your health tracking tool should not be able to read your health data.
To achieve this, Joust uses client-side encryption for your tracked health information. This means that compounds, doses, bloodwork values, vials, and related sensitive data are encrypted on your device before they leave it. Our servers receive and store this information as ciphertext that we cannot decrypt.
We can see metadata about your account (your email, when you signed up, your subscription status) and operational data needed to run the Service. We cannot see the substance of your protocols.
This architecture is deliberate. It means we cannot recover your encrypted data if you lose access to your account, and it means we cannot use your health data for any purpose, including improving the Service. The tradeoff is worth it.
What This Policy Covers
This Privacy Policy explains:
- What we collect and what we do not
- How we use what we collect
- Who we share information with
- How long we keep data
- Your rights and how to exercise them
- How to contact us
Information We Collect
1.1 Account Information
When you create an account, we collect:
- Email address
- Account password (stored as a hashed value, never in plaintext)
- Date and time you created your account
This information is not encrypted with client-side keys because we need to use it to authenticate you, send you account emails, and provide the Service.
1.2 Subscription and Billing Information
When you subscribe to Joust, we collect:
- Subscription plan and status
- Billing dates and history
- Stripe customer identifier
Your payment card details are handled directly by Stripe and never stored on our servers. We have access to the last four digits and card type for customer support purposes only.
1.3 Your Tracked Health Data (Encrypted)
When you use Joust to track your protocols, we receive and store the following categories of information only as ciphertext that we cannot decrypt:
- Compounds you track (names, types, schedules, doses)
- Vials and their reconstitution details
- Logged doses and dose history
- Bloodwork values and reference ranges
- Cycles, titration steps, and protocol metadata
- Personal notes you attach to any of the above
Encryption keys are derived from credentials available only to you. We do not have access to your keys.
1.4 Usage and Performance Data
To keep the Service working well, we collect:
- Pages visited within the app and approximate time spent
- Features used (such as which calculators you open, what types of compounds you create)
- Device type, operating system, and browser version
- IP address (used to estimate region; not used to track individuals)
- Crash reports and error data
We use Sentry for crash reporting and PostHog for product analytics. Both services are configured to avoid capturing personally identifiable information. Crash reports include technical context (stack traces, app state) that should not contain your encrypted health data, but in rare cases this is theoretically possible — we work to minimize this.
1.5 Marketing Website Analytics
On our marketing website at getjoust.app, we use Google Analytics to understand how visitors find and use the site. Google Analytics collects:
- Pages viewed and time spent
- Referring website or search query
- Device and browser type
- Approximate location based on IP address
We have configured Google Analytics to respect IP anonymization where available. You can opt out of Google Analytics by installing Google’s browser opt-out add-on or by enabling Do Not Track in your browser.
1.6 Communications
If you contact us for support, we keep a record of your message and our response. This helps us improve the Service and resolve issues.
How We Use Information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Process subscriptions and payments
- Authenticate your account and protect against unauthorized access
- Respond to your questions and provide customer support
- Send service-related emails (account confirmations, subscription renewals, security alerts, important changes to the Service)
- Detect and prevent fraud, abuse, and security threats
- Analyze aggregate usage to improve the Service
- Comply with legal obligations
We do not:
- Sell your data to anyone
- Use your tracked health data to train artificial intelligence or machine learning models
- Show you ads or share your information with advertisers
- Read or analyze your tracked health information (we cannot — it is encrypted)
How We Share Information
We share information only with the parties described below, and only for the purposes described.
Service Providers
We use third-party providers to operate the Service. These providers receive only the information they need to perform their function:
- Supabase — backend infrastructure, database, authentication. Stores your account information and your encrypted health data ciphertext.
- Stripe — subscription billing and payment processing. Receives your billing information.
- Sentry — crash reporting. Receives technical error data.
- PostHog — product analytics. Receives anonymized usage events.
- Google Analytics — marketing website analytics. Receives anonymized website visit data.
- Netlify — marketing website hosting. Receives standard web request data.
- Email delivery providers — for transactional emails (account confirmation, password reset, billing notices).
- Apple App Store — for users who subscribe through Apple, Apple handles billing and provides us with subscription status.
We have contracts with these providers requiring them to handle your information consistent with this Privacy Policy and applicable law.
Legal Requirements
We may disclose information when required by law, such as in response to a valid subpoena, court order, or government request. We will push back on overbroad requests and notify you when legally permitted.
Because we cannot decrypt your health data, any legal request seeking it would receive only ciphertext.
Business Transfers
If Joust is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information is transferred and becomes subject to a different privacy policy.
How Long We Keep Information
Account data. We keep your account information for as long as your account is active.
Encrypted health data. We keep your encrypted ciphertext for as long as your account is active. We cannot read this data, but we store it so you can.
Account deletion. When you delete your account, we immediately purge your encrypted health data and personal account information from our active systems. Residual copies may remain in backups for up to 30 days, after which they are also deleted. Account deletion is permanent and cannot be reversed.
Billing records. We retain billing records for as long as required by applicable tax and accounting laws (typically seven years in the United States).
Support communications. We retain support communications for up to two years to help us improve the Service.
Analytics data. Aggregated, non-personally-identifiable analytics data may be retained indefinitely for product improvement purposes.
Your Rights and Choices
Access and Export
You can access and export your data at any time through the Service. Because your health data is encrypted on your device, the app is the most reliable place to view it.
Correction
You can correct any information you have entered into the Service at any time through the app.
Deletion
You can delete individual entries through the app, or you can delete your entire account from the Service settings or by contacting us. Account deletion is permanent.
Subscription Cancellation
You can cancel your subscription at any time through the Service. Cancellation prevents future charges; it does not by itself delete your account or data.
Opt-Out of Marketing Emails
If we ever send you marketing emails (we currently do not), you can opt out using the unsubscribe link in any such email. We will still send service-related emails (account confirmations, billing notices, security alerts) because they are necessary for the Service.
Cookies
Our marketing website uses cookies for analytics. You can disable cookies in your browser settings. The app itself does not rely on third-party cookies.
Rights for Specific Jurisdictions
California Residents
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to know what personal information we have collected about you
- Right to delete personal information we have collected from you
- Right to correct inaccurate personal information
- Right to opt out of the sale or sharing of personal information (we do not sell or share personal information)
- Right to limit use of sensitive personal information (we do not use sensitive personal information beyond providing the Service)
- Right to non-discrimination for exercising your rights
To exercise these rights, contact us at support@getjoust.app. We will verify your identity before fulfilling requests.
European Economic Area, United Kingdom, and Similar Jurisdictions
If you are located in the European Economic Area, United Kingdom, or a jurisdiction with similar data protection laws (such as Switzerland or Brazil), you have rights under applicable law including:
- Access to your personal data
- Rectification of inaccurate personal data
- Erasure (right to be forgotten)
- Restriction of processing
- Data portability (receive your data in a structured format)
- Objection to processing based on legitimate interests
- Withdrawal of consent where processing is based on consent
- Lodging a complaint with your local data protection authority
The legal basis for our processing of your personal data is:
- Performance of a contract — we process your account and subscription information to provide the Service you’ve signed up for
- Legitimate interests — we process limited usage data to improve the Service and ensure its security
- Consent — we rely on consent for marketing communications (if we ever send them) and for any optional analytics features
- Legal obligations — we retain certain records to comply with tax and accounting laws
Joust is operated from the United States. By using the Service from outside the United States, you understand that your information will be transferred to and processed in the United States.
To exercise your rights or for questions about how we process your personal data, contact us at support@getjoust.app.
Children’s Privacy
The Service is not intended for anyone under 18. We do not knowingly collect information from individuals under 18. If we learn that we have collected information from someone under 18, we will delete it and terminate the account.
If you believe we have collected information from someone under 18, please contact us immediately at support@getjoust.app.
Data Security
We protect your information using:
- Client-side encryption for your tracked health data
- Encryption in transit (TLS) for all communications with our servers
- Encryption at rest for data stored on our infrastructure
- Access controls limiting which employees and contractors can access systems handling your data
- Authentication safeguards including hashed passwords and session management
- Regular security review of our systems and providers
No security system is perfect. We work to maintain reasonable safeguards, but we cannot guarantee absolute security. If we become aware of a security incident affecting your information, we will notify you as required by applicable law.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and post the updated policy on our website. The “Last updated” date at the top of this policy will reflect the most recent revision.
For changes that materially expand how we use your information, we will provide notice and, where required by law, obtain your consent.
Contact Us
For questions about this Privacy Policy or our privacy practices, contact:
Prepdex Holdings LLC
Attn: Privacy
[BUSINESS ADDRESS]
support@getjoust.app
If you are in the European Economic Area or United Kingdom and your concerns cannot be resolved by contacting us, you have the right to lodge a complaint with your local data protection authority.