Trust Center

Privacy & Security

We take privacy seriously and design for security from the start. Here's how we protect your data and your participants' information.

Our Commitments

Minimum PII

Collect only what's necessary

Encrypted Always

In transit and at rest

User Control

Opt-in consent, easy opt-out

BAA Ready

For healthcare partners

Audit Logging

Full access accountability

Clear Retention

Defined policies, easy deletion

Data Minimization

We collect only what's necessary and prefer aggregated, de-identified signals.

  • Collect minimum necessary PII for service delivery
  • De-identified signals preferred for analytics and reporting
  • No storage of raw loyalty credentials—OAuth tokens only
  • Automatic data aggregation where individual-level detail isn't needed

Encryption & Security

Industry-standard encryption protects data at every stage.

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for data at rest
  • SOC 2 Type II compliance roadmap in progress

Data Retention

Clear retention policies aligned with program needs.

  • Active program data retained for duration of participation
  • De-identified data may be retained longer for analysis
  • User-requested deletion completed within 30 days

De-Identification

Research-ready data exports with robust privacy protections.

  • HIPAA Safe Harbor de-identification for research exports
  • No direct identifiers in cohort-level reporting
  • Audit trail for all PII data access

BAA & HIPAA

Ready to support healthcare partners with appropriate agreements.

  • Business Associate Agreements available for covered entities
  • HIPAA-aligned policies and procedures

Compliance Roadmap

Current

  • HIPAA-aligned policies
  • BAA available for partners
  • Encryption in transit and at rest

On the Roadmap

  • SOC 2 Type II certification
  • HITRUST readiness assessment
  • Third-party penetration testing

Questions about security or compliance? hello@peppermint.engineering