Science journalism · Not medical advice Regulatory window · PCAC review in 42 days

Privacy.

What we collect.

Wolverine collects the minimum data needed to operate the waitlist and editorial newsletter. We do not collect health information.

  • Email address — collected via the waitlist form and the newsletter subscription form. Required to send you confirmation, updates, and the editorial briefing.
  • US state — collected via the waitlist form only. Used to segment the waitlist by state for clinical platform launch eligibility. Not collected for newsletter subscriptions.
  • Submission attribution — page path, HTTP referrer, and UTM parameters at the time of form submission. Used to understand which content drives qualified leads. Not linked to your identity after attribution.

No PHI (protected health information) is collected in Phase 2. The clinical platform (app.wolverine.health) will have its own HIPAA-compliant data posture.

What we don't collect.

  • No information about peptide use, symptoms, or health conditions.
  • No persistent cookies for advertising or tracking.
  • No Meta Pixel, no Google Analytics 4, no third-party ad-tracking scripts.
  • No IP address storage in analytics (PostHog cookie-less mode, anonymised).
  • No cross-site tracking or fingerprinting.

Where it lives.

Waitlist and newsletter subscriber data is stored in a Supabase (Postgres) project in US-East region. This is the public-content project — it contains no PHI and operates under standard data-protection posture.

Data classification policy is documented in infra/data-classification.md. Wolverine classifies waitlist data as Tier 2 (Internal / Sensitive): non-public, no regulatory obligation in Phase 2, but treated with care given it includes personally identifiable email addresses.

Sub-processors.

Wolverine uses the following sub-processors to operate the site and email infrastructure. The full BAA audit table is in infra/vendors.md.

  • Cloudflare — hosting, CDN, and DDoS mitigation. Processes HTTP requests including IP addresses in transit; no persistent IP storage by us.
  • Supabase — database. Stores waitlist and newsletter subscriber records. US-East region. Supabase signs BAAs (Team plan + HIPAA add-on) for future clinical data.
  • Beehiiv — newsletter delivery. Receives email addresses for "The Wolverine Briefing" subscribers. Operates its own unsubscribe and data-deletion workflow.
  • Resend — transactional email. Sends waitlist confirmation and double-opt-in emails. Processes email addresses in transit.
  • PostHog — product analytics. Cookie-less mode; no persistent user identification; event data only. Self-hosted or EU-cloud options available if required.
  • Sentry — error monitoring. Receives stack traces and request metadata on application errors. Does not receive form data or subscriber PII.

Your rights.

You may request deletion or export of your data at any time. Email privacy@wolverine.health with your request. We will respond within 30 days.

To unsubscribe from the editorial newsletter, use the unsubscribe link in any Wolverine email or contact the address above.

Future clinical platform.

Phase 8 adds a regulated clinical platform at app.wolverine.health. That platform will operate under a separate HIPAA-compliant privacy policy with its own data-processing agreements, BAAs with clinical partners, and PHI-bearing database infrastructure. The current waitlist and content-site data is on a separate Supabase project from the reserved clinical project (reserved-future-phi, currently empty). The two projects will not share data.