Privacy Policy

PeakStreak (peakstreak.app) · Effective from [PLACEHOLDER: effective date]

This Privacy Policy explains how PeakStreak (the “app”, the “service”) and this website (peakstreak.app) collect, use, share and protect your personal data, and the rights you have. It is written to comply with the EU/UK General Data Protection Regulation (GDPR/UK GDPR), the California Consumer Privacy Act (CCPA/CPRA), and the privacy requirements of the Apple App Store and Google Play. [PLACEHOLDER: have this reviewed by counsel before launch.]

1. Who we are (Data Controller)

The data controller responsible for your personal data is [PLACEHOLDER: PeakStreak legal entity name, registered address and company number]. For any privacy question or to exercise your rights, contact us at hello [at] peakstreak.app. [PLACEHOLDER: EU/UK representative and Data Protection Officer, if applicable.]

2. Data we collect

Depending on how you use PeakStreak, we may process:

  • Account data — email address, a hashed password (or social-login identifier), and any display name you choose.
  • Challenge & activity data — the challenges you join, completed sets/reps, daily check-ins, streaks, progress and timestamps. This is the core data the app needs to run your plan.
  • Subscription data — your Premium status and entitlements (via RevenueCat and the app stores). We do not receive your full card or bank details.
  • Device & technical data — device model, operating system, app version, language, time zone, IP address, and a device/installation identifier.
  • Usage & diagnostics — in-app events, screens viewed, feature usage and crash/error diagnostics, used to keep the service stable and improve it.
  • Advertising & measurement identifiers — where you consent, advertising identifiers and pixel/SDK events used to measure campaigns and show relevant ads (Meta, TikTok, Google Ads, Google Analytics).
  • Communications — emails you send us and our email delivery logs (via Resend).
  • Cookies & similar technologies — see section 7.

We do not knowingly collect special-category data (e.g. detailed health diagnoses). Your fitness/activity entries are self-reported challenge data, not medical records.

3. How we use your data & legal bases (GDPR)

  • Provide the service — create your account, run challenges, track streaks and progress, sync your data. Legal basis: performance of a contract.
  • Process subscriptions — manage Premium access. Legal basis: contract.
  • Keep the service secure & working — diagnostics, abuse prevention, debugging. Legal basis: legitimate interests.
  • Improve the product — analytics on how features are used. Legal basis: your consent (analytics cookies/SDKs) or legitimate interests for aggregate, privacy-preserving statistics.
  • Marketing & advertising — measure campaigns and show relevant ads via Meta, TikTok and Google. Legal basis: your consent.
  • Communicate with you — service messages (contract) and, where you opt in, product/marketing email (consent).
  • Comply with the law — tax, accounting and legal requests. Legal basis: legal obligation.

Where we rely on consent, you can withdraw it at any time (see sections 7 and 8).

4. Who we share data with (processors & third parties)

We do not sell your personal data. We share it only with vetted service providers (“processors”) acting on our instructions, and only as needed:

  • Supabase — Account, authentication and app database (your account and challenge data). (privacy)
  • Google Firebase — App analytics, crash diagnostics and push notifications. (privacy)
  • Google Analytics 4 — Aggregated website/app usage statistics (consent-gated). (privacy)
  • Google Ads — Conversion measurement and remarketing (consent-gated). (privacy)
  • Meta Pixel — Ad conversion measurement and remarketing on Facebook/Instagram (consent-gated). (privacy)
  • TikTok Pixel — Ad conversion measurement and remarketing on TikTok (consent-gated). (privacy)
  • RevenueCat — Manages in-app subscriptions and entitlements (no card data). (privacy)
  • Resend — Transactional and product email delivery. (privacy)
  • Vercel — Hosts and serves this website. (privacy)
  • Apple App Store / Google Play — Process app purchases and subscriptions; we never receive your full payment details. (privacy)

We may also disclose data where required by law, to protect our rights, or as part of a business transfer (merger/acquisition), with notice where required.

5. International transfers

Some processors are located outside the EEA/UK (e.g. the United States). Where data is transferred, we rely on appropriate safeguards such as the EU Standard Contractual Clauses and the EU–US Data Privacy Framework where applicable. [PLACEHOLDER: confirm transfer mechanisms per processor.]

6. How long we keep your data (retention)

We keep your account and challenge data while your account is active. If you delete your account, we delete or anonymise your personal data within [PLACEHOLDER: e.g. 30] days, except where we must keep limited records to meet legal, tax or security obligations. Diagnostic and aggregated analytics data is retained for a limited period and is not used to identify you.

7. Cookies & similar technologies

On the website we use cookies and similar technologies in three categories, and on EU/UK visits we ask for your prior consent for anything beyond strictly necessary (using Google Consent Mode v2 and a granular consent banner):

  • Necessary — required for the site to work and to remember your cookie choice. Always on.
  • Analytics — Google Analytics 4 / Firebase, anonymous usage statistics. Only with your consent.
  • Marketing — Meta Pixel, TikTok Pixel and Google Ads features for conversion measurement and remarketing. Only with your consent.

You can accept or reject each category in the cookie banner, and change your choice at any time. In the app, advertising/measurement SDKs run only after the equivalent consent (including Apple App Tracking Transparency on iOS).

8. Your rights

If you are in the EU/UK (GDPR) you have the right to:

  • access a copy of your data;
  • rectify inaccurate data;
  • erase your data (“right to be forgotten”);
  • restrict or object to processing;
  • data portability;
  • withdraw consent at any time; and
  • lodge a complaint with your local supervisory authority.

California residents have equivalent rights (to know, delete, correct, and opt out of “sharing” for cross-context advertising). To exercise any right, contact hello [at] peakstreak.app. We will not discriminate against you for exercising your rights.

9. Deleting your account & data

You can delete your account and associated personal data at any time from [PLACEHOLDER: in-app path, e.g. Settings → Delete account], or by emailing hello [at] peakstreak.app. On deletion we remove your personal data from our active systems within the period in section 6.

10. Children

PeakStreak is not directed to children under [PLACEHOLDER: 13 / 16], and we do not knowingly collect their personal data. If you believe a child has provided us data, contact us and we will delete it.

11. Security

We use industry-standard measures (encryption in transit, access controls, reputable processors) to protect your data. No method is 100% secure, but we work to protect your information and will notify you and the authorities of a breach where the law requires.

12. Changes to this policy

We may update this policy as the product evolves. We will post the new version here and, for material changes, notify you in the app or by email. The current version is always at peakstreak.app/privacy.

13. Contact

Questions about your privacy? Email hello [at] peakstreak.app. The data controller is [PLACEHOLDER: PeakStreak legal entity name].