Last updated: May 20, 2026

Privacy Policy

Peak Health is a local-first fitness companion. This policy explains what information we collect, why we collect it, which third-party services help us run Peak Health, and the choices you have about your data.

Information we collect

Training data: workouts, routines, exercise notes, onboarding answers and health metrics that you enter in the app. When you use Peak Health without signing in, this data stays on your device so the product works offline. When you sign in, we securely sync a copy to the Peak Health Supabase project so you can use the same data across devices.

Account information: when you register, we collect the details required to create an account, such as email address or authentication identifiers. Authentication is handled by Better Auth running within Peak Health's own infrastructure.

Diagnostics and usage: we log event and error information through our structured logger and Sentry (for example, which onboarding step failed) and gather aggregated metrics via Vercel Analytics. This helps us monitor performance and troubleshoot issues.

Product analytics: when you are signed in, we send a small set of authenticated, identified product events (for example, workout started, workout logged, onboarding completed) to PostHog Cloud EU. Event properties are deliberately coarse and never include direct PII, free-form notes, AI conversation text, or sensitive health detail. Public website pages capture a separate consent-gated funnel; the authenticated Soft-Launch Product Analytics described here is processed under legitimate interest and is subject to the opt-out below.

AI conversations: when you use the onboarding assistant, we send your prompts and the conversation transcript to Vercel AI Gateway and the underlying model provider in order to deliver responses. These providers may retain logs for a limited period so we can investigate failures.

Voluntary feedback: if you submit the in-app feedback form, we collect the title, description, optional contact email and user agent/device information and create an issue in our private Linear project management tool.

How we store and retain information

Local storage: offline data remains on your device. You can clear it from the settings page or by using your browser’s storage controls.

Peak Health Supabase: account holders have an encrypted copy of their training data in our Supabase project hosted with Supabase in the European Union. We retain this data while your account remains active. If you delete your account, we remove the synchronized copy within 30 days.

Third-party services: Peak Health retains authentication data in its own infrastructure. Sentry stores error reports for approximately 90 days. Vercel Analytics stores aggregated metrics without identifying individual users. Vercel AI Gateway retains request logs required to operate the model. Linear stores feedback issues until we resolve or delete them. PostHog Cloud EU stores authenticated product analytics events for 12 months. When your Peak Health account is deleted, we request deletion of the corresponding PostHog person on a best-effort basis (this request does not block the rest of the account-deletion flow).

  • Clearing local storage removes offline data immediately
  • Account deletion removes the synchronized copy from the Peak Health Supabase project

Third-party services we rely on

Better Auth (authentication) is an open-source library running within Peak Health's infrastructure that manages sign-in and stores credentials in our own database.

Supabase (managed data platform) hosts our synchronized database and storage after you sign in.

Vercel (application hosting, analytics, edge configuration and AI Gateway) operates the infrastructure that serves Peak Health and collects aggregated telemetry.

Sentry (error monitoring) receives error reports, stack traces and limited context such as an anonymized user ID so we can diagnose problems quickly.

Linear (feedback management) stores support tickets created from the feedback form.

Vercel Flags (feature flags) evaluates anonymous configuration to help us release features safely.

PostHog (product analytics) processes authenticated product events for Peak Health on PostHog Cloud EU (Frankfurt, AWS eu-central-1) under a signed Data Processing Agreement. PostHog uses a small set of operational subprocessors covered by EU Standard Contractual Clauses; the current list is available at https://posthog.com/subprocessors. Public website analytics for unauthenticated visitors is gated by your cookie / analytics consent banner; identified product events for signed-in users rely on legitimate interest (Article 6(1)(f) GDPR) and can be objected to from Settings → Privacy.

  • Each provider processes data in accordance with its own privacy policy
  • We share the minimum data necessary to operate the service
  • We require providers to follow industry-standard security controls

Your choices and rights

Use Peak Health without signing in if you prefer to keep data on a single device. Signed-out usage stays entirely on your device.

Delete local data from the in-app settings or by clearing your browser’s storage.

Exercise your right to object (Article 21 GDPR) to authenticated product analytics from Settings → Privacy. The opt-out suppresses both client-side and server-side PostHog capture for your account; you do not need to grant or revoke cookie-banner consent to exercise this right.

Request deletion of your Peak Health account by emailing privacy@peakhealth.es. We will remove the synchronized copy of your data from our Supabase project within 30 days, confirm when the process is complete, and issue a best-effort person-delete request to PostHog so your analytics history is erased as well.

You can export or delete data stored in Peak Health by contacting us. Data stored locally on your device can be cleared at any time through your browser.

We may update this privacy policy when we add new features or to comply with legal requirements. Significant changes will be highlighted inside the application. Continuing to use Peak Health after changes take effect means you accept the updated policy.

Questions about privacy?

Reach out and the Peak Health team will respond as quickly as possible.

privacy@peakhealth.es