Privacy Policy
Last updated: 13 May 2026
1. Who runs PeakD
PeakD (peakd.pro) is operated by Tomasz Skalski, an individual based in Poland (EU). PeakD is not yet a registered company. For any question about your data — including export, deletion, or correction requests — write to hello@peakd.pro.
PeakD is in beta. Features and processors listed below may change as the product matures; we will update this policy when they do.
2. What we collect
Only the data you give us, plus what is technically necessary to serve the page.
- Account: your email address (used to sign you in via magic link — no password).
- Profile: name, age, gender, your selected coach, and fitness baselines you choose to enter (starting body weight, body-fat %, muscle %, max push-ups, max pull-ups, max plank seconds).
- Training data: the AI-generated workout plans you create, the sets you log (reps, weight, optional notes), weekly check-ins, and any body-metric updates you add.
- Technical: standard server request logs on our API endpoints (IP address, user agent, timestamp). These are kept by our hosting provider for short-term operational purposes only.
We do not collect: location, payment information, advertising identifiers, or any data we don't explicitly list above.
3. Why we process it
- To generate personalised training plans for you (AI inference based on your profile and prior blocks).
- To sync your data across the devices you sign into.
- To produce weekly check-in coaching responses.
- To operate the site (hosting, anti-abuse rate limiting, error diagnosis).
4. Legal basis (GDPR)
We rely on two bases:
- Performance of a contract (GDPR Art. 6(1)(b)) — most processing is what we need to do to actually deliver the coaching service you signed up for.
- Consent (GDPR Art. 6(1)(a)) — given when you create your account. You can withdraw it at any time by deleting your account (see §7).
The fitness metrics you enter (weight, body composition, exercise baselines) are not processed as health data under GDPR Art. 9 — they are training inputs, not medical records, and PeakD is not a medical device.
5. Who else sees your data (sub-processors)
To run the service we use a small number of third-party providers. Each only sees what they need to do their job, and each is contractually bound to keep it confidential.
- Anthropic, PBC (United States) — provides the Claude AI that generates your training plans, chat analysis, and exercise-swap suggestions. Receives your profile fields and current training context for the duration of each request. Anthropic's API terms forbid them from training on your data.
- Vercel Inc. (United States, with EU regions available) — hosting and serverless function execution. Sees standard request metadata (IP, user agent, route).
- Supabase (EU region) — authentication (email + magic link) and primary database. Stores your account, profile, and training data.
- Upstash (EU region) — secondary cache used during the current data-migration window. Will be retired once the migration completes.
We do not sell your data, share it with advertisers, or use it for marketing.
6. International transfers
Anthropic and Vercel are US-based companies. Transfers to them rely on the EU Standard Contractual Clauses built into their data-processing agreements. Supabase and Upstash data is stored in EU regions.
7. Your rights
Under GDPR you can, at any time:
- Access and export your data. Sign in, open /account, and click "Export my data (JSON)" — you get the full dump as a downloadable file, instantly.
- Correct your data. Edit your profile inside the app at any time.
- Delete your account and everything in it. Go to /delete-account (or open /account and click "Delete account"), sign in, and confirm. This permanently wipes every plan, workout, check-in, and your auth record. There is no soft-delete or grace period.
- Restrict or object to processing — write to hello@peakd.pro.
- Lodge a complaint with a supervisory authority. For Polish users, that is the UODO (Urząd Ochrony Danych Osobowych).
8. How long we keep your data
- Active account — we keep your data for as long as your account exists.
- Deleted account — wiped immediately and permanently from our database and cache on deletion. No backup retention beyond what our sub-processors run for disaster-recovery purposes (typically 7–30 days, rolling).
- Server request logs — kept short-term by Vercel for operational diagnosis, then aged out.
9. Security
Data in transit is encrypted (HTTPS everywhere). Authentication uses Google sign-in via Supabase — there is no password for us to store or for anyone to phish. Database access is restricted by row-level security so only you can read your own rows. API endpoints rate-limit aggressive clients.
No system is bullet-proof. If we become aware of a breach affecting your data, we will notify you and the relevant supervisory authority as required by GDPR Art. 33–34.
10. Children
PeakD is not directed at children. You must be at least 16 years old to create an account. If you believe a child has registered, write to hello@peakd.pro and we will delete the account.
11. Cookies and tracking
PeakD does not use advertising cookies and does not currently run any analytics tracking. The app stores a small amount of data in your browser's localStorage so it can work offline and remember which plan you're on — this never leaves your device unless you choose to sync it via cloud sign-in.
12. Changes to this policy
When we change how we handle data, we update the "Last updated" date at the top and, for material changes, notify signed-in users by email before the change takes effect.
13. Contact
Privacy questions, data-subject requests, breach reports: hello@peakd.pro.