Peak Fit

Privacy Policy

Each document published at this address supersedes and replaces any prior version of the same document previously published by Peak Fit.

1. Introduction

Peak Fit is a fitness coaching platform that enables coaches to manage athletes, distribute training programmes, communicate via chat, and track progress. This privacy policy explains what personal data we collect, why we collect it, and how we protect it.

This policy applies to all users of the Peak Fit platform, including coaches and athletes, whether accessed via a web browser or mobile application.

2. Data Controller

The data controller for the Peak Fit platform is:

Lars Myrup Consulting ApS
Company Registration: DK44348713
Email: hej@larsmyrup.dk

3. Data We Collect

We collect and process the following categories of personal data in order to provide the Peak Fit service:

3.1 Account Data

When you create an account, we collect your email address, first name, last name, and gender. This data is necessary to create and manage your account.

  • Legal basis: Contract performance (Art. 6(1)(b) GDPR)

3.2 Authentication Data

Your password is cryptographically hashed before storage. We never store passwords in plain text. Authentication session tokens are used to maintain your logged-in state.

  • Legal basis: Contract performance (Art. 6(1)(b) GDPR)

3.3 Profile Data

You may optionally upload a profile image. This image is stored securely and used to identify you within the platform.

  • Legal basis: Contract performance (Art. 6(1)(b) GDPR)

3.4 Activity and Training Data

Coaches create training activities consisting of titles, descriptions, and scheduled dates. Athletes record completion status, notes, and may attach files (such as images or videos) to completed activities. This data forms the core of the coaching service.

  • Legal basis: Contract performance (Art. 6(1)(b) GDPR)

3.5 Chat and Messaging Data

Coaches and athletes communicate through the platform's chat feature. We store message content, timestamps, read receipts, and any file attachments shared in conversations.

  • Legal basis: Contract performance (Art. 6(1)(b) GDPR)

3.6 Organisation Data

Coaches create organisations with a name, description, and optional cover image. This data is used to structure the coaching relationship and may be publicly visible on the organisation's presentation page.

  • Legal basis: Contract performance (Art. 6(1)(b) GDPR)

3.7 Push Notification Tokens

If you use the mobile application and allow push notifications, we store a device token to deliver notifications about new messages and activity updates. You can disable push notifications at any time through your device settings.

  • Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — to keep you informed about relevant activity within the platform. You may object to this processing at any time by disabling notifications on your device.

4. Third-Party Processors

We use the following third-party service providers to operate the platform. Each acts as a data processor on our behalf:

4.1 Supabase (Supabase Inc.)

Provides database hosting, user authentication, and file storage. Your data is stored in Supabase's EU data centre. Supabase processes data under a Data Processing Agreement in compliance with GDPR.

4.2 Vercel (Vercel Inc.)

Provides application hosting and deployment. Requests are served from Vercel's EU edge network. Vercel processes data under a Data Processing Agreement in compliance with GDPR.

4.3 Expo (650 Industries, Inc.)

Provides push notification delivery for mobile users. Expo receives device push tokens and notification content (message titles and summaries). Expo is based in the United States; data transfers are safeguarded by Standard Contractual Clauses (see Section 5).

4.4 Google Fonts (Google LLC)

The platform loads the Roboto typeface from Google's font servers. When you visit Peak Fit, your browser makes a request to Google, which may receive your IP address. No other data is shared with Google.

  • Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — for consistent and performant typography.

5. International Data Transfers

Your personal data is primarily stored within the European Union (Supabase EU region, Vercel EU edge network).

Certain processors (Expo, Google) are based in the United States. Data transfers to the US are protected by:

  • The EU-US Data Privacy Framework, where the processor is certified; and/or
  • Standard Contractual Clauses (SCCs) approved by the European Commission.

6. Data Retention

We retain your personal data only as long as necessary:

  • Account and profile data: Retained while your account is active. Deleted within 30 days of an account deletion request.
  • Activity and training data: Retained while your account is active. Deleted when your account is deleted.
  • Chat messages and attachments: Retained while both conversation participants have active accounts. Deleted when either participant's account is deleted.
  • Push notification tokens: Automatically invalidated and removed when they expire or when the associated app is uninstalled.
  • Authentication sessions: Expire automatically based on session configuration.
  • Backups: Database backups may contain personal data and are retained for up to 30 days, after which they are overwritten.

7. Your Rights

Under the General Data Protection Regulation, you have the following rights regarding your personal data:

  • Right of access (Art. 15): Request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16): Correct inaccurate or incomplete personal data. Most profile data can be edited directly in the application.
  • Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
  • Right to restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
  • Right to data portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interest, including push notifications.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority.

To exercise any of these rights, contact us at hej@larsmyrup.dk. We will respond within 30 days.

8. Cookies and Session Storage

Peak Fit does not use tracking cookies, analytics cookies, or advertising cookies.

We use only essential authentication session tokens, provided by Supabase Auth, to maintain your logged-in state. These are strictly necessary for the service to function and do not require consent under GDPR (Art. 5(3) of the ePrivacy Directive).

9. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption of data in transit (HTTPS/TLS) and at rest
  • Cryptographic password hashing
  • Row-level security policies ensuring data isolation between organisations
  • Access controls limiting data access to authorised users

10. Contact

If you have any questions about this privacy policy or our data practices, please contact us at: hej@larsmyrup.dk