Privacy Policy
Last updated: May 2026
1. Introduction
PeakFlow is a sports coaching application developed and maintained by Francesco Modesti ("we", "us", or "our"), an independent developer based in Italy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the PeakFlow application.
By using PeakFlow you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of the service.
2. Information We Collect
We collect the following categories of data:
- Account data: name, email address, and hashed password provided at registration via Supabase Auth.
- Athlete profile data: age, weight, resting heart rate, maximum heart rate, training availability, sport background, injuries, and fitness goals — provided voluntarily during onboarding.
- Training logs: daily check-in data including perceived effort (RPE), session status, and coach AI feedback.
- Usage data: pages visited, browser type, IP address, and device information collected automatically for analytics and security.
3. Telemetry Integrations (Strava, Garmin, Suunto)
PeakFlow integrates with third-party sports platforms — currently including Strava, Garmin Connect, and Suunto — to enhance the quality of your training plans. When you voluntarily connect a provider account, we request read-only access to the following data:
- Heart Rate (bpm)
- Power (watts)
- Distance (km/miles)
- Elapsed and moving time
- Elevation gain
- Activity type and date
- High-resolution telemetry streams (e.g., 1Hz FIT files), including Heart Rate, Power, and GPS data where available from the connected provider.
Purpose of access: this data is used exclusively to allow the PeakFlow AI engine and your assigned human Coach to:
- Evaluate your actual training load against your planned microcycle.
- Calibrate your heart rate training zones using the Karvonen formula.
- Generate and recalibrate personalised training plans based on real performance.
Data handling commitments:
- We do not sell, rent, or share your telemetry or health data with any third party for advertising, profiling, or commercial purposes.
- Health and biometric data (heart rate, power, GPS) is used exclusively for inference of your personal training plan. It is never used to train general-purpose AI models or sold to data brokers.
- Telemetry data is stored in an encrypted Supabase (PostgreSQL) database hosted in the European Union (EU) and is accessible only to you and your assigned Coach.
- We do not request write access to any connected provider. We never create, modify, or delete activities on your behalf.
- You may disconnect any provider at any time from your PeakFlow profile settings. Upon disconnection, the provider's OAuth tokens are immediately revoked and all raw telemetry data obtained from that provider is deleted from our Supabase servers. The same applies upon full account deletion. Historical activity summaries already incorporated into a training plan may be retained in anonymised aggregate form solely for plan continuity.
PeakFlow's integrations comply with the applicable developer and API agreements of each provider, including the Strava API Agreement, the Garmin Connect Developer Agreement, and the Suunto API Agreement.
4. How We Use Your Data
- To provide, operate, and improve the PeakFlow service.
- To generate personalised AI training plans and coaching feedback.
- To allow your assigned Coach to monitor your progress and send you guidance.
- To communicate service updates, plan renewals, and important notices.
- To detect fraud and abuse, and to ensure platform security.
- To comply with legal obligations.
We do not use your data to train general-purpose AI models, nor do we sell it to third-party data brokers or advertisers.
5. Data Sharing
We share your data only in the following limited circumstances:
- Your Coach: if you are enrolled in a coaching plan, your assigned Coach can view your athlete profile, training logs, and Strava activity summaries for the sole purpose of providing coaching.
- Service providers: we use Supabase for database and authentication, Vercel for hosting, and Google (Gemini API) for AI inference. Each provider is bound by data processing agreements and may only process your data to deliver their service to us.
- Legal obligations: we may disclose data when required by law, court order, or to protect the rights and safety of our users.
6. Data Retention
We retain your personal data for as long as your account is active or as necessary to provide the service. You may request deletion of your account and associated data at any time by contacting francesco1000.ff@gmail.com. Deletion requests are processed within 30 days. Anonymised aggregate data (e.g., aggregate training load statistics) may be retained indefinitely.
Provider disconnection & account deletion: when you disconnect a telemetry provider (Strava, Garmin, or Suunto) or delete your PeakFlow account, the corresponding OAuth tokens are immediately revoked and all raw telemetry data obtained from that provider is permanently deleted from our Supabase servers. This deletion is irreversible.
7. Cookies & Tracking
PeakFlow uses strictly necessary cookies for authentication session management (via Supabase Auth). We do not use third-party advertising cookies or cross-site tracking pixels. You can configure cookie preferences in your browser settings.
8. Your Rights (GDPR / CCPA)
Depending on your jurisdiction, you may have the right to: access the personal data we hold about you; correct inaccurate data; request erasure; object to processing; request portability of your data in a machine-readable format; and withdraw consent at any time.
To exercise any of these rights, email us at francesco1000.ff@gmail.com.
9. Security
We implement industry-standard security measures including TLS encryption in transit, AES-256 encryption at rest, Row-Level Security (RLS) policies on all database tables, and regular security audits. No transmission over the internet is 100% secure; we cannot guarantee absolute security but are committed to protecting your data.
10. Children's Privacy
PeakFlow is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or via an in-app banner at least 14 days before the change takes effect. Continued use of PeakFlow after the effective date constitutes acceptance of the updated policy.
12. Contact
For questions, data requests, or concerns regarding this Privacy Policy, contact us at francesco1000.ff@gmail.com.
Developer: Francesco Modesti
Email: francesco1000.ff@gmail.com
Location: Vittorio Veneto (TV), Italy.