PPeak Hybrid
GuideHow it worksPricingPricingFAQFAQRoadmapRoadmapLog inDownload

Privacy Policy

Last updated: June 18, 2026

This Privacy Policy describes how Peak Hybrid handles your personal information. We have written this in plain English because we want you to actually read it.


1. Who we are

Peak Hybrid is operated by Suncraft Collective, LLC ("we," "us," "our"). Peak Hybrid is an iOS app for hybrid athletes, people who lift, ride, run, swim, and hike, to track training and see how their body is responding to it.

  • Website: peakhybrid.app
  • Contact: support@peakhybrid.app
  • Mailing address: 390 Morro Bay Blvd, Morro Bay, CA 93442

If you have questions about this policy or your data, email us at the address above.


2. What we collect

We collect only what we need to run the app and show you your training.

Account information

  • Email address
  • Password (stored only as a hashed value by our auth provider, we never see or store your raw password)
  • Display name
  • Optional profile fields you choose to enter: body type, bodyweight, unit system (imperial/metric), training preferences, and your preferred disciplines (lift, ride, run, swim, hike)

Workouts you log

  • Exercises, sets, reps, weights, and dates for strength sessions
  • Cardio activities you log manually: type, duration, distance, effort
  • Routines and planned workouts you build

Health and fitness baselines you enter

If you choose to enter them, we store the fitness baselines you type in so the app can reflect your current condition:

  • VO2 max (your entered estimate of aerobic capacity)
  • Resting heart rate

These are optional, are entered by you manually (we do not read them from Apple Health or any device), and are stored linked to your account so they persist across sessions. You can change or clear them at any time.

Strava data (only if you connect Strava)

If you choose to connect your Strava account, we import your activity history so it can show up alongside the workouts you log directly. This includes, where Strava provides it:

  • Activity type, date, duration, and distance
  • GPS-derived stats (elevation, pace, speed)
  • Heart rate, power, and cadence
  • Strava's "suffer score" / relative effort

We pull this data through Strava's official OAuth API using the access you grant us. You can disconnect Strava at any time from inside the app.

Apple Health data (only if you connect Apple Health)

If you choose to connect Apple Health, we read your completed workouts from HealthKit (read-only; we never write to Apple Health) so your rides and runs appear alongside the workouts you log directly and feed your training metrics and PH score. We read, where Apple Health has it:

  • Workout type, date, and duration
  • Distance and active energy
  • Heart rate recorded during the workout

We do not read your GPS route, resting heart rate, VO2 max, or any other Health data type from Apple Health. Health data is used only to show you your training and compute your scores. It is never used for advertising, never sold, and never stored in iCloud. You control this access in the iOS Health app or in Settings at any time.

Imported workout files (.fit / .tcx)

If you import a workout file you export from a device or service (for example Garmin, Coros, or Wahoo), we read the activity it contains (type, date, duration, distance, heart rate, and any GPS track or power the file itself includes) and store it linked to your account. This data comes only from files you choose to import.

Derived metrics

Some numbers we show you are computed locally or on our backend from your raw data, we don't collect them separately, but they live in our database alongside your activities:

  • Performance Management Chart values: CTL (Chronic Training Load), ATL (Acute Training Load), TSB (Training Stress Balance)
  • Estimated 1-rep max (e1RM)
  • Peak power values for cycling
  • Personal records

3. What we do NOT collect

We want to be explicit about this:

  • No location data we request ourselves. We do not request location permissions from your phone, and we do not read your GPS route from Apple Health. The only location data we ever hold is GPS already attached to a Strava activity you connect, or contained in a workout file you choose to import. We collect no additional location data.
  • No contacts, photos, microphone, or calendar access. The app does not request these permissions.
  • No advertising identifiers (IDFA). We do not track you for advertising.
  • No behavioral targeting and no cross-app tracking.
  • No selling of personal data to third parties. Ever.
  • Product analytics (PostHog) is installed but not active by default. The posthog-react-native SDK is bundled in the app, but it only sends events when a PostHog API key is configured in the release build. When it is active, we send a small, curated set of product events, things like account creation, completing onboarding, logging your first workout, viewing the paywall, and starting a subscription, so we can see which parts of the product are useful and where new users get stuck. Each event is tagged with your Supabase user ID (a random UUID) so we can correlate behavior to an account, but we never send your email address or display name to PostHog. If we add new events or new properties beyond product interaction, we will update this policy.
  • Crash diagnostics (Sentry) is installed but not active by default. The Sentry SDK is bundled in the app and sends data only when a DSN is configured in the release build. When active, it reports crashes and a sampled subset of performance traces (stack trace, device model, OS version, and the IP address inherent to any network request) so we can fix bugs. We strip your email address before sending and we do not attach your identity to error reports.

4. How we use your data

We use your data to do the things the app exists to do:

  • Show you your training history and current week
  • Compute performance metrics (CTL/ATL/TSB, e1RM, peak powers, personal records)
  • Suggest workouts and routines based on your training and preferences
  • Deliver subscription content if you subscribe to Peak Hybrid
  • Provide customer support when you contact us
  • Keep the app secure (detect abuse, prevent unauthorized access)

We do not use your data to train AI models that are sold or shared externally, and we do not sell or rent your data to anyone.


5. Who we share data with

We use a small number of service providers to actually run the app. They process data on our behalf and only for the purposes listed here.

  • Supabase: hosts our database (Postgres) and our authentication system. Your account record and all your training data live in a Supabase project we control. Supabase enforces row-level security so one user cannot read another user's rows.
  • Strava: only if you connect it. The connection is initiated by you via Strava's OAuth flow. We exchange tokens with Strava to read your activities. We do not write to your Strava account at this time; if we add the ability to push workouts back to Strava in the future, it will be opt-in and disclosed clearly.
  • Apple: when you subscribe, payment is processed by Apple's In-App Purchase system. We never see your credit card or Apple ID password. Apple sends us a receipt confirming the subscription.
  • RevenueCat: we use (or plan to use) RevenueCat as a receipt-validation processor for Apple In-App Purchase. RevenueCat receives the Apple receipt and an anonymous user identifier from our app so it can tell us whether your subscription is active.
  • PostHog: product analytics processor. PostHog receives the curated product events described in §3 ("Product analytics") tagged with your Supabase user UUID, but never your email or display name. PostHog is configured in the release build via an API key that we hold; until that key is configured the SDK is dormant and sends nothing.
  • Sentry: crash and performance diagnostics processor (a US-based service). When the app encounters an error, Sentry receives the error details (stack trace, device model, OS version, and the IP address inherent to any network request) plus a sampled subset of performance traces. We strip your email address before sending. Sentry is configured in the release build via a DSN that we hold; until that DSN is configured the SDK is dormant and sends nothing. We use this solely to find and fix crashes: it is first-party diagnostics, not advertising or tracking.

Aside from the processors listed above, we do not share your data with any other third parties, and we never sell it.

If we ever need to add a new processor (for example, an email-sending service or product analytics), we will update this policy and list them here.

We may disclose data if legally required (e.g., valid subpoena), but we will push back on overreaching requests and notify you when we are legally able to.


6. Data retention and deletion

You can delete your account from inside the app at any time:

Profile → Delete Account

When you delete your account, we cascade-remove all of the following from our database:

  • Your profile and preferences
  • Every workout you have logged (exercises, sets, durations, distances)
  • Every routine and planned workout you have built
  • Every Strava activity that was imported on your behalf
  • Personal records, custom exercises, and derived metrics
  • Connected-service tokens (including your Strava OAuth tokens)
  • Your authentication record itself

Deletion is permanent and cannot be undone. We do not keep "soft deleted" copies of your training data.

Things outside our control:

  • Apple and (where applicable) RevenueCat retain subscription receipt records for their own accounting and tax purposes. This is governed by their privacy policies, not ours, and typically runs on the order of 30+ days after cancellation. Those receipts do not contain your workout data, only the fact that a purchase was made.
  • If you connected Strava, deleting your Peak Hybrid account does not delete your data on Strava. You manage that from your Strava account directly.

7. Your rights

Regardless of where you live, you can:

  • Access the data we hold about you (most of it is visible directly in the app)
  • Correct profile information from your profile screen
  • Delete your account and all associated data using the in-app Delete Account flow described above
  • Disconnect Strava at any time, which stops further imports

We are working on a self-serve data export feature so you can download a copy of your training history. Until that ships, email us at support@peakhybrid.app and we will export your data manually within a reasonable time.

Residents of California (CCPA/CPRA), the EU/UK (GDPR), and similar jurisdictions have additional rights, including the right to know what categories of personal information we collect, the right to deletion, and the right not to be discriminated against for exercising these rights. We honor those requests for all users, not just those covered by a specific law. Send any rights request to the contact email above.

We do not sell personal information, and we do not "share" personal information for cross-context behavioral advertising as those terms are defined under California law.


8. Children

Peak Hybrid is not directed at children. We do not knowingly collect personal information from anyone under 13 (or under 16 in jurisdictions where the GDPR sets that floor). If you believe a child has created an account, contact us and we will delete it.


9. Security

We take reasonable steps to protect your data:

  • In transit: all traffic between the app and our backend uses HTTPS/TLS.
  • At rest: the database is hosted by Supabase, which encrypts data at rest.
  • Access control: Supabase Row Level Security (RLS) policies scope each row to the user who owns it, so one account cannot read another's data.
  • Passwords: stored only as bcrypt hashes by Supabase Auth. We never store or transmit plaintext passwords.

No system is perfectly secure, and we cannot guarantee absolute security. If we ever experience a breach that affects your data, we will notify you in line with applicable law.


10. International data transfers

Our backend is hosted in the United States (Supabase, default US East region). Strava is a US-based company. Apple and RevenueCat operate globally with US headquarters.

If you use Peak Hybrid from outside the United States, your data will be transferred to and processed in the United States and other countries where our service providers operate. The data-protection laws in these countries may differ from the laws in your country. By using the app, you consent to this transfer.


11. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will change the "Last updated" date at the top of this page. If the change is material, for example, adding a new processor or a new category of data collection, we will give you reasonable notice inside the app or by email before it takes effect.


12. Contact

Questions, requests, or concerns about this policy or your data:

Suncraft Collective, LLC Email: support@peakhybrid.app Mailing address: 390 Morro Bay Blvd, Morro Bay, CA 93442 Website: peakhybrid.app

How it worksPricingFAQRoadmap
SupportPrivacyTermsLog in
Suncraft Collective, LLC
Morro Bay, California
Powered by Strava