Privacy Policy
Last updated: May 16, 2026
This Privacy Policy describes how Peak Hybrid handles your personal information. We have written this in plain English because we want you to actually read it.
1. Who we are
Peak Hybrid is operated by Suncraft Collective, LLC ("we," "us," "our"). Peak Hybrid is an iOS app for hybrid athletes, people who lift, ride, run, swim, and hike, to track training and see how their body is responding to it.
- Website: peakhybrid.app
- Contact: jon@scoutcoffeeco.com
- Mailing address: 390 Morro Bay Blvd, Morro Bay, CA 93442
If you have questions about this policy or your data, email us at the address above.
2. What we collect
We collect only what we need to run the app and show you your training.
Account information
- Email address
- Password (stored only as a hashed value by our auth provider; we never see or store your raw password)
- Display name
- Optional profile fields you choose to enter: body type, bodyweight, unit system (imperial/metric), training preferences, and your preferred disciplines (lift, ride, run, swim, hike)
Workouts you log
- Exercises, sets, reps, weights, and dates for strength sessions
- Cardio activities you log manually: type, duration, distance, effort
- Routines and planned workouts you build
Strava data (only if you connect Strava)
If you choose to connect your Strava account, we import your activity history so it can show up alongside the workouts you log directly. This includes, where Strava provides it:
- Activity type, date, duration, and distance
- GPS-derived stats (elevation, pace, speed)
- Heart rate, power, and cadence
- Strava's "suffer score" / relative effort
We pull this data through Strava's official OAuth API using the access you grant us. You can disconnect Strava at any time from inside the app.
Derived metrics
Some numbers we show you are computed locally or on our backend from your raw data. We don't collect them separately, but they live in our database alongside your activities:
- Performance Management Chart values: CTL (Chronic Training Load), ATL (Acute Training Load), TSB (Training Stress Balance)
- Estimated 1-rep max (e1RM)
- Peak power values for cycling
- Personal records
3. What we do NOT collect
We want to be explicit about this:
- No location data outside Strava. We do not request location permissions from your phone. If you connect Strava, GPS data that's already attached to your Strava activities comes across; we don't collect any additional location data.
- No contacts, photos, microphone, or calendar access. The app does not request these permissions.
- No advertising identifiers (IDFA). We do not track you for advertising.
- No behavioral targeting and no cross-app tracking.
- No selling of personal data to third parties. Ever.
- Product analytics (PostHog) is installed but not active by default. The posthog-react-native SDK is bundled in the app, but it only sends events when a PostHog API key is configured in the release build. When it is active, we send a small, curated set of product events, things like account creation, completing onboarding, logging your first workout, viewing the paywall, and starting a subscription, so we can see which parts of the product are useful and where new users get stuck. Each event is tagged with your Supabase user ID (a random UUID) so we can correlate behavior to an account, but we never send your email address or display name to PostHog. If we add new events or new properties beyond product interaction, we will update this policy.
4. How we use your data
We use your data to do the things the app exists to do:
- Show you your training history and current week
- Compute performance metrics (CTL/ATL/TSB, e1RM, peak powers, personal records)
- Suggest workouts and routines based on your training and preferences
- Deliver subscription content if you subscribe to Peak Hybrid
- Provide customer support when you contact us
- Keep the app secure (detect abuse, prevent unauthorized access)
We do not use your data to train AI models that are sold or shared externally, and we do not sell or rent your data to anyone.
5. Who we share data with
We use a small number of service providers to actually run the app. They process data on our behalf and only for the purposes listed here.
- Supabase: hosts our database (Postgres) and our authentication system. Your account record and all your training data live in a Supabase project we control. Supabase enforces row-level security so one user cannot read another user's rows.
- Strava: only if you connect it. The connection is initiated by you via Strava's OAuth flow. We exchange tokens with Strava to read your activities. We do not write to your Strava account at this time; if we add the ability to push workouts back to Strava in the future, it will be opt-in and disclosed clearly.
- Apple: when you subscribe, payment is processed by Apple's In-App Purchase system. We never see your credit card or Apple ID password. Apple sends us a receipt confirming the subscription.
- RevenueCat: we use (or plan to use) RevenueCat as a receipt-validation processor for Apple In-App Purchase. RevenueCat receives the Apple receipt and an anonymous user identifier from our app so it can tell us whether your subscription is active.
- PostHog: product analytics processor. PostHog receives the curated product events described in §3 ("Product analytics") tagged with your Supabase user UUID, but never your email or display name. PostHog is configured in the release build via an API key that we hold; until that key is configured the SDK is dormant and sends nothing.
We do not share data with any other third parties.
If we ever need to add a new processor (for example, an email-sending service or product analytics), we will update this policy and list them here.
We may disclose data if legally required (e.g., valid subpoena), but we will push back on overreaching requests and notify you when we are legally able to.
6. Data retention and deletion
You can delete your account from inside the app at any time:
Profile → Delete Account
When you delete your account, we cascade-remove all of the following from our database:
- Your profile and preferences
- Every workout you have logged (exercises, sets, durations, distances)
- Every routine and planned workout you have built
- Every Strava activity that was imported on your behalf
- Personal records, custom exercises, and derived metrics
- Connected-service tokens (including your Strava OAuth tokens)
- Your authentication record itself
Deletion is permanent and cannot be undone. We do not keep "soft deleted" copies of your training data.
Things outside our control:
- Apple and (where applicable) RevenueCat retain subscription receipt records for their own accounting and tax purposes. This is governed by their privacy policies, not ours, and typically runs on the order of 30+ days after cancellation. Those receipts do not contain your workout data, only the fact that a purchase was made.
- If you connected Strava, deleting your Peak Hybrid account does not delete your data on Strava. You manage that from your Strava account directly.
7. Your rights
Regardless of where you live, you can:
- Access the data we hold about you (most of it is visible directly in the app)
- Correct profile information from your profile screen
- Delete your account and all associated data using the in-app Delete Account flow described above
- Disconnect Strava at any time, which stops further imports
We are working on a self-serve data export feature so you can download a copy of your training history. Until that ships, email us at jon@scoutcoffeeco.com and we will export your data manually within a reasonable time.
Residents of California (CCPA/CPRA), the EU/UK (GDPR), and similar jurisdictions have additional rights, including the right to know what categories of personal information we collect, the right to deletion, and the right not to be discriminated against for exercising these rights. We honor those requests for all users, not just those covered by a specific law. Send any rights request to the contact email above.
We do not sell personal information, and we do not "share" personal information for cross-context behavioral advertising as those terms are defined under California law.
8. Children
Peak Hybrid is not directed at children. We do not knowingly collect personal information from anyone under 13 (or under 16 in jurisdictions where the GDPR sets that floor). If you believe a child has created an account, contact us and we will delete it.
9. Security
We take reasonable steps to protect your data:
- In transit: all traffic between the app and our backend uses HTTPS/TLS.
- At rest: the database is hosted by Supabase, which encrypts data at rest.
- Access control: Supabase Row Level Security (RLS) policies scope each row to the user who owns it, so one account cannot read another's data.
- Passwords: stored only as bcrypt hashes by Supabase Auth. We never store or transmit plaintext passwords.
No system is perfectly secure, and we cannot guarantee absolute security. If we ever experience a breach that affects your data, we will notify you in line with applicable law.
10. International data transfers
Our backend is hosted in the United States (Supabase, default US East region). Strava is a US-based company. Apple and RevenueCat operate globally with US headquarters.
If you use Peak Hybrid from outside the United States, your data will be transferred to and processed in the United States and other countries where our service providers operate. The data-protection laws in these countries may differ from the laws in your country. By using the app, you consent to this transfer.
11. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will change the "Last updated" date at the top of this page. If the change is material, for example, adding a new processor or a new category of data collection, we will give you reasonable notice inside the app or by email before it takes effect.
12. Contact
Questions, requests, or concerns about this policy or your data:
Suncraft Collective, LLC
Email: jon@scoutcoffeeco.com
Mailing address: 390 Morro Bay Blvd, Morro Bay, CA 93442
Website: peakhybrid.app