Peak Privacy Policy
Last Updated: 2026-06-06
Draft pending professional legal review. This policy is being prepared ahead of Peak's public launch. Items marked [in brackets] are placeholders the lawyer will finalize before public launch.
Who We Are (Data Controller)
The Peak service ("Peak", the "Service") is currently operated by 1001588189 Ontario Inc. (operating as Peak), incorporated in Ontario, Canada.
- Operator / Data Controller: 1001588189 Ontario Inc. (operating as Peak)
- Contact: peak.admin@peakcourt.com
- Privacy Officer: We have designated a Privacy Officer who is accountable for our compliance with this policy and applicable privacy laws, reachable at peak.admin@peakcourt.com.
This policy explains what personal information we collect, why, how we share it, how long we keep it, and the choices and rights you have.
1. Information We Collect
1.1 Information You Provide
- Account: Email; password (stored only in hashed form, never in plaintext).
- Profile: Nickname, avatar, bio, sport levels, date of birth, city/region, and gender. Gender and certain profile fields are optional. We collect date of birth to confirm you meet our minimum age (see Children's Privacy).
- Optional contact: Phone number, WeChat ID.
- User content: Content you create on the Service — posts, comments, chat/direct messages, and photos you upload.
- Payment: We do not collect, store, process, or transfer payment information. Peak does not process payments (see the Terms of Service for how club balances work).
1.2 Information We Collect Automatically
- Usage data: Features used, taps, and session activity, to operate and improve the Service.
- Device information: Device model, operating system version, and IP address (used for security and fraud prevention).
- Crash and diagnostic logs: We may collect crash and diagnostic logs to fix problems and improve stability. We may also use analytics to understand usage and improve the product; we do not use analytics for advertising.
1.3 Permissions and Device Data
We only access the following with your permission, and you can change these permissions at any time in your device settings:
- Push notifications: With your permission we collect a device push token (via the Apple Push Notification service and Expo) so we can send you the notifications you enable.
- Photos and camera: With your permission we access your photo library and camera so you can upload images. We only access the specific items you select.
- Location: We do not currently collect your location. If we later add map or venue features (for example, using Google Places), we will request permission and update this policy before doing so.
1.4 Sign-in Providers (Planned)
Today, sign-in is by email and password only. If and when we add Apple or Google Sign-in and you choose to use it, we will receive only the limited information that provider is authorized to share (such as email and name), and we will update this policy before enabling it. These options are not yet available. If you sign in with Apple and choose Hide My Email, we will use Apple's private relay email address and will not attempt to obtain your real email.
2. How We Use Information
- Provide the Service: Create and operate your account, posts, clubs, events, chats, and follow/block/report features.
- Improve the Service: Understand how the Service is used, fix bugs, and develop new features. If we introduce personalized recommendations of clubs, events, and players, we will not use your data for cross-context behavioral advertising.
- Security and fraud prevention.
- Customer support.
- Legal compliance.
We map specific data to specific purposes, including: date of birth to verify you are old enough to use the Service; city to surface nearby clubs and events; optional gender for profile display and matching; device push token to deliver the notifications you enable; and photos only as content you choose to post.
Legal Bases for Processing (where the GDPR applies)
Where the GDPR applies to you, we rely on the following legal bases:
- Contract (Art. 6(1)(b)): Creating and operating your account and providing core features.
- Legitimate interests (Art. 6(1)(f)): Security and fraud prevention, IP/security logging, improving the product, and (if introduced) basic recommendations. You can object to processing based on legitimate interests (see Your Rights).
- Consent (Art. 6(1)(a)): Push notifications, camera/photo-library access, optional phone/WeChat, and any future location features.
- Legal obligation (Art. 6(1)(c)): Complying with applicable law.
Personalization
We may use basic profiling to recommend clubs, events, and players based on signals such as sport, level, city, and who you follow. This is not solely-automated decision-making that produces legal or similarly significant effects. You can object to or limit it via settings or by contacting support. (We will revisit this disclosure if we introduce machine-learning recommendations.)
3. How We Share Information
We do not sell your personal information, and we do not share it for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA. Because we do not sell or share, we do not provide a "Do Not Sell or Share My Personal Information" link; if this ever changes, we will update this policy and provide the required opt-out. We share information only as follows:
- Other users: Content you post (posts, comments, photos, and profile fields) is visible to other users and may be public depending on where you post it and your settings. Your nickname, avatar, and sport levels are visible to others. Direct messages are visible to the recipient(s).
- Service providers / contractors: Our backend provider Supabase (hosted on AWS) processes personal information on our behalf, under contract, solely to provide services to us, and is contractually restricted from using it for any other purpose. Expo and Apple (APNs) receive a device push token to deliver push notifications. We may use analytics or error-monitoring tools to improve the product; we do not name a specific provider until one is in use. If we add maps/location (Google) or Apple/Google Sign-in in the future, we will update this list. Our service providers are contractually required to protect your data with the same or equivalent safeguards described in this policy and to use it only to provide services to us. These disclosures do not constitute a "sale" or "share" under the CCPA/CPRA.
- Legal and safety: When required by law or a valid government/court request, or to protect the rights, safety, and property of Peak, our users, or the public.
- Enforcement: To investigate or address violations of our Terms.
We may access and review user content, including reported messages, where necessary to investigate reports, enforce our Terms, protect safety, or comply with the law.
4. Your Rights and Choices
Depending on where you live, you may have some or all of the following rights. You can exercise them in-app or by emailing peak.admin@peakcourt.com.
- Access: Request access to the personal information we hold about you and how it has been used or disclosed.
- Rectification / Correction: Edit your profile in-app, or ask us to correct inaccurate or incomplete information.
- Erasure / Deletion: Permanently delete your account and personal data from within the app (Me → Settings → Account → Delete account). This is a full account deletion, not a deactivation. We delete or anonymize your personal data within 30 days, except where retention is required by law, for fraud/abuse prevention, to resolve disputes or enforce our Terms, or in routine backups (purged on the backup cycle). Content others have already received (for example, messages in their inbox) or aggregated/anonymized data may persist.
- Restriction: Ask us to restrict processing in certain circumstances.
- Data Portability / Export: Request a copy of your data in a portable format (peak.admin@peakcourt.com).
- Object: Object to processing based on legitimate interests, including recommendations/profiling.
- Withdraw Consent: You may withdraw consent to our collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions and reasonable notice — including by turning off device permissions (push, photo library, camera) or deleting your account. Withdrawing consent does not affect processing already carried out, and withdrawing some consents may mean we can no longer provide parts of the Service.
- Right to Lodge a Complaint: You may complain to a supervisory authority. In Canada, that is the Office of the Privacy Commissioner of Canada (OPC) at www.priv.gc.ca; you may also contact your local data protection authority.
We may decline a request only where permitted by law and will explain why. We verify your identity (by matching information to the account/email on file) before fulfilling access, deletion, or correction requests.
Response timing: We respond without undue delay and within one month (30 days) of receipt. For complex or numerous requests we may extend by up to two further months and will tell you within the first month. (California-specific timing is described in the California section below.)
5. Data Storage, Security, and Breach Notification
- Storage: Data is stored using Supabase (hosted on AWS). See Cross-Border Data Transfer below.
- Safeguards: We protect your personal information with organizational and technical safeguards appropriate to its sensitivity, including bcrypt password hashing (a strong one-way hash, so we never see your plaintext password), HTTPS/TLS in transit, access controls limiting who at 1001588189 Ontario Inc. (operating as Peak) can access user data, and confidentiality obligations for anyone with access.
- No system is fully secure: While we work to protect your information, no method of transmission or storage is 100% secure.
- Breach notification: If a breach of security safeguards involving your personal information occurs and creates a real risk of significant harm, we will notify you and report it to the Office of the Privacy Commissioner of Canada as soon as feasible, will keep records of breaches as required by PIPEDA, and (where the GDPR applies) will comply with our notification obligations under Articles 33–34.
6. Data Retention
We retain personal information only as long as needed to provide the Service and for the purposes described in this policy, or as required by law. General guidance:
- Account and profile: Retained while your account is active; deleted or anonymized within 30 days of account deletion.
- Backups: Residual copies in routine backups are purged on the normal backup cycle (typically within ~30–90 days).
- Server, IP, and security logs: Retained for a limited period for security and fraud prevention [retention period to be finalized by lawyer; criteria: shortest period needed for security/fraud purposes].
- Crash logs / analytics: Retained for a limited period to diagnose and improve the product [period to be finalized].
- Chat / direct messages: Retained while your account is active.
- Legal-hold / fraud records: Retained as required to meet legal obligations, resolve disputes, prevent fraud, or enforce our Terms.
Where we cannot give a fixed period, we use criteria such as legal obligation and legitimate operational need.
7. Cross-Border Data Transfer
Peak is based in Canada. We use Supabase (hosted on AWS); your data may be stored or processed in Canada or the United States, and we are migrating primary storage to a Canadian region (Supabase ca-central-1).
- Canada benefits from an EU adequacy decision for commercial data covered by PIPEDA.
- Where we transfer data internationally (for example, to the US), we rely on appropriate safeguards such as standard contractual clauses and/or, where a sub-processor is certified, the EU-US Data Privacy Framework. [Lawyer to confirm the exact transfer mechanism / SCC module / DPF status before any EU/UK launch.] You may request a copy of the relevant safeguards via peak.admin@peakcourt.com.
- While your data is in another country, it is subject to that country's laws and may be accessed by its courts, governments, and law-enforcement or national-security authorities. We remain accountable for your personal information and require our service providers to protect it to a comparable standard.
8. Your Privacy Rights by Region
Canada (PIPEDA) — Home Jurisdiction
We handle your personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws. Challenging our compliance: if you have a privacy concern, contact us first at peak.admin@peakcourt.com. If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at www.priv.gc.ca.
Quebec residents have additional rights under Quebec's Law 25, including data portability and the right to contact our designated person responsible for the protection of personal information at peak.admin@peakcourt.com, and may complain to the Commission d'accès à l'information du Québec (CAI).
United States — California (CCPA/CPRA)
This section applies to California residents. We do not sell or share personal information.
Categories of personal information we collect, sources, purposes, and recipients:
- Identifiers (email, nickname, IP address, device identifiers, push token) — collected directly from you and automatically from your device.
- Customer records (hashed password, optional phone/WeChat) — directly from you.
- Internet/network activity (usage events, crash/diagnostic logs) — automatically from your device.
- Geolocation — general/IP-based only; we do not collect precise location.
- Audio/visual (photos you upload) — directly from you.
- Professional/sport profile and demographic data (sport levels, city, date of birth/age, optional gender) — directly from you.
- Inferences (basic recommendations) — derived from the above.
Sources: directly from you; automatically from your device; and (if/when you enable Apple/Google sign-in) from those providers. Business/commercial purposes: to provide and improve the Service, recommendations, security and fraud prevention, support, and legal compliance. Categories of recipients: service providers/contractors (Supabase/AWS; Expo/APNs) and legal/government recipients.
Sensitive Personal Information (SPI): Account log-in credentials (email and password) and the contents of your private direct messages are SPI. We use SPI only to provide and secure the Service and prevent fraud. We do not use or disclose SPI to infer characteristics, so we do not provide a "Limit the Use of My Sensitive Personal Information" link. You may still contact us at peak.admin@peakcourt.com.
Your California rights: Right to Know/Access, Delete, Correct, Opt-Out of Sale/Sharing, Limit Use/Disclosure of Sensitive PI, and Non-Discrimination. We will not discriminate against you for exercising your rights — we will not deny you the Service, charge different prices, or provide a different level or quality of service.
How to submit a request: Use in-app deletion or email peak.admin@peakcourt.com (Peak operates primarily online, so email is our designated method). We verify your identity by matching information to the account/email on file before fulfilling a request. You may use an authorized agent with written authorization, and we may still verify your identity. California response timing: we acknowledge receipt within 10 business days and respond within 45 calendar days, extendable by an additional 45 days with notice.
We do not sell or share personal information at all, and in particular we do not sell or share the personal information of any user we know to be under 16.
European Union / United Kingdom
The Service is intended for users in Canada and the United States and is not directed at the EU/UK. If you access it from the EU/UK, you may contact us at peak.admin@peakcourt.com, and the GDPR rights and legal bases described in this policy apply to you to the extent the GDPR applies. [Lawyer note: if EU/UK users are ever specifically targeted, an Article 27 EU/UK representative must be appointed.]
China
The Service is offered in Canada and the United States and is not directed to users in mainland China.
9. Cookies and Similar Technologies
- App: We store a login token on your device to keep you signed in.
- Website: We use only the storage strictly necessary to keep you signed in and make the site work.
- We do not use third-party advertising or cross-site tracking cookies.
10. Children's Privacy
The Service is not directed to children under 13 (in the United States and Canada), and we do not knowingly collect personal information from children under 13.
- Age screening: During registration we ask for your date of birth to confirm you meet the minimum age. Accounts indicating an age under 13 are not permitted to register.
- Parents/guardians: If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us at peak.admin@peakcourt.com. We will verify the request, delete the child's account and associated personal information promptly, and in any case within 30 days, and respond within 30 days.
- Teens (13–17): If you are between 13 and 17, you may use the Service only with the knowledge and consent of a parent or legal guardian, who agrees to our Terms on your behalf. We encourage parents and guardians to be involved in their teen's use of the Service.
11. Changes to This Policy
We may update this policy from time to time. We will revise the "Last Updated" date above, and material changes will be notified via the app or email. Your continued use of the Service after an update means you accept the revised policy.
12. Contact Us
For privacy questions or to exercise your rights:
- Email: peak.admin@peakcourt.com
- Privacy Officer: accountable for our compliance, reachable at the email above.
- Operator: The Service is currently operated by 1001588189 Ontario Inc. (operating as Peak), Ontario, Canada. Reach us at the email above. [Lawyer to insert the registered office mailing address before public launch.]
- We respond without undue delay and within 30 days (subject to the extensions described above and California-specific timing).
This document is a draft pending professional legal review. The registered office mailing address remains an outstanding pre-launch item.