Privacy Policy
1. Introduction
PeakDork ("we", "us") is a hiking and mountaineering app that lets you track climbs, plan trips, and connect with the mountain community. This Privacy Policy explains what information we collect, how we use it, and the choices you have.
By creating an account or using PeakDork (the "Service"), you agree to the practices described here.
2. Information We Collect
Information you give us
- Account information: email address, display name, year of birth, and the password you use to sign in.
- Profile information: bio, avatar photo, location text (e.g. "Denver, CO"), and any optional certifications you list.
- Content you create: check-ins, trip reports, photos, planned climbs, peak suggestions, and any other content you submit through the Service.
- Photo metadata: when you upload a photo or an avatar, the original file on your device may contain EXIF metadata such as the date and time it was taken, the camera model, and the GPS coordinates of where it was captured. Before storing the image on our servers, we re-encode it as a fresh JPEG, which drops the EXIF dictionary entirely. The stored copy carries no camera model, no GPS coordinates, no original timestamp, and no other EXIF fields. For peak photos, the date associated with the photo is the summit date you select on the upload screen, not anything extracted from the file.
- Rights attestation: when you upload a photo, the app asks you to confirm that you are the photographer or have permission to share the photo. The timestamp of your confirmation is stored alongside the photo so we have a record that you agreed at the moment of upload. This is used solely for rights and moderation purposes and is not shared with other users.
- Safety information: emergency contacts and trip plan details that you choose to enter.
Information we collect automatically
- Location: GPS coordinates of your check-ins and recorded tracks, when you choose to record them. Location is used only to render your activity on maps and tag your contributions to the right peaks.
- Device information: device model, operating system version, app version, language preference, and time zone — used for compatibility and crash diagnostics.
- Analytics events: we use Firebase Analytics (a Google service) to collect aggregated information about how the Service is used — for example, sign-in actions, peak views, saves, check-ins, planned-climb actions, trip-report submissions, photo uploads, search queries, sort/filter changes, profile edits, account actions, blocking or reporting users or content, in-app preference changes (such as elevation units, map style, and thumbnail style), and taps on hiking-news articles (including the publisher name of the article opened). Events include the action name and minimal context (such as a peak identifier, photo count, news publisher name, or the key and value of a setting you changed) but never the contents of your check-ins, posts, photos, or messages. When you are signed in, events are associated with a stable user identifier so we can analyse cohort behaviour. We use this information to understand engagement and improve features. We do not sell this data.
- Crash diagnostics: we use Firebase Crashlytics (a Google service) to collect crash reports. A report includes your device model, operating system version, app version, the stack trace at the moment of crash, and a short log of the most recent in-app actions (event names only, no user content) so we can reproduce and fix the bug. Reports are tied to a stable user identifier when you are signed in.
- Identifiers: our analytics and crash-diagnostics providers use a non-resettable identifier scoped to our app (the iOS Identifier for Vendor) plus an instance-specific identifier issued by Firebase. We do not use the iOS Advertising Identifier (IDFA) and do not perform cross-app or cross-website tracking.
Information from third parties
- If you sign in with Apple ID (when this option is offered), Apple shares your Apple-issued identifier and, on first sign-in only, your name and email if you choose to share them.
3. How We Use Information
- To operate, maintain, and improve the Service.
- To create and manage your account, authenticate you, and follow your privacy preferences.
- To display your contributions — your check-ins, trip reports, and photos — to other users of the Service.
- To send you notifications (in-app, push, or email) about activity relevant to you, subject to your notification preferences.
- To respond to support requests and enforce these terms.
- To comply with legal obligations and protect the safety of users and the public.
4. Sharing Information
We do not sell your personal information. We share it only in the following limited circumstances:
- With other users: your public profile (display name, avatar, bio, badges, join date) and the content you create — check-ins, trip reports, and photos — are visible to other users of the Service. Private details such as your year of birth and email address are never shown to other users.
- Service providers: we use trusted third parties to operate the Service. Specifically:
- Supabase — hosts your account, content, and uploaded photos, and provides authentication. Located in the United States.
- Google Firebase — provides analytics (Firebase Analytics) and crash diagnostics (Firebase Crashlytics) as described in Section 2. Located in the United States.
- Resend — delivers transactional email on our behalf (account confirmation, password reset, change-email confirmation). Located in the United States. Resend processes only the recipient address and the email body we generate; it does not retain your other personal information.
- Apple — provides authentication via Sign in with Apple where offered.
- Apple WeatherKit — provides weather data displayed on peak detail pages. Apple receives the latitude and longitude of the peak you are viewing; no user-identifying information is sent.
- OpenStreetMap and MapKit — render maps and resolve location searches you perform within the Service. Search queries you type are sent to MapKit (Apple) for geocoding.
- Legal: we may disclose information when required by valid legal process, or to protect rights, property, or safety.
- Business transfers: if PeakDork is involved in a merger, acquisition, or asset sale, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.
5. Storage and Security
Your account data, content, and photos are stored on servers operated by our backend provider (Supabase). Analytics events and crash reports are stored by Google Firebase. Sign-in credentials are hashed and not directly accessible to us. We use industry-standard encryption in transit (TLS) and at rest where supported by our providers.
No security system is perfect. While we work to protect your information, we cannot guarantee absolute security, and you use the Service at your own risk.
6. Your Rights and Choices
Depending on where you live, you may have specific rights under privacy laws such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). PeakDork supports these regardless of your location:
- Access: request a copy of the personal information we hold about you.
- Portability: request a machine-readable export of your data. This export includes your check-ins, posts, photos, comments, follows, and other content you have created.
- Correction: update inaccurate information directly in the app, or contact us for changes you cannot make yourself.
- Deletion: delete your account from within the app. Account deletion enters a 30-day cooling-off period during which you may sign in and cancel. When the cooling-off period ends, your photos, check-ins, likes, follows, planned climbs, saved peaks, gear, and other personal data are permanently removed. Your posts and comments are kept but the author is replaced with “[deleted user]” so that conversation threads and mentions remain coherent for other users.
- Withdraw consent: for processing based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
- Object or restrict: in some cases you may object to processing or ask us to restrict it.
- Complain: if you believe we have not complied with applicable privacy law, you may lodge a complaint with your local data protection authority.
To exercise any right that is not self-serve in the app, contact us through our contact form (reason: Privacy / data request).
Analytics opt-out: at this time, opting out of analytics or crash reporting is not available as an in-app setting. We may add an in-app toggle in a future release. If you want analytics and crash data collection disabled in the meantime, you can request this through our contact form (reason: Privacy / data request); we will honour the request and stop collecting from your account on a best-effort basis.
7. Legal Basis for Processing (EEA / UK Users)
If you are located in the European Economic Area or the United Kingdom, our legal basis for processing your personal information depends on the specific information and context:
- Performance of a contract — to create and operate your account, store and serve the content you submit, and provide the features you request. This is the basis for processing account information, profile data, content you create, and check-in / planned-climb data.
- Legitimate interests — to maintain the security and reliability of the Service, prevent fraud and abuse, diagnose crashes, and understand how the Service is used in aggregate. We balance these interests against your rights and only use this basis where the processing is necessary and proportionate.
- Consent — for any processing that requires consent under applicable law (for example, optional location access on your device, or in-app push notifications). You can withdraw consent at any time through your device or app settings without affecting the lawfulness of prior processing.
- Legal obligation — to comply with applicable laws, court orders, and other legal process.
8. California Privacy Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information. This section supplements the rest of this Privacy Policy.
Categories of personal information we collect. In the past 12 months, we have collected the following categories of personal information from California residents:
- Identifiers — email address, account user ID, device identifiers (Identifier for Vendor, Firebase instance ID).
- Commercial information — none. PeakDork does not currently process payments.
- Internet or other electronic network activity — interactions with the Service captured through analytics events and crash reports.
- Geolocation data — coarse and precise GPS coordinates of your check-ins and any tracks you choose to record.
- Visual information — photos and avatars you upload. EXIF metadata embedded in the original file (camera, GPS, timestamps) is stripped during upload and is not stored.
- Inferences — none. We do not build inferred profiles for advertising or marketing.
- Sensitive personal information — none used for purposes that trigger the right to limit under CPRA. Precise geolocation is collected only to render maps and tag your contributions; we do not use it for advertising or to infer characteristics about you.
Sources of personal information. Directly from you (when you create an account or submit content); from your device (location, device information, photos); from third-party authentication providers (Apple, when you use Sign in with Apple).
Business or commercial purpose for collection. To operate the Service, secure your account, display your contributions to other users per your visibility settings, send service-related communications, diagnose crashes, and understand engagement in aggregate.
Sale or sharing of personal information. We do not sell your personal information for monetary consideration, and we do not share it for cross-context behavioural advertising. We have not done so in the past 12 months.
Your California rights. The rights described in Section 6 (access, portability, correction, deletion) apply to California residents. In addition:
- Right to know what categories and specific pieces of personal information we have collected about you, the categories of sources, the purposes for collection, and the categories of third parties to whom we have disclosed it.
- Right to opt out of sale or sharing — there is nothing to opt out of because we do not sell or share for cross-context advertising.
- Right to limit use of sensitive personal information — we do not use sensitive personal information for purposes that trigger this right.
- Right to non-discrimination — we will not deny service, charge different prices, or provide a different level of quality because you exercised any privacy right.
To exercise these rights, contact us through our contact form (reason: Privacy / data request). We will verify your identity through reasonable means before processing the request.
"Do Not Track" signals. The Service does not currently respond to browser "Do Not Track" signals because no consistent industry standard for honouring them exists. We do not track users across third-party websites or apps for advertising purposes regardless of any signal.
9. Children's Privacy
PeakDork is not intended for children under 13. We do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has provided us with information, contact us through our contact form (reason: Privacy / data request) and we will delete it.
10. International Data Transfers
Our backend, analytics, and email providers are based in the United States, and your information will be transferred to and processed there. The United States may not provide the same level of data protection as your home jurisdiction. Where transfers involve personal data of users in the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards required by applicable law, including the European Commission's Standard Contractual Clauses (SCCs) and the United Kingdom's International Data Transfer Addendum, which our service providers commit to via their data processing agreements.
11. Data Retention
We keep your information for as long as your account is active or as needed to provide the Service. Specific retention practices:
- Account and profile data — kept until you delete your account.
- User-generated content (check-ins, photos, planned climbs, etc.) — kept until you delete it individually or until your account is deleted.
- Posts and comments — kept after account deletion but anonymised by replacing the author with "[deleted user]" so threads and mentions remain coherent.
- Analytics events and crash reports — retained per Firebase's default retention (currently 14 months for analytics; crash reports retained for the active app version plus a reasonable trail).
- Email logs — Resend retains delivery logs for a limited period for diagnostic purposes per their own privacy policy.
- Backups — encrypted backups may persist for a short window after account deletion (typically 30 days) before being overwritten in normal rotation.
- Legal records — we may retain limited records longer when required to comply with legal obligations, resolve disputes, or enforce our agreements.
12. Third-Party Services
The Service may include links to third-party websites or integrate third-party services. This Privacy Policy does not cover the practices of those third parties. We encourage you to review their privacy policies before providing them with information.
13. Push Notifications
If we add push notifications in a future release, they will require your explicit consent on your device. You can revoke this consent at any time through your device's notification settings. We do not use push notifications for marketing.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the app and will require your renewed acceptance before continued use. The version number above identifies which version of the Policy is in effect.
15. Contact
Questions about this Privacy Policy or your personal information can be submitted through our contact form (reason: Privacy / data request). This is the official channel for all privacy correspondence and data-rights requests.