APP privacy policy

PEAKSTERS Privacy Policy

Effective Date: 1 April 2026
Last Updated: 1 April 2026

TABLE OF CONTENTSIntroduction
Children's Privacy — Special Notice
Information We Collect
How We Use the Camera and AI Technology
How We Use Your Information
Legal Bases for Processing
Sharing and Disclosure of Information
International Data Transfers
Data Retention
Your Rights
Data Security
Cookies and Tracking Technologies
Third-Party Links and Services
Changes to This Privacy Policy
Data Protection Officer and Representatives
Contact Us About Your Data

1. INTRODUCTION
Welcome to Peaksters. Peaksters ("we," "us," "our," or the "Company") is committed to protecting the privacy and security of your personal information and the personal information of children in your care. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application, website, and related services (collectively, the "Services").

Peaksters is an educational fitness platform designed for children aged 6–14, powered by advanced AI motion-analysis technology. Our Services allow parents to register children and track their fitness progress, while enabling certified coaches to provide tailored training — all with a firm commitment to privacy, safety, and compliance with children's privacy laws worldwide.

This Privacy Policy applies to all users of our Services, including parents, children, and coaches. We encourage you to read this policy carefully and to contact us if you have any questions.

2. CHILDREN'S PRIVACY — SPECIAL NOTICE
A Message to Parents and GuardiansWe take the protection of children's privacy very seriously. Peaksters is designed specifically for children aged 6–14 ("Children"), and we comply with applicable children's privacy laws worldwide, including the U.S. COPPA, the ICO Age Appropriate Design Code (UK), and GDPR Article 8 (for EU users).
Children cannot independently create or use Peaksters accounts. Only parents or legal guardians ("Parents") may register children and create accounts. Without prior verifiable parental consent, we will not knowingly collect, use, or disclose any child's personal information.

Compliance StatementsCOPPA Compliance: Peaksters complies with the U.S. Children's Online Privacy Protection Act (15 U.S.C. § 6501 et seq.). We obtain verifiable parental consent before collecting, using, or disclosing the personal information of children under 13.
Age Appropriate Design Code Compliance (UK): Peaksters implements the requirements of the ICO Age Appropriate Design Code, including privacy by design, best-interests determination, transparency, and safeguards.
GDPR Article 8 Compliance: For EU users, we obtain explicit parental consent before processing the personal data of children under 16.

What We Collect About ChildrenParents provide the following information about children:

Child's first and last name
Child's date of birth
Sport type or fitness focus

During use of the app, we automatically collect:

History of exercise attempts and completions
Correct and incorrect movement executions
Difficulty levels attempted
Duration of training sessions
Progress metrics and achievements
Movement coordinates (skeleton/keypoint data) — see Section 4
What We Do NOT Collect About ChildrenVideo recordings or images
Facial recognition data
Biometric identification data
Precise geolocation data
Payment or financial information
Health, medical, or clinical records
Phone numbers or contact information

Parental RightsAs a Parent, you have the following rights regarding your child's personal data:

Right to review: request and review all personal information we hold about your child
Right to rectification: request corrections to inaccurate information
Right to deletion: request permanent deletion of your child's account and all associated data within 30 days
Right to withdraw consent: withdraw consent at any time — processing stops immediately
Right to restriction: request that we restrict further collection or processing
Right to data portability: request your child's data in a portable, machine-readable format

To exercise any of these rights, contact us at privacy@peaksters.app.
No Behavioral Profiling or Targeted AdvertisingPeaksters does not engage in behavioral profiling, predictive analytics advertising, or targeted advertising directed at children. Our Services do not display third-party advertising.

3. INFORMATION WE COLLECT
3.1 Information You Provide to UsParent Account Information: first and last name, email address, account password (hashed), notification preferences, account settings.
Child Profile Information: child's first and last name, date of birth, sport type or fitness focus, additional profile settings selected by the Parent.
Coach Registration Information (if applicable): first and last name, email address, professional credentials, sport specialty, country and coaching location.

3.2 Automatically Collected InformationTraining Activity Metrics: list of exercises, number of attempts, successful and unsuccessful executions, difficulty levels, time spent per session, progress metrics, achievements, and badge unlocks.
Movement Coordinates (temporary on-device processing): during training sessions, AI motion analysis processes movement data on the user's device. Details are in Section 4.
Device and Technical Data: device model, operating system, device ID, app version, IP address (for security), connection type, crash reports.

3.3 Information We Do NOT CollectVideo recordings or images of any kind
Facial recognition or facial detection data
Biometric identification data (fingerprints, iris scans, etc.)
Precise geolocation or GPS data
Payment or financial information (handled exclusively by App Store / Google Play)
Health and medical records or clinical diagnoses
Behavioral health or psychological profiling data

4. HOW WE USE THE CAMERA AND AI TECHNOLOGY
Camera Activation and AccessThe device camera is activated only when a child begins an active training session. It is not used for any other purpose outside of real-time motion analysis during a session.
On-Device Processing OnlyAll processing of the video stream is performed on the user's device. Video frames are processed locally in the device's RAM and are never transmitted to Peaksters servers, cloud infrastructure, or any third-party service. The video stream remains confined to the device at all times.
No Video Recording or StoragePeaksters does not record, store, log, or archive video footage. Video data exists temporarily only in the device's RAM during active processing and is discarded immediately once processing completes or the session ends.
Movement Coordinate ExtractionOur AI analyzes the video stream to extract movement coordinates — specifically, skeleton keypoint data (joint positions, body-segment angles). These coordinates represent spatial positions and movement patterns, without identifying the individual performing the exercise.
Movement coordinates are used to: analyze exercise form and technique, identify movement errors, generate corrective feedback, assess exercise difficulty completion, and contribute to performance metrics. Coordinate data is transmitted to Peaksters servers and retained for 24 months after your last activity.
No Facial Recognition or Biometric IdentificationPeaksters does not use facial recognition, facial detection, or any face-based biometric technology. The system does not identify individuals, verify identities, or create facial profiles. Movement data is never used for biometric identification.

5. HOW WE USE YOUR INFORMATION
Providing and maintaining the Peaksters Services and your account

Creating personalized training programs tailored to each child's fitness level and sport focus
Generating weekly progress reports for Parents
Coordinating with a coach and feedback (only if the Parent authorizes the Coach)
Sending account notifications and achievement milestones
Service improvement and analytics (on aggregated, anonymized data)
Customer support and technical assistance
Legal compliance, fraud detection, and security protection

6. LEGAL BASES FOR PROCESSING For EU and UK Users (GDPR)
Contractual performance: processing of account and training data to provide the Peaksters Services

Parental consent (children's data): explicit, informed, verifiable parental consent under GDPR Article 8
Legitimate interests: service improvement, fraud detection, security, and legal compliance
Legal obligation: compliance with applicable laws, court orders, and regulatory requirements
For U.S. Users (COPPA)Verifiable parental consent: obtained before collecting any personal information from children under 13
Contractual necessity: processing of parent account information to maintain the contractual relationship

7. SHARING AND DISCLOSURE OF INFORMATION
Coach Access to Child DataA Coach has access to a child's training data, progress metrics, and achievement information ONLY if: (i) the Parent has provided explicit written consent; and (ii) the Coach is currently connected to the child's account. Coach access is always revocable by the Parent through Settings.
Service Providers and ProcessorsWe engage third-party service providers for the following purposes: cloud hosting and data storage (OVHcloud, European Union), AI motion-analysis technology (KinesteX, with data stored on Google Cloud Platform in North America), database management, analytics, customer support, email communication, and security. All providers are bound by Data Processing Agreements (DPAs) and may not use personal information for their own purposes. KinesteX does not use Peaksters children's data to train or improve their AI models.
Legal RequirementsWe may disclose personal information if required by law, court order, or other legal process, or to protect the rights and safety of users.

Information We Do NOT ShareWe do not sell personal information for any consideration
We do not share children's data with third parties for marketing or advertising
We do not share children's data with data brokers or behavioral profilers
We do not provide access to raw video footage or facial data

8. INTERNATIONAL DATA TRANSFERS
Personal information is stored on secure servers operated by OVHcloud in the European Union (France and Germany). OVHcloud infrastructure is compliant with ISO 27001, 27017, 27018, and 27701 standards and is GDPR-compliant. Training activity data processed via the KinesteX AI SDK is additionally stored on Google Cloud Platform (GCP) servers in North America (United States). This transfer is protected by Standard Contractual Clauses (SCCs) embedded in the Google Data Processing Agreement. No data is transferred to the United Arab Emirates.
For transfers of personal information from the EU and UK to countries not deemed to have adequate data protection, we rely on the European Commission's Standard Contractual Clauses (SCCs), and we have entered into SCCs with all relevant service providers.
For transfers from the UK following the GDPR transition, we implement the UK Addendum to the SCCs, as required by the UK International Data Transfer Agreement (IDTA).

9. DATA RETENTION
Active accounts: we retain all personal information necessary to provide the Peaksters Services. Training activity metrics and movement coordinates are retained for 24 months after your last activity.

Deleted accounts: personal information is permanently deleted within 30 days of an account deletion request
Movement coordinate data (skeleton keypoints): retained for 24 months after your last activity
Video data: deleted immediately upon completion of each training session — never stored or archived
Legal and compliance retention: up to 3 years from account closure where required by law
Anonymized and aggregated data: may be retained indefinitely, as it cannot be linked to individuals

10. YOUR RIGHTS
Rights Available to All UsersRight of access: request and receive a copy of all personal information we hold about you

Right to rectification: correct inaccurate or incomplete information
Right to erasure: request permanent deletion within 30 days
Right to withdraw consent: withdraw consent at any time; processing stops and data is deleted within 30 days
Rights of EU and UK Users (GDPR and UK GDPR)Right to restriction of processing
Right to data portability (structured, machine-readable format)
Right to object to processing based on legitimate interests
Right not to be subject to automated decision-making
Right to lodge a complaint with the ICO (UK) or your national data protection authority (EU)
California Consumer Rights (CCPA/CPRA)Right to know what personal information we collect, use, and share
Right to delete personal information
Right to opt out of sale or sharing (Peaksters does not sell personal information)
Right to non-discrimination when exercising privacy rights
Parental Rights (Children's Privacy)Review all information collected about your child
Request correction of inaccurate information
Request permanent deletion of your child's account and data
Withdraw consent for data collection and processing
Revoke a coach's access to your child's data at any time

To exercise any right, contact us at privacy@peaksters.app. We will verify your identity and respond within 30 days.

11. DATA SECURITY
Encryption in transit: TLS 1.3 for all data transfers

Encryption at rest: AES-256 encryption on all stored data
Access control: principle of least privilege, regularly reviewed and revoked when no longer needed
Authentication: password hashing (bcrypt), multi-factor authentication where available
On-device processing: video never leaves the device, eliminating the risk of video interception
Regular security assessments: vulnerability scanning, penetration testing, and code reviews
Incident response: breach notification to users and supervisory authorities as required by GDPR Article 33
Staff training: all personnel with data access receive data protection training
Third-party security: all service providers bound by DPAs with equivalent security requirements

12. COOKIES AND TRACKING TECHNOLOGIES
The Peaksters mobile application uses PostHog (via the KinesteX SDK) to collect anonymized usage analytics, including the number of active users, feature usage, and session duration. No personal data, health data, or children's identification data is shared with PostHog. Analytics is configured to collect only aggregated, anonymized data. We do not use advertising tracking technologies and we do not perform behavioral targeting. You may request that PostHog analytics be disabled for your account by contacting hello@peaksters.pro.
For EU/UK users: in accordance with the ePrivacy Directive and UK PECR, we obtain prior consent before placing non-essential cookies on your device.

13. THIRD-PARTY LINKS AND SERVICES
Peaksters is distributed through the Apple App Store and Google Play Store. All payments are processed exclusively through these platforms — Peaksters does not collect, store, or process payment information.
Our Services may contain links to third-party websites or services. This Privacy Policy does not apply to third-party services.
Our app includes the following third-party services:

KinesteX — provides exercise workout content. We send only a workout-content identifier to load videos. No personal user data is shared with KinesteX. Cookies are disabled in the KinesteX integration.
Crisp — provides live chat support. No personal data is shared automatically. Only a generic identifier ("Peakster user") is set for the chat session. Users may voluntarily provide information during conversations.
Adapty — manages in-app subscriptions and purchase validation. Adapty receives an anonymous user profile identifier and subscription transaction data. No personal data (name, email) is shared with Adapty.
Expo Push Notifications — delivers push notifications. We share the device's push notification token with the Expo push notification service. No personal data is attached to notifications.

CookiesOur app uses a session token (JWT) solely for authentication purposes. This is a functional first-party token and is not used for tracking. Third-party cookies are disabled in all in-app web views. We do not use cookies for tracking, advertising, or analytics purposes.

14. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time. The "Last Updated" date at the top of this document will reflect the date of any changes.
For material changes affecting the processing of children's data, we will notify Parents by email at least 30 days before the changes take effect, and we will seek renewed consent where required. Your continued use of Peaksters after a change constitutes acceptance of the updated policy.

15. DATA PROTECTION OFFICER AND REPRESENTATIVES
Data Protection Officer (EU/UK)Peaksters has appointed a Data Protection Officer to oversee compliance with data protection law.
Data Protection Officer: Lira Galieva Email: dpo@peaksters.pro Address: V Dobje 4, 4260 Bled, Slovenia
EU Representative (GDPR Article 27)EU Representative: Lira Galieva Email: dpo@peaksters.pro Address: V Dobje 4, 4260 Bled, Slovenia
UK Representative (UK GDPR Article 27)UK Representative: Lira Galieva Email: dpo@peaksters.pro Address: V Dobje 4, 4260 Bled, Slovenia
Supervisory AuthoritiesYou have the right to lodge a complaint with your local data protection authority:

United Kingdom: Information Commissioner's Office (ICO) — www.ico.org.uk — mail@ico.org.uk
EU: The data protection authority in your member state — edpb.europa.eu/about-edpb/board/members_en

16. CONTACT US ABOUT YOUR DATA
If you have questions about this Privacy Policy, your personal information, how your data is used, or wish to exercise any of your rights, contact us:
Peaksters Privacy Team Data Protection Officer: dpo@peaksters.pro Address: V Dobje 4, 4260 Bled, Slovenia Response time: within 15 business days for general inquiries; within 30 days for formal data subject requests (access, rectification, deletion, portability).
For parental requests regarding your child's data, we will verify your parental status before providing access. Verification may require proof of parental status (e.g., birth certificate, legal guardianship documentation).
Peaksters | dpo@peaksters.pro | Document Version: 1.2 | 1 April 2026