Privacy Policy
Table of Contents
- 1. Introduction
- 2. Information We Collect
- 3. How We Use Your Information
- 4. Information Sharing and Disclosure
- 5. Data Security
- 6. Data Retention
- 7. Your Rights and Choices
- 8. Children's Privacy
- 9. International Data Transfers
- 10. Third-Party Links and Services
- 11. Updates to This Privacy Policy
- 12. California Privacy Rights
- 13. GDPR — Rights for EEA and UK Users
- 14. Contact Us
1. Introduction
PeakRoutine ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application, website, and related services (collectively, the "Service").
Please read this Privacy Policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.
2. Information We Collect
2.1 Information You Provide to Us
We may collect information that you provide directly to us when you:
- Create an Account: When you register for an account, we collect your name, email address, password, and other optional profile information.
- Complete Health Assessments: Information you provide in questionnaires and assessments about your health goals, habits, preferences, and other personal details.
- Track Your Health: Data you manually log about your mood, nutrition, sleep patterns, stress levels, and other health-related information.
- Contact Us: Information you provide when contacting us for customer support or other inquiries.
- Make Purchases: Payment information and billing details when you subscribe to premium features (although payment processing is handled by third-party payment processors).
2.2 Information Collected Automatically
When you use our Service, we may automatically collect certain information, including:
- Device Information: Information about your mobile device or computer, including device type, operating system, unique device identifiers, IP address, mobile network information, and device settings.
- Usage Information: Information about how you use the Service, such as the features you access, the time and duration of your use, and your interactions with the Service.
- Location Information: With your permission, we may collect precise or approximate location information from your device.
- Health and Fitness Data: With your permission, we may collect health and fitness data from your device's health apps (such as Apple Health) or connected wearable devices.
2.3 Cookies and Similar Technologies
We use cookies and similar tracking technologies to collect information about your interactions with our website and Service. You can control cookies through your browser settings and other tools. For more detailed information about the cookies we use, please visit our Cookie Policy.
3. How We Use Your Information
We use the information we collect for various purposes, including to:
- Provide, maintain, and improve the Service;
- Create and manage your account;
- Generate personalized health insights, recommendations, and plans;
- Process and complete transactions;
- Send you technical notices, updates, security alerts, and support messages;
- Respond to your comments, questions, and requests;
- Develop new products and services;
- Monitor and analyze trends, usage, and activities in connection with our Service;
- Detect, investigate, and prevent fraudulent transactions and other illegal activities;
- Protect the rights and property of PeakRoutine and others;
- Personalize your experience with the Service, including providing content or features that match your interests and preferences;
- Facilitate contests, sweepstakes, and promotions and process and deliver entries and rewards.
5. Data Security
We implement appropriate technical and organizational measures to protect the security, integrity, and confidentiality of your information. However, no electronic transmission or storage technology is 100% secure. Therefore, while we strive to use commercially acceptable means to protect your information, we cannot guarantee its absolute security.
We encourage you to use a unique and strong password for your account and to not share it with others. We are not responsible for the functionality, privacy, or security measures of any other organization.
6. Data Retention
We retain your information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. When determining how long to retain information, we consider the amount, nature, and sensitivity of the information, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process the information, and applicable legal requirements.
When we no longer need your information, we will delete or anonymize it. If this is not possible, we will securely store your information and isolate it from any further use until deletion is possible.
7. Your Rights and Choices
Depending on your jurisdiction, you may have certain rights regarding your personal information. These may include:
- Access: You can request a copy of the personal information we hold about you.
- Correction: You can ask us to correct inaccurate or incomplete information.
- Deletion: You can ask us to delete your personal information in certain circumstances.
- Restriction: You can ask us to restrict the processing of your information in certain circumstances.
- Data Portability: You can request a copy of your information in a structured, commonly used, and machine-readable format.
- Objection: You can object to our processing of your information in certain circumstances.
- Withdraw Consent: If we process your information based on your consent, you can withdraw that consent at any time.
To exercise your rights, please contact us using the information provided in the "Contact Us" section below. We will respond to your request within the time frame required by applicable law.
Please note that some of these rights may be limited where we have compelling reasons to continue processing your information.
8. Children's Privacy
Our Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will promptly delete that information. If you believe we have collected personal information from a child under 13, please contact us using the information provided in the "Contact Us" section below.
9. International Data Transfers
We operate globally and may transfer your information to countries other than your country of residence, including the United States. These countries may have data protection laws that are different from the laws of your country. By using our Service or providing us with your information, you consent to the transfer, processing, and storage of your information in these countries.
When we transfer your information to other countries, we will protect that information as described in this Privacy Policy and in accordance with applicable law. We use contractual protections for international transfers of personal information, including the European Commission's Standard Contractual Clauses.
10. Third-Party Links and Services
Our Service may contain links to third-party websites, services, or content that are not owned or controlled by PeakRoutine. We are not responsible for the privacy practices or the content of these third parties. We encourage you to review the privacy policies of any third-party websites or services that you access through our Service.
11. Updates to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by posting the updated Privacy Policy on our website or through the Service and updating the "Last Updated" date at the top of this Privacy Policy. Your continued use of the Service after the effective date of the revised Privacy Policy constitutes your consent to the changes.
12. California Privacy Rights
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information.
12.1 Right to Know
You have the right to request that we disclose information about our collection and use of your personal information over the past 12 months, including:
- The categories of personal information we collected about you;
- The categories of sources from which we collected the personal information;
- The business or commercial purpose for collecting or selling your personal information;
- The categories of third parties with whom we share the personal information;
- The specific pieces of personal information we collected about you.
12.2 Right to Delete
You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions.
12.3 Right to Opt-Out of Sale or Sharing
You have the right to opt out of the sale or sharing of your personal information.
12.4 Non-Discrimination
We will not discriminate against you for exercising any of your CCPA/CPRA rights.
12.5 Exercising Your Rights
To exercise your rights under the CCPA/CPRA, please contact us using the information provided in the "Contact Us" section below. Please note that we may need to verify your identity before responding to your request.
13. GDPR — Rights for EEA and UK Users
If you are located in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) or UK GDPR applies to our processing of your personal data.
13.1 Legal Basis for Processing
We process your personal data on the following legal bases (Article 6 GDPR):
- Consent (Art. 6(1)(a)): Where you have given us your explicit consent to process your data — for example, when creating an account, granting Apple Health access, or receiving marketing communications. You may withdraw consent at any time without affecting the lawfulness of prior processing.
- Contract Performance (Art. 6(1)(b)): Where processing is necessary to provide the Service you have requested, including account management and subscription billing.
- Legitimate Interests (Art. 6(1)(f)): Where processing is in our legitimate interests (e.g., fraud prevention, improving the Service, security monitoring), provided those interests are not overridden by your rights.
- Legal Obligation (Art. 6(1)(c)): Where processing is required to comply with applicable law.
13.2 Special Category Health Data (Article 9 GDPR)
Health and fitness data is a "special category" under Article 9 GDPR and receives heightened protection. We process such data solely on the basis of your explicit consent (Art. 9(2)(a)), which you provide when you grant permission to access Apple Health or Google Fit data and agree to our Privacy Policy during onboarding. You may withdraw this consent at any time by contacting us at privacy@peakroutinehealth.com or deleting your account.
13.3 Your GDPR Rights
In addition to the rights described in Section 7, EEA/UK residents have the right to:
- Lodge a complaint with the supervisory authority in your country of residence. A list of EEA authorities is available at edpb.europa.eu. UK residents may contact the Information Commissioner's Office (ICO).
- Not be subject to solely automated decision-making that produces legal or similarly significant effects, unless you have given explicit consent or it is necessary for a contract.
We will respond to all GDPR rights requests within 30 days of receipt.
13.4 International Transfers
When we transfer your personal data from the EEA/UK to countries that do not provide an equivalent level of data protection, we rely on the European Commission's Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA) as the appropriate safeguard.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices — including requests to access, correct, or delete your data — please contact us at:
PeakRoutine
Email: privacy@peakroutinehealth.com
When submitting a data deletion request, please include:
- Your full name
- The email address associated with your account
- A description of what data you want deleted (e.g., "all data", "health data only")
We will acknowledge your request within 5 business days and complete it within 30 days as required by applicable law (including GDPR Article 17 and CCPA).