Skip to content

How we treat your data

PeakLine is built around a small set of principles about your data. They're not legal boilerplate — they're decisions baked into the codebase.

Your account, your control

We never see your Strava password

When you connect to PeakLine you use Strava's standard OAuth 2.0 flow. You enter your credentials on strava.com, not on us, and only a scoped access token is handed back. We literally cannot log in as you.

You can revoke that token at any time from Strava's Authorized Apps page. The moment you do, PeakLine stops working for your account — we have no way to fetch new data.

We never sell your data

Your data works only for you

We analyze your activities for one reason: to give you better insights. That's the entire business model.

  • No targeted advertising.
  • No selling, renting, or trading data to brokers or third parties.
  • No "anonymized" data shared with anyone. Aggregating doesn't count as anonymization in our book.
  • No exceptions.

What we actually store

For full transparency, here's what's in the database when you have a Strava-connected account:

Category What Why
Profile Strava user ID, name, profile picture URL, country To render the dashboard
Tokens OAuth access token, refresh token, expiry timestamp To fetch your activities
Activities Strava activity IDs + cached analysis results To avoid re-analyzing on every page load
Preferences FTP, LTHR, max HR, zones, language, theme, units So the analysis is accurate to you
Optional integrations Telegram chat ID, Garmin session token (encrypted) Only if you opt in

We do not store your password (we never had it) and we don't keep copies of GPX streams beyond what's needed for the latest cached analysis.

What gets sent out

A few features call external APIs. Here's the list — nothing more, nothing less:

  • Strava — we fetch your activities, streams, segments, and gear. Standard OAuth, your token.
  • Open-Meteo — historical and forecast weather data, queried by latitude/longitude/time. No account or API key required by them.
  • OpenWeather — historical air quality, same lat/lon model.
  • Telegram Bot API — only if you've connected Telegram, only to deliver messages.

That's the whole list. We do not call Google Analytics, Facebook Pixel, Hotjar, or any other tracker. The site uses Prometheus and Sentry for internal telemetry; neither sees your activity data.

Cookies

PeakLine sets a small number of cookies — session, language preference, theme — and that's it. There are no advertising cookies and no third-party tracking cookies. Full breakdown on the cookies page.

Account deletion

Click Delete account in Settings. We immediately:

  1. Invalidate the Strava token on our side.
  2. Delete your row from the user table.
  3. Drop cached analyses linked to your user ID.
  4. Cancel any pending background jobs (auto-reports, webhook handlers).

If you'd like a hard confirmation, you can also revoke from Strava's settings page first, then delete in PeakLine. Either order works.

Open, independent, single-developer

PeakLine isn't a corporation. It's an independent project run by one developer who is also a serious cyclist. That has two consequences worth knowing about:

  • Decisions are made for athletes, not shareholders. When a feature would be good for the business but bad for users, it gets vetoed by the only person who can veto it.
  • No external compliance pressure pushes us toward dark patterns. No growth team, no quarterly engagement targets, no funnel optimization.

If you ever want to verify a claim on this page, the code is the source of truth.

A note on backups

We do take encrypted database backups for disaster recovery. They live in the same data center as the production database, are encrypted at rest, and are pruned on a 30-day rolling window. They exist so that a disk failure doesn't lose your data — not so we can resurrect a deleted account.