How we treat your data¶
PeakLine is built around a small set of principles about your data. They're not legal boilerplate — they're decisions baked into the codebase.
Your account, your control¶
We never see your Strava password
When you connect to PeakLine you use Strava's standard OAuth 2.0 flow. You enter your credentials on strava.com, not on us, and only a scoped access token is handed back. We literally cannot log in as you.
You can revoke that token at any time from Strava's Authorized Apps page. The moment you do, PeakLine stops working for your account — we have no way to fetch new data.
We never sell your data¶
Your data works only for you
We analyze your activities for one reason: to give you better insights. That's the entire business model.
- No targeted advertising.
- No selling, renting, or trading data to brokers or third parties.
- No "anonymized" data shared with anyone. Aggregating doesn't count as anonymization in our book.
- No exceptions.
What we actually store¶
For full transparency, here's what's in the database when you have a Strava-connected account:
| Category | What | Why |
|---|---|---|
| Profile | Strava user ID, name, profile picture URL, country | To render the dashboard |
| Tokens | OAuth access token, refresh token, expiry timestamp | To fetch your activities |
| Activities | Strava activity IDs + cached analysis results | To avoid re-analyzing on every page load |
| Preferences | FTP, LTHR, max HR, zones, language, theme, units | So the analysis is accurate to you |
| Optional integrations | Telegram chat ID, Garmin session token (encrypted) | Only if you opt in |
We do not store your password (we never had it) and we don't keep copies of GPX streams beyond what's needed for the latest cached analysis.
What gets sent out¶
A few features call external APIs. Here's the list — nothing more, nothing less:
- Strava — we fetch your activities, streams, segments, and gear. Standard OAuth, your token.
- Open-Meteo — historical and forecast weather data, queried by latitude/longitude/time. No account or API key required by them.
- OpenWeather — historical air quality, same lat/lon model.
- Telegram Bot API — only if you've connected Telegram, only to deliver messages.
That's the whole list. We do not call Google Analytics, Facebook Pixel, Hotjar, or any other tracker. The site uses Prometheus and Sentry for internal telemetry; neither sees your activity data.
Cookies¶
PeakLine sets a small number of cookies — session, language preference, theme — and that's it. There are no advertising cookies and no third-party tracking cookies. Full breakdown on the cookies page.
Account deletion¶
Click Delete account in Settings. We immediately:
- Invalidate the Strava token on our side.
- Delete your row from the user table.
- Drop cached analyses linked to your user ID.
- Cancel any pending background jobs (auto-reports, webhook handlers).
If you'd like a hard confirmation, you can also revoke from Strava's settings page first, then delete in PeakLine. Either order works.
Open, independent, single-developer¶
PeakLine isn't a corporation. It's an independent project run by one developer who is also a serious cyclist. That has two consequences worth knowing about:
- Decisions are made for athletes, not shareholders. When a feature would be good for the business but bad for users, it gets vetoed by the only person who can veto it.
- No external compliance pressure pushes us toward dark patterns. No growth team, no quarterly engagement targets, no funnel optimization.
If you ever want to verify a claim on this page, the code is the source of truth.
A note on backups¶
We do take encrypted database backups for disaster recovery. They live in the same data center as the production database, are encrypted at rest, and are pruned on a 30-day rolling window. They exist so that a disk failure doesn't lose your data — not so we can resurrect a deleted account.