PeakList Legal

Privacy Policy

This Privacy Policy explains how PeakList collects, uses, stores, shares, and protects information when you use the PeakList iOS app, widgets, public share links, related web pages, and backend services. PeakList is operated by Nathan Sobol. In this Policy, "PeakList," "we," "us," and "our" refer to Nathan Sobol and the services used to provide PeakList.

This Policy is intended to describe the app as it exists today, including accounts, public profiles, social features, hike logs, photo uploads, Apple Health imports, Strava imports, route imports, Custom Route, Snap route calculation, Alpine Plant ID, Pro billing, public plan links, live shared planning, trail reports, support requests, offline maps, widgets, analytics, Trails, Navigate, PeakList Global, maps, weather, Jackknife, Water Calculator, Plan Builder, Food Library and nutrition planning, gear and carry planning, to-do queues, and other location-based tools.

1. Age Requirement

PeakList is not directed to children under 13 and is intended for users who are at least 13 years old. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided personal information through PeakList, contact us at [email protected] and we will take appropriate steps to delete it.

2. Summary of Our Practices

  • We do not sell your personal information.
  • We do not share your personal information for cross-app behavioral advertising.
  • We do not run continuous background location tracking outside an active Navigate session.
  • If you start Navigate, PeakList may use background location while Navigate is active to keep navigation and local GPX recording working when your phone is locked or the app is in the background.
  • Live location and Navigate GPX traces are not uploaded or synced unless you choose to save, sync, share, upload, or publish content that includes route or location data.
  • We use precise or approximate location only when you grant permission and use features that need it, such as maps, Trails, Navigate, Mountain Finder AR, weather or conditions tools, Jackknife, Water Calculator context, Plan Builder context, or Share Location Snapshot.
  • Custom Route, Snap, trail elevation, weather, astronomy, Alpine Plant ID, and similar provider-backed features may send the minimum coordinates, route samples, selected images, or context needed to return the result.
  • Connecting Strava is optional. If you connect Strava, we request the Strava scopes shown during authorization, store OAuth tokens encrypted on our server, and use Strava activity data only to provide connection, review, import, sync, validation, and disconnect features you request.
  • Food Library search uses a bundled USDA FoodData Central-derived dataset in the app. If you save or sync planning records, food selections, quantities, weights, USDA source identifiers, and nutrition totals may be stored with your planning data.
  • Public features can make information visible to other users or to anyone with a public link, depending on the visibility choices you make.
  • PeakList Global uses in-app Navigate telemetry and validated Strava imports where enabled from official routes to support personal analytics, validation, standings, titles, and anti-abuse review. Public standings require opt-in. Private navigated efforts and imported efforts may still support your personal analytics.
  • PeakList Global public surfaces may show holder identity, scope names, scores, elapsed time, achieved date, summary stats, and leaderboard placement, but raw GPS tracks are not shown publicly.
  • Health, fitness, route, location, planning, food, gear, water, and safety-diagnostic information can be sensitive. We use it only to provide requested app features, sync features you enable, safety and diagnostics tools, and related support.

3. Information We Collect

Account and Authentication Data

If you create an account, we may collect your email address, authentication user identifier, display name, profile metadata, profile visibility setting, avatar or profile picture selection, sign-in provider identifiers, connected service identifiers such as Strava athlete identifiers or usernames, and related account settings. Sign in with Apple, Google sign-in, Strava authorization, or email/password sign-in may provide authentication or connection identifiers needed to create, secure, or connect your account.

Profile, Social, and Public Activity Data

If you use profile or social features, we may collect profile text, display name, profile image choices, website or social links you add, hiking stats you choose to show, friend requests, friendships, blocks, moderation reports, profile visibility settings, and public activity. If you make a profile, hike log, photo, trail report, achievement, PeakList Global standing, or activity public, it may be visible to other users and may appear in public profile, recent activity, leaderboard, map, or community surfaces.

Hiking, Checklist, Planning, and Journal Data

PeakList may store checklist progress, peak lists, favorites, wishlists, to-do queues, achievements, games, scores, streaks, saved hikes, hike logs, completion dates, notes, tags, routes, custom route drafts, snapped route results, distance, duration, elevation gain, gear plans, inventory items, Food Library selections, food names, USDA source identifiers, quantities, weights, calories, macronutrients, sodium, calories per day, calories per ounce, saved trip plans, templates, generated plan content, public plan share links, live plan edits, live plan participation, meeting spots, participant identity choices, presence state, review-factor choices, carry, food, and water-planning values, trail condition reports, access reports, PeakList Global participation state, navigated or imported effort summaries, holder titles, leaderboard placement, and other information you enter or generate in the app. Some features work locally on your device; signed-in users may sync supported data through cloud services.

PeakList Global Competitive Telemetry

If you use Navigate on official PeakList trail data, or if you submit a validated Strava import where PeakList enables that source, PeakList may create a PeakList Global effort draft or effort record. This may include the linked hike log, user identifier, list, peak, trail, trail segment, route context, trailhead identifiers, source application, external workout identifier, start and end time, elapsed and moving time, distance, elevation gain and loss, highest and lowest elevation, summit and checkpoint matching, route-match score, GPS quality score, speed and pace summaries, season identifier, eligibility status, invalid or review reason, public/private visibility, telemetry digest, downsampled validation samples, and related metadata. We use this information to determine whether an effort is navigated, validated from Strava, not navigated, needs review, or rejected; to compute Peak Holder, Trail Holder, Trail Segment Holder, Segment Best, Personal Best, targets, achievements, metadata leaderboards, and analytics; to prevent duplicate or manipulated submissions; and to audit holder changes.

Manual logs, imported GPX, Apple Health, FIT, TCX, bulk import, web import, duplicated logs, and similar non-Navigate sources may still support personal hike history where available, but they are not intended to create public PeakList Global standings. Validated Strava imports may qualify for public PeakList Global only where PeakList expressly enables that source and the same server-side route, segment, summit, and integrity checks pass. Raw or downsampled validation tracks are treated as private owner/service data and are not displayed on public standings. If you opt into public PeakList Global standings, public surfaces may show your display name, profile image or initials, relevant public profile identity, scope held or attempted, score, elapsed time, achieved date, rank, title, route or peak name, summary telemetry, and recent activity related to public standings.

Imported Route, Fitness, and Health Data

If you choose to import workouts or routes from Apple Health, Strava, GPX, TCX, FIT, or similar files, PeakList may process workout dates, activity labels, duration, distance, source app metadata, route summaries, track points, elevation data, and route file contents. Apple Health access is requested through Apple's permission prompts. Strava access is requested through Strava OAuth; PeakList may store Strava connection status, athlete identifier, username or profile names returned by Strava, requested and granted scopes, whether private-activity access was requested, connection and token expiration dates, last sync time, encrypted access and refresh tokens, OAuth state records, webhook receipts, activity summaries, route streams, external workout identifiers, and imported activity details needed to review, import, validate, disconnect, troubleshoot, and prevent abuse. Strava route streams may include latitude/longitude, altitude, time, and distance samples. If you authorize private Strava activity access, PeakList may request private activities from Strava for the import flow until you disconnect Strava, revoke access, or the authorization expires. Route retention for Apple Health imports is optional and controlled by your settings. Custom Route and Snap may process selected endpoints, waypoints, route geometry, snapped waypoints, distance, duration, and elevation summaries to calculate or save a route. If you save or sync a hike log that includes imported health, fitness, Strava, or route data, that data may be stored with the hike log.

Location, Sensor, Camera, and Photo Permission Data

PeakList may request access to location, camera, photo library, motion, altitude, heading, and related sensor data for features such as Mountain Finder AR, Trails and Navigate, map centering, weather and conditions lookup, Jackknife diagnostics, Water Calculator or Plan Builder context, Custom Route, Snap, Share Location Snapshot, Alpine Plant ID, wallpaper or image saving, hike photo selection, and PeakList Global validation. Jackknife may process device, battery, motion, compass, altitude, location-permission, and network-reachability signals to display diagnostics. PeakList uses background location only during an active Navigate session, and only to keep navigation and local GPX recording working while your phone is locked or the app is in the background. Live location and locally recorded Navigate GPX traces are not uploaded or synced unless you choose to save, sync, share, upload, submit, or publish content that includes route or location data, including PeakList Global efforts. Location and sensor data may otherwise remain local unless you save, sync, share, upload, submit, or publish content that includes it.

Uploaded Photos and Media

If you upload hike-log photos, the app may process and upload selected images, captions, visibility settings, file size, content type, file hash, hike-log identifiers, and related metadata. Photo files are stored in Cloudflare R2 using upload URLs issued by PeakList backend services, and metadata is stored in Supabase. Uploaded photos may be private or public depending on the visibility settings for the photo, hike log, or related feature. Public photos may be visible to other users or public viewers. Deleted photos and related metadata are removed from active app surfaces, subject to backups, security logs, and legal retention needs.

Alpine Plant ID Data

If you use Alpine Plant ID, the selected camera or photo-library image is sent to PeakList backend services and then to the plant identification provider, currently PlantNet, for live identification. Original Plant ID images are not stored by default for the current version, but PeakList may store request metadata, quota usage, image hashes, provider response metadata, normalized identification results, and saved share-card metadata when needed to provide the feature, prevent abuse, or show your history.

Support, Suggest Edit, and Safety Reports

If you contact support, submit a suggested edit, report a trail issue, report a user, or send a moderation report, we may collect your message, reply email, selected list or screen, app version, build number, device model, operating system, platform, network reachability, authentication state, last known error, reported content identifiers, and other diagnostics you choose to include. Backend services may hash IP address and user-agent information for rate limiting and abuse prevention. Support messages and important operational notices may be delivered through Resend or similar email services.

Billing and Entitlement Data

If you purchase PeakList Pro or another paid feature, Apple processes your payment. PeakList does not receive or store your payment card number. We may receive and store App Store transaction identifiers, product identifiers, signed transaction data, app account tokens, subscription status, renewal state, grace period state, refund or revocation state, lifetime purchase status, and entitlement history so that we can unlock Pro features and provide billing support.

Analytics, Crash, Performance, and Gameplay Data

PeakList may collect product interaction, crash, performance, diagnostic, and gameplay content data, including app version, device type, operating system, screen or feature events, feature engagement, Custom Route calculation events, support or report actions, game sessions, game rounds, saved game progress, scores, streaks, unlocks, achievement progression, PeakList Global standings and submission states, and similar usage data. Firebase Analytics delivery is controlled by your analytics preference where applicable; when enabled, Firebase may process app instance identifiers or device-level identifiers for analytics. Some local functional analytics may still be processed on-device or in app storage to power achievements, game progression, PeakList Global, and app functionality.

Widgets, App Intents, App Group, and Local Storage

PeakList stores data locally on your device using app storage, local files, caches, app group storage, and similar mechanisms. This may include preferences, offline datasets, downloaded maps or trail files, cached images, widgets snapshots, App Intents data, checklist state, recent app state, tutorial state, local hike logs, local drafts, and imported files. Device backups, iCloud device backup settings, or iOS behavior may also affect local copies.

4. How We Use Information

We use information to:

  • Provide and personalize app features, accounts, sync, public profiles, hike logs, photos, social features, Trails, Navigate, maps, weather, Jackknife, Water Calculator, Plan Builder, Food Library, Custom Route, Snap, live shared plans, planning tools, widgets, games, PeakList Global, achievements, and Pro access.
  • Process Apple Health, Strava, route, image, location, weather-query, route calculation, elevation, sensor, gear, food, water, and planning data when you request related features.
  • Display public content according to your visibility choices.
  • Validate Navigate efforts and eligible Strava imports, compute PeakList Global standings, detect duplicate or manipulated submissions, process holder changes, provide personal targets, and preserve audit records for competitive integrity.
  • Operate billing, subscription, trial, grace-period, restore-purchase, refund, and entitlement systems.
  • Provide support, respond to privacy requests, investigate bugs, and process suggested edits or safety reports.
  • Moderate content, enforce community rules, prevent abuse, protect security, and rate-limit backend services.
  • Improve app performance, diagnose crashes, understand feature usage, and develop new features.
  • Comply with legal obligations, accounting requirements, App Store requirements, fraud prevention needs, and enforceable requests from authorities.

Where law requires a legal basis, we rely on contract performance, consent, legitimate interests, legal obligations, and, when relevant, your decision to make information public or request a specific feature.

5. Public Content and Visibility

Some PeakList features are private by default, while others are designed for sharing. Public profile information, public hike logs, public photos, recent activity entries, public trail condition reports, public plan links, live shared plan content, public achievements, public PeakList Global standings, holder titles, ranks, and similar content may be visible to other users or anyone with access to a public link or public app surface. Public plan links, public profile pages, and public leaderboard or map surfaces should be treated as public. Public web pages, shared links, standings, and map or leaderboard entries may be copied, cached, linked, indexed, screenshotted, or viewed outside PeakList. Do not publish or opt into public features for content that you do not want others to see.

You can change many visibility settings in the app, delete supported content, revoke public plan links, leave supported live plan sessions, turn off public PeakList Global standings where supported, block users, or report content. Turning off public PeakList Global standings generally stops new public holder appearances, but private navigated efforts may still support personal analytics, and copies or historical records may remain in backups, logs, moderation records, audit records, caches, screenshots, external shares, or places where other users already accessed the content.

6. How We Share Information

Service Providers

We use service providers to operate PeakList. These may include Supabase for authentication, database, storage metadata, edge functions, Strava token vault records, and account services; Cloudflare Workers and R2 for backend APIs, photo storage, public assets, offline map and trail downloads, StoreKit sync, Strava integration endpoints, and account deletion workflows; Firebase and Google services for analytics, crash, and performance diagnostics; Resend for support and operational email; Apple for App Store payments, Sign in with Apple, HealthKit, MapKit, StoreKit, widgets, and system permissions; Google for Google sign-in and related platform services; Strava for user-authorized activity import; GraphHopper and OpenStreetMap contributors for route calculation and route data; PlantNet for plant identification; and USDA FoodData Central as the source for bundled food and nutrition reference data.

Public and User-Directed Sharing

We share information when you direct us to do so, such as publishing a public profile, uploading public photos, joining public PeakList Global standings, sharing a location snapshot, creating or joining a public plan link, sharing live plan content with collaborators, exporting a route, connecting or disconnecting Strava, submitting a public trail report, using native iOS share sheets, or sending a support request.

External Data Providers

PeakList uses public and third-party data sources for maps, route calculation, route snapping, weather, forecasts, alerts, trail and access information, trail elevation profiles, wildfire, streamflow, air quality, sunrise and sunset, astronomy, plant identification, mountain content, activity import, and food and nutrition reference data. Providers may include Apple, Strava, GraphHopper, OpenStreetMap contributors, NOAA/NWS, Open-Meteo, OpenTopoData, USGS, NASA FIRMS, AirNow, U.S. Naval Observatory, PlantNet, USDA FoodData Central, Wikimedia Commons, and other public or licensed sources. When the app or backend requests data from these providers, they may receive the requested coordinates, waypoints, route samples, route or peak context, activity identifiers, query details, time, endpoint information, and ordinary network metadata needed to return the data. Bundled USDA FoodData Central-derived food data is searched locally in the app unless a future feature clearly states otherwise.

Legal, Safety, and Business Reasons

We may disclose information if we believe it is reasonably necessary to comply with law, protect users, investigate fraud or abuse, enforce our Terms, respond to lawful requests, protect rights or safety, or transfer the service in connection with a merger, acquisition, restructuring, or similar transaction. PeakList is not an emergency monitoring or dispatch service, and we do not routinely review user data to identify emergencies.

7. HealthKit and Sensitive Data

PeakList uses Apple Health data only with your permission and only for app functionality you request, such as importing workouts into hike logs. PeakList does not use HealthKit data for advertising, does not sell HealthKit data, and does not share HealthKit data with advertising platforms. You can revoke Apple Health permissions in iOS settings or the Health app. If you save or sync a hike log containing HealthKit-derived information, it will be handled under this Policy like other hike-log data.

Precise location, route tracks, custom routes, Strava activities, health, fitness, photos, planning notes, food selections, nutrition estimates, gear lists, water estimates, public plans, live shared plans, trail reports, PeakList Global standings, and safety diagnostics can reveal sensitive information about where you go, when you hike, how fast you move, what you carry or eat, and what routes you prefer. Use visibility controls carefully before publishing, sharing, importing, or joining public standings for content that includes this information.

8. Data Retention

We retain information for as long as needed to provide PeakList, maintain your account, preserve synced content, operate Pro billing, provide support, comply with law, resolve disputes, prevent abuse, and enforce our Terms.

In general:

  • Account data remains until you delete your account or request deletion, subject to limited retention for legal, security, billing, fraud-prevention, and backup purposes.
  • Synced hike logs, photos, profile content, social data, saved plans, food selections, nutrition totals, custom routes, public reports, PeakList Global efforts, standings, holder-change events, validation summaries, imported Strava activity details saved into hike logs, and game progression remain until deleted, unpublished, reset, superseded, seasonally replaced, or removed by moderation, subject to backups, audit needs, fraud-prevention, dispute resolution, and legal retention.
  • Strava connection records and encrypted OAuth tokens remain until you disconnect Strava, revoke access, delete your account, or the connection is otherwise removed, subject to limited retention for security, abuse-prevention, webhook processing, troubleshooting, audit, backup, legal, and dispute-resolution needs. Disconnecting Strava stops future Strava import access but does not automatically delete hike logs or PeakList Global records you already saved or submitted from Strava.
  • Custom Route calculation cache, route hashes, quota records, and provider response metadata may be retained for a limited period to return requested routes, reduce repeated provider calls, enforce limits, diagnose failures, and prevent abuse.
  • StoreKit and billing records may be retained as needed for accounting, tax, entitlement, refund, fraud-prevention, and App Store compliance.
  • Support emails and diagnostics may be retained as needed to respond, maintain service quality, prevent abuse, and keep business records.
  • Aggregated, de-identified, or non-identifying analytics may be retained longer for product improvement.
  • Local data remains on your device until you delete it, reset it, uninstall the app, clear app data, or change device backup settings.

9. Your Choices and Privacy Rights

Depending on where you live, you may have rights to request access, correction, deletion, portability, restriction, objection, withdrawal of consent, or information about how your personal data is used. California and other US state privacy laws may also provide rights to know, access, correct, delete, obtain a copy, opt out of sale or sharing, limit certain uses of sensitive personal information, and avoid discrimination for exercising privacy rights.

PeakList does not sell personal information or share personal information for cross-context behavioral advertising. We use sensitive personal information only for the features, security, support, and legal purposes described in this Policy.

You can use in-app controls to change profile visibility, manage public content, export supported records, reset synced app data, delete supported content, delete supported saved plans, food selections, or routes, disconnect Strava, disable analytics delivery where available, revoke public plan links, leave supported live plan sessions, turn off public PeakList Global standings where supported, revoke Health and location permissions through iOS, revoke Strava access through Strava where available, and request account deletion. You may also contact [email protected]. We may need to verify your identity before fulfilling a request, and some requests may be limited where allowed by law, such as when records must be retained for security, legal, tax, billing, fraud-prevention, competitive integrity, audit, dispute-resolution, or public-interest reasons.

10. Security

We use reasonable technical, administrative, and organizational safeguards designed to protect information. These include platform permission prompts, authentication, access controls, row-level security where supported, scoped upload URLs, encryption for Strava OAuth token storage, service-side secrets, and operational monitoring. No system is perfectly secure. You are responsible for maintaining the security of your device, account credentials, connected third-party accounts, and public sharing choices.

11. International Processing

PeakList is operated from the United States, and our service providers may process information in the United States and other countries. Privacy laws in those countries may differ from the laws where you live. Where required, we rely on appropriate legal mechanisms for international processing and transfers.

12. Cookies and Tracking Technologies

The native iOS app does not use traditional browser cookies. Public web pages, public share links, support endpoints, and backend services may create ordinary server logs or use similar technologies for security, diagnostics, abuse prevention, and service operation. PeakList does not track you across third-party apps or websites for advertising.

13. Changes to This Policy

We may update this Privacy Policy as PeakList changes. When we make material changes, we will update the effective date and may provide notice in the app, by email, through App Store metadata, or by other reasonable means. Continued use of PeakList after an update means the revised Policy applies to later use.

14. Contact

For privacy requests, account deletion requests, legal notices, or questions about this Privacy Policy, contact:

Email: [email protected]

Please include enough information for us to understand your request and verify your identity where required.

Open support View Terms Back to PeakList