The short version
- Your health data is stored locally, encrypted with AES-256 via SQLCipher.
- Authentication is anonymous — we never ask for your name, email, or phone number.
- Cloud sync is off by default. You have to opt in.
- Crash reports strip health data before leaving the device.
- You can export or clear all evidence from the app at any time.
Our privacy principles
Privacy is a design constraint, not a marketing line. The product is built around four non-negotiable principles:
- Offline-first. The app works fully offline. Every core feature — onboarding, logging, plan viewing, exercises, Vault content — functions without a network.
- Anonymous by default. We use Supabase anonymous authentication. No personal identifier is required to create or use an account.
- Encrypted at rest. The local database uses SQLCipher with a 256-bit key generated on-device and stored in the platform keychain via flutter_secure_storage.
- Minimum necessary processing. When server-side compute is unavoidable (plan generation, weekly insight), we aggregate and strip before transmitting.
What we collect
Data you enter during onboarding and logging:
- Basics. Date of birth, height, weight. Used to compute age and BMI.
- Activity. Weekly solo and partner frequency. Per-log entries include type, timestamp, duration, satisfaction, erection quality, pleasure, refractory period, mood, protection used, and free-text notes.
- Goals. Which of the nine goals you select (stamina, lasting longer, frequency, energy, prostate health, testosterone, fertility, erectile health, general vitality).
- Lifestyle. Sleep hours, diet type, exercise level, stress level, symptom and substance-use checkboxes.
- Progress. Exercise completions, XP, badges earned, streak state, weekly challenge progress.
Optional device data, only if you grant permission:
- Apple HealthKit / Health Connect. Reading and writing are independent opt-ins, each gated by a separate operating-system permission and off by default. Read pulls total sleep in bed, resting heart rate, daily steps, and total exercise minutes to enrich your insights. Write mirrors sessions you complete in PeakVital into Health as workouts (activity type and duration only — no calorie estimate, no health detail).
- Biometric unlock. Face ID or fingerprint match is performed by the operating system. PeakVital never receives your biometric data.
Where your data lives
All of the data described above is written to an encrypted local database on your device. The database file is encrypted using SQLCipher with a 256-bit key; the key is generated on first launch and stored in the device's secure keychain. Your data does not leave the device unless one of the specific scenarios in the next two sections applies.
Optional cloud sync
Cloud sync is off by default. If you enable it in settings, an encrypted copy of your local database may be synchronised to our storage so you can restore it on a new device. You can disable sync and delete the server copy at any time from within the app.
Server-side processing
A small number of features require a server round-trip. Each one is scoped to the minimum data needed and does not persist beyond the response unless noted:
- Plan generation (generate-plan). Your onboarding intake — age bracket, BMI, weekly frequency, goals, lifestyle sliders — is sent to our edge function to produce a personalised plan. If the call fails, a local deterministic engine produces a baseline plan so your device is never stuck.
- Weekly insight (weekly-insight). Aggregated weekly statistics (counts, averages, correlations) are sent to produce a narrative insight. Raw per-log entries are not transmitted.
- Plan adaptation (adapt-plan). At Day 30 and Day 60 checkpoints, summary performance data is sent to adjust targets or tier.
- Vault content. Article fetching over HTTPS. No personal data is transmitted with the request.
- Subscription state via RevenueCat and the revenuecat-webhook function. Billing identifiers only; no health data.
Analytics and crash reports
We use Sentry for crash reporting. The integration is configured to strip health-related breadcrumbs before events are sent. Crash reports contain stack traces, anonymised device information, and app version — never your logged activity, goals, or biometric state.
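The breadcrumb stripping described above, as an added illustration rather than PeakVital's own code: a pure filter that drops any Sentry breadcrumb touching a logged health field, wired into the SDK's beforeBreadcrumb hook. The field list, the entry-point name and the sentry_flutter 8.x callback signature are assumptions.

```dart
import 'package:sentry_flutter/sentry_flutter.dart';

// Field names from the activity/lifestyle log that must never reach a crash
// report. Hypothetical list built from the policy text; extend to the real schema.
const Set<String> _healthFields = {
  'satisfaction', 'erection_quality', 'pleasure', 'refractory_period',
  'mood', 'protection_used', 'notes', 'goals', 'symptoms', 'substance_use',
  'sleep_hours', 'resting_heart_rate', 'steps', 'weight', 'bmi',
};

bool _mentionsHealth(String? text) {
  if (text == null) return false;
  final lower = text.toLowerCase();
  return _healthFields.any(lower.contains);
}

/// Returns null (drop the breadcrumb) when its category, message or any data
/// key references a health field; otherwise passes the breadcrumb through.
/// Dropping the whole crumb is deliberate: partial scrubbing can leak values
/// nested under innocuous keys.
Breadcrumb? scrubHealthBreadcrumb(Breadcrumb? crumb) {
  if (crumb == null) return null;
  final dataKeys = crumb.data?.keys ?? const <String>[];
  final tainted = _mentionsHealth(crumb.category) ||
      _mentionsHealth(crumb.message) ||
      dataKeys.any(_mentionsHealth);
  return tainted ? null : crumb;
}

/// App start-up hook (assumed name). The filter runs on-device, before the
/// event leaves the phone, so health breadcrumbs are never transmitted.
Future<void> initCrashReporting() async {
  await SentryFlutter.init((options) {
    options.dsn = 'https://<public-key>@<sentry-host>/<project-id>'; // placeholder
    // sentry_flutter 8.x signature: (Breadcrumb? crumb, Hint hint)
    options.beforeBreadcrumb = (crumb, hint) => scrubHealthBreadcrumb(crumb);
  });
}
```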
We do not use behavioural profiling SDKs, and our on-device usage analytics never leave your device. The only optional exception is the advertising attribution described below, which you must explicitly turn on.
Advertising and attribution
PeakVital runs no ads inside the app and shows you no targeted advertising. To measure whether our own ad campaigns work, iOS users can optionally enable an Ad Performance toggle in settings. It is off by default and double-gated:
- Apple App Tracking Transparency. Nothing is shared unless you grant tracking at the system ATT prompt and turn the in-app toggle on.
- Coarse funnel events only. When enabled, a small number of non-health events (such as app activation) are sent to Meta for campaign attribution. We never transmit your logged activity, goals, symptoms, subscription details, or any health-revealing data.
- Privacy-safe defaults. Automatic event logging and advertiser-ID collection are disabled at the SDK level. You can revoke consent at any time by turning the toggle off, which stops tracking and clears the associated data.
Sharing with third parties
We do not sell your data. We do not share it with advertisers, brokers, or affiliates. The only third parties involved in processing are:
- Supabase — anonymous authentication and edge function hosting.
- RevenueCat and the platform app stores (Apple, Google) — subscription management and billing.
- Sentry — crash reporting with health data stripped.
- Meta — ad-campaign attribution, only if you enable the iOS Ad Performance toggle, and limited to coarse non-health funnel events.
Each processor is bound by contract to use the data only to provide the service we request.
Retention and deletion
Local data is retained on your device until you delete it. Two first-class controls exist in the app:
- Export My Data — produces a readable copy you can keep or move.
- Clear All Evidence — wipes the local vault and resets the app state.
If you had cloud sync enabled, disabling it offers to delete the server copy. Deletion is immediate and irreversible.
Security controls
- SQLCipher + AES-256 for the local database.
- Device keychain for key storage (iOS Keychain, Android Keystore).
- Biometric lock: optional Face ID / fingerprint on app resume.
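The encrypted-at-rest design described under "Where your data lives" and in the controls above, as an added example that is not PeakVital's own code: generate a 256-bit key from the OS CSPRNG on first launch, keep it only in the platform keychain through flutter_secure_storage, and open the SQLCipher database with it. The keychain entry name, database file name, table schema and the use of the sqflite_sqlcipher package are assumptions.

```dart
import 'dart:math';

import 'package:flutter_secure_storage/flutter_secure_storage.dart';
import 'package:path/path.dart' as p;
import 'package:sqflite_sqlcipher/sqflite.dart';

// Keychain (iOS) / Keystore-backed (Android) entry holding the DB key. Assumed name.
const String _dbKeyEntry = 'peakvital_db_key';

const FlutterSecureStorage _secureStorage = FlutterSecureStorage();

/// Returns the SQLCipher key, creating it on first launch.
/// The key is produced on-device from Random.secure() and is never written
/// anywhere except the platform keychain, so it cannot be recovered from a
/// backup of the database file alone.
Future<String> loadOrCreateDbKey() async {
  final existing = await _secureStorage.read(key: _dbKeyEntry);
  if (existing != null) return existing;

  // 32 random bytes = 256 bits of entropy, hex-encoded as the passphrase
  // SQLCipher derives its page key from.
  final rng = Random.secure();
  final bytes = List<int>.generate(32, (_) => rng.nextInt(256));
  final hexKey = bytes.map((b) => b.toRadixString(16).padLeft(2, '0')).join();

  await _secureStorage.write(key: _dbKeyEntry, value: hexKey);
  return hexKey;
}

/// Opens (or creates) the encrypted local database. Without the keychain
/// entry the file on disk is unreadable; "Clear All Evidence" would delete
/// both the file and the key.
Future<Database> openEncryptedDb() async {
  final key = await loadOrCreateDbKey();
  final path = p.join(await getDatabasesPath(), 'peakvital.db'); // assumed file name
  return openDatabase(
    path,
    password: key,
    version: 1,
    onCreate: (db, _) => db.execute(
      'CREATE TABLE activity_log('
      'id INTEGER PRIMARY KEY, ts INTEGER NOT NULL, notes TEXT)', // illustrative schema
    ),
  );
}
```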
Age and eligibility
PeakVital is intended for users 18 years of age or older. The in-app age gate is a self-certification. We do not knowingly process data from minors. If you believe a minor has created an account, email us and we will delete the data.
Your rights and the exit hatch
The off-switch is always visible. From inside the app you can export your data, clear all evidence, toggle cloud sync, and cancel your subscription via the store that billed you.
If your jurisdiction grants you additional rights (access, correction, portability, restriction, objection, erasure, or the right to lodge a complaint with a supervisory authority), contact us and we will honour them without charge.
Regional disclosures
EEA / UK. The lawful bases for processing are consent (for optional features like cloud sync, Health read and write, and ad attribution) and contract (providing the app you subscribed to). You can withdraw consent at any time by disabling the relevant toggle.
California. We do not sell your personal information. We do not share it for cross-context behavioural advertising unless you opt into the iOS Ad Performance feature; you can withdraw that consent at any time by disabling the toggle.
Changes to this policy
We may update this policy when the product changes. Material changes will be surfaced in-app. The “last updated” date at the top of this page reflects the most recent revision.
Contact
Privacy questions, access requests, or concerns: privacy@peakvital.app.