Privacy Policy
Last updated: May 2026
Introduction
PeakReps ("we", "us", "our") complies with the New Zealand Privacy Act 2020 (the "Act") when dealing with personal information. Personal information is information about an identifiable individual (a natural person).
This policy sets out how we will collect, use, disclose and protect your personal information.
This policy does not limit or exclude any of your rights under the Act. If you wish to seek further information on the Act, see www.privacy.org.nz.
Changes to This Policy
We may change this policy by uploading a revised policy onto the website. The change will apply from the date that we upload the revised policy.
Who Do We Collect Your Personal Information From
We collect personal information about you from:
- you, when you provide that personal information to us, including via the website at peakreps.com and any related service (including the PeakReps application), through any registration or subscription process, through any contact with us (e.g. telephone call or email), or when you buy or use our services and products
- third parties where you have authorised this or the information is publicly available
- Firebase Authentication (Google), which provides us with your authentication credentials and email address when you sign in
If possible, we will collect personal information from you directly.
What Personal Information We Collect
We collect the following categories of personal information:
| Category | Details |
|---|---|
| Account information | Name (first name, last name), email address, phone number (optional), profile picture (optional), and Firebase authentication user ID. |
| Business information (for trainers) | Business name, business address (optional), business profile picture (optional), and whitelabel app configuration (app branding, colours, logos). |
| Client information | Name, email address, phone number (optional), and profile picture provided by a trainer when creating a client invitation, along with invite code and invitation status. |
| Fitness and health data | Exercise names, descriptions, and associated media; workout routines; training programs; workout execution data including reps, weights, distance, time, RPE (rate of perceived exertion), calories, breaths, sets, and rest periods; workout completion status and scheduling information; and program assignment progress. |
| Media files | Profile pictures, exercise demonstration media, workout media, and app branding assets uploaded to the platform. |
| Technical and usage data | HTTP request logs (method, path, status code, response time), error logs, and website analytics data collected via PostHog (page views, events) on the marketing website only. |
How We Use Your Personal Information
We will use your personal information:
- to verify your identity and authenticate your access to the platform
- to provide the PeakReps SaaS platform and related services to you, including enabling trainers to manage clients, create workouts, and build branded fitness applications
- to facilitate client invitations and onboarding via email
- to enable workout execution tracking and fitness progress monitoring
- to store and deliver media files (profile pictures, exercise media, branding assets) via secure presigned URLs
- to respond to communications from you, including complaints
- to conduct research and statistical analysis (on an anonymised basis)
- to improve the services and products that we provide to you
- to protect and/or enforce our legal rights and interests, including defending any claim
- to monitor and maintain the security and performance of our platform
- for any other purpose authorised by you or the Act
Disclosing Your Personal Information
We may disclose your personal information to:
- any business that supports our services and products, including any person that hosts or maintains any underlying IT system or data centre that we use to provide the platform, specifically: Firebase Authentication (Google) for user identity verification; Amazon Web Services for database hosting (AWS RDS), file storage (AWS S3), email delivery (AWS SES), and application hosting (AWS ECS Fargate); and PostHog for website analytics (marketing website only)
- a person who can require us to supply your personal information (e.g. a regulatory authority)
- any other person authorised by the Act or another law (e.g. a law enforcement agency)
- any other person authorised by you
We may transfer your information in the case of a sale, merger, consolidation, liquidation, reorganisation or acquisition.
We do not sell your personal information to third parties. We do not use third-party data brokers or advertising networks.
International Data Storage
Our services and products are supported by infrastructure located outside New Zealand. This means your personal information is held and processed outside New Zealand, specifically:
| Service | Location |
|---|---|
| AWS ap-southeast-2 (primary database & file storage) | Sydney, Australia |
| Firebase Authentication (Google) | Google's global infrastructure |
| PostHog (website analytics) | May be processed outside New Zealand |
Protecting Your Personal Information
We will take reasonable steps to keep your personal information safe from loss, unauthorised activity, or other misuse, including:
- storing our database in a private VPC subnet (not publicly accessible)
- using HTTPS encryption via AWS Certificate Manager on all connections
- restricting CORS to authorised domains only
- using presigned URLs with time-limited expiry for file access (no publicly accessible storage objects)
- authenticating all API requests using Firebase JWT token verification
- enforcing business-scoped access controls ensuring users can only access data within their authorised business
- validating all input data using structured DTOs
Data Retention
Data is stored for the duration of your account. When an account is permanently deleted, all associated data (business, clients, training programs, workouts, exercises, media, and billing records) is permanently deleted. When an account is archived, data is held for 30 days to allow recovery before permanent deletion.
Deleting Your Account and Data
You have the right to request deletion of your personal information at any time. You can do this directly from within the PeakReps app (More menu → Delete account) or via the web at app.peakreps.com/request-deletion.
When you archive your account, your data is held for 30 days to allow recovery, then permanently deleted. When you reset your account data, your business and all associated client data is deleted immediately. In both cases, deletion includes:
- Your account and login credentials
- Business profile and settings
- All client records
- Training programs, workouts, and exercises
- Uploaded media and files
- Billing records
If you have questions about data deletion, contact us at support@peakreps.com.
Accessing and Correcting Your Personal Information
Subject to certain grounds for refusal set out in the Act, you have the right to access your readily retrievable personal information that we hold and to request a correction to your personal information. Before you exercise this right, we will need evidence to confirm that you are the individual to whom the personal information relates.
In respect of a request for correction, if we think the correction is reasonable and we are reasonably able to change the personal information, we will make the correction. If we do not make the correction, we will take reasonable steps to note on the personal information that you requested the correction.
If you want to exercise either of the above rights, email us at jamie@peakreps.com. Your email should provide evidence of who you are and set out the details of your request (e.g. the personal information, or the correction, that you are requesting).
We may charge you our reasonable costs of providing to you copies of your personal information or correcting that information.
Internet Use
While we take reasonable steps to maintain secure internet connections, if you provide us with personal information over the internet, the provision of that information is at your own risk.
If you follow a link on our website to another site, the owner of that site will have its own privacy policy relating to your personal information. We suggest you review that site's privacy policy before you provide personal information.
Cookies and Analytics
We use PostHog for website analytics on our marketing website at peakreps.com. PostHog may use cookies and similar technologies to monitor your use of the website. You may disable cookies by changing the settings on your browser, although this may mean that you cannot use all of the features of the website.
We do not use analytics tracking within the PeakReps SaaS application itself.
Contacting Us
If you have any questions about this privacy policy, our privacy practices, or if you would like to request access to, or correction of, your personal information, you can contact us at jamie@peakreps.com.