Privacy Policy
Last updated: June 2026
1. Who We Are
Peakd ("we", "us", "our") is operated by Peakd Labs Ltd (Company No. 17331702), registered in England & Wales. We are the data controller for your personal information. For privacy inquiries, contact us via our contact form.
2. What We Collect
We collect the minimum data necessary to operate the platform:
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Account creation, login, notifications | Contract |
| Display name | Shown on votes, comments, profile | Contract |
| Password (hashed) | Authentication | Contract |
| Votes & ratings | Computing rankings | Contract |
| Comments | Community discussion | Contract |
| Submissions, lists, polls | User-created content (you can delete your own at any time) | Contract |
| IP address (hashed) | Rate limiting, fraud prevention, security audit trail | Legitimate interest |
| Device fingerprint | Vote fraud detection — identifying when multiple accounts operate from the same device. Not used for advertising or cross-site tracking. | Legitimate interest |
| Entity addresses (user-provided) | Address autocomplete when editing entities (via OpenStreetMap Nominatim). No map is displayed — a directions button links to Google Maps. | Contract |
| Page views (anonymous) | Trending scores, popularity metrics | Legitimate interest |
| OAuth identifiers | Social login (Google, GitHub) | Consent |
| 2FA secret (encrypted) | Two-factor authentication for admin accounts. Encrypted at rest (AES-256). Optional — only stored if you enable 2FA in Settings. | Contract |
| Birth year | Age verification (restricting mature content to 18+) | Legal obligation |
| Country | Optional profile field, shown publicly if provided | Consent |
| Device/browser info | Session management, security (logged in Settings) | Legitimate interest |
| Preferences (interests, follows, bookmarks) | Personalising your feed and recommendations | Contract |
| Social links (user-provided) | Displayed on your public profile | Consent |
| Outbound link clicks | Measuring interest in external websites (anonymous, not tied to user) | Legitimate interest |
| Profession (optional) | Shown to claimed businesses as anonymous aggregated demographic data only (e.g. "42 engineers rated you"). Never linked to your votes. Private by default — you can optionally show it on your public profile. | Consent |
| Referral source & intent (optional) | How you found Peakd and what you use it for. Internal analytics only — never shared externally or shown publicly. | Consent |
| Payment data | Processed by Stripe. We store subscription status only — never card numbers. | Contract |
3. What We Do NOT Collect
- We do not use third-party analytics (no Google Analytics, no Meta Pixel)
- We do not sell, rent, or share personal data with advertisers
- We do not track you across other websites
- We do not use cookies for advertising purposes
- We do not perform automated decision-making or profiling that affects your rights
3b. Automated Entity Data Collection
Peakd uses automated tools to collect and enrich publicly available information about entities (products, companies, services, places, etc.) from:
- Public websites and their metadata (titles, descriptions, images)
- Public APIs (Wikipedia, Open Library, MusicBrainz, TMDB, Product Hunt, GitHub)
- Publicly accessible company pages and documentation
This data consists of publicly available factual information about organisations, products, and services — not personal data about individuals. It includes names, descriptions, logos, pricing, categories, and official links that are already publicly accessible on the internet.
If you represent an entity listed on Peakd and believe any information is inaccurate or should be removed:
- Use the Suggest Edit feature on any entity page to propose corrections
- Use the Claim feature to verify ownership and gain management access
- Submit a removal request for content you want taken down
- Contact us at our contact page for urgent matters
4. Cookies & Local Storage
We use:
- peakd_token (httpOnly cookie) — Authentication. Essential for keeping you logged in. Secure, not accessible to JavaScript. Expires after 24 hours (automatically refreshed).
- peakd_refresh (httpOnly cookie) — Refresh token. Used to silently renew your session without requiring re-login. Secure, not accessible to JavaScript. Expires after 7 days. Rotated on each use (old token invalidated).
- localStorage — stores your theme preference, cookie consent choice, interests, and a device fingerprint (a non-reversible hash derived from screen size, timezone, and browser settings — used for vote fraud detection only, never for advertising). Essential for site function.
- sessionStorage — stores ad draft data temporarily. Cleared when browser tab closes.
- OAuth state cookies — temporary, used during Google/GitHub login flow only. Deleted after login completes.
- peakd_country (cookie) — Stores your detected or selected country (ISO code, e.g. "GB"). Used to personalise rankings and show country-relevant content first. Derived from your IP address via Cloudflare's geo-detection on first visit. You can change this anytime via the country selector, or clear it to browse globally. No precise location or IP address is stored.
- Stripe — Stripe may set its own cookies during payment checkout. See Stripe's privacy policy.
We do not use third-party analytics cookies or advertising tracking pixels.
5. How We Process Data
- Rankings — Your votes are aggregated into entity scores. Individual votes are not attributed on entity pages, but your rating history is visible on your public profile unless you enable private mode in Settings.
- AI processing — Entity descriptions may be processed by AI models (running locally, not sent to third-party APIs) for categorisation and enrichment. No personal data is processed by AI.
- View tracking — IP addresses are hashed (one-way, irreversible) before storage. We cannot identify you from view records.
- Vote integrity — A device fingerprint (hash of screen size, timezone, platform, and browser settings) is stored alongside votes. This allows us to detect when multiple accounts are being used from the same device to manipulate rankings. The fingerprint cannot identify you personally — it identifies a device configuration. It is never shared with third parties or used for advertising.
- Session caching — Your session status is temporarily cached in server memory for up to 5 minutes to improve performance. No additional personal data is stored, and cached data is automatically purged.
- Promotions — Ad impression counts are incremented anonymously. We do not share visitor data with advertisers. Advertisers may choose to target their ads to specific countries — this filtering uses your detected country code (from Cloudflare, already stored in your peakd_country cookie). No additional personal data is collected for ad targeting, and no personal data is ever shared with advertisers. Advertisers only see aggregate statistics (total impressions and clicks by country).
6. Data Retention
| Data | Retention |
|---|---|
| Account data | Until you delete your account |
| Votes & comments | Until you delete your account (cascade deleted) |
| Vote history (score changes) | Until you delete your account (cascade deleted) |
| View records | 90 days (auto-purged) |
| Device fingerprints (on votes) | Until you delete your account (cascade deleted with votes) |
| 2FA secret & backup codes | Until you disable 2FA or delete your account (immediately wiped) |
| Session data (device/browser) | Until you sign out or delete from Settings |
| Ranking snapshots | Indefinite (aggregate entity scores, used for historical charts — no personal data) |
| Audit logs | 1 year (records: account actions, claims, moderation decisions, system operations. Includes user ID and IP.) |
| Submission drafts | 30 days (auto-expired) |
| Ad promotion data | 2 years after exhaustion |
7. Your Rights
Depending on your location, you have the following rights:
All users:
- Access — Request a copy of all data we hold about you
- Deletion — Delete your account and all associated data (Settings → Delete account)
- Correction — Update your profile information at any time
- Portability — Request your data in machine-readable format
EU/UK residents (GDPR / UK GDPR):
- Right to restrict processing
- Right to object to processing based on legitimate interest
- Right to withdraw consent at any time
- Right to lodge a complaint with your local Data Protection Authority (e.g. ICO in the UK)
California residents (CCPA/CPRA):
- Right to know what personal information is collected and how it's used
- Right to delete personal information
- Right to opt-out of sale/sharing — we do NOT sell or share your data
- Right to non-discrimination for exercising these rights
Canadian residents (PIPEDA):
- Right to access and challenge accuracy of your personal information
- Right to withdraw consent (account deletion)
Brazilian residents (LGPD):
- Right to confirmation of processing, access, correction, anonymisation, deletion
- Right to information about public/private entities with whom data is shared
- Right to revoke consent
Australian residents (Privacy Act 1988):
- Right to access and correct your personal information (APP 12 & 13)
- Right to complain to the Office of the Australian Information Commissioner (OAIC)
- We do not transfer data outside Australia without adequate protections
New Zealand residents (Privacy Act 2020):
- Right to access, correct, and request deletion of personal information
- Right to complain to the Office of the Privacy Commissioner
To exercise any right, use our contact form, email [email protected], or the account deletion feature in your profile settings. We respond within 30 days.
8. Data Sharing
We share data only in these cases:
- Infrastructure providers — Hosting (AWS), database, CDN. They process data on our behalf under data processing agreements.
- Legal requirements — If required by law, court order, or to protect safety.
- Aggregated/anonymous data — Public rankings and statistics contain no personal information.
We do NOT share personal data with advertisers, entity owners, or third-party analytics providers.
9. Data Location & International Transfers
Your data is stored on servers operated by our cloud hosting provider. Servers may be located in any region worldwide, selected based on performance and cost. Data may be processed in any country where our infrastructure providers and operators reside.
- Hosting & database — Cloud infrastructure provider. Region selected for optimal cost and performance; may change over time.
- Payments — Third-party payment processor. Payment data is processed under their own privacy policy and data processing agreement. We never store card numbers.
- Email — Transactional email service provider.
- Image & file storage — Cloud storage provider (global edge network).
- Operators — Our team may access data from locations worldwide for support, moderation, and maintenance purposes.
Where data is transferred outside the United Kingdom or European Economic Area, we rely on Standard Contractual Clauses (SCCs), adequacy decisions, or other approved transfer mechanisms to ensure your data remains protected under applicable data protection law.
By using Peakd, you acknowledge that your data may be processed outside your country of residence.
10. Security
- Passwords are hashed with industry-standard algorithms (never stored in plaintext)
- IP addresses are hashed before storage (irreversible)
- All connections use HTTPS/TLS encryption
- Database access is restricted and audited
- JWT tokens expire and are stored client-side only
11. Children
Peakd is not intended for users under 13. We do not knowingly collect personal data from children under 13. Users aged 13-17 may use the platform with parental/guardian consent. If you believe a child under 13 has created an account, contact us and we will delete it promptly.
12. Changes to This Policy
We may update this policy. Material changes will be communicated via email or a site notice. Continued use after changes constitutes acceptance.
13. Contact
For privacy inquiries, data requests, or complaints:
Peakd Data Protection
Contact: peakd.io/contact