Privacy Policy
Last updated: June 10, 2026
1. Who we are
Peaklist ("we," "us," or "our") operates the website at https://peaklist.vercel.app — a universal media-tracking and community platform covering anime, manga, manhwa, games, visual novels, movies, TV, books, novels, and music. For data-protection purposes, Peaklist is the data controller.
Questions or requests: privacy@peaklist.app
2. What data we collect
Account data — when you register we collect your email address, chosen username, and (optionally) a display name and profile picture. We use Better Auth for authentication; passwords are hashed and never stored in plain text. If you sign in via Google or Discord, we receive only the public profile fields those providers share (name, email, avatar).
List and activity data — everything you add to your list, scores, reviews, comments, AMV submissions, forum posts, and club activity. This data is stored on our servers and is necessary to provide the service.
AniList / CSV import data — if you import your existing list from AniList or a CSV file, we process that data to populate your Peaklist. We do not store your AniList password; OAuth is used for the connection.
Usage and analytics data — we use two analytics services:
- Vercel Analytics — privacy-first, cookie-free pageview counting and Web Vitals (page speed). No personal identifiers are attached. See Vercel's privacy policy.
- PostHog— product behaviour analytics (which features are used, where users drop off). Hosted on PostHog's EU cloud; your data stays in the European Economic Area. All form inputs are masked — we never record passwords, messages, or personal notes. Session replay is enabled with masking. You are identified by your internal user ID, never your email. See PostHog's privacy policy.
File uploads — profile pictures and other media you upload are stored via UploadThing (a file-hosting service). Files are served from their CDN.
Log data — like most web services, our servers automatically record IP addresses, browser user-agent, and request timestamps in server logs. Logs are retained for up to 30 days.
3. How we use your data
- To provide and operate the Peaklist service
- To authenticate you and keep your account secure
- To send transactional emails (account verification, password reset) via Resend
- To improve the product using aggregated, anonymised usage data
- To generate personalised recommendations based on your list
- To display your public profile, list, and activity to other users (subject to your privacy settings)
We do not sell your data to third parties. We do not use your data for advertising targeting.
4. Legal basis (GDPR)
For users in the EEA / UK:
- Contract — processing your account and list data to fulfil the service you signed up for (Art. 6(1)(b))
- Legitimate interests — analytics and security logging, where our interest in operating a safe and improving service is not overridden by your rights (Art. 6(1)(f))
- Consent — any optional features where we ask for permission before collecting data
5. Cookies and local storage
We use cookies for authentication sessions (HttpOnly, Secure, SameSite=Lax). No third-party advertising cookies are set.
We use localStorage for your theme preference and enabled-format choices. This data never leaves your device.
PostHog uses a first-party cookie or localStorage for session continuity. You can opt out by contacting us or clearing site data in your browser.
6. Data sharing
We share data only with the following sub-processors, strictly to provide the service:
- Vercel — hosting and edge compute (US/EU)
- Neon / Supabase — PostgreSQL database (EU)
- Resend — transactional email
- UploadThing — file storage
- PostHog — product analytics (EU cloud)
- Upstash — message queue for background jobs
- Ably — real-time notifications
No data is shared with data brokers or marketing platforms.
7. Your rights
Under GDPR (and similar laws), you have the right to:
- Access — request a copy of the data we hold about you
- Rectification — correct inaccurate data (most fields editable in Settings)
- Erasure — request deletion of your account and associated data
- Portability — export your list as CSV via Settings → Import/Export
- Object / Restrict — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent, withdraw at any time
To exercise any right, email privacy@peaklist.app. We will respond within 30 days.
8. Data retention
We retain your account and list data for as long as your account is active. If you delete your account, your personal data is deleted within 30 days. Server logs are deleted after 30 days. Anonymised, aggregated analytics data may be retained indefinitely.
9. Children
Peaklist is not directed at children under 13 (or under 16 in the EEA). We do not knowingly collect personal data from children. If you believe a child has registered, please contact us and we will delete the account promptly.
10. Changes to this policy
We may update this policy when our practices change. For material changes, we will post a notice in the app. The "last updated" date at the top always reflects the current version.
11. Contact
Data controller: Peaklist
Email: privacy@peaklist.app
If you are in the EEA and believe we have not addressed your concern, you have the right to lodge a complaint with your local data protection authority.