Privacy Policy

1. What We Collect

Summit collects only the data needed to provide the app experience. Here is what we store:

• Email address — used for authentication and account management (signing in, password resets)
• Display name — shown to your group members
• Avatar image (optional) — stored in Supabase Storage if you upload one
• Group names — the names of groups you create or join
• Goal text and completion status — the goals you set and whether you mark them complete
• Reflection and entry text — any free-text entries you write during a summit period

We do not collect payment information, location data, or device identifiers beyond what Supabase authentication logs by default (IP address and browser/device user-agent at sign-in).

2. How We Use Your Data

Your data is used solely to provide the Summit app experience: displaying your entries to your group members and syncing your data across your devices. We will never sell, rent, or share your data with third parties. We do not use your data for advertising, analytics profiling, or AI model training.

3. Who Can See Your Data

Only members of your group(s) can see your entries, goals, and reflections. Group membership requires an explicit invite link — nobody can join your group without one.

We (the developers) have access to the database for debugging and support purposes, limited to the minimum necessary. We do not browse user content as a matter of practice.

4. Data Storage

Summit is hosted on Supabase (AWS infrastructure, US region). Your data is encrypted at rest (AES-256) and in transit (TLS 1.2+). We enforce Row-Level Security at the database level, which means even direct database queries respect group membership boundaries.

5. Data Retention and Deletion

During the beta period, you can request account deletion by contacting us at the email below. When your account is deleted:

• Your authentication record, user profile, and group memberships are permanently removed.
• Your free-text entries and reflections are permanently deleted.
• Goal items you created are preserved with your name removed, so your group's shared history remains intact.

Note: database backups may retain your data for a limited time after deletion. We plan to add in-app account deletion before public launch.

6. Third-Party Services

Summit relies on the following services:

• Supabase — database, authentication, and file storage
• Vercel — web hosting (this website and invite pages)
• Apple — app distribution via TestFlight (beta) and the App Store

We do not use analytics SDKs, ad networks, or tracking pixels.

7. Children

Summit is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us with data, please contact us and we will remove it.

8. Changes to This Policy

We may update this privacy policy from time to time. When we do, we will update the “Last updated” date at the top of this page. For material changes that affect how your data is collected or used, we will notify you in the app.

9. Contact

If you have questions about this privacy policy or your data, contact us at privacy@tothesummit.club.