Privacy Policy
Last updated: 17 May 2026
Peak Athlete ("Peak Athlete", "we", "our") is a sports-performance management platform for Indian schools, operated by Athlosys Sports Private Limited ("Athlosys"), a company incorporated in India with its registered office in Goa, India.
This policy explains what personal data we process, why we process it, how it is protected, and the rights you hold under the Digital Personal Data Protection Act, 2023 ("DPDP Act"). It applies to school administrators, PE teachers, scouts, students, parents, and any other person whose data passes through the platform.
1. Who is the Data Fiduciary?
For data collected through Peak Athlete, the participating school is the primary Data Fiduciary with respect to its students' data. Athlosys acts as the Data Processor on the school's behalf, processing data only on documented instructions and only for the purposes set out in this policy.
For data you provide directly (an administrator's contact details, a PE teacher's account, a scout's registration, a parent's consent record), Athlosys acts as the Data Fiduciary.
2. What we collect
The platform stores the following categories of personal data:
- Account data — name, email, role (super-admin, school admin, PE teacher, student/parent, scout), phone number (optional), avatar image (optional), short bio (optional), and the school you are associated with.
- Student profile data — name, class, section, gender, age, date-of-birth (where provided), and the school the student belongs to.
- Biometric measurements — height, weight, arm span, wing span, leg span. Used for the Physical Profile Score (PPS) and sport-fit analysis.
- Medical observations — resting heart rate, blood pressure, haemoglobin, blood glucose, ferritin, CRP, vitamin D₃ (where the school chooses to capture them), ongoing conditions, ongoing treatments. Used solely for the Medical Safety Signals feature and the school's clearance workflow.
- Performance data — quarterly assessment metrics (speed, agility, reaction time, endurance, vertical jump, standing broad jump, coordination, flexibility) and derived Athletic Potential Rating (APR) scores.
- Authentication data — encrypted password hashes (we never see your password in plaintext), session tokens, password-reset and account-status records, and invitation tokens.
- Audit and operational data — timestamps and actor identifiers for every meaningful action on the platform, IP addresses and user-agent strings for security events, and error diagnostics captured when something goes wrong.
3. Children's data
A material proportion of the data we process belongs to children (students under 18). Under the DPDP Act, processing of a child's personal data requires verifiable consent from a parent or lawful guardian. We do not undertake any processing likely to cause a detrimental effect on a child, nor any tracking, behavioural monitoring, or targeted advertising directed at children.
Schools are responsible for obtaining the requisite parental consent before adding a student to the platform. Parents may at any time request a copy of their child's data, request correction or erasure, or withdraw consent, by contacting the school or our Grievance Officer (section 11).
4. Lawful basis for processing
- Consent — for student data (collected by the school from parents) and for marketing-style communications.
- Performance of a contract — to provide the platform to schools that have engaged Athlosys.
- Legitimate uses permitted under the DPDP Act — security, fraud prevention, statutory compliance.
5. How we use the data
- To compute APR scores, PPS profiles, and per-student progress reports.
- To raise medical-safety signals so that a school administrator can review them before clearance.
- To allow PE teachers to capture assessments offline and synchronise the data when connectivity is restored.
- To allow verified scouts, where the school has enabled this feature, to discover athletes within explicit consent boundaries.
- To send transactional emails (invitations, password resets, status changes).
- To operate, secure, debug, and improve the platform — including aggregated and anonymised analytics that cannot be used to re-identify any individual.
6. How we share the data
We do not sell personal data. We share it only with the categories of recipient listed below, and only as required to operate the platform:
- Within the school — administrators and PE teachers of the same school can view the student data they need for their role.
- To parents — through the student/parent surface, restricted to their own child's record.
- To verified scouts — only after the school enables scout discovery and only within the consent and audit boundaries the school configures.
- To our sub-processors — infrastructure providers such as Supabase (database, authentication, storage), Vercel (web hosting), Resend (transactional email), and Sentry (error monitoring, with medical and biometric fields scrubbed before any event leaves the browser). Each sub-processor is bound by confidentiality and data-protection obligations.
- When required by law — to comply with a valid order from a competent authority in India.
7. Data residency and transfers
Personal data is processed and stored in regions configured by our infrastructure providers. Where data crosses an international border, it does so subject to appropriate safeguards and only as permitted by the DPDP Act and any rules notified under it.
8. How we secure the data
- Encryption in transit (HTTPS / TLS) and encryption at rest at the database layer.
- Row-Level Security in the database, enforcing role-aware access so a school administrator cannot read another school's data.
- Audit log capturing every meaningful action — who, what, when — so incidents can be reconstructed.
- Medical and biometric field scrubbing in our error-reporting pipeline, so this data never leaves the browser in an error event, even when uncaught errors occur.
- Mandatory password rotation for administrator-issued temporary passwords on first sign-in.
9. How long we keep the data
We retain personal data for as long as the school's engagement with Peak Athlete is active, plus a limited period thereafter to satisfy legal, accounting, and dispute-resolution obligations. Where a parent or school requests deletion, we honour the request subject to those legal-retention obligations.
10. Your rights
Under the DPDP Act you have the right to:
- obtain confirmation of, and a summary of, the personal data we process;
- correct, complete, or update inaccurate or incomplete data;
- erase personal data that is no longer necessary for the stated purpose;
- nominate another individual to exercise these rights on your behalf;
- raise a grievance with our Grievance Officer (section 11); and
- approach the Data Protection Board of India if you believe your rights have been violated.
11. Grievance Officer
For any question about this policy or to exercise your rights, please contact:
- Athlosys Sports Private Limited
- Goa, India
- Email: privacy@peakathlete.in
We aim to acknowledge grievances within seven (7) business days and to resolve them within thirty (30) days of receipt.
12. Cookies and similar technologies
We use a small number of strictly necessary cookies and browser-storage items to keep you signed in, remember your light/dark theme preference, and store offline assessment data on a PE teacher's device until it can be synchronised to the server. We do not use third-party advertising cookies and we do not track you across other websites.
13. Changes to this policy
When we change this policy we update the "Last updated" date at the top and, for material changes, notify affected users by email or through an in-app banner. Continued use of the platform after the effective date of a change constitutes acceptance of the revised policy.