Privacy Policy

Peak Elephant Privacy Policy

Effective date: 2026-05-19 Last updated: 2026-05-19

This Privacy Policy describes how Peak Elephant LLC ("Peak Elephant," "we," "us," or "our") collects, uses, discloses, retains, and protects personal data when you use the Peak Elephant service at https://www.peakelephant.com and any related applications, APIs, mobile apps, and integrations (collectively, the "Service").

Peak Elephant is a B2B project-management platform organized around multi-tenant organization workspaces. An organization owns its workspace and the content inside it; individual users contribute to that workspace. This dual structure is important for understanding how we handle data, and is described throughout this policy.

1. Who we are and how to contact us

Controller (for users of the Service who are not contributing to an organization other than their own) and processor (for users contributing to a customer organization):

Peak Elephant LLC 601 High St NE Albuquerque, NM 87102, USA

Privacy contact: privacy@peakelephant.com

Availability in the EEA, the United Kingdom, and Switzerland: Peak Elephant does not currently offer the Service to, or accept signups from, data subjects established in the European Economic Area, the United Kingdom, or Switzerland. The Service enforces this restriction at signup. We have therefore not appointed an EU Article 27 representative or a UK GDPR representative. Before we begin offering the Service in those regions, we will (a) appoint a representative under GDPR Article 27 (and the equivalent under the UK GDPR), (b) implement the transfer mechanisms set out in our Data Processing Agreement, and (c) update this Privacy Policy accordingly. If you believe you have created an account from one of these regions, please contact privacy@peakelephant.com so we can close the account and erase any associated personal data.

Data Protection Officer (DPO): None. We have determined that we are not required to appoint a DPO under GDPR Article 37. The privacy contact above handles all data-subject requests and supervisory-authority correspondence.

2. Scope

This policy applies to:

• Personal data of end users who sign up for personal accounts.
• Personal data of organization admins and members who use a customer organization workspace.
• Personal data we receive about individuals from third parties (for example, a colleague who invites you, an OAuth provider, or a CRM integration).
• Personal data of visitors to https://www.peakelephant.com and our marketing pages.

It does not govern:

• The third-party services you integrate with (Google Calendar, Microsoft 365, HubSpot, Salesforce, Stripe Checkout, etc.) — those have their own policies.
• Customer Content that is processed on behalf of a customer organization. For that processing, the customer organization is the data controller and Peak Elephant is the processor; the customer organization is responsible for the lawful basis of processing of any personal data its members upload as Customer Content.

3. Categories of personal data we collect

We collect the following categories of personal data:

We do not intentionally collect special categories of personal data under GDPR Article 9 (such as health, biometric, or political-opinion data). We ask that you do not upload such data into the Service unless your organization has confirmed with us a lawful basis to do so.

4. Sources of personal data

We receive personal data:

• Directly from you when you sign up, complete onboarding, fill in your profile, configure billing, or use the Service.
• From organization admins who invite you into a workspace and may provide your name and email to send the invitation.
• From other organization members when they mention, tag, assign, or comment on you.
• From integrations you authorize, such as Google Calendar, Microsoft Outlook, HubSpot, or Salesforce. We only receive what those integrations send based on the scopes you grant.
• From our subprocessors for the purposes for which we engaged them (for example, Stripe sends us a customer ID and the last 4 digits of the card; Mailtrap sends us delivery and bounce events).
• From cookies, SDKs, and server logs, as described in Section 9.

5. Purposes of processing and legal bases under GDPR

The table below describes the purposes for which we process your personal data and the GDPR legal basis for each purpose. Where we rely on legitimate interest, we have completed a balancing test and documented the specific interest.

We never use AI features to make decisions that produce legal or similarly significant effects about you (see Section 13).

6. Recipients and disclosure of personal data

We share personal data with the following categories of recipients:

• Employees, contractors, and advisors of Peak Elephant on a strict need-to-know basis, subject to confidentiality and least-privilege access controls.
• Subprocessors that provide infrastructure and services on our behalf — see our subprocessor list at https://www.peakelephant.com/subprocessors and at docs/legal/subprocessors.md in our repository. We bind each subprocessor with a data-processing agreement that contains the GDPR Article 28 obligations. For our own role as a processor on behalf of customer organizations, see the Peak Elephant Data Processing Agreement at docs/legal/dpa.md.
• Other members of your organization workspace. If you are part of an organization, your profile and your contributions are visible to other members of that workspace as designed.
• A successor entity in the event of a merger, acquisition, reorganization, financing, or asset sale. We will give notice before personal data becomes subject to a different privacy policy.
• Law enforcement, courts, regulators, or third parties when we are required by law, a binding court order, or a lawful subpoena, or when we have a good-faith belief that disclosure is necessary to investigate fraud or protect the safety of users or the public. We will narrow disclosures to what is legally required and, where lawful, notify affected users.

We do not sell personal data. We do not "share" personal data for cross-context behavioral advertising as those terms are defined in the California Consumer Privacy Act, as amended ("CCPA/CPRA"). We do not use Customer Content to train AI models that serve other customers.

7. International transfers

Peak Elephant is based in the United States, and our primary infrastructure (Supabase, Vercel) is operated from data centers in the United States. If you access the Service from outside the United States, your personal data will be transferred to and processed in the United States and in any other country where our subprocessors operate (see Section 1 and docs/legal/subprocessors.md).

EEA, UK, and Swiss data subjects: as described in Section 1, the Service is not currently offered to data subjects established in the EEA, the United Kingdom, or Switzerland. We do not knowingly Process personal data of individuals in those regions in our role as a controller. To the extent personal data of an EEA, UK, or Swiss data subject reaches the Service indirectly — for example, because a customer organization established outside those regions includes that data subject's information in Customer Content uploaded to a workspace — the customer organization is the controller of that data and is responsible for the lawful basis of the transfer; Peak Elephant acts only as a processor under our Data Processing Agreement.

Future-state SCCs (if we begin accepting EEA/UK/Swiss customers): If and when Peak Elephant begins offering the Service to data subjects in the EEA, the UK, or Switzerland, we will rely on the European Commission's Standard Contractual Clauses (Module 2 or Module 3 as applicable), the UK Addendum, and the Swiss-specific amendments, in each case as incorporated by reference into our Data Processing Agreement. We supplement those clauses with technical and organizational measures, including encryption in transit (TLS 1.2 or higher), encryption at rest (AES-256 or equivalent), strong access controls, and an obligation on each subprocessor to challenge unlawful government access requests.

8. Retention

We retain personal data only for as long as we need it for the purposes described in Section 5 and as required by law. The default retention schedule is:

• Active account — all data is retained for the life of the account.
• You cancel a personal account — your account enters a 30-day reactivation grace period. After grace expires, your personal identifiers (name, email, profile, avatar) are anonymized to "Former member." Your contributions to organization workspaces (tasks, comments, files, AI prompts) remain inside those workspaces, attributed to the anonymized identifier. This is necessary because the organization owns the workspace and needs continuity of work product.
• You file a GDPR Article 17 erasure request or a CCPA right-to-delete request — we replace your personal identifiers with a pseudonymous token. Contributions may remain in pseudonymized form where permitted by GDPR Recital 26 and applicable law. We will tell you what was deleted, what was pseudonymized, and what was retained under a legal exception, with the reason.
• Organization workspace closes with no remaining users — the workspace and all its data are deleted after a 30-day grace period.
• Backups — rotated out of our backup systems within 90 days. During that period, restoration from a backup would temporarily resurface deleted data, after which our retention pipeline re-applies the deletion.
• Audit and security logs — privileged-action audit logs are retained for up to seven (7) years in support of security investigations, account-takeover defense, and SOC 2 evidentiary requirements. Active (hot) audit-log storage is at least the most recent 12 months; older entries may be moved to colder, append-only archive storage with equivalent integrity controls.
• Billing records — retained as required by U.S. tax law (typically 7 years) and the equivalent requirements of any jurisdiction where you have purchased.
• Marketing-suppression list — if you unsubscribe, we retain your email on a suppression list indefinitely to honor your unsubscribe.
• Exceptions — legal hold, ongoing fraud or abuse investigations, or specific records required by tax, accounting, or other law are retained for the period required, then deleted or anonymized.

9. Cookies and tracking technologies

We use the following categories of cookies and similar technologies on https://www.peakelephant.com and inside the Service:

• Strictly necessary — sign-in session cookies, CSRF tokens, route-protection cookies. Cannot be disabled.
• Functional — preference cookies (theme, language) and onboarding-progress cookies.
• Analytics & performance — measure feature usage and detect errors to improve the Service. We avoid third-party analytics that profile users across the web.
• No advertising cookies. We do not run third-party advertising cookies on the Service.

Consent and management. On your first visit to https://www.peakelephant.com or to the Service from a browser that does not already have a recorded choice, we present a cookie consent banner at the bottom of the page. You can:

• Accept all — enables functional and analytics cookies in addition to strictly-necessary cookies.
• Reject non-essential — only strictly-necessary cookies are set.
• Customize — toggle the functional and analytics categories independently.

Your choice is stored locally in your browser (under the key pe-cookie-consent-v1 in localStorage) and applied on every subsequent visit from the same browser. To change your choice later, clear the pe-cookie-consent-v1 entry from your browser's site data (Application → Storage → Local Storage in most browser dev tools) and reload the page; the banner will reappear. Browser settings remain available as a secondary mechanism to manage cookies you have already accepted.

Global Privacy Control (GPC) and Do Not Track (DNT). We honor browser-level signals from the Global Privacy Control. When we detect a GPC signal, we treat it as an opt-out of any "sale" or "sharing" under California law (even though we do not sell or share personal data for cross-context behavioral advertising) and we automatically record a "reject non-essential" decision for the cookie banner without showing it. We do not currently respond to legacy DNT headers because there is no consensus on their meaning, but the practical effect is the same: we do not engage in cross-context behavioral advertising.

10. Your rights under GDPR (EEA, UK, Switzerland)

If you are in the EEA, the UK, or Switzerland, you have the following rights with respect to your personal data:

• Right of access (Art. 15) — confirm whether we process your personal data and obtain a copy.
• Right to rectification (Art. 16) — correct inaccurate or incomplete personal data.
• Right to erasure / "right to be forgotten" (Art. 17) — request deletion under the conditions in the article.
• Right to restriction of processing (Art. 18).
• Right to data portability (Art. 20) — receive your personal data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21), including to processing based on legitimate interest and to direct marketing (which is an absolute right).
• Right to withdraw consent (Art. 7(3)), where consent is the legal basis.
• Right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects (Art. 22). See Section 13.
• Right to lodge a complaint with the supervisory authority in your country of residence, place of work, or place of the alleged infringement (Art. 77).

To exercise any of these rights, contact privacy@peakelephant.com. We will respond within 30 days (extendable by 60 days for complex requests under Art. 12(3)). If you are a contributor to a customer organization, please be aware that the customer organization is the controller of Customer Content; in that case we will forward your request to the customer organization and assist them in responding under our Data Processing Agreement.

We may need to verify your identity before fulfilling a request. We will use the minimum information necessary to do so.

11. Your rights under U.S. State Privacy Laws

We grant U.S. residents the rights described in this Section 11 to the extent the applicable state's privacy law gives you those rights. Where a state law grants a right not listed here, we will honor it. We do not sell or "share" personal information for cross-context behavioral advertising in any state.

11.1 California (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

• Right to know what personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of recipients.
• Right to delete your personal information, subject to legal exceptions (for example, completing a transaction, security, legal compliance).
• Right to correct inaccurate personal information.
• Right to opt out of sale or sharing for cross-context behavioral advertising. We do not sell personal information and do not share it for cross-context behavioral advertising; we honor Global Privacy Control as an opt-out signal in any case.
• Right to limit the use of sensitive personal information. We do not use sensitive personal information for any purpose beyond providing the Service and the operational purposes permitted by 11 CCR § 7027(m).
• Right to non-discrimination for exercising your rights.
• Shine the Light (Cal. Civ. Code § 1798.83). We do not share personal information with third parties for those third parties' direct-marketing purposes.

11.2 Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Delaware, Indiana, New Jersey, New Hampshire, Maryland, Kentucky, Minnesota, and Rhode Island

If you are a resident of a U.S. state that has enacted a comprehensive consumer-privacy law — including, as of the effective date above, Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MTCDPA), Iowa (ICDPA), Tennessee (TIPA), Delaware (DPDPA), Indiana (INCDPA), New Jersey (NJDPA), New Hampshire (NHPA), Maryland (MODPA), Kentucky (KCDPA), Minnesota (MCDPA), and Rhode Island (RIDPA) — you have, at a minimum, the following rights with respect to your personal data:

• Right to confirm whether we Process your personal data and to access that data.
• Right to correct inaccuracies in your personal data.
• Right to delete your personal data.
• Right to obtain a copy of your personal data in a portable, readily usable format.
• Right to opt out of (i) targeted advertising, (ii) the sale of personal data, and (iii) profiling in furtherance of decisions that produce legal or similarly significant effects.

We do not engage in targeted advertising, do not sell personal data, and do not use profiling to make decisions that produce legal or similarly significant effects about you (see Section 13).

11.3 Right to appeal a denied request (VCDPA, CPA, CTDPA, and similar laws)

If we deny a rights request, in whole or in part, you may appeal that decision within sixty (60) days of receiving the denial by replying to the email in which we sent the denial, or by emailing privacy@peakelephant.com with the subject line "Privacy Rights Appeal". We will respond to your appeal within forty-five (45) days, identifying any action we are taking or, if we are denying the appeal, the reasons for the denial and the contact information for the supervisory authority in your state (for example, the Virginia Attorney General for VCDPA appeals, the Colorado Attorney General for CPA appeals, the Connecticut Attorney General for CTDPA appeals).

11.4 How to exercise these rights

To exercise the rights in this Section 11:

• Email privacy@peakelephant.com with the subject line "Privacy Rights Request," identifying the state under whose law you are exercising the right and the specific right you want to exercise; or
• Use the deletion-request flow inside your account settings (when available).

You may designate an authorized agent in writing to act on your behalf. We will verify both your identity and the agent's authorization using the minimum information necessary, consistent with each state's verification standard.

We retain the categories of personal information listed in Section 3 for the periods described in Section 8.

12. Children

The Service is not directed to children under 16, and we do not knowingly collect personal data from anyone under 16. During signup, we require users to confirm that they are at least 16 years old. If we learn that we have collected personal data from a person under 16 without parental consent (or, where applicable, the consent of an appropriate authority), we will delete that personal data. Parents and guardians who believe their child has provided personal data to us should contact privacy@peakelephant.com.

13. Automated decision-making and AI features

The Service includes AI-powered features that process Customer Content to generate suggestions, summaries, insights, and recommendations inside your workspace. We use subprocessors such as Anthropic (Claude) and OpenAI to perform inference. The subprocessor list at docs/legal/subprocessors.md lists what each model provider receives and where it is processed.

We do not make decisions about you that produce legal effects or similarly significant effects solely by automated means within the meaning of GDPR Article 22. All AI outputs are presented as suggestions for a human to review and act on. We do not use Customer Content to train AI models that serve other customers. Where a subprocessor offers a "no-training" option for API inputs, we use it.

You can learn more about how each AI subprocessor handles inputs in the subprocessor list and in that subprocessor's published documentation.

14. Security

We implement and maintain administrative, technical, and physical safeguards designed to protect personal data from unauthorized access, use, disclosure, alteration, and destruction. Our program includes:

• Encryption in transit — TLS 1.2 or higher for all client and inter-service traffic.
• Encryption at rest — AES-256 or equivalent for primary databases, object storage, and backups.
• Multi-factor-authentication-capable authentication for end users and required MFA for privileged staff access.
• Role-based access control and row-level security at the database layer to enforce tenant isolation between organization workspaces.
• Access reviews of staff with production access on a recurring basis, plus immediate revocation on role change.
• Audit logging of privileged actions (admin operations, key access, exports, deletions).
• Vulnerability management, including dependency scanning, periodic penetration testing, and a process to triage and remediate findings.
• Incident response with on-call rotation, runbooks, and post-incident reviews.
• Breach notification. If we determine that a personal-data breach is likely to result in a risk to the rights and freedoms of EEA/UK data subjects, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33, and we will notify affected data subjects without undue delay when Art. 34 requires us to. For other jurisdictions we will comply with the applicable breach-notification law. We will also notify customer organizations of breaches affecting their Customer Content under our Data Processing Agreement.

No system is perfectly secure. If you have any reason to believe your interaction with the Service is no longer secure, please contact us immediately at privacy@peakelephant.com.

15. Email and marketing communications

Transactional emails (account verification, password resets, billing receipts, security alerts, in-product notifications you have opted into) are sent on the basis of contract performance. You cannot opt out of transactional emails while your account remains active, except for in-product notifications that have explicit user-level toggles.

Marketing emails are sent on the basis of your consent. Every marketing email includes a working unsubscribe link and is sent from a verified sender. As required by the U.S. CAN-SPAM Act (15 U.S.C. § 7704), each marketing email includes our company name and registered postal address:

Peak Elephant LLC, 601 High St NE, Albuquerque, NM 87102, USA

After you unsubscribe, we will stop sending marketing emails. We retain your email on a suppression list to honor your unsubscribe.

For EEA/UK users, we comply with the e-Privacy Directive 2002/58/EC and the UK PECR for any direct marketing.

16. Changes to this policy

We may update this Privacy Policy from time to time. For material changes that adversely affect your rights, we will provide at least 30 days' advance notice by posting the updated policy and emailing the account email on file. Continued use of the Service after the effective date constitutes acceptance of the updated policy. The "Effective date" at the top of this policy reflects when the current version took effect.

17. Contacting us

Privacy questions or rights requests:

Peak Elephant LLC 601 High St NE Albuquerque, NM 87102, USA Email: privacy@peakelephant.com

If we have not responded to your inquiry within a reasonable time, or you believe we have not handled it properly, EEA/UK data subjects may lodge a complaint with their local supervisory authority. California residents may contact the California Privacy Protection Agency.