Privacy Policy

Last updated: 2026-04-17

1. Data Controller & Contact

The data controller responsible for your personal data is Raúl Ocaña Alcaide, operating under the trademark Startup Creator Art, with tax identification number ES15432143V, located at Calle Venegas 9, 4B; 35003 - Las Palmas de Gran Canaria.

For any privacy-related inquiries, you can contact us at hello@peeklit.com.

2. Information We Collect

Information you provide

  • Email address and profile information provided during authentication via WorkOS
  • Any additional information you voluntarily provide when using the service

Information collected automatically

  • IP address (anonymized for analytics)
  • Browser type and version
  • Operating system
  • Pages visited and interactions with the service
  • Referring URL and access timestamps

Information collected from link viewers

When someone opens a link shared through Peeklit, we automatically collect the following data on behalf of the link sender:

  • Approximate location (city and country), derived from your IP address
  • Browser type and operating system
  • Date and time of viewing
  • Whether and when you opened the link
  • For documents: which pages you viewed, how long you spent on each page, and your overall completion rate (percentage of pages seen)
  • A pseudonymized visitor identifier (a cryptographic hash of your IP address and browser information) used to distinguish unique viewers — this cannot be reversed to identify you personally

Link viewers do not need to create an account. However, the sender may require you to provide your email address before accessing the document. No cookies are stored on the viewer's device during viewing. The person who shared the link is the data controller for this information; Peeklit processes it on their behalf as a data processor.

3. Purposes & Legal Basis (GDPR)

Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds:

PurposeLegal BasisDetails
Account creation and managementContract performance (Art. 6(1)(b))Necessary to provide the service you signed up for
Error monitoring and stabilityLegitimate interest (Art. 6(1)(f))Via Sentry to maintain service reliability
Personalized analytics and usage insightsConsent (Art. 6(1)(a))Via PostHog with your explicit consent. Includes identified session tracking, feature usage patterns, and user journey analysis. Only active when you accept analytics cookies.
Aggregate audience measurementLegitimate interest (Art. 6(1)(f))We collect anonymous, aggregate statistics about site usage (page views, browser type, country) to understand overall service performance. No cookies are stored, no persistent identifiers are created, and no individual user can be identified.
Link viewer analytics (on behalf of the sender)Legitimate interest (Art. 6(1)(f))When someone opens a link shared via Peeklit, we collect viewing data (approximate location, device type, the fact that the link was opened, and for documents: which pages were viewed and time spent per page) on behalf of the sender. The sender has a legitimate interest in knowing whether and how their shared content was engaged with. No cookies are stored on the viewer's device. Viewers may request deletion of their data.

4. Data Sharing & Recipients

We share your data only with the following third-party service providers, each acting as a data processor under appropriate agreements:

  • WorkOS — Authentication and identity management
  • MongoDB Atlas — Database and backend infrastructure
  • PostHog — Product analytics (personalized insights with consent; anonymous aggregate measurement under legitimate interest)
  • Sentry — Error tracking and performance monitoring
  • Resend — Transactional email delivery

We do not sell your personal data to any third party.

5. International Data Transfers

We strive to keep your data within the European Economic Area (EEA) whenever possible:

  • PostHog hosted in the EU, no transfer outside the EEA
  • Sentry hosted in the EU, no transfer outside the EEA
  • MongoDB Atlas hosted in the EU, no transfer outside the EEA
  • Resend hosted in the EU, no transfer outside the EEA
  • WorkOS US-based; transfers are protected under the EU-US Data Privacy Framework

6. Cookies

We use cookies and similar technologies to operate and improve our service. For a detailed breakdown of which cookies we use and their purposes, please refer to our Cookie Policy.

Your cookie consent is stored server-side with a timestamp to ensure we can demonstrate valid consent as required by GDPR Article 7(1).

7. Data Retention

  • Account data: retained for as long as your account is active
  • Analytics data: retained according to PostHog's data retention policy
  • Error tracking data: retained by Sentry for 90 days
  • Link viewer data (including any email address provided through the sender's access gate): retained for as long as the associated link exists. The sender may delete the link and its viewer data at any time. Viewers may also request deletion by contacting us
  • Upon account deletion: all personal data is deleted within 30 days of your request. Billing and financial records may be retained for up to 5 years to comply with applicable tax and accounting obligations.

8. Your Rights (GDPR)

If you are located in the European Economic Area, you have the following rights under the GDPR:

  • Right of access obtain a copy of your personal data
  • Right to rectification correct inaccurate or incomplete data
  • Right to erasure request deletion of your personal data
  • Right to restriction limit how we process your data
  • Right to data portability receive your data in a structured, machine-readable format
  • Right to object object to processing based on legitimate interest
  • Right to withdraw consent withdraw consent at any time without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at legal@peeklit.com. We will respond within 30 days.

9. Your Rights (CCPA/California)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to know what personal information we collect, use, and disclose
  • Right to delete request deletion of your personal information
  • Right to correct correct inaccurate personal information
  • Right to opt-out opt out of the sale or sharing of personal information (we do not sell your data)
  • Right to non-discrimination we will not discriminate against you for exercising your privacy rights

10. Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the AEPD (Agencia Española de Protección de Datos), the supervisory authority in Spain.

11. Children's Privacy

Peeklit is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through a prominent notice on our service. Your continued use of Peeklit after such changes constitutes your acceptance of the updated policy.

13. Contact

For any questions about this Privacy Policy or our data practices, please contact us at hello@peeklit.com.