TrailSpark

Privacy Policy

Last updated: March 2026

TrailSpark ("we", "us", "our") operates the TrailSpark mobile application and the trailspark.com website (collectively, the "Service"). This Privacy Policy explains what data we collect, how we use it, and your rights.

1. Information we collect

Account information

When you register, we collect your email address, display name, and password. Your password is stored using a one-way cryptographic hash (bcrypt) — we never store or have access to your plaintext password. If you sign in with Google or Apple, we receive your name and email address from the provider. We do not receive or store your Google or Apple password.

Activity and location data

When you record an activity (run, hike, cycle), we collect GPS coordinates, timestamps, distance, elevation, and pace data. When you generate routes, we receive your starting location. GPS location data is processed on our servers to generate routes and is stored when you save a route or record an activity. We do not continuously track your location outside of active route generation or activity recording.

Push notification tokens

If you enable push notifications, we store a device token provided by Apple (APNs) or Google (FCM) to deliver notifications such as new followers, kudos, and activity comments. You can disable push notifications at any time in your device settings, which stops delivery. Stored tokens are deleted when you log out or delete your account.

Device and usage data

We collect device type, operating system version, and app version for debugging and improving the Service. Crash reports are collected via Sentry to diagnose and fix bugs. We use self-hosted Umami analytics on our website to understand usage patterns; Umami does not use cookies, does not track individuals across sites, and all data is stored on our own EU-based servers. We do not use third-party advertising SDKs.

Offline map telemetry

When you download offline map packages, we record the region, tile count, and download status for service reliability monitoring. This telemetry does not include your location or any personal data beyond your user ID.

Cookies

Our website uses a single functional cookie (NEXT_LOCALE) to remember your language preference. We do not use tracking cookies or third-party advertising cookies.

2. How we use your data

We use your data to: generate personalized route suggestions based on your preferences and location; record and display your activities; enable social features (public profile, sharing routes); sync routes to connected third-party services (e.g. Garmin Connect) when you explicitly authorize it; send transactional emails (account verification, password reset); and improve the reliability and performance of the Service.

3. Third-party services

We share data with third parties only as necessary to operate the Service:

  • MapTiler — provides map tiles. Your device requests tiles directly from MapTiler's servers, which may log IP addresses per their own privacy policy.
  • Garmin Connect — if you choose to link your Garmin account, we store an OAuth access token and refresh token to push courses to your Garmin Connect account. We access only the Courses API scope. You can disconnect Garmin at any time from your account settings, which immediately deletes your stored tokens.
  • Resend — delivers transactional emails on our behalf. Your email address is shared with Resend solely for this purpose.
  • Firebase Cloud Messaging (Google) — delivers push notifications to your device. Your device token is shared with Firebase solely for notification delivery. We do not use Firebase Analytics or any other Firebase services.
  • Sentry — processes crash reports to help us diagnose and fix bugs. Crash data may include device type, OS version, and stack traces but does not include your GPS data or personal content.
  • Google Sign-In / Apple Sign-In — if you choose to sign in with Google or Apple, authentication is handled by the respective provider. We receive only your name and email address; we do not access your contacts, calendar, or any other account data.

We never sell, rent, or trade your personal data to third parties for marketing or advertising purposes.

4. Data security

All communication between your device and our servers is encrypted via TLS (HTTPS). Passwords are hashed with bcrypt. Authentication uses short-lived JWT tokens with automatic refresh. Our servers are hosted in the EU (Hetzner, Germany). Access to production systems is restricted to authorized personnel only.

5. Your rights

Under the GDPR and similar data protection laws, you have the right to:

  • Access — request a copy of all personal data we hold about you.
  • Correction — update or correct inaccurate personal data.
  • Deletion — delete your account and all associated data from your account settings. Upon deletion, your data is permanently removed within 30 days.
  • Portability — export your routes and activities in standard formats (GPX, FIT).
  • Restriction — request that we limit processing of your data.
  • Objection — object to processing of your data for specific purposes.

6. Data retention

We retain your data for as long as your account is active. If you delete your account, all personal data (profile, activities, routes, preferences, connected service tokens) is permanently erased within 30 days. Server logs containing IP addresses are automatically rotated and deleted after 90 days.

7. Children's privacy

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

8. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or an in-app notice. The "Last updated" date at the top reflects the most recent revision.

9. Contact

If you have questions about this Privacy Policy or wish to exercise your rights, email us at privacy@trailspark.com.

Privacy Policy — TrailSpark