TrailSpark

Privacy Policy

Last updated: March 2026

TrailSpark ("we", "us", "our") operates the TrailSpark mobile application and the trailspark.com website (collectively, the "Service"). This Privacy Policy explains what data we collect, how we use it, and your rights.

1. Information we collect

Account information

When you register, we collect your email address, display name, and password. Your password is stored using a one-way cryptographic hash (bcrypt) — we never store or have access to your plaintext password.

Activity and location data

When you record an activity (run, hike, cycle), we collect GPS coordinates, timestamps, distance, elevation, and pace data. When you generate routes, we receive your starting location. This data is essential to provide the core functionality of the Service.

Device and usage data

We collect device type, operating system version, and app version for debugging and improving the Service. We do not use third-party analytics or advertising SDKs.

Cookies

Our website uses a single functional cookie (NEXT_LOCALE) to remember your language preference. We do not use tracking cookies or third-party advertising cookies.

2. How we use your data

We use your data to: generate personalized route suggestions based on your preferences and location; record and display your activities; enable social features (public profile, sharing routes); sync routes to connected third-party services (e.g. Garmin Connect) when you explicitly authorize it; send transactional emails (account verification, password reset); and improve the reliability and performance of the Service.

3. Third-party services

We share data with third parties only as necessary to operate the Service:

  • MapTiler — provides map tiles. Your device requests tiles directly from MapTiler's servers, which may log IP addresses per their own privacy policy.
  • Garmin Connect — if you choose to link your Garmin account, we store an OAuth access token and refresh token to push courses to your Garmin Connect account. We access only the Courses API scope. You can disconnect Garmin at any time from your account settings, which immediately deletes your stored tokens.
  • Resend — delivers transactional emails on our behalf. Your email address is shared with Resend solely for this purpose.

We never sell, rent, or trade your personal data to third parties for marketing or advertising purposes.

4. Data security

All communication between your device and our servers is encrypted via TLS (HTTPS). Passwords are hashed with bcrypt. Authentication uses short-lived JWT tokens with automatic refresh. Our servers are hosted in the EU (Hetzner, Germany). Access to production systems is restricted to authorized personnel only.

5. Your rights

Under the GDPR and similar data protection laws, you have the right to:

  • Access — request a copy of all personal data we hold about you.
  • Correction — update or correct inaccurate personal data.
  • Deletion — delete your account and all associated data from your account settings. Upon deletion, your data is permanently removed within 30 days.
  • Portability — export your routes and activities in standard formats (GPX, FIT).
  • Restriction — request that we limit processing of your data.
  • Objection — object to processing of your data for specific purposes.

6. Data retention

We retain your data for as long as your account is active. If you delete your account, all personal data (profile, activities, routes, preferences, connected service tokens) is permanently erased within 30 days. Server logs containing IP addresses are automatically rotated and deleted after 90 days.

7. Children's privacy

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

8. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or an in-app notice. The "Last updated" date at the top reflects the most recent revision.

9. Contact

If you have questions about this Privacy Policy or wish to exercise your rights, email us at privacy@trailspark.com.
