Data Processing Agreement

1. Definitions

In this Data Processing Agreement ("DPA"):

"Controller" refers to the individual user who determines the purposes and means of processing personal data through their use of the Service.
"Processor" refers to TrekFreely, which processes personal data on behalf of the Controller.
"Personal Data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
"Data Subject" means the individual to whom the Personal Data relates.
"Sub-Processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
"Applicable Data Protection Law" includes the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and any other applicable data protection legislation.

2. Scope and Purpose of Processing

This DPA applies when TrekFreely processes personal data on behalf of users in connection with:

Storing and managing trip plan data, including routes, destinations, and scheduling.
Processing GPS location data from satellite communicators and other sources.
Managing emergency contact information and sending safety notifications.
Storing and encrypting medical information provided in trip plans.
Operating the contact dashboard and check-in system.
Facilitating SAR handoff when explicitly requested.

3. Types of Personal Data Processed

TrekFreely processes the following categories of personal data:

Identity data: Name, email address, display name.
Contact data: Phone numbers, email addresses of emergency contacts.
Location data: GPS coordinates, routes, trailhead locations, vehicle parking locations.
Health data: Medical conditions, allergies, and other health information voluntarily provided (encrypted at rest with AES-256-GCM).
Trip data: Trip plans, gear lists, group member information, activity types, check-in schedules.
Communication data: Check-in messages, SMS content, satellite communicator messages.
Technical data: Device battery levels, signal strength from satellite communicators.

4. Processor Obligations

TrekFreely, as Processor, shall:

Process Personal Data only in accordance with the Controller's documented instructions, which are defined by the Controller's use of the Service features.
Ensure that persons authorized to process Personal Data have committed to confidentiality.
Implement and maintain appropriate technical and organizational security measures as described in Annex B.
Assist the Controller in responding to Data Subject requests to exercise their rights.
Assist the Controller in ensuring compliance with data breach notification obligations.
Delete or return all Personal Data upon termination of services, subject to retention periods described in our Privacy Policy.
Make available all information necessary to demonstrate compliance with this DPA.

5. Sub-Processors

TrekFreely's infrastructure is primarily self-hosted. We minimize the use of third-party sub-processors. The current list of sub-processors is maintained in Annex C of this DPA.

Before engaging any new sub-processor, TrekFreely will notify users with active accounts via email at least 30 days in advance. If you object to a new sub-processor, you may terminate your account before the sub-processor begins processing your data.

6. Data Subject Rights

TrekFreely will assist the Controller in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection.

Users can exercise many of these rights directly through their account settings. For requests that cannot be fulfilled through the Service, contact [email protected].

7. Security Measures

TrekFreely implements and maintains the technical and organizational security measures described in Annex B. These measures are designed to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage.

For additional details about our security practices, see our Security page.

8. Data Breach Notification

In the event of a personal data breach, TrekFreely will notify affected users without undue delay and no later than 72 hours after becoming aware of the breach, where feasible. The notification will include:

A description of the nature of the breach, including the categories and approximate number of Data Subjects affected.
The name and contact details of a point of contact for further information.
A description of the likely consequences of the breach.
A description of the measures taken or proposed to address the breach and mitigate its effects.

9. Audit Rights

TrekFreely will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. The Controller may request an audit of TrekFreely's data processing practices with reasonable advance notice, conducted during normal business hours, and without causing undue disruption to operations.

10. Data Return and Deletion

Upon termination of your account or upon request, TrekFreely will delete your Personal Data within the retention periods specified in our Privacy Policy. You may request a data export in a structured, machine-readable format before deletion.

11. Term and Termination

This DPA remains in effect for as long as TrekFreely processes Personal Data on behalf of the Controller. It survives termination of the Controller's account with respect to any Personal Data that remains in TrekFreely's systems during the applicable retention period.

Annex A: Processing Details

Detail	Description
Subject matter	Provision of outdoor safety and trip planning services
Duration	Duration of user's account plus applicable retention periods
Nature and purpose	Storage, processing, and display of trip plans, location tracking, check-in monitoring, emergency contact notifications, SAR coordination
Categories of Data Subjects	Registered users (backcountry travelers), emergency contacts, group members
Categories of Personal Data	Identity, contact, location, health (encrypted), trip plans, communications, technical

Annex B: Technical and Organizational Measures

Encryption in transit: TLS 1.3 for all connections.
Encryption at rest: AES-256-GCM field-level encryption for medical notes and raw device payloads. Database backups encrypted at rest.
Access control: Role-based access control. Administrative access requires multi-factor authentication.
Session security: HttpOnly, Secure, SameSite=Strict cookies. Server-side session storage in Redis.
Infrastructure security: Self-hosted infrastructure. Cloudflare Tunnel for secure ingress (no open inbound ports). Network segmentation between services.
Application security: Automated SAST scanning (Semgrep), dependency vulnerability scanning (Trivy), secret detection (TruffleHog). Content Security Policy headers.
Data minimization: Location history deleted 7 days after trip close. Medical notes deleted 30 days after trip close. Raw device payloads deleted after 30 days.
Monitoring: Audit logging for administrative actions. Automated alerts for security events.

Annex C: Sub-Processor List

Sub-Processor	Purpose	Location	Data Processed
Cloudflare, Inc.	CDN, DDoS protection, DNS, Tunnel ingress	United States (global edge network)	IP addresses, HTTP request metadata, cached static content
Proton AG (ProtonMail)	Sending login links, check-in alerts, notifications	Switzerland	Email addresses, notification content

All other infrastructure components (database, cache, application server, background workers) are self-hosted and operated directly by TrekFreely. No third-party sub-processors are involved in processing those components.

For questions about this Data Processing Agreement:

Email: [email protected]

TrekFreely
Colorado, United States