Privacy Policy

1. Data Controller

TrekFreely is the data controller responsible for your personal data. TrekFreely is a free, non-monetized outdoor safety and stewardship platform. We do not sell, rent, or trade your personal information. We do not serve advertisements. We do not use your data for marketing purposes.

For privacy inquiries, contact us at [email protected].

2. Information We Collect

Information you provide directly

• Account information: Email address and display name when you create an account.
• Trip plan data: Trip details including destinations, routes, start and return times, vehicle descriptions, group members, gear lists, and activity type.
• Emergency contact information: Names, phone numbers, and email addresses of contacts you designate for trip notifications.
• Medical information: Medical conditions, allergies, and other health information you voluntarily provide in trip plans. This data is encrypted at rest using AES-256-GCM encryption and is only accessible during SAR handoff scenarios you explicitly initiate.
• Communications: Messages you send through the check-in system, including SMS and satellite communicator messages.

Information collected automatically

• Location data: GPS coordinates received from satellite communicators (Garmin inReach, SPOT), APRS-IS feeds, SMS coordinate messages, or mobile app location sharing when you explicitly enable it for an active trip.
• Check-in data: Timestamps and status of trip check-ins.
• Device information: Battery level and signal data from satellite communicators when available.
• QR code scans: When you scan a TrekFreely-printed QR code (for example, a sticker at a trailhead register or kiosk), we log a timestamp, the campaign identifier embedded in the code, the country derived from your IP address, and a coarse device family (iOS, Android, or Other) derived from your browser's User-Agent string. We do not store the IP address itself, the full User-Agent, or any other identifier. Scans are never linked to a user account.

Information we do not collect

• We do not use tracking cookies, advertising cookies, or analytics cookies.
• We do not collect browsing behavior, click patterns, or page view histories.
• We do not use Google Analytics, Meta Pixel, or any third-party tracking service.
• We do not fingerprint browsers or devices.

3. How We Use Your Information

We use your information exclusively for the following purposes:

• Service delivery: Operating trip planning, check-in, and contact dashboard features.
• Safety notifications: Sending check-in reminders, missed check-in alerts, and overdue notifications to your designated emergency contacts.
• SAR coordination: Providing trip plan data to Search and Rescue organizations when you or your emergency contacts explicitly initiate a SAR handoff.
• Transactional communications: Sending magic link login emails, trip activation confirmations, and system notifications directly related to your use of the service.
• Service improvement: Aggregated, anonymized usage patterns to improve platform reliability. No individual user data is used for this purpose.
• Print-campaign measurement: Aggregated QR-code scan counts to evaluate which printed materials (stickers, kiosk signs, brochures) generate engagement. Counts are never linked to a user account, never sold or shared, and never used to build a profile of any individual.

4. Legal Bases for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process your personal data under the following legal bases:

• Contract: Processing necessary to provide the services you have requested, including trip planning, check-in monitoring, and contact dashboard access.
• Consent: Where you have given explicit consent, such as providing medical information in trip plans or enabling location tracking.
• Legitimate interest: Processing necessary for our legitimate interests, such as maintaining platform security and preventing abuse, where those interests are not overridden by your rights.
• Vital interest: In emergency situations where processing is necessary to protect your life or the life of another person, such as SAR escalation scenarios.

5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information to any third party. We share data only in the following limited circumstances:

• Emergency contacts: Trip plan details (excluding medical notes) are shared with contacts you designate, via the contact dashboard you provide them access to.
• SAR organizations: Trip plan data including medical notes is shared with Search and Rescue organizations only when you or your emergency contacts explicitly initiate a SAR handoff.
• Legal requirements: We may disclose data when required by valid legal process. See our Law Enforcement & Data Request Policy for details.
• Service providers: Our infrastructure is self-hosted. We use Cloudflare for CDN and tunnel services. We use ProtonMail (Proton AG, Switzerland) for sending login links and notifications. These providers process data only as necessary to deliver their services.
• Map rendering: Trip planning pages use Mapbox GL JS for interactive map rendering. Mapbox collects anonymous usage telemetry (map load counts, browser type, and general location derived from IP address) as required by their Terms of Service. No TrekFreely user data, trip details, routes, or personal information is sent to Mapbox. See Mapbox's Privacy Policy for details on their data practices.

6. Data Retention

We retain your data only as long as necessary for the purposes described in this policy.

7. Data Security

We take the security of your data seriously. Measures include:

• TLS 1.3 encryption for all data in transit.
• AES-256-GCM field-level encryption for sensitive data (medical notes, raw device payloads).
• HSTS preloading with one-year max-age.
• Secure, HttpOnly, SameSite=Strict session cookies.
• Automated security scanning (SAST, dependency scanning, secret detection) in our CI/CD pipeline.
• Content Security Policy, Referrer-Policy, and Permissions-Policy headers.

For more details, see our Security page.

8. Your Rights Under GDPR

If you are in the EEA, UK, or Switzerland, you have the following rights:

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate personal data.
• Right to erasure: Request deletion of your personal data, subject to legal retention obligations.
• Right to restriction: Request restriction of processing in certain circumstances.
• Right to data portability: Receive your data in a structured, machine-readable format.
• Right to object: Object to processing based on legitimate interest.
• Right to withdraw consent: Withdraw consent at any time where processing is based on consent.

To exercise these rights, contact [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

9. Your Rights Under CCPA/CPRA

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with the following rights:

• Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to delete: Request deletion of your personal information.
• Right to correct: Request correction of inaccurate personal information.
• Right to opt-out of sale or sharing: We do not sell or share your personal information for cross-context behavioral advertising. There is nothing to opt out of.
• Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.

Categories of personal information collected: Identifiers (email, name), geolocation data (trip coordinates), health information (voluntarily provided medical notes), and internet or other electronic network activity (check-in status).

Sale of personal information: We have not sold personal information in the preceding 12 months. We do not sell personal information. We will never sell personal information.

To exercise these rights, contact [email protected]. We will respond within 45 days as required by law.

10. Cookies and Tracking

TrekFreely uses only strictly necessary session cookies to maintain your login state. These cookies are:

• HttpOnly (not accessible to JavaScript)
• Secure (transmitted only over HTTPS)
• SameSite=Strict (not sent with cross-site requests)
• Stored in server-side Redis (no sensitive data in the cookie itself)

We do not use advertising cookies, analytics cookies, or tracking cookies. We do not use Google Analytics, Meta Pixel, or any third-party tracking service. Our privacy-respecting analytics, when enabled, are cookieless and self-hosted.

11. Children's Privacy

TrekFreely is not directed at children under 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact [email protected].

12. International Data Transfers

TrekFreely is operated from the United States. If you access our services from outside the United States, your data will be transferred to and processed in the United States. We take appropriate safeguards to ensure your data is protected in accordance with this policy and applicable law, including the use of Standard Contractual Clauses where required by GDPR.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. If we make material changes that affect how we handle your data, we will notify you via email if you have an account.

14. Contact Us

For privacy-related questions, requests, or concerns:

• Email: [email protected]

TrekFreely
Colorado, United States