Security
How we protect your data and how we think about security.
Our Security Principles
TrekFreely handles sensitive data — location history, trip plans, medical information, and emergency contacts. Security is not a feature we added. It is the foundation everything else is built on.
Privacy by Design
We collect only what's necessary. No tracking cookies. No advertising IDs. No third-party analytics. Your location data gets deleted when your trip ends.
Defense in Depth
Multiple layers of protection: encrypted transit, encrypted storage, application-layer encryption for sensitive fields, and strict access controls.
Least Privilege
Every component and user operates with the minimum permissions necessary. Contact dashboards are read-only. Medical notes are visible only during SAR handoff.
Infrastructure Security
- Self-hosted infrastructure: Our application, database, and cache run on infrastructure we control. We do not use multi-tenant cloud hosting for data storage.
- No open inbound ports: Public access is provided through Cloudflare Tunnel, which makes outbound connections from our server, so no inbound ports are exposed to the internet.
- Cloudflare protection: DDoS mitigation, WAF rules, and CDN caching for static assets are handled at the edge before traffic reaches our infrastructure.
- Network segmentation: Application services (web server, database, cache, background workers) are isolated in separate containers with controlled inter-service communication.
Data Protection
Encryption in transit
- Every connection to our servers runs TLS 1.3.
- HSTS is preloaded with a one-year max-age, and session cookies are tightly secured.
Encryption at rest
- Medical notes and raw device payloads are encrypted at the application layer using AES-256-GCM before being written to the database. The encryption key is stored in environment secrets, never in code or the database.
- Database backups are encrypted at rest.
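To make the application-layer encryption concrete: the example below shows the pattern the list describes, AES-256-GCM applied to a single field with the key read from an environment secret, a fresh 96-bit nonce per record, and the record identifier bound as associated data so a ciphertext moved to another row fails to decrypt. This is added example code, not TrekFreely's implementation; it assumes the `cryptography` package, and the environment variable name, record identifiers and medical note are constructed for the demo.

```python
"""Field-level AES-256-GCM encryption with the key supplied as an environment secret."""
import base64
import os
from typing import Dict

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

KEY_ENV_VAR = "FIELD_ENCRYPTION_KEY"  # hypothetical name; holds base64 of 32 random bytes
NONCE_LEN = 12  # 96-bit nonce, the size GCM is specified for


def load_key() -> bytes:
    """Read the AES-256 key from the environment; it never lives in code or the database."""
    raw = os.environ.get(KEY_ENV_VAR)
    if raw is None:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    key = base64.b64decode(raw)
    if len(key) != 32:
        raise ValueError("field encryption key must be exactly 32 bytes for AES-256")
    return key


def encrypt_field(key: bytes, plaintext: str, context: str) -> str:
    """Encrypt one field; `context` (e.g. 'trip:42:medical_notes') is bound as AAD."""
    nonce = os.urandom(NONCE_LEN)  # random per write; never reuse a nonce under one key
    ciphertext = AESGCM(key).encrypt(nonce, plaintext.encode("utf-8"), context.encode("utf-8"))
    return base64.b64encode(nonce + ciphertext).decode("ascii")  # nonce || ct || 16-byte tag


def decrypt_field(key: bytes, stored: str, context: str) -> str:
    """Decrypt a stored field; raises InvalidTag on tampering or a mismatched context."""
    blob = base64.b64decode(stored)
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return AESGCM(key).decrypt(nonce, ciphertext, context.encode("utf-8")).decode("utf-8")


def roundtrip_demo() -> Dict[str, object]:
    """Exercise the round trip plus the two failure modes GCM is meant to catch."""
    key = AESGCM.generate_key(bit_length=256)  # constructed for the demo; production uses load_key()
    context = "trip:42:medical_notes"  # constructed record identifier
    plaintext = "Allergic to penicillin; carries an epinephrine auto-injector."  # constructed note
    stored = encrypt_field(key, plaintext, context)
    decrypted = decrypt_field(key, stored, context)

    # Same ciphertext presented under another trip's identifier: AAD mismatch.
    try:
        decrypt_field(key, stored, "trip:43:medical_notes")
        context_mismatch_detected = False
    except InvalidTag:
        context_mismatch_detected = True

    # Flip one bit of the authentication tag: integrity failure.
    blob = bytearray(base64.b64decode(stored))
    blob[-1] ^= 0x01
    try:
        decrypt_field(key, base64.b64encode(bytes(blob)).decode("ascii"), context)
        tamper_detected = False
    except InvalidTag:
        tamper_detected = True

    return {
        "plaintext": plaintext,
        "decrypted": decrypted,
        "ciphertext": stored,
        "nonce_unique": encrypt_field(key, plaintext, context) != stored,
        "context_mismatch_detected": context_mismatch_detected,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    for name, value in roundtrip_demo().items():
        print(f"{name}: {value}")
```

Binding the row identifier as AAD is the detail most often skipped: without it, encryption hides the content but does nothing to stop a ciphertext being copied from one user's record to another's while still decrypting cleanly.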
Data retention
- Location history: deleted 7 days after a trip closes.
- Medical notes: deleted after 30 days.
- Raw device payloads: deleted after 30 days.
- Account deletion: we permanently delete your account on request.
Full retention details are in our Privacy Policy.
Application Security
- Static analysis (SAST): Semgrep scans every code change for security vulnerabilities before it reaches production.
- Dependency scanning: Trivy scans all dependencies for known vulnerabilities. High and critical findings block deployment.
- Secret detection: TruffleHog scans the codebase to prevent accidental commit of credentials, API keys, or other secrets.
- Security headers: Content-Security-Policy, Referrer-Policy, and Permissions-Policy headers are enforced in production. X-Frame-Options, X-Content-Type-Options, and HSTS headers are set on all responses.
- CSRF protection: All state-changing operations are protected against cross-site request forgery.
- Bot protection: Public forms use Cloudflare Turnstile for privacy-respecting bot detection.
- Automated dependency updates: Dependabot monitors and proposes updates for Python, JavaScript, Docker, and GitHub Actions dependencies weekly.
Authentication
- Passwordless authentication: We use email-based magic links for login. No passwords are stored. Login tokens are single-use, expire after 15 minutes, and are hashed before storage.
- Passkey support: Optional FIDO2/WebAuthn passkey authentication for users who want hardware-backed login security.
- No social login: We do not use OAuth or social login providers. Your login does not depend on or share data with any third-party identity provider.
- Session security: Sessions are stored server-side in Redis. Session cookies are HttpOnly, Secure, and SameSite=Strict.
- Contact dashboard access: Emergency contact dashboards use unique, per-trip UUID tokens in the URL. No account, login, or cookie is required. Tokens are scoped to a single trip and expire after the trip ends.
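The magic-link properties listed above (single-use, 15-minute expiry, hashed before storage) fit together in a small token store. The code below is an added example for this page, not TrekFreely's code; the in-memory dictionary stands in for the database table, and the e-mail address and clock values are constructed.

```python
"""Single-use, time-limited magic-link tokens, stored only as SHA-256 digests."""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

TOKEN_TTL = timedelta(minutes=15)  # the 15-minute lifetime stated on the page


@dataclass
class LoginToken:
    email: str
    expires_at: datetime
    used: bool = False


class MagicLinkStore:
    """In-memory stand-in for the token table; only digests are kept, never the token itself."""

    def __init__(self) -> None:
        self._by_digest: Dict[str, LoginToken] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, email: str, now: datetime) -> str:
        """Mint a 256-bit token for the e-mail; the plaintext goes only into the login link."""
        token = secrets.token_urlsafe(32)
        self._by_digest[self._digest(token)] = LoginToken(email, now + TOKEN_TTL)
        return token

    def redeem(self, token: str, now: datetime) -> Optional[str]:
        """Return the e-mail for a valid token and burn it; None for unknown, used or expired."""
        record = self._by_digest.get(self._digest(token))
        if record is None or record.used or now >= record.expires_at:
            return None
        record.used = True  # single-use: a replayed link fails from here on
        return record.email

    def stored_digests(self) -> List[str]:
        return list(self._by_digest)


def demo_flow() -> Dict[str, object]:
    """Walk through issue, redeem, replay, expiry and a guessed token."""
    store = MagicLinkStore()
    t0 = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    token = store.issue("hiker@example.com", t0)  # constructed address
    first = store.redeem(token, t0 + timedelta(minutes=5))
    replay = store.redeem(token, t0 + timedelta(minutes=6))
    stale = store.issue("hiker@example.com", t0)
    expired = store.redeem(stale, t0 + timedelta(minutes=16))
    bogus = store.redeem(secrets.token_urlsafe(32), t0)
    return {
        "first": first,
        "replay": replay,
        "expired": expired,
        "bogus": bogus,
        "plaintext_in_store": token in store.stored_digests(),
    }


if __name__ == "__main__":
    for name, value in demo_flow().items():
        print(f"{name}: {value}")
```

Because the table holds only digests of high-entropy tokens, a leaked copy of it yields nothing that can be pasted into a login URL; the lookup-by-digest also avoids comparing secrets byte by byte in application code.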
Regulatory Compliance
- GDPR compliant: Data subject rights (access, rectification, erasure, portability, restriction, objection) are supported. Data minimization and purpose limitation are enforced by design.
- CCPA/CPRA compliant: Right to know, right to delete, right to correct, and right to opt-out of sale are supported. We do not sell personal information.
- Privacy by design: IP addresses are not logged. Cookieless, self-hosted analytics. No third-party tracking.
See our Privacy Policy, Data Processing Agreement, and Law Enforcement Policy for details.
Responsible Disclosure
If you discover a security vulnerability in TrekFreely, we ask that you report it responsibly so we can address it before it is publicly disclosed.
How to report
Email [email protected] with a description of the vulnerability. Include:
- A description of the vulnerability and its potential impact.
- Steps to reproduce the issue.
- Any proof-of-concept code or screenshots, if applicable.
Our response
- We will acknowledge your report within 2 business days.
- We will provide an initial assessment within 5 business days.
- We will work with you to understand and resolve the issue.
- We will credit you in our security acknowledgments (unless you prefer to remain anonymous).
Safe harbor
We will not pursue legal action against security researchers who discover and report vulnerabilities in good faith, following responsible disclosure practices. We consider security research conducted in accordance with this policy to be authorized and will not initiate legal action against you for it.
We ask that you:
- Don't access, modify, or delete another user's data.
- Don't degrade service availability.
- Give us reasonable time to address the issue before going public.