Last updated: January 1, 2025
1. Introduction
GPX.sh is operated by AMD2K22 S.R.L., a company registered in the European Union. We are committed to protecting your privacy and processing your personal data in compliance with the General Data Protection Regulation (GDPR) and applicable data protection laws.
This Privacy Policy explains what data we collect, how we use it, and your rights regarding your personal information.
2. Data Controller
The data controller responsible for your personal data is:
AMD2K22 S.R.L.
For privacy inquiries, please contact us through our contact page.
3. Information We Collect
3.1 Information You Provide
- Account Information: Email address and password when you create an account.
- GPX Files: Files you upload, which may contain GPS coordinates, timestamps, elevation data, waypoints, and other location-related information.
- Location Data: When you use our mobile applications (when available), we may collect your device's location to provide location-based features.
- Communications: Information you provide when contacting us for support or feedback.
3.2 Information Collected Automatically
- Usage Data: We use internal analytics tools to collect anonymized information about how you use our service. This data is not linked to your identity and is used solely to improve our service.
- Device Information: Browser type, operating system, and general device information for compatibility and security purposes.
- Approximate Location (IP-Based): We use your IP address to determine your country and center the map when you start a new GPX file. This location is not stored.
- Security Logs: IP address, user agent, and timestamps for detecting abuse, preventing fraud, and securing the service.
4. Cookies and Local Storage
4.1 Essential Cookies
We use the following cookies that are strictly necessary for the service to function:
- Session Cookie: Maintains your authenticated session while using the service.
- Remember Me Cookie: Keeps you logged in between visits (if you choose this option).
- XSRF Token Cookie: Protects against cross-site request forgery attacks.
4.2 Local Storage
We use your browser's local storage to save your preferences, such as theme settings (light/dark mode) and consent status. This data remains on your device and is not transmitted to our servers.
5. Third-Party Services
We use the following third-party services that are essential for providing our service:
- Google Maps API: Provides map display functionality in the editor. Google may collect usage data according to their Privacy Policy.
- Mapbox: Provides map display functionality in the viewer. Mapbox may collect usage data according to their Privacy Policy.
- Paddle: Processes payments for premium subscriptions. When you make a payment, Paddle handles your payment information according to their Privacy Policy. We do not store your payment card details.
- Resend: Delivers transactional emails (account verification, password recovery, notifications). Your email address is shared with Resend solely for email delivery according to their Privacy Policy.
6. Legal Basis for Processing
We process your personal data based on the following legal grounds:
- Contract: Processing necessary to provide you with our service (account management, file storage, premium features).
- Legitimate Interest: Processing necessary for security, abuse prevention, fraud prevention, service improvement, and analytics (using anonymized data).
- Consent: For optional features such as newsletter subscriptions. You can withdraw consent at any time.
7. How We Use Your Information
We use your information to:
- Provide, maintain, and improve our service
- Process and securely store your GPX files
- Process payments for premium subscriptions
- Send essential service communications (account activation, password recovery, important service updates)
- Send newsletter communications (only if you have opted in)
- Ensure security and prevent fraud
- Comply with legal obligations
8. Communications
By default, we only send you emails necessary for the functioning of your account:
- Account activation and verification
- Password recovery
- Important service announcements and security notices
If you opt in to our newsletter, you will receive updates about new features and tips for using GPX.sh. You can unsubscribe at any time using the link in any newsletter email.
9. Data Sharing
We do not sell your personal data. We do not display advertisements on our service.
We may share your information only in the following circumstances:
- Service Providers: With the third-party services described in Section 5, solely for providing our service.
- Legal Requirements: When required by law, court order, or governmental authority.
- Protection of Rights: To protect our rights, safety, or property, or those of our users.
10. User-Generated Content
When you upload GPX files, you control their visibility:
- Private files: Accessible only to you.
- Public files: Accessible to anyone with the link. Once you make a file public, we cannot control who accesses, downloads, or shares it further.
You are responsible for ensuring you have the right to share the content in your GPX files and that they do not contain sensitive location data you do not wish to disclose.
11. International Data Transfers
Your data is primarily stored and processed within the European Union. However, some third-party services (Google, Mapbox, Paddle) may transfer data to countries outside the EU. These transfers are protected by appropriate safeguards, including Standard Contractual Clauses approved by the European Commission.
12. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encrypted data transmission (HTTPS/TLS)
- Secure password hashing
- Regular security updates and monitoring
- Access controls and authentication
While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
13. Data Retention
- Account Data: Retained for as long as your account is active. When you request account deletion, your data will be deleted within 30 days.
- GPX Files: Retained until you delete them or request account deletion.
- Analytics Data: Anonymized analytics data may be retained indefinitely as it cannot be linked to individuals.
- Security Logs: Retained for up to 3 months and deleted thereafter, unless needed for an ongoing investigation or legal obligation.
14. Your Rights Under GDPR
As an EU-based service, we respect your rights under the GDPR. You have the right to:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate personal data.
- Erasure: Request deletion of your personal data ("right to be forgotten").
- Data Portability: Receive your data in a structured, commonly used format.
- Restriction: Request restriction of processing in certain circumstances.
- Object: Object to processing based on legitimate interest.
- Withdraw Consent: Withdraw consent at any time where processing is based on consent.
To exercise any of these rights, please contact us through our contact page. We will respond to your request within 30 days.
You also have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.
15. Children's Privacy
Our service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe we have collected information from a child under 16, please contact us immediately and we will delete such information.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of significant changes by:
- Posting the updated policy on this page with a new "Last updated" date
- Sending an email notification for material changes (if you have an account)
We encourage you to review this policy periodically.
17. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your personal data, please contact us through our contact page.