Privacy Policy
1. Who we are
TrailStack is a curated GPX track and roadbook marketplace for adventure riders and creators, available at trailstack.app.
TrailStack is the data controller for all personal data processed through this platform.
2. What this policy covers
This policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and what rights you have under the General Data Protection Regulation (GDPR) and Belgian privacy law.
It applies to:
- Visitors to trailstack.app
- Users who sign up for the waitlist
- Registered riders and creators
3. Data we collect and why
3.1 Waitlist sign-up
| Data | Purpose | Legal basis |
|---|---|---|
| Email address | To notify you at launch and send your welcome email | Legitimate interest (Art. 6(1)(f) GDPR) / consent where required |
| Role selection (rider / creator / both) | To send the correct welcome email variant | Same as above |
| Timestamp | Record-keeping and anti-abuse | Legitimate interest |
3.2 User accounts (at launch)
| Data | Purpose | Legal basis |
|---|---|---|
| Email address | Authentication, account communications | Contract (Art. 6(1)(b) GDPR) |
| Password (hashed — never stored in plain text) | Authentication | Contract |
| Username / display name | Public profile | Contract |
| Profile photo (if uploaded) | Creator public profile | Contract |
| Role (rider / creator) | Personalising the platform experience | Contract |
3.3 Route and content data (creators)
| Data | Purpose | Legal basis |
|---|---|---|
| GPX files | Storing and distributing routes | Contract |
| Route metadata (title, description, photos) | Catalogue display | Contract |
3.4 Purchase data (riders)
| Data | Purpose | Legal basis |
|---|---|---|
| Payment details | Processed entirely by Stripe — we never see or store card numbers | Contract |
| Purchase history | Order management and download access | Contract |
| Subscription status | Access control | Contract |
3.5 Technical and analytics data (all visitors)
| Data | Purpose | Legal basis |
|---|---|---|
| Server logs (IP address, browser type, pages visited) | Security, error diagnosis | Legitimate interest |
| Vercel edge network metadata | Hosting and CDN delivery | Legitimate interest |
| Analytics data (pages visited, session duration, referral source) | Understanding platform usage and improving the product | Consent (where non-essential cookies or tracking are involved) |
| Ad interaction data (clicks, conversions) | Measuring effectiveness of paid campaigns | Consent |
Where analytics or advertising tools require cookies or device fingerprinting, we will obtain your consent via a cookie banner before activating them.
4. Data processors
We share your data with the following third-party processors, each operating under a data processing agreement (DPA) or equivalent safeguard.
4.1 Active processors
| Processor | Role | Location | Privacy reference |
|---|---|---|---|
| Vercel Inc. | Hosting and CDN | USA (SCCs apply) | vercel.com/legal/privacy-policy |
| Supabase Inc. | Database and authentication | EU-Central-1 (Frankfurt) | supabase.com/privacy |
| Stripe Inc. | Payment processing | USA (SCCs apply) | stripe.com/privacy |
| Resend Inc. | Transactional email delivery | USA (SCCs apply) | resend.com/legal/privacy-policy |
| Anthropic PBC | AI access screening of creator-uploaded routes | USA (SCCs apply) | anthropic.com/privacy |
| Cloudflare Inc. | Email routing | USA (SCCs apply) | cloudflare.com/privacypolicy |
4.2 Processors that may be used in future
The following processors may be used in future for analytics and marketing purposes. They are not currently active. If and when activated, they will only be enabled with appropriate user consent where required under GDPR and Belgian ePrivacy law, and this policy will be updated accordingly.
| Processor | Role | Location | Privacy reference |
|---|---|---|---|
| Google LLC (Google Analytics) | Platform usage analytics | USA (SCCs apply) | policies.google.com/privacy |
| Google LLC (Google Ads) | Paid advertising and conversion tracking | USA (SCCs apply) | policies.google.com/privacy |
| Meta Platforms Ireland Ltd. (Meta Ads / Meta Pixel) | Paid advertising and conversion tracking | Ireland / USA (SCCs apply) | facebook.com/privacy/policy |
We do not sell your data to any third party. We do not share your data with advertisers beyond what is necessary to measure the effectiveness of our own campaigns.
5. International transfers
TrailStack is established in Belgium (EU). Some processors listed above are based outside the European Economic Area. Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission under Art. 46(2)(c) GDPR as the legal transfer mechanism.
6. How long we keep your data
| Data | Retention period |
|---|---|
| Waitlist email (pre-launch) | Until launch + 12 months, or until you unsubscribe |
| User account data | For the duration of your account + 2 years after deletion |
| Purchase records | 7 years (Belgian accounting law — mandatory) |
| Server logs | 30 days rolling |
| Creator route files | For the duration of the creator's account |
| Analytics data | Per the relevant processor's retention settings |
7. Your rights under GDPR
As a data subject under GDPR, you have the following rights:
- Right of access (Art. 15) — you can request a copy of all personal data we hold about you.
- Right to rectification (Art. 16) — you can ask us to correct inaccurate data.
- Right to erasure (Art. 17) — you can ask us to delete your data, subject to legal retention obligations.
- Right to restriction (Art. 18) — you can ask us to pause processing while a dispute is resolved.
- Right to data portability (Art. 20) — you can request your data in a machine-readable format.
- Right to object (Art. 21) — you can object to processing based on legitimate interest.
- Right to withdraw consent — where processing is based on consent, you can withdraw at any time without affecting prior processing.
To exercise any of these rights, email us at hello@trailstack.app. We will respond within 30 days.
8. Cookies
8.1 Strictly necessary cookies
TrailStack uses strictly necessary cookies for session management and authentication. These do not require consent.
8.2 Analytics and advertising cookies
We do not currently use analytics or advertising cookies. If we introduce them, we will display a cookie consent banner compliant with Belgian ePrivacy law before any non-essential cookie is set. You will always be able to withdraw consent via the cookie settings on the platform.
9. Marketing communications
If you signed up for the waitlist, you will receive a welcome email and, at launch, a launch announcement. Every email includes an unsubscribe link. You can also unsubscribe at any time by emailing hello@trailstack.app.
We do not send marketing emails without a valid legal basis under GDPR and the Belgian Act of 13 June 2005 on electronic communications.
10. Data security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (HTTPS enforced)
- Hashed passwords (never stored in plain text)
- Row-level security policies on our database
- Secret keys stored as environment variables, never in code
- Stripe handles all payment card data — we never store it
If we become aware of a data breach that poses a risk to your rights and freedoms, we will notify the Belgian Data Protection Authority within 72 hours and affected users without undue delay, as required by Art. 33–34 GDPR.
11. Supervisory authority
You have the right to lodge a complaint with the Belgian Data Protection Authority:
Drukpersstraat 35, 1000 Brussels
contact@apd-gba.be
www.gegevensbeschermingsautoriteit.be
12. Changes to this policy
We may update this policy as the platform evolves. Material changes will be communicated by email (if you have an account) and by updating the “Last updated” date above. Continued use of the platform after the effective date constitutes acceptance of the updated policy.