Back to home

Privacy Policy | Pocket Trotter

How we protect your data and your privacy

Last updated : June 18, 2026

1. Data controller

The data controller is Quentin RUFFIER DES AIMES, publisher of Pocket Trotter (see the legal notice). Contact for any question about your data: contact.pocket.trotter@gmail.com.

No data protection officer (DPO) has been appointed, as this is not mandatory given our activity. The address above is your single point of contact.

2. Data we collect

Pocket Trotter is available through a website and an Android mobile app. This policy applies to both; the data categories below are collected regardless of which one you use.

Account data

  • Name, email address, profile picture and Google identifier, provided when you sign in via Google (OAuth).
  • Subscription status, our payment provider's customer/subscription identifiers, renewal dates.
  • Technical account data: login dates, usage counters (number of searches, routes), active/inactive status.

Content you upload

Location data

The GPX files you upload are location data. A track may reveal your home, your usual places and your sporting habits. We recommend not publicly publishing tracks that start from your home.

  • GPX files and route geometries.
  • Route metadata: name, description, activity type, distance, elevation gain, difficulty, tags.
  • Favourites.

Technical and usage data

  • IP address, user agent (browser/device), referring page.
  • Activity logs (actions performed in the app) for security and abuse prevention.
  • Anonymised audience-measurement data (see the Cookies section).

Payment data

Payments on the web are processed by Stripe; purchases made in the Android app are processed by Google Play (Google). In both cases, your card details are entered directly with the payment provider: we never store your card number. We only keep the identifiers needed to manage the subscription (Stripe customer/subscription identifier or Google Play purchase token) and the billing information.

3. Purposes and legal bases

Each processing activity has a legal basis under Article 6 GDPR:

PurposeLegal basis
Creating and managing your accountPerformance of the contract (Art. 6.1.b)
Uploading, processing, displaying and sharing your GPX tracksPerformance of the contract (Art. 6.1.b)
Managing the premium subscription and paymentPerformance of the contract (Art. 6.1.b)
Invoicing and accounting obligationsLegal obligation (Art. 6.1.c)
Security, fraud/abuse prevention, rate limiting, logsLegitimate interest (Art. 6.1.f)
Responding to your messages via the contact formLegitimate interest / your request (Art. 6.1.f)
Website audience measurementConsent (Art. 6.1.a)

4. Recipients and processors

Your data is never sold. It is accessible to the publisher and to technical processors acting on our behalf, strictly within the scope of the service:

RecipientRoleLocationSafeguards
Vercel Inc.Hosting, file storage (Blob), audience measurementUSA / EUDPF + standard contractual clauses
Neon Inc.Database (account, routes, logs)EU / USAStandard contractual clauses
Google Ireland / LLCSign-in (OAuth), POI enrichment (Places, premium), in-app billing and purchase verification (Google Play)EU / USADPF + standard contractual clauses
StripeSubscription payment (web)EU (Ireland) / USADPF + standard contractual clauses
ResendEmail delivery (contact)USAStandard contractual clauses
Open-MeteoWeather data (coordinates only)EU (Germany)No identifying data transmitted
OpenStreetMap / Overpass + tile providersMap display, POI dataEU / internationalIP address transmitted when loading maps

When the map is displayed, your IP address is necessarily transmitted to the tile and map-data providers in order to serve you the imagery.

5. Transfers outside the EU

Some processors are located in or may process data in the United States. Such transfers are governed by appropriate safeguards: certification under the EU–US Data Privacy Framework (DPF) and/or the European Commission's standard contractual clauses.

6. Retention periods

DataRetention period
Account and profileFor the lifetime of the account, then deleted after 24 months of inactivity (a warning email is sent beforehand) or on your request
Routes and GPX filesUntil deleted by you or until your account is closed
Favourites and preferencesUntil your account is closed
Technical logs (IP, agent, activity)Up to 12 months
Billing and subscription data10 years (statutory accounting obligation)
Proof of cookie consent6 months (the choice is then requested again)
Session cookieDuration of the session (30 days maximum)

7. Your rights

Under the GDPR, you have the following rights over your data:

  • Right of access to a copy of your data.
  • Right to rectification of inaccurate data.
  • Right to erasure (“right to be forgotten”).
  • Right to restriction of processing.
  • Right to object to processing based on legitimate interest.
  • Right to data portability: receive your data in a reusable format (your GPX files can also be downloaded from your account).
  • Right to withdraw consent at any time (notably for audience measurement), without retroactive effect.
  • Post-mortem directives: arrange what happens to your data after your death.

To exercise these rights, write to contact.pocket.trotter@gmail.com. We reply within one month (extendable by two months for complex requests). Proof of identity may be requested in case of reasonable doubt.

8. Complaint to the supervisory authority

If you believe the processing of your data does not comply with the law, you may lodge a complaint with the French supervisory authority, the CNIL (3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 — www.cnil.fr), or with the supervisory authority of your country of residence.

9. Security

We implement appropriate technical and organisational measures: encryption in transit (HTTPS/TLS), access control, secure hosting, validation and sanitisation of uploaded files (protection against XXE/XSS attacks), rate limiting and session revocation.

10. Cookies and trackers

Strictly necessary cookies

Essential for the site to work, they do not require your consent: session and authentication cookies (NextAuth), anti-CSRF protection. Local storage also keeps your preferences (cookie choice, language, POI display options).

Audience measurement

We use Vercel Web Analytics and Speed Insights to measure traffic and performance. These tools are designed without advertising cookies and with anonymised data. They are enabled only with your consent via the banner; you can refuse or withdraw it at any time.

No advertising

We use no advertising cookies and carry out no profiling for targeting purposes. Your data is never sold to third parties.

11. Minors

The service is not intended for persons under 15. If you are under 15, the consent of a holder of parental authority is required to create an account.

12. Automated decisions

We make no decisions producing legal effects based solely on automated processing. Hiding part of the points of interest from signed-out visitors is merely an incentive to sign up and has no legal effect.

13. Changes

This policy may change. The last-updated date appears at the top of the page. In the event of a substantial change, we will inform you by appropriate means.