This Privacy Policy explains how PackTracker ("we", "us", or "our") collects, uses, and protects your personal information when you use our outdoor gear management platform at https://mypacktracker.com (the "Service").

We are committed to protecting your privacy and being transparent about how we handle your data. By using PackTracker, you agree to the collection and use of information as described in this policy.

1. Information We Collect

1.1 Account Information

When you create an account with us, we collect:

• Email address - for account creation, authentication, and communication
• Name - obtained from your chosen authentication provider (Google, GitHub, or direct registration)
• Profile image - provided by social authentication providers or uploaded by you to customize your profile
• Profile information - any additional details from social authentication providers that you consent to share

1.2 Content You Create

• Gear and equipment data - outdoor equipment, gear specifications, organization systems, and related content you create
• Trip and route information - outdoor activities, routes, planning data, and associated documentation
• Images and files - photos, documents, and other files you upload are stored with unique identifiers and may be accessible via direct links
• Public content - when you choose to make your content public, this information becomes visible to other users and visitors, including any associated data you've linked together

1.3 Usage Data

We automatically collect information about how you use our Service through PostHog analytics:

• Pages visited and features used within the application
• Time spent on different sections
• User interactions and navigation patterns
• Technical information like browser type, device type, and IP address

1.4 Payment Information

If you subscribe to our premium features, payment processing is handled by Stripe. We do not store your payment card details - these are securely processed and stored by Stripe in accordance with their privacy policy.

2. How We Use Your Information

We use your personal information for the following purposes:

2.1 Service Provision

• Creating and managing your account
• Enabling you to organize and manage your outdoor gear and activities
• Storing and displaying your content, including images and data files
• Processing premium subscriptions

2.2 Service Improvement

• Understanding how users interact with our features
• Identifying areas for improvement and new feature development
• Monitoring usage patterns to optimize performance
• Managing our third-party service costs (e.g., mapping services)

2.3 Communication

• Sending transactional emails (account confirmations, password resets, deletion confirmations)
• Service updates and important notifications
• Marketing communications (only with your explicit consent)

2.4 Legal and Security

• Complying with legal obligations
• Protecting against fraud and abuse
• Enforcing our terms of service

3. Legal Basis for Processing (UK GDPR)

We process your personal data based on the following legal grounds:

• Contract performance - processing necessary to provide our backpack planning service
• Legitimate interests - improving our service, analytics, and business operations
• Consent - for marketing communications and non-essential features
• Legal compliance - meeting our legal and regulatory obligations

4. Information Sharing

We share your information only in the following limited circumstances:

4.1 Service Providers

We work with trusted service providers who help us deliver our service:

• WorkOS - authentication and user management
• Resend - email delivery services
• PostHog - analytics and product insights
• Stripe - payment processing for subscriptions
• Cloud storage and hosting providers - secure infrastructure and content delivery

4.2 Public Content

When you choose to make your content public, this information becomes visible to other users and may be indexed by search engines. Public content may include any associated data you've organized or linked together within our platform.

4.3 Legal Requirements

We may disclose your information if required by law, court order, or to protect our rights and the safety of our users.

5. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

• Secure hosting infrastructure with Hetzner
• Encrypted data transmission (HTTPS)
• Access controls and authentication via WorkOS
• Regular security assessments and updates
• Unique identifiers for uploaded content to prevent unauthorized access

However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

5.1 Data Breach Response

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:

• Assess and contain the breach immediately
• Notify the UK Information Commissioner's Office (ICO) within 72 hours where required by law
• Inform affected users without undue delay if the breach is likely to result in high risk to you
• Provide clear information about what happened, what data was involved, and what steps we're taking
• Offer guidance on protective measures you can take
• Implement additional safeguards to prevent similar incidents

6. Data Retention

• Account data - retained while your account is active and for a reasonable period after deletion to comply with legal obligations
• User content - retained according to your account status and content sharing settings
• Files and media - retained based on your content preferences and sharing settings
• Analytics data - retained according to PostHog's retention policies
• Communication records - retained as necessary for customer support and legal compliance

7. Your Rights

Under UK GDPR, you have the following rights:

7.1 Access and Control

• Account management - update your profile and preferences in your account settings
• Account deletion - delete your account through your settings page
• Data access - request a copy of your personal data
• Data portability - request your data in a machine-readable format

7.2 Account Deletion Process

When you delete your account, we aim to remove your personal data promptly. However, we may retain certain information for a limited period where we have legitimate reasons, such as:

• Completing ongoing transactions or resolving billing matters
• Complying with legal, tax, or regulatory obligations
• Preventing fraud and maintaining security
• Technical backup retention periods during our standard data management cycles
• Resolving disputes or enforcing our terms of service

Any retained data will be securely stored and limited to what's necessary for these specific purposes. We will permanently delete this data once these obligations no longer apply.

7.2 Corrections and Objections

• Rectification - correct inaccurate personal data
• Erasure - request deletion of your personal data
• Restriction - limit how we process your data
• Objection - object to processing based on legitimate interests

7.3 Marketing Communications

You can unsubscribe from marketing emails at any time using the unsubscribe link in our emails or by contacting us directly.

8. International Data Transfers

Some of our service providers may be located outside the UK/EEA. When we transfer your data internationally, we ensure appropriate safeguards are in place, such as:

• Standard Contractual Clauses approved by the UK ICO
• Adequacy decisions for certain countries
• Certification schemes and codes of conduct

9. Children's Privacy

Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will:

• Post the updated policy on this page
• Update the "Last updated" date
• Notify you of material changes via email or prominent notice in our Service
• For significant changes affecting your rights, seek your consent where required

11. Third-Party Services

Our Service integrates with third-party services that have their own privacy policies:

• Google/GitHub - for social authentication (governed by their respective privacy policies)
• Stripe - for payment processing (Stripe Privacy Policy)
• WorkOS - for authentication management
• PostHog - for analytics
• Resend - for email delivery

We encourage you to review the privacy policies of these services.