Privacy Policy

Last updated: June 2026

Not legal advice. This policy is a draft for operator review and has not been reviewed by a solicitor or data-protection professional. Operator review pending before public launch.

1. Who we are

notmapped is a cycling route-planning web application operated as an independent project. Contact: hello@notmapped.com.

2. What data we collect and why

notmapped collects the minimum data needed to provide the service:

Strava OAuth tokens — stored encrypted in our database to read your activity history on your behalf. Required to build your coverage heatmap and generate routes.
Activity data from Strava — GPS route polylines and sport type for each cycling activity you have on Strava. We store the polylines locally so we can rebuild your heatmap without repeatedly fetching from Strava. We do not store activity names, descriptions, heart rate, power, cadence, or any other Strava fields.
Strava profile data — your first name and profile photo URL (used to display your avatar in the app). We do not store your email address from Strava.
Coverage tiles — an H3 (hexagonal grid) record of which geographic cells your rides have covered. This is derived from your activity polylines and stored in our database.
Billing data — for Explore subscribers, payment information is handled entirely by Stripe. We store only your Stripe customer ID and subscription status; we never see or store your card number or billing address.
Server logs — our hosting server (Hetzner, Germany) keeps standard access logs including IP addresses for up to 90 days. These are used for debugging and security only and are not linked to your notmapped account.

3. Analytics

We use Plausible Analytics to understand how notmapped is used — page views, referral sources, and whether visitors connect their Strava account. Plausible is a privacy-respecting analytics service hosted in the EU (Germany) operated by Plausible Insights OÜ.

Plausible does not use cookies, does not collect personal identifiers, does not track you across websites, and does not share data with advertisers. The data collected is aggregate-only and cannot be used to identify you individually. You do not need to accept or reject any analytics to use notmapped.

4. Sub-processors

We use the following third-party sub-processors to operate the service:

Service	Purpose	Data shared	Location	Retention
Strava	Activity data source (OAuth read + optional description write)	Your Strava athlete ID and activities (via their API)	USA (Strava, Inc.)	Until you disconnect or delete your account
Stripe	Payment processing (Explore subscriptions)	Payment method, billing email (collected by Stripe directly)	EU / USA (Stripe, Inc.)	Per Stripe's retention policy
Plausible Analytics	Cookieless, aggregate-only analytics	Anonymised page view data (no PII, no cookies)	EU, Germany (Hetzner) — operated by Plausible Insights OÜ (Estonia)	Per Plausible's retention policy
Neon (AWS eu-central-1)	Primary database (PostgreSQL)	All user account data, activity polylines, coverage tiles, tokens	AWS eu-central-1, Frankfurt, Germany	Until account deletion
Hetzner	Application hosting (VPS)	Access logs including IP addresses	Germany (Falkenstein)	~90 days (standard server log rotation)

5. Your rights (GDPR)

If you are located in the European Union or European Economic Area, you have rights under the General Data Protection Regulation (GDPR) including the right to access, rectify, erase, and restrict processing of your personal data. The following rights are already implemented in the application:

Disconnect Strava — removes your Strava OAuth tokens from our database immediately. Available in the Settings panel at any time. After disconnecting, notmapped can no longer read your Strava data or generate routes.
Delete account — permanently and irrevocably deletes your notmapped account, all activity data, coverage tiles, and account record from our database. Also cancels any active Explore subscription via Stripe. Available in the Settings panel. This action cannot be undone.

For any other data rights request (access, portability, objection, restriction), please contact us at hello@notmapped.com. We will respond within 30 days.

6. Data security

Strava OAuth tokens are stored encrypted at rest using AES-256 (via the Python cryptography library, Fernet symmetric encryption). All traffic between your browser and notmapped is encrypted in transit via HTTPS (TLS 1.2+, enforced by Caddy on the server). Session cookies are marked HttpOnly and Secure to prevent JavaScript access and transmission over plain HTTP.

7. Children

notmapped is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.

8. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via the application. Continued use after changes are posted constitutes acceptance of the updated policy.

9. Contact

For privacy questions, data access requests, or concerns: hello@notmapped.com