Privacy Policy
Last updated: 27 June 2026 · v1.0
This policy explains how we collect, use, and protect your personal data when you use the Flamap mobile application and related services (the "Service"). It is written to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and Spanish Organic Law 3/2018 on Data Protection and Guarantee of Digital Rights ("LOPDGDD").
1. Who is responsible for your data (Data Controller)
The data controller responsible for processing your personal data is:
| Field | Detail |
|---|---|
| Controller | Josep Pinot Valls, a self-employed professional (autónomo) established in Spain |
| Contact email | help@flamap.app |
For any question about this policy or your personal data, contact us at the email above.
2. What data we collect
We only collect data that is necessary to provide the Service. We do not use advertising, third-party analytics, or crash-reporting SDKs in the app.
2.1 Account and identity data
- Email address and password (authentication is handled by Supabase; passwords are stored hashed, never in plain text).
- If you choose "Sign in with Google", the identifier and basic profile information provided by Google's OAuth service.
- A unique user identifier (UUID) generated for your account.
2.2 Profile data (provided by you)
- Username / display name.
- Optional: date of birth, gender, profile photo (avatar).
- Home location name, preferred units (metric/imperial), language, and default sport type.
- Fitness profile data: height, weight, and FTP (Functional Threshold Power).
2.3 Location data
- Precise location (GPS) — used to show your position on the map and to provide navigation. We process precise location only after you grant the permission, and you can revoke it at any time in your device settings.
- Approximate location — your device may also be located approximately (e.g. derived from your IP address or coarse network location) to centre the map near you.
- Recorded GPS tracks, route geometry, waypoints, and elevation profiles.
2.4 Activity and health-related data
When you import or sync activities, we process fitness metrics that may include moving/elapsed time, distance, elevation gain, calories, average heart rate, power, and cadence, together with the associated GPS records.
Special-category data. Heart rate and other physiological metrics may qualify as health data ("special category" data under Article 9 GDPR). We process this data only with your explicit consent, which you give when you connect a device or import an activity containing such data. You may withdraw this consent at any time by disconnecting the integration or deleting the relevant activities.
2.5 Connected services
- If you link a Wahoo or Hammerhead account, we store the access tokens needed to sync your routes and activities. We never receive your password for those services.
2.6 Content and support data
- Routes, saved climbs/segments, and GPX files you create, import, or share.
- Feedback and bug reports you submit, including any diagnostic information you choose to include (e.g. app version).
2.7 Technical data
- Data necessary to operate the Service securely, such as your session token (stored encrypted on your device) and basic request metadata (e.g. IP address used to deliver API responses).
- App preferences stored locally on your device (e.g. map layer settings).
3. Why we use your data and our legal basis
| Purpose | Data used | Legal basis (GDPR Art. 6 / 9) |
|---|---|---|
| Create and manage your account; authenticate you | Account, identity | Performance of a contract (Art. 6(1)(b)) |
| Provide maps, routing, route creation, and navigation | Location, profile, routes | Performance of a contract (Art. 6(1)(b)) |
| Store and display your activities and fitness metrics | Activity / health data | Explicit consent (Art. 9(2)(a)) |
| Sync routes/activities with Wahoo / Hammerhead | Connected-service tokens, routes, activities | Consent (Art. 6(1)(a)) — given by linking the account |
| Respond to feedback and provide support | Support data | Legitimate interest (Art. 6(1)(f)) / contract |
| Keep the Service secure and prevent abuse | Technical data | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal obligations | As required | Legal obligation (Art. 6(1)(c)) |
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
4. Who we share data with (Processors and third parties)
We do not sell your personal data, and we do not use it for third-party advertising. We share data only with service providers ("processors") that help us run the Service, under data-processing agreements, and only as needed:
| Provider | Purpose | Privacy information |
|---|---|---|
| Supabase, Inc. (USA) | Authentication and database hosting for your account and user data | supabase.com/privacy |
| Cloudflare, Inc. (USA) | R2 object storage and delivery of images and assets (e.g. avatars, route previews) | cloudflare.com/privacypolicy |
| Google Ireland Ltd. / Google LLC | Optional "Sign in with Google"; loading of display fonts (Google Fonts) | policies.google.com/privacy |
| Wahoo Fitness LLC | Only if you link it — to sync your routes and activities | wahoofitness.com/privacy-policy |
| Hammerhead / SRAM LLC | Only if you link it — to sync your routes and activities | hammerhead.io/privacy-policy |
| Apple Inc. / Google LLC (app stores) | App distribution and, where applicable, billing | Apple / Google store policies |
Map and elevation tiles and routing are served from our own infrastructure using open data (e.g. OpenStreetMap, OpenMapTiles, Overture Maps, and the Valhalla routing engine); this does not involve sending your personal data to third-party map providers. We may also disclose data if required by law, to comply with a legal obligation, or to protect our or others' legal rights and safety.
4.1 What other users can see
Most of your data is private to your account. The following are visible to others only when you actively choose to share:
- Your username and profile photo may be visible to other users you interact with.
- When you share a route or create a public link, that route (its geometry and details) becomes accessible to anyone who has the link, until you delete or unshare it. Please consider that a shared route may reveal places you visit, such as your home or workplace.
We do not make your activities, recorded GPS tracks, or fitness metrics public, and we do not build public heatmaps or aggregated maps from your tracks.
5. International data transfers
Some of our processors (e.g. Supabase, Cloudflare, Google) may process data on servers located outside the European Economic Area (EEA). Where this happens, the transfer is protected by appropriate safeguards under Chapter V GDPR, such as the European Commission's Standard Contractual Clauses (SCCs) or an adequacy decision. You may request a copy of the relevant safeguards using the contact details in Section 1.
6. How long we keep your data
We keep personal data only for as long as necessary for the purposes described above.
| Data | Retention |
|---|---|
| Account, profile, routes, saved climbs, and activities | For as long as your account is active |
| Data after you delete your account | Deleted or anonymised without undue delay; residual copies in encrypted backups are purged within 30 days |
| Session token and preferences stored on your device | Until you log out or uninstall the app |
| Feedback and support messages | Up to 24 months, then deleted unless needed for a legal claim |
| Server/security logs (e.g. IP address) | Up to 90 days, then deleted or anonymised |
We may retain certain records for longer where we are legally required to (e.g. tax or accounting obligations) or to establish, exercise, or defend legal claims.
7. Your rights
Under the GDPR and LOPDGDD you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data (you can edit most profile data directly in the app).
- Erasure ("right to be forgotten") — you can delete your account from within the app, which removes your data from our systems.
- Data portability — you can export your data from within the app in a structured, machine-readable format.
- Restrict or object to certain processing.
- Withdraw consent at any time (e.g. disable location access, disconnect a device).
To exercise any right, use the in-app controls or contact us at help@flamap.app. We will respond within one month. If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD), www.aepd.es.
8. Security
We apply technical and organisational measures to protect your data, including encryption in transit (HTTPS), encrypted storage of session tokens on your device, hashed passwords, and access controls. No method of transmission or storage is completely secure, but we work to protect your information and to notify you and the authorities of any breach as required by law.
9. Children
The Service is not directed to children under 14. In accordance with Spanish law, minors under 14 may not create an account without the consent of a parent or legal guardian. If you believe a child has provided us with personal data, contact us and we will delete it.
10. Changes to this policy
We may update this policy from time to time. We will post the updated version here with a new "Last updated" date and, where changes are significant, notify you within the app.
11. Contact
For any privacy-related request: help@flamap.app.