App Privacy Policy

Last updated: 2026-05-29


1. Who We Are

Back in Pack ("we", "us", "our") is operated by Mark Goodlad, Switzerland. We publish the Back in Pack mobile application ("the App") available on iOS and Android.

Privacy contact: privacy@backinpack.com
Data controller (GDPR): Mark Goodlad, Switzerland


2. What Data We Collect

2.1 Account Data

  • Email address
  • Display name (optional)
  • Profile photo (optional)
  • Authentication provider (email/password, Google, Apple)

When you sign in with Apple and choose to hide your email, Apple provides a relay address. We store only what Apple provides.

2.2 App Content Data

Data you create inside the App:

  • Gear lists and pack configurations
  • Trip details (name, dates, notes)
  • Community posts, replies, and reactions
  • Imported gear lists (from HTML/URL scraping, performed locally on-device or via a CORS proxy)

2.3 Location Data

This data is collected only with your explicit permission.

  • Precise GPS location — used when you record a trip route or use the live tracking feature. You must grant location permission ("While Using" or "Always") before this is collected. Precision can be set to approximate in your device OS settings.
  • Trip route / GPX data — GPS coordinates recorded during a trip, stored as part of your trip record in the cloud.
  • Trip planning coordinates — location you enter or select when planning a trip (used to fetch weather and route data).

You can withdraw location permission at any time in your device's Settings app. Revoking location access stops new location data being collected; previously recorded trip routes remain stored unless you delete them.

2.4 Health & Fitness Data

  • We do not currently read from Apple Health, Google Fit, or any fitness platform.
  • Physical activity data (e.g. fitness level, pack weight tolerances) may be entered manually by you as trip notes.

2.5 Device & Technical Data

  • Device type, OS version, and app version (for crash reporting and compatibility)
  • Push notification token (FCM) — only if you grant notification permission
  • App Check attestation token — a platform-level integrity signal (AppAttest on iOS, Play Integrity on Android, reCAPTCHA v3 on web). This token does not identify you individually.

2.6 Usage Data

  • We do not use third-party analytics SDKs (e.g. Firebase Analytics, Mixpanel).
  • Firebase infrastructure logs (Firestore, Cloud Functions) may capture IP addresses and request metadata for security and quota management. These are retained per Google's default Firebase log retention settings.

2.7 Weather & Map Queries

When you open a trip's weather or map view, the App sends trip coordinates to our backend (Firebase Cloud Functions), which forwards them to OpenWeather. No personal identifiers are sent alongside coordinates. These requests are proxied server-side so your device IP is not exposed to OpenWeather directly.


3. How We Use Your Data

Purpose | Legal basis (GDPR) | Legal basis (other)
Provide and sync the App | Contract performance | Necessary for service
Store and display your gear, packs, and trips | Contract performance | Necessary for service
Route planning and weather fetching | Contract performance | Necessary for service
Push notifications for community replies | Consent (notification permission) | Consent
Moderate community posts for prohibited content | Legitimate interests (platform safety) | Legitimate interests
Detect and prevent fraud / abuse | Legitimate interests (security) | Legitimate interests
Respond to your support requests | Contract performance / Legal obligation | Necessary for service
Comply with legal obligations | Legal obligation | Legal obligation

We do not use your data for advertising, profiling for marketing, or sale to third parties.


4. Data Storage & Location

Your data is stored on Google Firebase infrastructure, with the primary region set to europe-west (Belgium).

Data type | Storage service | Primary region
Account, gear, packs, trips, community | Firebase Cloud Firestore | europe-west (Belgium, EU)
Images (gear, posts, GPX files) | Firebase Cloud Storage | europe-west (Belgium, EU)
Authentication records | Firebase Authentication | Global (Google-managed)
Server-side function logs | Google Cloud Logging | europe-west

Data at rest is encrypted by Google using AES-256.
Data in transit is encrypted via TLS 1.2 or higher.

Your data is stored within the EU. Where any processing occurs outside the EU (e.g. Google's global authentication infrastructure or US-based Google services), we rely on Google's Standard Contractual Clauses (SCCs) as the legal transfer mechanism. You can review Google's data transfer commitments at firebase.google.com/support/privacy.

Australian users: Your data is stored primarily in the EU. We take reasonable steps to ensure Google LLC provides privacy protections equivalent to the Australian Privacy Principles (APPs).


5. Subprocessors

We share data with the following third-party processors:

Subprocessor | Purpose | Data shared | Region
Google LLC — Firebase | App backend, database, auth, storage, push notifications | All user data | EU (primary) / USA (auth infrastructure)
Google LLC — Gemini AI | Community post moderation; plain-English weather summaries | Post text content (no PII); trip coordinates (no name) | USA
OpenWeather | Weather forecasts and historical data | Trip coordinates (proxied; no PII) | EU (Netherlands)
MapTiler AG | Map tile rendering | Tile requests with map coordinates | Switzerland / CDN
MapLibre | Open-source map SDK (on-device rendering) | No data transmitted |
OpenRouteService (HeiGIT) | Hiking route planning | Trip waypoints | Germany (EU)
Open-Elevation (SRTM) | Track elevation data | GPS coordinates | Open infrastructure
Open-Meteo | Geocoding / place search | Search query text | EU
Frankfurter API | Currency exchange rates for pricing | No personal data | EU
Apple Inc. | Sign in with Apple OAuth | Email / relay email | USA
Google LLC — Sign-In | Google OAuth | Google account email + profile | USA

We do not use advertising networks, data brokers, or social media trackers.

We will update this list when we add new subprocessors and notify users where required by applicable law.


6. Your Rights

6.1 Rights Under GDPR (EU/EEA and UK)

You have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — correct inaccurate data
  • Erasure ("Right to be Forgotten") — request deletion of your personal data (see Section 7)
  • Restriction — ask us to limit processing while a dispute is resolved
  • Portability — receive your data in a structured, machine-readable format
  • Object — object to processing based on legitimate interests
  • Withdraw consent — where processing is based on consent (e.g. push notifications, location access), withdraw it at any time without affecting lawfulness of prior processing

To exercise any of these rights, email privacy@backinpack.com. We will respond within 30 days (extendable to 90 days for complex requests, with notice).

You also have the right to lodge a complaint with your local supervisory authority. UK users may contact the ICO at ico.org.uk. EU users may contact their national DPA.

6.2 Rights Under CCPA/CPRA (California, USA)

California residents have the right to:

  • Know what personal information we collect and how it is used
  • Delete personal information (see Section 7)
  • Correct inaccurate personal information
  • Opt out of the sale or sharing of personal information — we do not sell or share your personal information
  • Non-discrimination for exercising your rights

To submit a California rights request, email privacy@backinpack.com or use the in-app account deletion feature.

6.3 Rights Under PIPEDA (Canada)

Canadian residents may request access to their personal data and challenge its accuracy. Contact privacy@backinpack.com.

6.4 Rights Under the Australian Privacy Act

Australian residents may request access to or correction of their personal information held by us, and may complain to the Office of the Australian Information Commissioner (OAIC) if unsatisfied with our response.


7. Account Deletion & Right to Be Forgotten

You can delete your account and all associated data at any time:

In-app: Profile → [Account] → Delete Account

This will permanently delete:

  • Your account credentials and profile
  • All gear lists, packs, and trip data
  • All stored images and GPX files

Community posts and replies are stored under your display name only, with no link to your account. On account deletion, your display name is removed from your posts but the post content may remain visible in the community. If you wish to delete specific posts, do so before deleting your account, or contact privacy@backinpack.com.

What happens after deletion:

  • Data is removed from Firestore and Storage immediately upon confirmation
  • Firebase Authentication record is deleted within 24 hours
  • Google infrastructure backup retention may retain deleted data for up to 30 days before permanent erasure (Google's standard backup window)
  • Aggregated, anonymised analytics (if any) that cannot be re-linked to you are not deleted

To request deletion by email (if you cannot access the app), contact privacy@backinpack.com. We will process the request within 30 days.


8. Data Retention

Data type | Retention period
Active account data | Retained while your account is active
Community posts | Stored under display name only; display name removed on account deletion, post content may be retained
Deleted posts (removed by moderation) | 90 days (for appeal purposes), then permanently deleted
Push notification tokens | Deleted when you sign out or delete your account
Firebase infrastructure logs | 30 days (Google default)
Crash / error logs | 90 days

9. Children's Privacy

The App is not directed at children under the age of 13 (or 16 in the EU/EEA). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy@backinpack.com and we will delete it promptly.


10. Push Notifications

If you grant notification permission, we use your Firebase Cloud Messaging (FCM) token to send push notifications for:

  • Replies to your community threads
  • [Any future notification types will be listed here]

You can disable notifications at any time in your device Settings. Your FCM token is deleted when you sign out or delete your account.


11. Community Content & AI Moderation

Community posts and replies are processed by Google Gemini (server-side via Firebase Cloud Functions) to:

  • Detect and remove prohibited content (hate speech, spam, harassment)
  • Detect post language
  • Auto-translate posts to English, French, German, and Spanish

Post text is sent to Google's Gemini API. No account identifiers are included in the moderation request. Moderation decisions are logged in Firestore for 90 days to support appeals.

Community posts are stored under your display name only. Your underlying account details (email address, authentication provider, profile data) are not attached to or retrievable from your posts.


12. Security

We implement the following security measures:

  • Firebase App Check (AppAttest / Play Integrity / reCAPTCHA) validates that requests come from genuine app instances
  • All data in transit uses TLS 1.2+
  • All data at rest is encrypted (AES-256, Google-managed)
  • Access to Firebase project console is restricted to authorised personnel with MFA

Despite these measures, no system is completely secure. In the event of a data breach affecting your rights and freedoms, we will notify affected users and relevant authorities as required by applicable law (within 72 hours under GDPR).


13. Changes to This Policy

We may update this policy from time to time. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Notify you via in-app notification or email if the change materially affects how your data is used

Continued use of the App after changes are posted constitutes acceptance of the updated policy.


14. Contact Us

For privacy questions, rights requests, or complaints:

Email: privacy@backinpack.com
Response time: Within 30 days

Data controller:
Mark Goodlad
Switzerland

