Privacy Policy

1. Information We Collect

Account Information

When you create an account, we collect information through our authentication provider, Clerk. This includes your name, email address, and profile picture. If you sign in through a third-party provider (such as Google or Apple), we receive the information you authorize that provider to share.

Trip Content

We collect photos, videos, and associated metadata (such as file names, timestamps, and file sizes) that you upload to your trips. Media is uploaded directly from your device to Cloudinary, our cloud media storage provider. We also store trip names, descriptions, member lists, and other organizational data you create within the Service.

Google Photos Data (Optional)

If you choose to connect your Google Photos account, we access your Google Photos library in read-only mode using the Google Photos Library API. We access only photo metadata (such as dates, dimensions, and media item IDs) and photo content that you explicitly choose to import into a trip. We store an encrypted OAuth refresh token on our servers to maintain your connection. We do not access, store, or process any Google Photos data beyond what is necessary to perform the import you initiate.

Usage Data

We automatically collect certain information when you access the Service, including your device type, operating system, browser type, IP address, general usage patterns, and interaction data. This data helps us maintain, improve, and secure the Service.

Cookies (Web Only)

Our web application uses cookies and similar technologies to maintain your session, remember your preferences, and ensure the security of your account. We do not use cookies for advertising or cross-site tracking.

2. How We Use Your Information

We use the information we collect for the following purposes:

• Provide and maintain the Service: enabling you to create trips, upload media, invite members, and share memories.
• Process and store your media: uploading, transforming, and delivering your photos and videos through Cloudinary.
• Import photos from connected services: if you connect Google Photos, we use the Google Photos Library API solely to retrieve and import photos you select into your OurTrail trips. Imported photos are stored via Cloudinary like any other uploaded media.
• Authenticate and secure your account: verifying your identity and protecting against unauthorized access via Clerk.
• Send service-related communications: account verification, security alerts, trip invitations, and important updates about the Service.
• Improve the Service: analyzing aggregate usage patterns to enhance performance, reliability, and user experience.

3. How We Store Your Data

Your data is distributed across trusted, industry-standard service providers:

• Media storage: Photos and videos are stored and delivered via Cloudinary, a third-party cloud media platform with enterprise-grade security.
• Account data: Authentication credentials and profile information are managed by Clerk, a dedicated authentication provider.
• Application data: Trip details, member relationships, favorites, and other app data are stored via Convex, a backend-as-a-service platform.

All data transmitted between your device and our services is encrypted using HTTPS/TLS. We implement appropriate technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction.

4. Third-Party Services

We rely on the following third-party services to operate OurTrail. Each service receives only the data necessary for its function:

Each third-party service operates under its own privacy policy. We encourage you to review their respective policies for details on how they handle your data.

5. Google API Services — Limited Use Disclosure

OurTrail's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We only access Google Photos data that you explicitly authorize through the OAuth consent screen.
• We use Google Photos data solely to import photos into your OurTrail trips — the feature you requested when connecting your account.
• We do not use Google Photos data for serving advertisements, including retargeting, personalized, or interest-based advertising.
• We do not allow humans to read your Google Photos data unless (a) we have your explicit consent, (b) it is necessary for security purposes (e.g., investigating abuse), (c) it is necessary to comply with applicable law, or (d) the data is aggregated and anonymized for internal operations.
• We do not transfer Google Photos data to third parties except as necessary to provide and improve the Service (e.g., storing imported photos in Cloudinary), with your consent, or as required by law.

6. Your Rights

For EU Users (GDPR)

If you are located in the European Economic Area, you have the following rights under the General Data Protection Regulation:

• Right of access: request a copy of the personal data we hold about you.
• Right to rectification: request correction of inaccurate or incomplete data.
• Right to erasure: request deletion of your personal data.
• Right to data portability: receive your data in a structured, commonly used format.
• Right to restrict processing: request that we limit how we use your data.
• Right to object: object to the processing of your personal data in certain circumstances.

For California Users (CCPA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

• Right to know: request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to delete: request deletion of your personal information.
• Right to opt-out: opt out of the sale of your personal information. Note: we do not sell personal information.
• Right to non-discrimination: we will not discriminate against you for exercising any of these rights.

Exercising Your Rights

To exercise any of the rights described above, please contact us at info@syntaxlabtechnology.com. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

7. Data Retention

• Active accounts: your data is retained for as long as your account remains active and you continue to use the Service.
• Soft-deleted media: when you delete photos or videos, they are moved to a trash folder and can be restored for up to 30 days. After 30 days, they are permanently and irreversibly deleted from all systems.
• Account deletion:if you request deletion of your account, all associated data -- including trips, media, and profile information -- will be permanently removed within 30 days. Backup copies may take up to an additional 30 days to be purged from our third-party providers' systems.
• Google Photos tokens: if you disconnect your Google Photos account, your encrypted OAuth tokens are deleted immediately. If you delete your OurTrail account, all Google-related tokens and data are permanently removed alongside your other data.

8. Children's Privacy

OurTrail is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13 in compliance with the Children's Online Privacy Protection Act (COPPA). If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at info@syntaxlabtechnology.com, and we will promptly delete such information from our systems.

9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by email or through an in-app notification and update the "Last updated" date at the top of this page. We encourage you to review this policy periodically for the latest information on our privacy practices.

10. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: