Privacy Policy
Last updated: January 8, 2026
1. Introduction
Welcome to Waymarker. We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our services.
Waymarker is operated by Rosbech Media Consult ApS (CVR: 39337975), a company registered in Denmark. We comply with the General Data Protection Regulation (GDPR), the Danish Data Protection Act (Databeskyttelsesloven), and other applicable data protection laws.
2. Data Controller
The data controller responsible for your personal data is:
If you have any questions about this Privacy Policy or our data practices, please contact us at the email address above.
3. Personal Data We Collect
We collect and process the following categories of personal data:
3.1 Account Information
- Full name - To personalize your experience
- Email address - For account authentication and communication
- Password - Securely hashed and stored for account access
- Profile picture - If you sign in with Google
3.2 Connected Services Data
When you connect your Strava account to Waymarker, we access:
- Strava athlete ID - To identify your account
- Activity data - GPS routes, names, dates, distances, and elevation data
- OAuth tokens - Securely stored to maintain your connection
We only request read access to your activities. We never post, modify, or delete anything on your Strava account. For more information about how Strava processes your data, please see Strava's Privacy Policy.
3.3 Usage Data (Analytics)
With your consent, we collect analytics data using PostHog to understand how visitors use our website. This may include:
- Pages visited and interactions
- Device type and browser information
- Approximate location (country/region level)
- Referral source
- Session duration
Analytics data is only collected if you consent via our cookie banner. You can withdraw consent at any time by clicking "Cookie Preferences" in our website footer.
3.4 Technical Data
We automatically collect certain technical data necessary for the operation of our service:
- IP address (for security and fraud prevention)
- Browser type and version
- Device information
3.5 User-Generated Content
When you use Waymarker, you may create and share:
- Map designs and poster configurations
- Route data from GPX uploads
- Published maps with titles and descriptions
- Comments and interactions on shared maps
4. Legal Basis for Processing
Under GDPR, we must have a legal basis for processing your personal data. We rely on the following legal bases:
4.1 Contract Performance (Article 6(1)(b) GDPR)
We process your account and service data to:
- Create and manage your account
- Provide the map creation and export services
- Enable Strava integration when you connect your account
- Provide customer support
4.2 Legitimate Interests (Article 6(1)(f) GDPR)
We process certain data based on our legitimate business interests:
- Fraud prevention and security monitoring
- Improving our services and user experience
- Administrative purposes and record-keeping
4.3 Consent (Article 6(1)(a) GDPR)
We only process certain data with your explicit consent:
- Analytics cookies (PostHog)
- Marketing communications (if you opt in)
You can withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
4.4 Legal Obligations (Article 6(1)(c) GDPR)
We may process your data to comply with legal obligations such as:
- Tax and accounting requirements
- Responding to lawful requests from authorities
5. How We Use Your Data
We use your personal data for the following purposes:
- Account Management: Creating and managing your Waymarker account
- Service Delivery: Providing map creation, Strava import, and export functionality
- Communication: Sending transactional emails, responding to inquiries
- Analytics: Understanding how our service is used to make improvements (with consent)
- Security: Protecting against fraud, abuse, and unauthorized access
- Community Features: Enabling map sharing, comments, and social interactions
6. Third-Party Service Providers
We use trusted third-party service providers to help operate our business. These providers process personal data on our behalf under Data Processing Agreements (DPAs):
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database hosting, authentication | USA (with SCCs) |
| PostHog | Analytics (with consent) | USA (with SCCs) |
| Vercel | Website hosting | USA (with SCCs) |
| MapTiler | Map tile services | Switzerland |
| Strava | Activity import (when connected) | USA |
SCCs = Standard Contractual Clauses, which provide appropriate safeguards for international data transfers as required by GDPR.
7. International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA), primarily in the United States. When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): EU-approved contractual terms that require the recipient to protect your data
- EU-US Data Privacy Framework: Where applicable, certified under the framework
8. Data Retention
We retain your personal data only for as long as necessary:
- Account data: For as long as your account is active, plus up to 5 years after deletion for legal/accounting purposes
- Published maps: Until you delete them or your account is closed
- Strava connection: Tokens are retained while connected; deleted when you disconnect
- Analytics data: Anonymized or deleted within 24 months
- Communication records: Up to 3 years for support and quality purposes
9. Your Rights Under GDPR
As a data subject, you have the following rights:
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data ("right to be forgotten")
- Right to Restriction: Request limited processing of your data
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
To exercise any of these rights, please contact us at hello@waymarker.eu. We will respond to your request within one month.
10. Complaints
If you believe we have not handled your personal data properly, you have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet):
11. Cookies
We use cookies and similar technologies on our website. For detailed information about the cookies we use and how to manage them, please see our Cookie Policy.
12. Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption of data in transit (HTTPS/TLS)
- Secure password hashing
- Access controls and authentication
- Regular security reviews
- Secure storage of OAuth tokens
While we strive to protect your personal data, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.
13. Children's Privacy
Our services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically.
15. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us: