Privacy Policy

1. Who we are

SkateMap ("SkateMap", "we", "us") is operated by [LEGAL_ENTITY_NAME], an individual / entity established in Spain. We are the data controller for personal data described in this policy.

For privacy questions, requests, or complaints, contact us at [PRIVACY_CONTACT_EMAIL].

You have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) or your local EU supervisory authority.

2. What we collect

2.1 Today (Phase 0)

• Account data: email address and a hashed password (or OAuth identifier when you sign in with a third-party provider).
• Authentication metadata: session tokens, login timestamps, IP address of the device that authenticated.
• Error telemetry: when something crashes in the app, we record the stack trace, the URL, your browser/OS, your IP, and a short session replay (a recording of mouse movements and clicks with text inputs masked). This is processed by Sentry on our behalf.
• Server logs: standard request logs (IP, user agent, timestamp, status code) kept by our hosting providers for security and debugging.

2.2 Planned (later phases)

As SkateMap features launch, we will start collecting additional categories. We will update this section before each category goes live:

• Profile: display name, optional bio, profile picture, stance, skill level — only what you choose to publish.
• Location: when you choose to use the map, your device's approximate location to center the map. We do not track your background location.
• User-generated content: spots, photos, videos, comments, broadcasts, and sessions that you publish.
• Interactions: spots you check in to, content you save, accounts you follow.
• Reports + moderation records: if you report content or are reported, we keep the report and the moderation outcome.
• Payment data: for the future marketplace and DIY donation features, payment processors (Stripe and similar) will collect card data directly; we will only see transaction metadata.

3. Why we use it (legal bases)

Under Article 6 of the GDPR, we rely on the following lawful bases:

• Contract: account creation, authentication, delivery of features you request, and moderation needed to operate the service.
• Legitimate interests: security, fraud prevention, error monitoring, abuse moderation, and aggregate analytics about how the service is used. We balance these against your rights and only use the data necessary to achieve the purpose.
• Consent: optional features such as marketing emails, non-essential cookies, and access to your precise location. You can withdraw consent at any time without affecting prior processing.
• Legal obligation: when we must retain or disclose data to comply with applicable law (for example, responding to a valid court order).

4. Who processes data on our behalf

We use the following sub-processors to run SkateMap. All of them are bound by data processing agreements and either operate in the EU or transfer data under Standard Contractual Clauses approved by the European Commission.

• Supabase (US / EU) — database, authentication, storage.
• Vercel (US / EU edge) — web and admin hosting.
• Railway (US) — backend API hosting.
• Sentry (EU region) — error monitoring and session replay.
• Inngest (US) — background job processing.
• Mapbox (US) — map tiles and geocoding (when the map ships).
• Cloudflare R2 (global) — media storage (when photo/video upload ships).
• Mux (US) — video transcoding (when video ships).

We do not sell your personal data or share it with advertisers.

5. Cookies and local storage

SkateMap uses strictly necessary cookies and local storage for authentication (keeping you signed in) and for security (CSRF tokens). These are exempt from consent under the ePrivacy Directive.

When we add analytics or any non-essential tracking in a later phase, we will request your consent first and update this section accordingly.

6. International transfers

Some of our sub-processors are located in the United States. Where data leaves the European Economic Area, we rely on Standard Contractual Clauses and supplementary measures (encryption in transit and at rest) to ensure your data receives an essentially equivalent level of protection.

7. Retention

• Account data: kept while your account is active and for up to 30 days after you delete it, then permanently erased.
• Error telemetry: 90 days (Sentry default), then auto-deleted.
• Server logs: 30 days.
• Moderation records: kept as long as needed to enforce community rules and respond to complaints, typically 2 years.
• Backups: encrypted backups are kept for up to 35 days for disaster recovery, then overwritten.

8. Your rights

Under the GDPR, you have the right to:

• Request a copy of the personal data we hold about you (right of access).
• Correct inaccurate or incomplete data (rectification).
• Ask us to delete your data (erasure / "right to be forgotten").
• Restrict how we use your data (restriction).
• Receive your data in a portable format (portability).
• Object to processing based on legitimate interests.
• Withdraw consent at any time, where consent is the lawful basis.
• Lodge a complaint with the AEPD or your local supervisory authority.

To exercise any of these rights, email [PRIVACY_CONTACT_EMAIL]. We will respond within one month.

9. Minors

SkateMap is not directed at children under 14. The age of digital consent in Spain is 14; in other EU member states it ranges from 13 to 16. If you are under the age of digital consent in your country, you may only use SkateMap with verifiable consent from a parent or legal guardian.

If we learn that we have collected personal data from a child under the applicable age without proper consent, we will delete it.

10. Security

We protect your data with encryption in transit (TLS) and at rest, scoped database access policies (row-level security), least-privilege service credentials, and routine security review. No system is perfectly secure; in the event of a breach affecting your rights and freedoms, we will notify you and the AEPD within 72 hours as required by Article 33 GDPR.

11. Changes to this policy

We will post any material changes to this page with an updated "Last updated" date and notify registered users by email at least 7 days before they take effect.