Effective: July 10, 2026 – Version 2.4
Protecting your personal data is important to us. This privacy policy applies to the mobile app "Shelto" (iOS and Android) as well as the website shelto.app. It informs you in accordance with Art. 13 and 14 GDPR about how we process your personal data.
Minimum age: Use of the app requires a minimum age of 16 years. Persons under 16 may only use the app with the consent of a parent or guardian.
Data Protection Officer: We are not required to appoint a Data Protection Officer (§ 38 BDSG / Art. 37 GDPR). For any data protection inquiries, please use the contact details above.
When signing in via Google or Apple:
Foreground Location (Art. 6(1)a – Consent):
Background Location (Art. 6(1)a – Explicit consent required):
Note on Art. 9 GDPR: Pure GPX data without fitness metrics (heart rate, cadence, etc.) is not considered health data. Shelto does not collect fitness or health data.
Note: Payment details (credit card, etc.) are processed exclusively by Apple/Google, not by us.
If you subscribe via our newsletter page, we process the following data:
Provider & Legal Basis: The newsletter is delivered via our service provider Beehiiv, Inc. (USA). After submitting, you are redirected to a Beehiiv signup form where you confirm your email address via double opt-in. Legal basis is your consent pursuant to Art. 6(1)a GDPR. You may withdraw at any time via the unsubscribe link in every email.
When you use our contact form at /contact or /kontakt, we process:
Purpose & Legal Basis: The data is used solely to handle your request and is delivered to support@shelto.de on our European infrastructure (Hetzner, Germany). Legal basis is Art. 6(1)f GDPR (legitimate interest in efficient communication) or Art. 6(1)b GDPR in case of pre-contractual contact.
When you visit our website, server logfiles are automatically created:
Purpose & Legal Basis: The logfiles serve IT security, error analysis and stable operation of our website (Art. 6(1)f GDPR). We do not combine them with other data sources and do not use them for marketing purposes.
| Purpose | Data | Legal Basis |
|---|---|---|
| Providing app functionality | Account data, routes, content | Art. 6(1)b GDPR (Contract) |
| Navigation and route planning (foreground) | Location data | Art. 6(1)a GDPR (Consent) |
| Background navigation | Location data | Art. 6(1)a GDPR (Explicit consent) |
| Push notifications | FCM token, device ID | Art. 6(1)a GDPR (Consent) |
| App analytics and improvement | Usage data (anonymized) | Art. 6(1)f GDPR (Legitimate interest) |
| Product analytics (PostHog) | Event and usage data, screen views, user ID, subscription tier, device and app information | Art. 6(1)a GDPR (Consent) |
| Error and crash diagnostics (PostHog) | Error type (error class), device and app information | Art. 6(1)a GDPR (Consent) |
| Subscription management | Purchase and subscription data | Art. 6(1)b GDPR (Contract) |
| Route export to third-party devices | Route data | Art. 6(1)a GDPR (Consent) |
| Map display | Location, map interactions | Art. 6(1)b GDPR (Contract) |
| Weather display for routes | Route/location coordinates (processed on our own servers) | Art. 6(1)b GDPR (Contract) |
| Geocoding (location search) | Search queries, approximate location | Art. 6(1)b GDPR (Contract) |
| IT security, abuse prevention | Technical data, logs | Art. 6(1)f GDPR (Legitimate interest) |
| Newsletter delivery | Email address | Art. 6(1)a GDPR (Consent) |
| Handling contact requests | Name, email, subject, message | Art. 6(1)f or 6(1)b GDPR |
| Operational security & server logging | Server logfiles (IP, user agent, timestamp) | Art. 6(1)f GDPR (Legitimate interest) |
We work with various service providers to deliver our app and website. Details on all recipients can be found in the full documentation.
Weather data: weather forecasts and severe weather warnings are processed on our own servers (Hetzner, EU). As data sources we use open data from Deutscher Wetterdienst (DWD) and the Copernicus Atmosphere Monitoring Service (CAMS). No personal data is transmitted to these providers.
Some of our service providers are located outside the EU/EEA:
| Provider | Country | Legal Basis for Transfer |
|---|---|---|
| Google (Firebase, Analytics) | USA | EU-Standardvertragsklauseln (SCCs) |
| RevenueCat | USA | EU-Standardvertragsklauseln (SCCs), DPA |
| Garmin | USA | EU-Standardvertragsklauseln (SCCs) |
| Wahoo | USA | EU-Standardvertragsklauseln (SCCs) |
| Hammerhead | USA | EU-Standardvertragsklauseln (SCCs) |
| Mapbox, Inc. | USA | EU-US Data Privacy Framework (DPF), DPA |
| Beehiiv, Inc. | USA | EU Standard Contractual Clauses (SCCs) |
The USA is considered a third country. We have concluded EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)c GDPR with these providers, or the provider is certified under the EU-US Data Privacy Framework (DPF), in which case the adequacy decision pursuant to Art. 45 GDPR applies.
| Data Category | Retention Period |
|---|---|
| Account data | Until account deletion + 30 days backup retention |
| Routes and content | Until deletion by user or account deletion |
| Public routes/collections | Until unpublished or deleted |
| Location data (navigation) | Only during active navigation (not permanently stored) |
| Analytics data (Firebase) | 14 months (Google Analytics standard) |
| Analytics data (PostHog) | 12 months |
| Analytics data (Website) | 14 months, only with consent |
| Payment data | 10 years (statutory retention requirement) |
| Server logs | 30 days |
| Push tokens | Until logout or token invalidation |
| Newsletter subscriber data | Until withdrawal (unsubscribe link) or deletion of the subscription |
| Contact requests (email content) | Until the request is fully handled + 6 months |
Our website displays a cookie banner on first visit with the following options:
You can withdraw your consent at any time via "Cookie Settings" in the footer.
| Name | Provider | Purpose | Duration | Typ |
|---|---|---|---|---|
| shelto_cookie_consent | Shelto | Cookie consent status | 1 year | Necessary |
| _ga, _ga_* | Analytics | 2 years | Analytics |
Art. 22 GDPR – Profiling: No automated decision-making including profiling takes place that produces legal effects or similarly significantly affects you.
The display of "popular" routes is based on aggregated, non-personalized metrics (view counts, likes) and does not constitute profiling under GDPR.
You have the following rights under GDPR:
By Email: support@stansday.com
In the App:
Data Export (Art. 20 GDPR): On request via email to support@stansday.com we will provide the personal data you have supplied in a structured, commonly used and machine-readable format (JSON) within 30 days.
Response Time: We will process your request within one month (extendable by two further months for complex requests, Art. 12(3) GDPR).
You can withdraw consent as follows:
| Consent | How to Withdraw |
|---|---|
| Location (foreground) | iOS/Android Settings → Apps → Shelto → Location |
| Location (background) | iOS/Android Settings → Apps → Shelto → Location → "Never" |
| Push notifications | iOS/Android Settings → Apps → Shelto → Notifications |
| In-app product analytics (PostHog) | Profile → Product analytics → Withdraw consent |
| Analytics (Website) | Cookie Settings in footer → Disable Analytics |
| Garmin/Wahoo/Hammerhead | Profile → Settings → Disconnect |
We implement technical and organizational measures to protect your data:
You have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is:
The Hessian Commissioner for Data Protection and Freedom of Information
Postfach 3163
65021 Wiesbaden, Germany
E-Mail: poststelle@datenschutz.hessen.de
You may also contact the supervisory authority in your place of residence.
We reserve the right to update this privacy policy as needed. For material changes, we will notify you:
The current version is always available in the app under Profile → Privacy and on our website.
Questions about data protection?
Contact us: support@stansday.com
This privacy policy was last updated on July 10, 2026.
We use cookies for the best website experience. You can adjust your settings at any time. More in our Privacy Policy.
Required for basic website functionality. Cannot be disabled.
Help us understand how the website is used. Google Analytics 4 with IP anonymization.
For personalized advertising and marketing campaigns. Track visitors across websites.