Privacy Policy

Effective: July 10, 2026 – Version 2.4

1. Introduction and Scope

Protecting your personal data is important to us. This privacy policy applies to the mobile app "Shelto" (iOS and Android) as well as the website shelto.app. It informs you in accordance with Art. 13 and 14 GDPR about how we process your personal data.

Minimum age: Use of the app requires a minimum age of 16 years. Persons under 16 may only use the app with the consent of a parent or guardian.

2. Data Controller

Stansday UG (haftungsbeschränkt)

Oberer Kolberg 12

34212 Melsungen

Germany

E-Mail: support@stansday.com

Data Protection Officer: We are not required to appoint a Data Protection Officer (§ 38 BDSG / Art. 37 GDPR). For any data protection inquiries, please use the contact details above.

3. Categories of Personal Data

3.1 Account Data (upon registration)

  • Email address
  • Username
  • Password (stored encrypted using hashing)
  • Profile picture (optional)
  • Name (optional)

3.2 OAuth Authentication Data

When signing in via Google or Apple:

  • OAuth token and user ID from the provider
  • Name (if provided by the provider)
  • Email address (may be anonymized with Apple's Hide My Email)

3.3 Location and Navigation Data

Foreground Location (Art. 6(1)a – Consent):

  • GPS coordinates for map display and route planning
  • Only captured during active app usage

Background Location (Art. 6(1)a – Explicit consent required):

  • GPS coordinates during active navigation
  • Required for turn-by-turn navigation when app is minimized
  • Captured exclusively in the mobile app (iOS/Android) – the shelto.app website does not process any background location data
  • You can revoke this permission at any time in your device settings

3.4 GPX Routes and Activity Data

  • Created and saved routes (GPS coordinates, waypoints)
  • Elevation profile and surface data
  • Route descriptions and names

Note on Art. 9 GDPR: Pure GPX data without fitness metrics (heart rate, cadence, etc.) is not considered health data. Shelto does not collect fitness or health data.

3.5 User Content

  • Uploaded photos (POIs, routes, collections)
  • Comments and ratings
  • Created collections
  • Favorites and saved places (POIs)

3.6 Technical Data

  • Device ID (anonymized, platform-generated)
  • Operating system and version (iOS/Android)
  • App version
  • Push notification token (FCM)

3.7 Payment and Subscription Data

  • Subscription status (Free/Supporter/Supporter Pro)
  • Purchase history (via Apple App Store / Google Play)
  • RevenueCat customer ID

Note: Payment details (credit card, etc.) are processed exclusively by Apple/Google, not by us.

3.8 Newsletter Data (Website)

If you subscribe via our newsletter page, we process the following data:

  • Email address
  • Time of signup and confirmation (double opt-in)
  • Unsubscribe status

Provider & Legal Basis: The newsletter is delivered via our service provider Beehiiv, Inc. (USA). After submitting, you are redirected to a Beehiiv signup form where you confirm your email address via double opt-in. Legal basis is your consent pursuant to Art. 6(1)a GDPR. You may withdraw at any time via the unsubscribe link in every email.

3.9 Contact Form

When you use our contact form at /contact or /kontakt, we process:

  • Name
  • Email address
  • Subject (optional)
  • Message content
  • Time of the request

Purpose & Legal Basis: The data is used solely to handle your request and is delivered to support@shelto.de on our European infrastructure (Hetzner, Germany). Legal basis is Art. 6(1)f GDPR (legitimate interest in efficient communication) or Art. 6(1)b GDPR in case of pre-contractual contact.

3.10 Server Logfiles

When you visit our website, server logfiles are automatically created:

  • IP address
  • Date and time of the request
  • Requested URL and HTTP status code
  • Transferred data volume
  • User agent (browser, operating system)
  • Referer URL (previous page, if transmitted by the browser)

Purpose & Legal Basis: The logfiles serve IT security, error analysis and stable operation of our website (Art. 6(1)f GDPR). We do not combine them with other data sources and do not use them for marketing purposes.

4. Purposes and Legal Bases of Processing

PurposeDataLegal Basis
Providing app functionalityAccount data, routes, contentArt. 6(1)b GDPR (Contract)
Navigation and route planning (foreground)Location dataArt. 6(1)a GDPR (Consent)
Background navigationLocation dataArt. 6(1)a GDPR (Explicit consent)
Push notificationsFCM token, device IDArt. 6(1)a GDPR (Consent)
App analytics and improvementUsage data (anonymized)Art. 6(1)f GDPR (Legitimate interest)
Product analytics (PostHog)Event and usage data, screen views, user ID, subscription tier, device and app informationArt. 6(1)a GDPR (Consent)
Error and crash diagnostics (PostHog)Error type (error class), device and app informationArt. 6(1)a GDPR (Consent)
Subscription managementPurchase and subscription dataArt. 6(1)b GDPR (Contract)
Route export to third-party devicesRoute dataArt. 6(1)a GDPR (Consent)
Map displayLocation, map interactionsArt. 6(1)b GDPR (Contract)
Weather display for routesRoute/location coordinates (processed on our own servers)Art. 6(1)b GDPR (Contract)
Geocoding (location search)Search queries, approximate locationArt. 6(1)b GDPR (Contract)
IT security, abuse preventionTechnical data, logsArt. 6(1)f GDPR (Legitimate interest)
Newsletter deliveryEmail addressArt. 6(1)a GDPR (Consent)
Handling contact requestsName, email, subject, messageArt. 6(1)f or 6(1)b GDPR
Operational security & server loggingServer logfiles (IP, user agent, timestamp)Art. 6(1)f GDPR (Legitimate interest)

5. Recipients and Third Parties

We work with various service providers to deliver our app and website. Details on all recipients can be found in the full documentation.

  • Hetzner Cloud – Hosting (EU)
  • Google Firebase – Analytics, Push (USA, SCCs)
  • PostHog – Product analytics (app) (EU, Frankfurt)
  • RevenueCat – Subscription management (USA, SCCs)
  • OpenFreeMap (Hyperknot Software Kft.) – Map service/base maps (EU, Hungary – no IP logging by the provider)
  • Mapbox, Inc. – Satellite maps (Supporter Pro subscription only; map requests transmit IP address and user agent to Mapbox, retained for 30 days) (USA, DPF)
  • Komoot GmbH (Photon API) – Geocoding/location search (Germany)
  • Garmin, Wahoo, Hammerhead – Device integration (USA, SCCs)
  • Beehiiv, Inc. – Newsletter delivery (USA, SCCs)

Weather data: weather forecasts and severe weather warnings are processed on our own servers (Hetzner, EU). As data sources we use open data from Deutscher Wetterdienst (DWD) and the Copernicus Atmosphere Monitoring Service (CAMS). No personal data is transmitted to these providers.

6. Data Transfers to Third Countries

Some of our service providers are located outside the EU/EEA:

ProviderCountryLegal Basis for Transfer
Google (Firebase, Analytics)USAEU-Standardvertragsklauseln (SCCs)
RevenueCatUSAEU-Standardvertragsklauseln (SCCs), DPA
GarminUSAEU-Standardvertragsklauseln (SCCs)
WahooUSAEU-Standardvertragsklauseln (SCCs)
HammerheadUSAEU-Standardvertragsklauseln (SCCs)
Mapbox, Inc.USAEU-US Data Privacy Framework (DPF), DPA
Beehiiv, Inc.USAEU Standard Contractual Clauses (SCCs)

The USA is considered a third country. We have concluded EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)c GDPR with these providers, or the provider is certified under the EU-US Data Privacy Framework (DPF), in which case the adequacy decision pursuant to Art. 45 GDPR applies.

7. Data Retention

Data CategoryRetention Period
Account dataUntil account deletion + 30 days backup retention
Routes and contentUntil deletion by user or account deletion
Public routes/collectionsUntil unpublished or deleted
Location data (navigation)Only during active navigation (not permanently stored)
Analytics data (Firebase)14 months (Google Analytics standard)
Analytics data (PostHog)12 months
Analytics data (Website)14 months, only with consent
Payment data10 years (statutory retention requirement)
Server logs30 days
Push tokensUntil logout or token invalidation
Newsletter subscriber dataUntil withdrawal (unsubscribe link) or deletion of the subscription
Contact requests (email content)Until the request is fully handled + 6 months

8. Cookies and Tracking (Website)

8.1 Cookie Consent

Our website displays a cookie banner on first visit with the following options:

  • Necessary Cookies (always active): Session management, authentication
  • Analytics Cookies (optional): Google Analytics 4
  • Marketing Cookies (optional): Currently not used

You can withdraw your consent at any time via "Cookie Settings" in the footer.

8.2 Cookies Used

NameProviderPurposeDurationTyp
shelto_cookie_consentSheltoCookie consent status1 yearNecessary
_ga, _ga_*GoogleAnalytics2 yearsAnalytics

9. Automated Decision-Making and Profiling

Art. 22 GDPR – Profiling: No automated decision-making including profiling takes place that produces legal effects or similarly significantly affects you.

The display of "popular" routes is based on aggregated, non-personalized metrics (view counts, likes) and does not constitute profiling under GDPR.

10. Your Rights

You have the following rights under GDPR:

  • Access (Art. 15): You may request information about your stored personal data.
  • Rectification (Art. 16): You may request correction of inaccurate data.
  • Erasure (Art. 17): You may request deletion of your data ("right to be forgotten").
  • Restriction (Art. 18): You may request restriction of processing.
  • Data Portability (Art. 20): You may receive your data in a machine-readable format (JSON).
  • Objection (Art. 21): You may object to processing based on Art. 6(1)f.
  • Withdrawal (Art. 7(3)): You may withdraw consent at any time.

10.1 How to Exercise Your Rights

By Email: support@stansday.com

In the App:

  • Profile → Settings → Delete Account (complete data deletion)

Data Export (Art. 20 GDPR): On request via email to support@stansday.com we will provide the personal data you have supplied in a structured, commonly used and machine-readable format (JSON) within 30 days.

Response Time: We will process your request within one month (extendable by two further months for complex requests, Art. 12(3) GDPR).

11. Withdrawal of Consent

You can withdraw consent as follows:

ConsentHow to Withdraw
Location (foreground)iOS/Android Settings → Apps → Shelto → Location
Location (background)iOS/Android Settings → Apps → Shelto → Location → "Never"
Push notificationsiOS/Android Settings → Apps → Shelto → Notifications
In-app product analytics (PostHog)Profile → Product analytics → Withdraw consent
Analytics (Website)Cookie Settings in footer → Disable Analytics
Garmin/Wahoo/HammerheadProfile → Settings → Disconnect

12. Data Security

We implement technical and organizational measures to protect your data:

  • Transport Encryption: All data transfers via TLS 1.3/HTTPS
  • Password Security: Passwords hashed with bcrypt (non-reversible)
  • Access Control: Role-based access control, two-factor authentication for administrators
  • Server Security: Regular security updates, firewall, DDoS protection
  • Backup: Daily encrypted backups with 30-day retention
  • Penetration Testing: Regular security reviews

13. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is:

The Hessian Commissioner for Data Protection and Freedom of Information

Postfach 3163

65021 Wiesbaden, Germany

E-Mail: poststelle@datenschutz.hessen.de

https://datenschutz.hessen.de

You may also contact the supervisory authority in your place of residence.

14. Changes to This Privacy Policy

We reserve the right to update this privacy policy as needed. For material changes, we will notify you:

  • In the app via in-app notification
  • On the website via a banner

The current version is always available in the app under Profile → Privacy and on our website.

Questions about data protection?
Contact us: support@stansday.com

This privacy policy was last updated on July 10, 2026.

🍪 Cookie Settings

We use cookies for the best website experience. You can adjust your settings at any time. More in our Privacy Policy.

Necessary Cookies

Required for basic website functionality. Cannot be disabled.

Analytics Cookies

Help us understand how the website is used. Google Analytics 4 with IP anonymization.

Marketing Cookies

For personalized advertising and marketing campaigns. Track visitors across websites.