Privacy Policy

1.1 Account & Identity

• Email address — Required to create an account, receive your daily briefing, campsite availability alerts, trip notifications, and account communications.
• Name (optional) — Used to personalize your briefing greeting.
• Subscription status — Tier (Free/Base/Pro), billing cycle, and feature entitlements.

1.2 Location & Activity Preferences

• Saved Locations — Geographic coordinates (lat/lon) of mountain locations you save for personalized condition monitoring. Stored server-side and associated with your account.
• Saved Spots — Trailheads, campgrounds, and peaks you bookmark (tier-limited: Free=2, Base=10, Pro=unlimited).
• Activity preferences — Activities you follow (hiking, camping, skiing, hunting, fishing, etc.) used to filter briefing content.
• Campground watchlist — Campgrounds you monitor for availability alerts.
• Bucket list items — Saved trails, campgrounds, and fishing spots with visited status.

1.3 Trip Safety Data

• If you use the Trip Safety feature: planned route, departure location, expected return time, waypoint descriptions, and emergency contact information (names and email addresses).
• Check-in events (departure, waypoint, safe return) are recorded as immutable log entries with timestamp.
• Emergency contacts are stored solely to enable overdue-trip notifications — they are never used for marketing or shared beyond the trip notification function.

1.4 Community Reports

• If you submit trail condition reports, dog hazard reports, or wildlife sightings, that content is stored and displayed within the Service. Do not include personally identifying information in community submissions.
• Community reports are associated with your anonymous visitor fingerprint, not your email, by default.

1.5 Usage & Technical Data

• Page views and feature interactions — Which features you use, how often, and in what sequence. Used for product analytics and improvement.
• Device and browser info — User agent, viewport, approximate timezone. Used for compatibility and rendering.
• IP address — Logged for security, abuse prevention, and approximate geolocation (state/region level only). Not used for advertising.
• Visitor fingerprint — A pseudonymous identifier (stored in localStorage) used to associate anonymous actions across sessions without requiring login. Not linked to your email unless you choose to log in.

1.6 Legal Acceptances

• If you accept our federal land liability, SOS, or other typed-signature disclaimers, we record: your identifier, typed name, disclaimer type and version, IP address, user agent, and timestamp. This record is immutable and retained for legal compliance.

2.1 How Location is Collected

PeakScout does not continuously track your real-time GPS position. Location data is collected only through explicit user actions:

• Saved Locations — You manually enter or search for a location; we store the coordinates.
• Discovery / "What's Open Now" — If you grant browser geolocation permission, your approximate coordinates are used to fetch nearby conditions. This is a one-time query per session, not continuous tracking.
• Trip Plans — You enter your planned destination coordinates or trailhead name.

2.2 Storage and Retention

Saved location coordinates are retained for the life of your account. Discovery queries (one-time geolocation) are cached for 30 minutes in an anonymized bucket (rounded to ~10km precision) and not linked to your account identity.

2.3 Sharing Location Data

Your saved location coordinates are transmitted to third-party weather and conditions APIs (NOAA/NWS, Open-Meteo, USGS) as query parameters to fetch relevant data. These are outbound queries with no user identity attached — the APIs receive coordinates, not your email or account ID.

2.4 Anonymization

Discovery and "What's Open Now" queries use coordinate buckets (rounded latitude/longitude) rather than precise GPS coordinates. We cannot re-identify your precise location from bucketed data.

• Service delivery — Sending daily briefings, campsite alerts, trip overdue notifications, permit availability alerts, and seasonal event countdowns.
• Personalization — Tailoring your briefing content to your saved locations, activities, and preferences.
• Safety — Notifying your emergency contacts if a trip plan goes overdue.
• Billing & subscription management — Processing payments and managing subscription status via Stripe. Applying referral credits and alert credits.
• Product improvement — Aggregate analytics on feature usage to prioritize development.
• Security & abuse prevention — Detecting unauthorized access, bot activity, and fraudulent transactions.
• Legal compliance — Meeting obligations under applicable federal and state law, including disclaimer acceptance recordkeeping.

We do not use your data for behavioral advertising, user profiling for ad targeting, sale to data brokers, or any commercial purpose beyond operating PeakScout.

We share data with the following third parties, for the specified purposes only:

We do not share your personal data with any advertising networks, data brokers, or parties not listed above.

Under the California Consumer Privacy Act (CCPA), California residents have the following rights:

• Right to Know — You may request a list of the personal information we have collected about you, the categories of sources, business purposes for collection, and categories of third parties with whom it is shared.
• Right to Delete — You may request deletion of personal information we have collected, subject to legal exceptions (e.g., legal retention obligations).
• Right to Opt-Out of Sale — We do not sell personal information. There is nothing to opt out of, but you have this right and we honor it.
• Right to Non-Discrimination — We will not discriminate against you for exercising any CCPA right.
• Right to Correct — You may request correction of inaccurate personal information.

To submit a CCPA request, email peakscout@polsia.app with subject line "CCPA Request." We will respond within 45 days. We may request verification of your identity before processing your request.

In the 12 months prior to the effective date of this policy, we have not sold or disclosed California consumers' personal information to third parties for commercial purposes.

PeakScout is a U.S.-based service focused on U.S. outdoor recreation. We do not actively target users in the European Economic Area (EEA) or United Kingdom. If you choose to access the Service from the EEA or UK, your data will be processed in the United States.

For EEA/UK users, our legal bases for processing personal data are:

• Contract performance — Processing necessary to deliver the Service you subscribed to.
• Legitimate interests — Security, fraud prevention, product analytics (where not overridden by your interests).
• Legal obligation — Where processing is required by applicable law.
• Consent — For push notifications and optional marketing communications (separately collected).

EEA/UK residents may have the right to lodge a complaint with their local data protection authority. Contact peakscout@polsia.app to exercise GDPR rights — we will respond within 30 days.

PeakScout is not directed to children under 13. We do not knowingly collect personal information from children under 13. If a parent or guardian believes their child has provided us with personal information, please contact peakscout@polsia.app immediately and we will delete that information promptly.

Users between 13 and 17 must have parental consent. If we discover an account belongs to a user under 13 without parental consent, we will terminate the account and delete associated data.

PeakScout uses the following types of cookies and local storage:

We do not use third-party advertising cookies, retargeting pixels, or cross-site tracking for ad delivery. You can disable cookies in your browser settings, but session cookies are required for login and some features will not work without them.

PeakScout supports browser-based web push notifications for campsite availability alerts, trip overdue alerts, and condition updates. Push notification delivery requires:

• Explicit browser permission — You must grant push permission in your browser. We request this permission only when you opt into a specific alert type.
• Subscription token — Your browser provides a push endpoint URL (VAPID subscription) which we store to send alerts. This token is device-specific and not linked to personal identity unless you are logged in.

To revoke push notification consent: use your browser's site settings to remove push permission for peakscout.polsia.app. You can also manage notification preferences in your account settings. Revoking push permission does not affect email alerts.

All payment processing is handled by Stripe, Inc., a PCI DSS Level 1 certified payment processor. PeakScout never receives, stores, or processes raw payment card data (card numbers, CVV, expiry).

When you subscribe or make a purchase:

• Stripe collects your card details directly via their hosted checkout or embedded Elements
• PeakScout receives from Stripe: a customer ID, subscription ID, payment status, and last-four digits of the card for display purposes only
• Your billing address may be passed to Stripe for fraud and tax purposes

For questions about Stripe's data practices, see the Stripe Privacy Policy.

Regardless of your location, you have the following rights:

• Access — Request a copy of the personal data we hold about you
• Correction — Request correction of inaccurate or incomplete data
• Deletion — Request deletion of your account and personal data (subject to legal retention obligations)
• Portability — Request your data in a machine-readable format (JSON)
• Opt-out of communications — Unsubscribe from briefing emails via the unsubscribe link in any email, or update notification preferences in your account
• Withdraw consent — Revoke push notification permission through browser settings

To exercise any right, email peakscout@polsia.app with subject line "Privacy Request" and describe your request. We respond within 45 days. We may need to verify your identity before processing the request.

We implement industry-standard security controls including:

• TLS encryption for all data in transit
• AES-256-GCM encryption for OAuth tokens and sensitive credentials at rest
• Parameterized queries throughout — no raw SQL string interpolation
• Access controls limiting database and infrastructure access to authorized personnel
• Sandbox isolation for agent-executed code — production credentials are blocked from agent environments by default

No method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we take reasonable precautions and maintain incident response procedures.

In the event of a data security breach that affects your personal information, we will:

• Notify affected users by email within 72 hours of becoming aware of the breach, to the extent practicable
• Notify applicable regulatory authorities as required by law (GDPR Article 33, CCPA, state breach notification statutes)
• Describe the nature of the breach, the data affected, likely consequences, and steps taken to mitigate harm
• Provide a dedicated contact channel for breach-related inquiries

If you suspect unauthorized access to your account, immediately email peakscout@polsia.app with subject line "Security Incident."

We may update this Privacy Policy from time to time. We will notify you of material changes by email to your registered address at least 14 days before the changes take effect. The "Effective" date at the top of this policy reflects the date of the most recent revision. Continued use of the Service after changes take effect constitutes your acceptance of the revised policy.

For historical versions of this policy, contact us at the email below.

Privacy questions, data requests, or security concerns:

• Email: peakscout@polsia.app
• Subject line for privacy requests: "Privacy Request"
• Subject line for security incidents: "Security Incident"
• Response time: Within 45 days for privacy requests; within 72 hours for security reports
• Operated by: PeakScout, powered by Polsia Inc.