PRIVACY POLICY

Last updated: 31 May 2026

Who runs paddlesnitch.com

paddlesnitch.com is run by Baldur Gudbjornsson, the data controller for this service. For questions or requests about your personal data, email privacy@paddlesnitch.com. The site is hosted on Amazon Web Services in the eu-west-1 region (Ireland).

What data we collect

We only collect data you give us by signing up and using the site:

  • Email address — used to sign you in.
  • Display name — shown to other users on leaderboards.
  • Password hash — held by Amazon Cognito; we never see your plaintext password.
  • GPS traces you upload — the raw file (GPX, FIT, or CSV) and the derived race result (elapsed time, 500 m splits).
  • Crew names and seat numbers — if you submit on behalf of a multi-person boat.
  • Race date — the date you raced, as you entered it.
  • Boat class — K1, 2X, 8+, etc.

Heart-rate and cadence are explicitly discarded at parse time, even if your GPS file contains them. We never store, display, or transmit biometric data.

Why we hold this data (legal basis)

We process this data under performance of a contract (UK GDPR Art. 6(1)(b)): you sign up to use the service, and the service cannot rank your time without knowing who you are, what boat you raced in, and what your GPS trace says. We do not process your data for any other purpose — no marketing, no analytics, no profiling.

How long we keep it

We hold your data for as long as your account exists. You can delete it at any time from your account page — that removes your user record, all courses and trials you created, all entries you submitted, and rebuilds any affected leaderboards. The deletion is immediate and irreversible.

Your rights

Under UK GDPR you can:

  • Access a copy of your data — use the "Download my data" button on your account page.
  • Erase your data — use the "Delete my account" button on your account page.
  • Rectify incorrect data — email us; for display name you can also edit it in Cognito.
  • Port your data — the export download is a machine-readable JSON file.
  • Object or restrict processing — email us.
  • Complain to the Information Commissioner's Office (ico.org.uk) if you think we've mishandled your data.

Cookies

We set two cookies, both strictly necessary for signing you in:

  • tt_id — your sign-in token (a signed JWT from Cognito). 24-hour lifetime.
  • tt_refresh — used to keep you signed in across sessions. 30-day lifetime.

We do not use analytics cookies, advertising cookies, or any third-party trackers. The map tiles are fetched from CARTO and OpenStreetMap and do not receive any of your personal data.

Third parties we share data with

We use a small number of processors to run the service:

  • Amazon Web Services (eu-west-1, Ireland) — hosting, user pool (Cognito), and storage (S3).
  • Amazon SES — to send transactional emails (sign-in codes, password resets) from noreply@paddlesnitch.com.
  • CARTO and OpenStreetMap — map background tiles. Their servers see your IP and the map tile you requested; they do not see any of your account data.

We do not sell your data, share it with advertisers, or transfer it outside the European Economic Area.

Changes to this policy

If we change how we handle your data we'll update this page and bump the "last updated" date at the top. For significant changes (new categories of data, new processors) we'll email registered users before the change takes effect.

Contact