Far — Privacy Policy
DRAFT — requires review by qualified counsel before publication.
Effective date: [DATE] Last updated: [DATE]
Far ("Far", "we", "us") is a backpacking trip-planning service operated by [LEGAL ENTITY NAME, ENTITY TYPE, REGISTERED ADDRESS] ("the Company"). This policy explains what personal information we collect, why, who receives it, and the rights you have over it. It is written to be read, not skimmed — it is short because Far collects little.
The one-paragraph version: Far stores the trips you plan — titles, dates, locations, routes, gear, and photos — so the service can work. Trip plans reveal where you will be and when, so we treat them as sensitive: they are private by default, never sold, never used for advertising, and never shared except with the service providers needed to run Far (listed in full below). We run no analytics trackers and no advertising. When you use an AI feature, a summary of the relevant trip data is sent to our AI provider to generate the answer. You can export your data and delete your account at any time.
1. Who is responsible for your data
[LEGAL ENTITY NAME] is the data controller for the purposes of the EU and UK GDPR and the equivalent responsible organization under PIPEDA (Canada), Quebec Law 25, the Australian Privacy Act, and the New Zealand Privacy Act 2020.
- Privacy contact: [privacy@far.app]
- Privacy Officer (required by PIPEDA and Quebec Law 25): [NAME / ROLE]
- EU representative (GDPR Art. 27, if the Company has no EU establishment): [NAME, ADDRESS or "Not yet appointed"]
- UK representative (UK GDPR Art. 27, if no UK establishment): [NAME, ADDRESS or "Not yet appointed"]
2. What we collect
Account data. Your email address (used as your sign-in identity), and — if you sign in with Google — your name and profile photo as provided by Google. Far has no passwords; sign-in is by Google or a one-time email link.
Trip data (treated as sensitive). Trip titles, descriptions, dates, a location name, map coordinates, drawn routes and waypoints, and difficulty labels. This data describes where you plan to be and when. It is private to your account by default and is only readable by you.
Gear data. Your gear inventory: item names, brands, weights, categories, notes, and named loadouts.
Uploads. Photos and GPX route files you choose to upload. These are stored in private object storage and linked only to your account.
Weather cache. When you view a trip's forecast, we cache the forecast for that trip's coordinates so we don't re-fetch it on every view.
AI usage counter. A count of AI-assistant questions you have asked on the free plan (used to enforce the free allowance). We do not store your AI chat transcripts.
Plan and trial status. Whether you are on the Free or Pro tier and when your trial ends.
Technical data. Your IP address is processed transiently for rate limiting (sign-in and upload abuse prevention) and appears in standard server logs held by our hosting provider. We set only the cookies strictly necessary for sign-in and security (see the Cookie Policy).
What we do NOT collect: passwords; payment card numbers ([when billing launches, payments will be handled by PAYMENT PROCESSOR, which receives your card details — we will see only subscription status]); real-time device location or GPS tracking; health or fitness data; analytics or behavioral tracking data; advertising identifiers.
3. Why we process it (and the legal basis)
| Purpose | Data | Legal basis (GDPR/UK GDPR) |
|---|---|---|
| Providing the service: storing and displaying your trips, routes, gear, uploads | Account, trip, gear, upload data | Contract performance (Art. 6(1)(b)) |
| Sign-in and account security, rate limiting, abuse prevention | Email, IP address, session cookies | Contract performance; legitimate interest in security (Art. 6(1)(f)) |
| AI features you invoke (trip assistant, plan generation, gear parsing, alert/permit summaries) | A textual summary of the relevant trip: title, location, dates, route distance/elevation, forecast, gear names and weights | Contract performance — the feature cannot work without it; used only when you invoke the feature |
| Weather forecasts, elevation, trail/park/permit lookups for your trip | Trip coordinates and location names sent to the providers in §7 | Contract performance |
| Transactional email (sign-in links; [future: receipts, renewal notices]) | Email address | Contract performance |
| Enforcing free-plan limits and trials | Plan tier, AI usage count, trial date | Contract performance |
| Legal compliance (tax, requests from authorities) | Minimal records as required | Legal obligation (Art. 6(1)(c)) |
We do not use your data to train AI models, and our contracts with AI providers [MUST BE VERIFIED: confirm Groq's current API data-usage terms — as of drafting, Groq states API inputs/outputs are not used for training] prohibit them from doing so.
We do no profiling and make no automated decisions with legal or similarly significant effects.
4. Marketing
Far currently sends no marketing email. If we introduce a newsletter or product announcements, they will be strictly opt-in (express consent, per CASL and GDPR), with one-click unsubscribe, and never a condition of using the service.
5. Sharing you control
Everything is private by default. One sharing feature exists: you can turn on a public link for a single trip's gear list. That page shows the trip title and the gear list with weights — it does not show your route, dates, or location. The page is excluded from search-engine indexing. Anyone with the link can view it until you turn sharing off. Turning sharing off disables the link immediately.
6. Who we share data with (service providers)
We share personal data only with the processors needed to operate Far. We do not sell personal information, and we do not "share" it for cross-context behavioral advertising (as those terms are defined in the CCPA/CPRA). The current list, kept up to date at [/legal/subprocessors]:
| Provider | Role | Data | Location |
|---|---|---|---|
| Vercel | Hosting, server logs, scheduled jobs | All service traffic, IP addresses | US/EU [VERIFY region config] |
| Neon | PostgreSQL database | All stored account/trip/gear data | [REGION] |
| Cloudflare (R2 object storage) | Storage of uploaded photos and GPX files | Your uploads | [REGION] |
| Upstash | Rate limiting (Redis) and background job queue (QStash) | Email addresses and IPs as short-lived rate-limit keys; job payloads | [REGION] |
| Groq | AI inference for AI features | Trip summaries as described in §3, only when you use an AI feature | US |
| OAuth sign-in (only if you choose it) | Your Google account email, name, photo | US | |
| [SMTP PROVIDER] | Sending sign-in link emails | Email address | [REGION] |
| Mapbox | Map rendering in your browser | Your IP address and the map area you view (which may correspond to your trip location) | US |
Loaded in your browser when you use the map and trip features (these services receive your IP address and the coordinates being looked up, but no account identity): Open-Meteo (weather, elevation); OpenStreetMap Nominatim (location search); Overpass API (trail data); Waymarked Trails and OpenFreeMap (trail overlays and map tiles); Esri/ArcGIS (satellite and topo imagery); AWS Open Data (terrain tiles); US National Park Service and Recreation.gov (park alerts and permit areas, US trips); Parks Canada and BC Parks (Canadian trips).
[INTERNAL — RESOLVE BEFORE PUBLISHING] The Overpass fallback mirror at
maps.mail.ru(operated by VK, Russia) receives trip coordinates when the primary Overpass endpoint fails. Sending EU users' planned-location data to a Russian-operated server has no available GDPR Chapter V transfer mechanism. Recommendation: remove the mirror (useoverpass.kumi.systemsor self-host) rather than disclose it.
7. International transfers
Far's providers process data primarily in [the United States / REGIONS]. Where data about EU, UK, or Swiss users is transferred to the US, we rely on [the EU–US Data Privacy Framework where the provider is certified, and/or Standard Contractual Clauses] — [VERIFY per provider: Vercel, Neon, Cloudflare, Upstash, Groq, Google, Mapbox]. For Canadian users, data is processed outside Canada; by using Far you acknowledge it may be accessible to authorities in those jurisdictions under their laws (PIPEDA openness requirement; Quebec Law 25 cross-border assessment on file: [YES/NO]).
8. Retention
Summary (full schedule at [/legal/data-retention]):
- Account, trip, gear, and upload data: kept until you delete the trip, the item, or your account.
- Account deletion removes all trips, routes, waypoints, gear, loadouts, uploads, and cached forecasts immediately (database cascade), and stored files within [30] days.
- Weather caches and AI response caches expire automatically on short TTLs.
- Rate-limit keys (email/IP) expire within hours.
- Server logs are retained by our host for [VERIFY Vercel log retention] days.
- [Billing records, once payments launch: retained as required by tax law, typically 7 years.]
9. Your rights
Depending on where you live (EU/UK GDPR, PIPEDA, Quebec Law 25, CCPA/CPRA, Australian Privacy Act, NZ Privacy Act 2020), you have the right to access, correct, export (portability), delete, and restrict or object to processing of your personal data, and to withdraw consent where processing is based on consent. Far implements these directly:
- Export: Settings → Export my data produces a machine-readable archive (JSON + GPX
- your uploaded files). [BLOCKER: endpoint not yet built.]
- Delete: Settings → Delete account permanently removes your data as described in §8. [BLOCKER: endpoint not yet built.]
- Anything else: email [privacy@far.app]. We respond within 30 days (or sooner where law requires). You will not be discriminated against for exercising any right.
You may complain to your supervisory authority: your EU Data Protection Authority, the UK ICO, the Office of the Privacy Commissioner of Canada, the Commission d'accès à l'information du Québec, the OAIC (Australia), or the OPC (New Zealand). California residents: we do not sell or share personal information, so no "Do Not Sell or Share" opt-out is required; our full CCPA disclosures are contained in §§2–3 and 6–8.
10. Security
Traffic is encrypted in transit (HTTPS/TLS). Data is encrypted at rest by our database and storage providers. There are no passwords to breach — sign-in is via Google or single-use email links. Every data query is scoped to the owning account. Uploads go to private storage via short-lived signed URLs with file-type and size limits. Rate limiting protects sign-in and upload endpoints. Details: [/legal/security] or security contact [security@far.app]. If a breach affects your data, we will notify you and the relevant regulator as required (GDPR 72-hour rule; PIPEDA/provincial and state equivalents).
11. Children
Far is not directed to children. You must be at least [16 — RECOMMENDED: 16 for EU simplicity; minimum 13 (COPPA) if counsel prefers] to create an account. We do not knowingly collect children's data; if you believe a child holds an account, contact [privacy@far.app] and we will delete it.
12. Changes
We will post changes here and update the date above. For material changes we will notify you by email or in-product notice before they take effect.