Privacy Policy

1. Who we are

Ghost Trax Ltd (company number 17124252) ("we", "us", "our") is a GPS ghost-racing application available on iPhone and Apple Watch. This Privacy Policy explains how we collect, use, and protect your personal data when you use the Ghost Trax app or visit this website.

If you have questions about this policy, please contact us at privacy@ghosttraxapp.com.

2. Data we collect

We collect the following data when you use Ghost Trax:

• Account information — your email address and display name, provided when you sign up.
• GPS and location data — precise GPS coordinates recorded during your runs, rides, and walks. This data forms your "ghost" recordings and route polylines.
• Activity data — distance, duration, pace, and split times derived from your GPS recordings.
• Profile information — optional fields including a profile photo, bio, home location, and athlete level that you choose to provide.
• Social data — friend connections you initiate within the app, and the visibility settings you choose for your routes and ghosts.
• Device data — your device type (iPhone or Apple Watch) is recorded alongside each ghost to identify the recording source.
• Apple Sign In — if you choose to sign in with Apple, we receive an Apple-provided user identifier and, where you permit it, your name and either your real email address or an Apple-generated relay address. We do not receive your Apple ID password.

We do not collect advertising identifiers, browsing history, or any data unrelated to your use of the Ghost Trax service.

3. How we use your data

• To provide the core Ghost Trax service — recording, storing, and replaying your ghost GPS data.
• To enable social features — showing your routes and ghosts to friends or the public according to your chosen visibility settings.
• To allow ghost sharing — generating a unique, unguessable share link for ghosts you choose to share.
• To maintain your account and authenticate you securely.
• To communicate with you about your account (e.g. email verification, password reset).

We do not use your data for advertising, profiling, or any purpose beyond operating and improving the Ghost Trax service.

4. Location data

Ghost Trax requests access to your precise location to record GPS routes. Location data is only collected while you are actively recording a ghost or racing. We do not collect background location data outside of active recording sessions.

Your GPS data is stored securely on our servers. You control the visibility of your routes and ghosts — they can be private (only you), friends-only, or public. You may delete any ghost or route at any time from within the app, which permanently removes the GPS data from our servers.

5. Data storage and security

Your data is stored using Supabase, a secure cloud database and storage platform. All data is transmitted over HTTPS. Authentication is handled via Supabase Auth with industry-standard JWT tokens stored in your device's secure Keychain.

Ghost GPS recordings are stored as JSON files in a private storage bucket. Access is controlled by row-level security policies that ensure you can only access your own data, or data that has been explicitly shared with you.

6. Data sharing

We do not sell, rent, or share your personal data with third parties for commercial purposes. Your data may be shared in the following limited circumstances:

• With other Ghost Trax users — only data you choose to make visible (routes set to "friends" or "public", and ghosts shared via link).
• Service providers — Supabase processes and stores your data on our behalf under a data processing agreement.
• Legal requirements — if required by law or to protect the rights and safety of Ghost Trax and its users.

7. Your rights

Under GDPR and applicable data protection law, you have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectification — correct inaccurate data via your Profile settings in the app.
• Erasure — delete your account and all associated data at any time via Settings → Delete Account in the app.
• Portability — request your data in a machine-readable format.
• Objection — object to processing of your data in certain circumstances.

To exercise any of these rights, contact us at privacy@ghosttraxapp.com.

8. Data retention

• Active accounts — retained for as long as your account remains active.
• Account deletion — all associated data is permanently deleted immediately. Deletion is irreversible.
• Infrastructure backups — Supabase maintains automated backups for up to 30 days. Deleted data may persist in encrypted backups for up to 30 days before being permanently purged.
• Inactive accounts — accounts inactive for 24 months may be deleted after 30 days' notice by email.
• Support correspondence — emails may be retained for up to 3 years for legal and compliance purposes.

9. Children's privacy

Ghost Trax is not directed at children under 13. We do not knowingly collect personal data from children under 13.

10. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by updating the "Last updated" date at the top of this page.