Privacy Policy

Effective date: 6 June 2025

1. Introduction
Thank you for trusting Pointrush ("Pointrush," "we," "us," or "our"). Your privacy is important to us. This Privacy Statement explains how we collect, use, disclose, and safeguard your information when you use the Pointrush web application, available at https://pointrush.nl and related domains (the "Service").
2. Who We Are
Pointrush is owned and operated by ABBOV automatisering, registered in the Netherlands. Email: privacy@pointrush.nl Postal address: Henry Dunantweg 138, 7242 HL Lochem, The Netherlands.
3. Scope of This Statement

This Privacy Statement applies to information we collect through the Service. It does not apply to third party websites or services that may be linked from our Service.

4. Information We Collect
CategoryExamplesPurpose
Account InformationName, email address, hashed password, authentication tokens (if you sign in with Google/Firebase Auth)Create and secure your account, identify you in the Service
Track & Waypoint DataTracks you create, waypoint coordinates, descriptions, visibility settings, media you uploadCore functionality: storing and displaying your content to you and (if you choose) to visitors
Device & Log DataIP address, browser type, operating system, referrer URL, access dates/times, actions performedProtect the Service, detect abuse, compile usage statistics, troubleshoot
Cookies & Local StorageSession ID, CSRF token, language preference, analytics identifier (if analytics enabled)Keep you signed in, remember preferences, measure performance
Support & FeedbackMessages, emails, bug reports, attached screenshotsRespond to inquiries, improve the Service

We do not knowingly collect sensitive personal data (e.g., health information, biometric data) or data from children under 16.

5. How We Use Your Information

We process your information only when we have a legal basis under the General Data Protection Regulation (GDPR):

  • To perform our contract with you – e.g., to create your account and let you build and share tracks.
  • Our legitimate interests – e.g., to prevent fraud, maintain security, and understand Service usage.
  • Your consent – e.g., where you choose to make tracks public or accept optional marketing communications.
  • Compliance with legal obligations – e.g., accounting and tax requirements or lawful disclosure requests.
6. Sharing & Disclosure

We never sell your personal data. We share it only as necessary:

RecipientReasonSafeguards
Google Cloud Firestore (EU multi region)Primary database & storageData encryption at rest and in transit; Standard Contractual Clauses if data leaves the EEA
Vercel, Inc.Hosting & content deliverySCCs + ISO 27001; data stored in EU regions where possible
Analytics provider (e.g., Plausible Analytics, Google Analytics 4)Aggregated usage insightsIP anonymisation; consent banner where required
Service providers (support, email, backups)Operate the ServiceBound by confidentiality and data processing agreements
Law enforcement or regulatorsLegal complianceOnly upon valid and binding request
7. International Transfers

We aim to keep your data within the European Economic Area (EEA). Where transfers outside the EEA occur (e.g., to Vercel or Google Cloud's US entities), we rely on:

  • Standard Contractual Clauses approved by the European Commission;
  • Adequacy decisions; or
  • Your explicit consent.
8. Security Measures
  • TLS encryption for data in transit.
  • Server side encryption at rest (Firestore default).
  • Least privilege access controls and role based permissions.
  • Automatic CI/CD security checks via GitHub.
  • Regular vulnerability assessments and dependency monitoring.

No internet transmission is 100% secure, but we implement industry standard measures to minimise risk.

9. Data Retention
Data TypeRetention Period
Account & track dataUntil you delete your account or content, or after 24 months of inactivity
BackupsEncrypted, rolling backups retained for up to 30 days
Logs90 days for security diagnostics
Financial/transaction records (if any)7 years (statutory)

We may anonymise data for analytical purposes; anonymised data is retained indefinitely.

10. Your Rights (GDPR)

You may exercise the following rights:

  • Access – Obtain a copy of your personal data.
  • Rectification – Correct inaccurate or incomplete data.
  • Erasure – "Right to be forgotten."
  • Restriction – Limit how we process your data.
  • Portability – Receive your data in a structured format.
  • Objection – Object to processing based on our legitimate interests.
  • Withdraw consent – Where we rely on consent, you may withdraw it at any time.
  • Complaint – Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

To exercise any right, email us at privacy@pointrush.nl. We will respond within one month (extendable by two months for complex requests).

11. Changes to This Privacy Statement

We may update this statement from time to time. If changes are material, we will provide notice (e.g., via email or prominent banner) and, where required, obtain your consent. All changes take effect once posted.

12. Contact Us

If you have questions or concerns about this Privacy Statement or our data practices, please contact:

Privacy Officer

Email: privacy@pointrush.nl

Address: Henry Dunantweg 138, 7242 HL Lochem, The Netherlands.