Who we are
Rastros is operated by GBS Tecnologia LTDA, a Brazilian limited liability company (sociedade empresária limitada) registered in Brazil. This privacy policy explains what personal data we collect when you use Rastros at https://rastros.app, why we collect it, how long we keep it, and the rights you have over it under the General Data Protection Regulation (GDPR) in the EU/UK, the Lei Geral de Proteção de Dados (LGPD) in Brazil, and the California Consumer Privacy Act (CCPA/CPRA) in California — among other state laws in the US.
If you have any question about this policy or want to exercise your rights, contact us at [email protected].
What we collect and why
| What | Why | Legal basis (GDPR / LGPD) |
|---|---|---|
| Email and name from Google sign-in | To create and identify your account | Contract performance |
| Content you upload — books, routes (GPX/FIT files and the GPS points inside them), memories (text, photos, videos, audio) | To provide the service you signed up for | Contract performance |
| Subscription identifiers (Stripe customer ID, subscription ID, invoice metadata) | To bill, generate receipts, and apply feature limits | Contract performance |
| Anonymous product analytics events (page views, feature interactions) | To understand how Rastros is used and improve it | Consent (you can opt in or out at any time via the Cookies link in the footer) |
| Server logs (IP address, request path, timestamp) for a short retention window | To debug, prevent abuse, and meet legal logging obligations | Legitimate interest |
We do not sell your personal data. We do not share it with third parties for marketing.
Where your data lives
| Data | Provider | Region |
|---|---|---|
| Account, content, billing identifiers (database) | SQL-like database | EU and Brazil |
| Photos, videos, audio uploads | S3-like object storage | EU and Brazil |
| Authentication | Google OAuth (Google LLC) | Global |
| Payment processing | Stripe, Inc. | US (with EU-standard contractual clauses) |
| Anonymous product analytics | PostHog Inc. | EU (eu.i.posthog.com) |
| Map tiles | Mapbox, Inc. | Global |
These providers act as sub-processors on our behalf. We have data-processing agreements where applicable, and they are restricted to what they need to perform their function.
How long we keep things
| Data | Retention |
|---|---|
| Account data (email, name) | While your account is active. After account deletion, removed within 30 days; backups expire within a further 30 days |
| Content you uploaded | Same as account data |
| Subscription / billing records | 5 years after the last transaction (legal/tax obligation) |
| Analytics events (PostHog) | 12 months unless you opt out earlier |
| Server logs | 30 days |
| Consent records (audit of accept/reject) | 3 years after the last decision (LGPD demonstrability) |
When you delete your account, we erase or anonymize the data above within the windows shown. We may keep aggregate, fully-anonymized data indefinitely for product improvement.
Cookies and similar technologies
| Cookie / storage | Purpose | Strictly necessary? |
|---|---|---|
| better-auth.session_token (cookie) | Keep you logged in | Yes |
| PARAGLIDE_LOCALE (cookie) | Remember your language choice | Functional — required for the language switcher |
| ph_*_posthog (cookie + localStorage) | Anonymous product analytics | No — opt-in only |
| __stripe_* (cookies, on the checkout flow only) | Stripe fraud prevention during payment | Conditional — set only when you start a checkout |
You can change your choice at any time via the Cookies link in the footer. The link doubles as our California "Do Not Sell or Share My Personal Information" entry point.
If your browser sends a Do Not Track signal, we treat it as an opt-out and skip the cookie banner entirely.
Your rights
Under GDPR (EU/UK), LGPD (Brazil), CCPA/CPRA (California), and similar laws elsewhere, you have rights to:
- Access the personal data we hold about you.
- Rectify inaccurate data.
- Erase your data ("right to be forgotten").
- Export your data in a portable format.
- Object to processing or restrict how we use your data.
- Withdraw consent at any time, with no effect on processing already done.
- Lodge a complaint with the supervisory authority in your country (in Brazil: the ANPD; in EU/UK: your national data-protection authority; in California: the California Privacy Protection Agency).
To exercise any of these, email [email protected]. We respond within 30 days.
Children
Rastros is not directed at children. We do not knowingly collect data from anyone under 16 (EU) or under 13 (most other jurisdictions). If you believe a child has provided us with personal data, contact us and we will delete it.
International transfers
When data leaves the EU or Brazil (for example, to Stripe in the US), we rely on the European Commission's Standard Contractual Clauses for transfers from the EU, and on equivalent contractual safeguards under LGPD Art. 33 for transfers from Brazil. Sub-processors are contractually obliged to provide equivalent protection.
Changes to this policy
When we make material changes — for example, adding a new sub-processor or changing a retention period — we update the Effective date at the top of this page and re-prompt your cookie consent. Minor edits (typos, wording) do not trigger a re-prompt.
Contact
For any privacy or data-protection question:
GBS Tecnologia LTDA [email protected]