1. Effective date and changes
Effective date: May 13, 2026
This is the first published version of the Traildek Privacy Policy. When we make material changes, we will update the date above, post the new version here, and notify account holders by email. A summary of past revisions will appear in the change log below.
Change log
- May 13, 2026 — Initial publication.
2. Who we are
Traildek is operated by Traildek LLC, a limited liability company organized in the State of Utah, United States. We design and sell hiking trail card decks and operate the website at traildek.com.
For privacy questions, requests, or complaints, contact us at privacy@traildek.com.
3. What we collect, when, and why
We collect only the information we need to run the store, ship your orders, and improve the experience. The table below lists each category, where it comes from, and what we use it for.
| Category | Examples | Source | Purpose | Lawful basis (GDPR) |
|---|---|---|---|---|
| Identifiers | Name, email address, shipping address, phone number | You, at checkout or account creation | Fulfilling orders, customer support, account management | Performance of contract |
| Commercial information | Order history, cart contents, wishlist, returns | Your activity on the site | Servicing your orders and improving recommendations | Performance of contract; legitimate interest |
| Internet activity | Sessions, page views, referring URL, UTM tags, device type | Analytics beacons on this site | Understanding what works on the site and fixing bugs | Consent (EU/UK); legitimate interest (US) |
| Payment information | Card brand, last four digits, billing ZIP (not full card numbers) | Stripe, our payment processor | Processing payments and refunds | Performance of contract |
| User-generated content | Trail photos, completion records, reviews | Your uploads | Display on trail pages and product reviews | Consent |
| Communications | Support tickets, contact form messages, email replies | You, when you contact us | Resolving your question | Legitimate interest; consent for marketing replies |
| Inferences | Favorite regions, hike preferences, recommended decks | Derived from your activity | Personalizing recommendations | Legitimate interest |
We do not knowingly collect biometric data, precise geolocation, government IDs, or special categories of data (such as health, religion, or political views).
4. Third parties we share data with
We share data only with vendors who help us operate the store. Each is contractually required to use the information only for the services they provide to us.
- Stripe — processes payments. PCI compliance is handled by Stripe; we never see full card numbers.
- Clerk — manages account authentication, including email and password handling.
- Uploadthing — stores photos you upload with reviews or trail completions.
- Vercel — hosts the site, the CDN, and edge functions. Receives standard server logs (IP address, user agent, request URL).
- Vercel Blob — stores certain product imagery and downloadable files.
- Twilio SendGrid — sends transactional emails (order confirmations, shipping updates) and marketing emails you have opted into.
- Upstash — provides rate limiting and an analytics queue.
- Sentry — collects anonymized error reports so we can fix bugs.
- Anthropic, OpenAI, Google, Perplexity — used only for AI-citation tracking. We send queries about our own brand; we do not send customer data to these services.
- NOAA and the National Park Service — public APIs used to display trail and weather information. No personal data is sent.
- Print and fulfillment partners — receive the name and address needed to ship your order.
- Legal and regulatory authorities — we may disclose data when required by a valid legal request, or to protect our rights, safety, or property.
We do not sell your personal information for money. See Do Not Sell or Share for the broader regulatory meaning of “sale” and “sharing.”
6. Your privacy rights
Depending on where you live, you may have the following rights regarding your personal information:
- Access — ask for a copy of the data we hold about you.
- Correction — ask us to fix data that is inaccurate or out of date.
- Deletion — ask us to delete your data, subject to legal record-keeping requirements (for example, seven years of tax records).
- Portability — receive a structured copy of your data in a machine-readable format.
- Opt out of sale or sharing — see the section below.
- Withdraw consent — where we rely on consent, you can withdraw it at any time without affecting processing already done.
- Non-discrimination — we will not deny service, charge different prices, or provide different quality because you exercised a right.
To make a request, email privacy@traildek.com. We may ask you to verify your identity. We respond within 45 days under CCPA and within 30 days under GDPR. You may also authorize an agent to make a request on your behalf with written proof of authorization.
7. Do Not Sell or Share My Personal Information
We do not sell your personal information for money. Under California, Colorado, Connecticut, Virginia, Utah, and Texas privacy laws, certain analytics and advertising-related cookies can be treated as a “sale” or “sharing” of personal information even when no money changes hands.
You can opt out of any analytics or marketing cookies at any time by clicking Cookie Settings in the footer, or by emailing privacy@traildek.com with the subject line “Do Not Sell or Share.”
We also honor the Global Privacy Control browser signal as a valid opt-out (see below).
8. Global Privacy Control
If your browser sends a Global Privacy Control (GPC) signal, we treat it as an opt-out of the sale and sharing of personal information. Analytics and marketing cookies will be disabled by default for your session, and you can confirm or change this in Cookie Settings.
9. Data retention
We keep personal information only as long as we need it. Specific retention periods:
- Orders and tax records — 7 years, to comply with US tax record-keeping rules.
- Sessions and page views — 12 months rolling, then deleted.
- Approved user-generated content — kept while your account is active; deleted on request.
- Rejected user-generated content — held for up to 30 days for moderation review, then hard-deleted.
- Abandoned carts — 90 days, then deleted.
- Marketing email opt-outs — kept indefinitely so we never accidentally re-subscribe you.
- Support tickets — up to 3 years from the last activity, then archived or deleted.
10. International transfers
Traildek is operated from the United States, and our hosting and vendor infrastructure is primarily based in the US. If you access the site from the European Economic Area, the United Kingdom, or Switzerland, your information will be transferred to the United States. For those transfers we rely on Standard Contractual Clauses with our sub-processors and other safeguards permitted by applicable law.
11. Children's privacy
Traildek is intended for adults. You must be at least 18 years old to create an account or place an order. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us with personal data, contact privacy@traildek.com and we will delete it.
12. Security
We protect your data with industry-standard safeguards: HTTPS everywhere, encryption in transit, password hashing handled by Clerk, payment processing isolated within Stripe's PCI environment, role-based access controls for staff, and regular dependency audits. No system is perfectly secure; if a breach affects your data, we will notify you and the appropriate regulators as required by law.
13. Changes to this policy
We may update this policy from time to time. Minor edits (such as typos or clarifications) will be made without notice. Material changes will be announced by email to account holders, by an in-site banner, and by re-prompting your cookie consent so you can review and reaffirm your choices.
14. Contact
Questions, requests, or complaints about this policy? Reach us at:
Traildek LLC
State of Utah, United States