Legal
The controller responsible for data processing on this website within the meaning of the GDPR is:
Felix Witte
Erbhof 9
44791 Bochum, Germany
Email: info@goraadv.com
No Data Protection Officer is required for this operation (fewer than 20 people regularly involved in processing; no systematic large-scale or special-category data processing).
We only process data that is technically necessary to provide the service or that you actively provide to us.
When you visit GoraAdv, our hosting provider (Hetzner) automatically logs standard web server data:
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in maintaining server security and diagnosing technical errors.
Retention: 7 days, then automatically purged.
You may object to this processing under Art. 21 GDPR; however, doing so would make it impossible to serve the website to you.
If you create an account, we store:
Legal basis: Art. 6(1)(b) GDPR — necessary to perform the contract (providing the account-based features you signed up for).
Retention: Until you delete your account. You can request deletion at any time via info@goraadv.com.
If you save a route, we store:
Legal basis: Art. 6(1)(b) GDPR — necessary to provide the "save routes" feature you explicitly used.
Retention: Until you delete the route or your account.
We use your browser's localStorage — not cookies — for two purposes:
| Item stored | Purpose | Legal basis |
|---|---|---|
| JWT authentication token | Keeps you logged in between page loads | TDDDG §25(2) No. 2 — strictly necessary to provide the authentication service you requested |
| "Beta notice seen" flag | Prevents the one-time welcome notice from reappearing | TDDDG §25(2) No. 2 — strictly necessary for the intended usability of the service |
No tracking cookies, no advertising cookies, no analytics cookies are used. You can clear localStorage at any time via your browser settings — this will log you out.
If you subscribe to country launch notifications or the GoraAdv newsletter (via the countries page, the registration form opt-in checkbox, or any other sign-up form), we store:
Legal basis: Art. 6(1)(a) GDPR — your explicit consent via the opt-in checkbox or sign-up form.
Retention: Until you unsubscribe. Every email we send contains an unsubscribe link. You can also email info@goraadv.com to be removed at any time, and we will action it within 5 business days.
When you purchase a GPX credit bundle, the payment transaction is handled by Lemon Squeezy (see Section 3.4). We receive from Lemon Squeezy only the information necessary to credit your account:
On our side we track, per user: your current credit balance, your freebie counter, and a purchase audit log (one row per order). We do not store card details, billing addresses or tax-ID information — Lemon Squeezy handles all of that as Merchant of Record.
There is no subscription and no recurring charge. Each purchase is a one-time transaction. Credits never expire.
Legal basis: Art. 6(1)(b) GDPR — necessary to perform the contract (crediting your account for the GPX downloads you purchased).
Retention: The purchase audit log is kept for the statutory retention period required by German tax law (§147 AO / §257 HGB) of up to 10 years for billing records. This retention obligation applies to transaction data and cannot be shortened by a deletion request. Your credit balance is tied to your account and deleted with it (unused credits are forfeited on account deletion — see Terms §6.2).
After downloading a GPX file you may send a share invite to up to 12 friends. When you submit the share form we receive: your chosen sender name (display name for the invite), an optional personal note (max 200 characters), and the recipient email addresses.
Recipient email addresses are not stored. We use them solely to send the one-time invite email and then discard them from memory once the send is complete. They are not written to the database, not added to any mailing list, and not used for any purpose other than the single invite.
We keep only the following, in aggregate:
Recipients open the share link without logging in; we do not set any identifying cookies on their browser and do not track who downloaded which file. A per-token counter simply enforces the 50-download cap.
Legal basis:
Art. 6(1)(b) GDPR for processing the buyer's data (providing the sharing feature you used);
Art. 6(1)(a) GDPR for sending the invite to the recipient (you confirm via the consent checkbox that the recipient has agreed to receive the invite — the recipient's legal basis is the consent you obtained from them).
Retention: The share link and aggregate consent log are retained until the buyer deletes the share (from their account) or deletes their account. Recipient email addresses: not stored at all.
GoraAdv offers a public API and a Claude AI integration via the Model Context Protocol (MCP), allowing users to plan routes directly from Claude. The following explains what data is processed when you use the API or the Claude integration.
Data collected per API request:
Route data lifetime: Routes calculated via the API are stored in the api_routes table for 1 hour to allow GPX download and save operations, then automatically deleted. If you explicitly save a route (via goraadv_save_route or the planner), it is retained under the terms of section 2.3 above.
Rate limit logs: API request timestamps and endpoints are logged per API key for rate limiting enforcement. These logs are retained for 7 days and then purged.
Geocoding via Nominatim: Place name searches (e.g. "Pau, France") are forwarded to the OpenStreetMap Nominatim service operated by the OpenStreetMap Foundation. The query and your IP address may be transmitted to OSMF servers. OSMF's privacy policy applies: osmfoundation.org/wiki/Privacy_Policy
No data shared with third parties: Route data, API keys, and rate limit logs are not shared with any third party other than the hosting provider (Hetzner, acting as data processor under a DPA) and OSMF for geocoding queries.
Legal basis: Art. 6(1)(b) GDPR — necessary to provide the API service you requested.
Retention: API route data deleted after 1 hour; rate logs after 7 days; API keys until revoked or account deleted.
Our server is hosted by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. Hetzner processes server log data on our behalf as a data processor under Art. 28 GDPR. A Data Processing Agreement (DPA) is in place. All data remains within the EU. Hetzner's privacy policy: hetzner.com/legal/privacy-policy
Map tiles are served by the OpenStreetMap Foundation (OSMF) tile CDN. When the map loads, your IP address is transmitted to OSMF servers to fetch map images. Route calculations also use Nominatim (OSMF's geocoding service), which receives search queries and coordinates you enter in the planner. OSMF is based in the UK (adequacy decision applies). OSMF privacy policy: osmfoundation.org/wiki/Privacy_Policy
The "Support GoraAdv" button is a plain external link to ko-fi.com. No Ko-fi scripts or trackers are loaded on GoraAdv. When you click the link and visit Ko-fi, their own privacy policy applies: more.ko-fi.com/privacy
GPX credit bundle purchases are processed by Lemon Squeezy (a Stripe company), who acts as the Merchant of Record. When you buy a bundle, you enter payment data (card details, billing address) directly in the Lemon Squeezy checkout. GoraAdv never receives or stores your payment card data. All purchases are one-time — there is no subscription and no recurring charge.
For the payment transaction, Lemon Squeezy acts as an independent data controller — the payment data is collected and processed by Lemon Squeezy under their own privacy policy, not by GoraAdv. Lemon Squeezy is a US-based entity; international data transfers are covered by Standard Contractual Clauses (SCCs) under GDPR Art. 46.
Lemon Squeezy privacy policy: lemonsqueezy.com/privacy
Lemon Squeezy buyer terms: lemonsqueezy.com/buyer-terms
We have executed a Data Processing Agreement (DPA) with Lemon Squeezy for any personal data we share with them via API (such as your email address for order confirmation).
We send account-related emails (verification links, password reset, share invites) through an SMTP relay operated by our hosting provider. Your email address and the message content are transmitted to the SMTP server to deliver the message. No email contents are stored beyond the time required to deliver them. For friend-share invites specifically, see Section 2.7 — recipient addresses are not retained after sending.
Under the GDPR you have the following rights regarding your personal data:
To exercise any of these rights, email info@goraadv.com. We will respond within 30 days.
You have the right to lodge a complaint with the data protection supervisory authority responsible for your place of residence, or with the authority responsible for us:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestraße 2–4, 40213 Düsseldorf
ldi.nrw.de
A list of all German supervisory authorities is available at bfdi.bund.de.
We do not use automated decision-making or profiling within the meaning of Art. 22 GDPR.
This website is served exclusively over HTTPS (TLS encryption). Passwords are stored as bcrypt hashes. We do not transmit or store payment card data — payment processing is handled entirely by Lemon Squeezy (a Stripe company) under their own security controls and PCI compliance.
We may update this privacy policy when we add new features or third-party services. The date at the top of this page reflects the last update. Significant changes will be noted in the app.