Privacy Policy

Effective 14 May 2026

1. Who we are

Jatelo ("we", "us", "our") operates the Jatelo mobile and web apps (the "Service") for outdoor athletes — paddlers, climbers, mountain bikers, hikers and trail runners. Jatelo is a private operation based in South Africa and is the data controller for personal data processed through the Service. Contact: support@jatelo.app.

EU/UK representative. Where required by GDPR Art. 27 or UK GDPR, our appointed representative for EU/UK data subjects is listed at jatelo.app/legal/eu-representative. Contact them in their local language with any data-protection enquiry that falls under EU/UK GDPR scope.

2. What information we collect

We collect only what we need to run the Service:

  • Account data — email address, display name, username, avatar URL, and the authentication provider you signed up with (Apple, Google, or email/password via Supabase Auth).
  • Profile data — sports you participate in, home city, bio, social links, and any content you choose to share publicly on your profile.
  • Activity data — sessions you log manually (distance, duration, route, notes, photos), precise GPS tracks you record in the app, and ratings/comments you post.
  • Device & diagnostics — coarse and precise location (only while you have granted permission), app version, device model, OS, crash logs and aggregated usage events.
  • Data from connected services — see “Strava integration” below.
  • Payment data — handled by Paystack (web) and RevenueCat with Apple/Google (mobile). We never see or store your card details; we receive a subscription status, platform, and a receipt reference.

3. Purposes, legal basis and retention

Under GDPR Art. 6, every processing activity has a documented legal basis. The list below summarises how we use each data category, on what basis, and for how long we keep it.

  • Account & profile — to create and operate your account, authenticate sign-in, render your profile. Basis: contract (Art. 6(1)(b)). Retention: for the life of your account; deleted within 30 days of account deletion (backups purged within 90 days).
  • Activity & GPS tracks — to provide logbook, map, route history, heatmap and stats features. Basis: contract. Retention: for the life of your account; deleted with your account, or earlier if you delete the log.
  • Location (precise, while-in-use) — to record GPS tracks and show nearby sections. Basis: consent (Art. 6(1)(a)), granted via OS permission prompt; revocable at any time in device settings. Retention: tracks you save are kept as activity data above.
  • Strava-imported data — to import and display paddle activities you choose to sync. Basis: consent, granted at OAuth connect. Retention: kept for the life of your account so your paddle history stays intact if you simply unlink, and deleted immediately when you revoke Jatelo’s access from Strava, use “Erase & re-sync Strava data”, or delete your account.
  • Subscription & payment metadata — to fulfil your Jatelo Pro subscription and meet tax/accounting duties. Basis: contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) for invoices. Retention: 7 years for invoices and receipts; the subscription record itself for the life of your account.
  • Crash logs & diagnostics — to keep the app stable. Basis: legitimate interest (Art. 6(1)(f)) in maintaining a working product. Retention: 90 days.
  • Anti-abuse / bot-protection signals — used by Cloudflare Turnstile on sign-up. Basis: legitimate interest in preventing fraud. Retention: handled by Cloudflare per their policy; we do not store the raw signals.
  • Support correspondence — emails you send us. Basis: legitimate interest in responding to you. Retention: 2 years from last contact.

We do not sell your data, share it with advertisers, or use it to build profiles for ad targeting.

4. Strava integration

Jatelo offers an optional integration with Strava. Connecting Strava is never required to use Jatelo, and you can disconnect at any time from your profile settings.

What we request from Strava. When you connect, we ask Strava for the following OAuth scopes:

  • read — to read your public Strava profile (athlete name, ID and avatar) so we can link it to your Jatelo account.
  • activity:read_all — to import your paddle activities and their GPS streams, including activities you’ve marked as private or followers-only.

What we store from Strava. For paddle-type activities only (Kayaking, Canoeing, Stand Up Paddling, Rowing, Surfing where flagged as paddle), we store:

  • Activity ID, name, start time, duration, distance, elevation
  • GPS polyline / streams (latlng, heart rate, cadence, power, time, altitude)
  • Athlete first name, last name, profile photo URL and Strava athlete ID
  • Gear, device and start-city tags
  • OAuth access & refresh tokens (encrypted at rest in Supabase)

We do not import non-paddle activities (e.g. running, cycling). We do not share your Strava data with third parties.

Disconnecting. From your Jatelo profile you can disconnect Strava at any time. Disconnecting immediately revokes the OAuth token and stops all future syncs. Previously imported activities stay in your Jatelo log history so you keep your paddle record — remove them whenever you like with “Erase & re-sync Strava data”, which deletes every Strava-imported log, route, stream and split. If instead you revoke Jatelo’s access from within Strava, we treat that as a full deauthorization and automatically delete all of your Strava-imported data.

This app uses the Strava API. Strava is a trademark of Strava, Inc. Jatelo is not endorsed by or affiliated with Strava.

5. Where your data is stored and international transfers

Jatelo runs on Supabase (PostgreSQL + PostGIS) and Vercel. Application data is stored in Supabase’s EU region (Frankfurt). Backups are encrypted at rest. OAuth tokens for connected services (including Strava) are stored encrypted in a separate user-secrets table with row-level security policies that restrict access to the owning user and our serverless functions.

Some sub-processors (Mapbox, RevenueCat, Apple, Google, Strava, Cloudflare) may process data outside the EEA, including in the United States. Where personal data of EU/UK subjects is transferred internationally, we rely on EU Standard Contractual Clauses (SCCs) or, where applicable, the EU-US Data Privacy Framework as the transfer mechanism.

6. Sub-processors

We use the following sub-processors to deliver the Service. Each receives only the data needed to perform its function.

  • Supabase, Inc. — database, auth, file storage (EU region)
  • Vercel, Inc. — web hosting and serverless functions
  • Mapbox, Inc. — map tiles and geocoding
  • Paystack Payments Ltd. — web payments (ZAR)
  • RevenueCat, Inc. — mobile subscription management
  • Apple Inc. / Google LLC — App Store / Play Store billing, sign-in providers, and push notifications (APNs / FCM)
  • Expo (650 Industries, Inc.) — push-notification token exchange
  • Strava, Inc. — only when you choose to connect
  • Cloudflare, Inc. — Turnstile bot protection on sign-up
  • Sentry / PostHog — crash and aggregated product analytics, where enabled in-app

We do not give any sub-processor permission to use your data for their own marketing. The list above is the current, authoritative list; we will update this page when sub-processors change.

7. Apple Privacy Nutrition Label

The categories of data we collect through the Jatelo mobile app, as declared on the App Store:

  • Location (precise) — linked to user, used for app functionality. Not used for tracking.
  • Identifiers — user ID. Linked to user, used for app functionality.
  • Purchases — purchase history (via RevenueCat). Linked to user, used for app functionality.
  • Contact info — email address. Linked to user, used for app functionality and customer support.
  • User content — photos, activity descriptions, posts. Linked to user, used for app functionality.
  • Usage data — product-interaction events. Linked to user, used for analytics and app functionality.
  • Diagnostics — crash data and performance data. Linked to user, used for app functionality.

Jatelo does not use any data for cross-app or cross-site tracking, and does not share data with data brokers or advertising networks.

8. Google Play Data Safety

The Google Play Data Safety declaration mirrors the categories in Section 7. Data in transit is encrypted with TLS. You can request deletion of any data at any time by emailing support@jatelo.app or by deleting your account from profile settings.

9. Cookies and analytics

The Jatelo web app uses strictly-necessary cookies for sign-in and session security only. Where we operate optional analytics or crash tools (PostHog, Sentry) in the EU/UK, we present a consent banner before any non-essential SDK loads, and you can withdraw consent at any time. The mobile app does not use third-party tracking SDKs.

10. Your rights

If you are in the EU, UK or a comparable jurisdiction, you have the following rights with respect to your personal data:

  • Access — request a copy of your data
  • Rectification — correct inaccurate data, directly via profile settings or by request
  • Erasure — delete your account and all associated data
  • Restriction — restrict processing in defined circumstances
  • Portability — receive your data in a machine-readable format
  • Objection — object to processing carried out on a legitimate-interest basis
  • Withdraw consent — for Strava, push notifications, location, and any other consent-based processing, at any time, without affecting earlier processing
  • Lodge a complaint — with your local supervisory authority (EU/UK) or with South Africa’s Information Regulator (POPIA)

To exercise any of these rights email support@jatelo.app. We aim to respond within one month, as required by GDPR Art. 12(3).

11. Children

Jatelo is not directed at children. The minimum age to create an account is 16 if you are in the EU/EEA or UK, and 13 elsewhere (where local law does not require a higher age). We do not knowingly collect data from anyone below the applicable minimum age. If you believe a child has created an account, please contact us at support@jatelo.app and we will delete it.

12. Security

We use industry-standard practices: TLS in transit, encryption at rest, row-level security on every table, short-lived JWTs, and asymmetric (ES256) signing of session tokens. No system is perfectly secure — if you discover a vulnerability please report it responsibly to support@jatelo.app.

13. Changes to this policy

We may update this policy as the Service evolves. Material changes will be announced inside the app and by email where appropriate. The “Effective” date at the top reflects the latest version.

Questions about this policy? support@jatelo.app

See also our Terms of Service.