Privacy Policy

Last updated: 21 April 2026

This policy explains what personal data we collect, why we collect it, and what your rights are under the UK General Data Protection Regulation (UK GDPR). If you have any questions, please email us at [email protected].

1. Who we are

TM SOFTWARE CONSULTING LIMITED is the data controller for Porth2Porth. That means we decide how and why your personal data is used.

Company number: 12127527
27 Old Gloucester Street
London, WC1N 3AX
United Kingdom

2. What data we collect

When you create an account

  • Your name and email address
  • Your password (stored as a hashed value — we cannot read it)

When you use the Service

  • Walk logs: sections walked, dates, distances, notes
  • Photos you upload to your walk logs. Photos are stored as uploaded and may contain embedded EXIF metadata, including GPS coordinates, camera model, and date taken. We do not strip this data.
  • Push notification tokens (iOS) — to send you notifications about your account
  • Your account settings and preferences

Automatically

  • Your IP address and approximate location (country or region)
  • Device type, operating system, and browser or app version
  • Pages visited and actions taken within the app (via PostHog analytics — see section 6)
  • Error and crash logs to help us identify and fix bugs

3. Why we collect it

Purpose | Legal basis (UK GDPR)
Running your account and delivering the Service | Contract (Article 6(1)(b))
Sending account emails (confirmations, password resets) | Contract
Improving the app and fixing bugs | Legitimate interests (Article 6(1)(f))
Analytics to understand how the app is used | Legitimate interests
Sending push notifications (iOS) | Legitimate interests
Complying with legal obligations | Legal obligation (Article 6(1)(c))

We do not use your data for automated decision-making or profiling.

4. How we use your data

  • To create and manage your account
  • To save and display your walk logs and photos
  • To send you transactional emails (account confirmations, password resets)
  • To diagnose technical issues and improve the Service
  • To understand how people use the app so we can make it better

We do not sell your data to third parties. We do not use your data for advertising.

5. Who we share data with

We use a small number of trusted third-party services to run Porth2Porth. Each is contractually required to handle your data securely and in line with UK GDPR.

Provider | Purpose | Location
Heroku (Salesforce) | Application hosting | EU
Neon | Database hosting (PostgreSQL) | EU
Cloudflare | Image delivery and CDN | EU
Amazon Web Services (S3) | Photo storage | EU (eu-west-1)
PostHog | Product analytics | EU

All data is stored within the UK or EU. We do not transfer personal data outside these regions.

6. Analytics (PostHog)

We use PostHog to understand how people use the app — for example, which features are used most and whether new features are working as intended. PostHog collects anonymised usage events and does not build advertising profiles.

You can opt out of analytics tracking in your account settings. Opting out will not affect your ability to use any part of the Service.

7. Cookies

The web app uses a small number of cookies:

  • Session cookie — keeps you logged in during your visit. Essential for the Service to work.
  • CSRF token — protects against cross-site request forgery attacks. Essential.
  • PostHog analytics — anonymised usage tracking (see section 6). You can opt out in your account settings.

We do not use advertising cookies or third-party tracking cookies.

8. How long we keep your data

Data | Retention period
Account and walk data | Until you delete your account
Photos | Until you delete them or your account
Encrypted database backups | 60 days, then permanently deleted
Server and error logs | 30 days
Analytics events | 12 months

When you delete your account, your personal data is removed from our live systems immediately. Encrypted backups are purged within 60 days.

9. Your rights under UK GDPR

You have the following rights regarding your personal data:

  • Right to access — request a copy of the data we hold about you
  • Right to rectification — ask us to correct inaccurate data
  • Right to erasure — ask us to delete your data
  • Right to restriction — ask us to limit how we use your data
  • Right to data portability — receive your data in a machine-readable format
  • Right to object — object to processing based on legitimate interests
  • Right to withdraw consent — where we rely on consent, withdraw it at any time

To exercise any of these rights, email us at [email protected]. We will respond within 30 days and may ask you to verify your identity.

You also have the right to complain to the UK data protection regulator, the Information Commissioner's Office (ICO): ico.org.uk or 0303 123 1113.

10. Security

We take reasonable technical and organisational measures to protect your data:

  • All data is encrypted in transit using HTTPS/TLS
  • All data is encrypted at rest on our servers and storage systems
  • Passwords are stored using bcrypt hashing — we cannot read them
  • Encrypted backups retained for 60 days
  • Access controls limiting who can access production systems

If we become aware of a personal data breach, we will notify the ICO within 72 hours where required by law, and will inform affected users without undue delay if the breach is likely to result in a high risk to your rights and freedoms.

If you believe your account has been compromised, please contact us at [email protected] immediately.

11. Children

Porth2Porth is not intended for children under 13. We do not knowingly collect data from children under 13. If you believe a child has created an account, please contact us and we will remove it promptly.

12. Changes to this policy

We may update this policy from time to time. When we do, we will update the date at the top and notify you by email or in the app before changes take effect.

13. Contact us

For any privacy questions or to exercise your rights:

Email: [email protected]

TM SOFTWARE CONSULTING LIMITED
27 Old Gloucester Street
London, WC1N 3AX
United Kingdom