KÅDUKA TRAIL RUNNING

Effective Date

May 1, 2025

Privacy Contact

privacy@kaduka.app

Jurisdiction

Global (GDPR, CCPA & more)

Before you start reading —

We wrote this to be genuinely readable, not just to satisfy a legal checkbox. Kåduka is a GPS trail running app. That means we handle some of the most personal data that exists: where you go, when you go there, how fast, and how hard your heart works. We take that seriously. Our core promise: your location and health data are yours. You decide what is shared, with whom, and you can take it all back at any time, including downloading a full copy or deleting everything.

1.  What Data We Collect

Because Kåduka is a GPS-based activity app, we collect more data than a typical service. The tables below show exactly what we collect, why, and whether it is required for core features.

1.1  Information You Give Us Directly

[1.1 here.]

1.2  Data Collected Automatically During Activity

[1.2 here.

1.3  Technical and Device Data

We collect standard technical information to keep the app running: device model, OS version, device ID, push notification token, crash logs, and performance metrics. This data is used only for reliability and is not linked to your personal profile for marketing.

1.4  Payment Information

All payments are processed by Stripe (stripe.com/privacy). We never see or store your full card number. We receive only a transaction confirmation token and payment status.

2.  How We Use Your Data

We use your data only for the purposes below. We do not sell your personal information to advertisers, data brokers, or any third party; ever.

[2 here]

3.  Location Privacy: Threats, Research & Our Protections

Why location privacy deserves its own section —

Peer-reviewed security research (Mink et al., CHI 2022, cited at the bottom of this document) studied how well 'privacy zones' actually protect fitness app users. Their finding was striking: even with a privacy zone enabled, 68% of guesses by ordinary, non-technical participants fell within 50 meters of a user's hidden home address, after viewing just three activities. In plain terms: the start/end point hiding that most fitness apps offer provides weaker protection than users assume. A motivated burglar, stalker, or other bad actor does not need technical skills to narrow down where you live, they just need to look at a few of your runs. We have built Kåduka with these documented, real-world risks in mind. Our protections are structural, not just toggles you have to remember to turn on.

3.1  Default: All Activities Are Private

When you create an account, every activity — including the full GPS route, start point, and end point — is set to Private. Nothing is visible to other users until you actively choose to share it.

3.2  Protected Zone (Start/End Obfuscation)

You can define a Protected Zone: a radius around any sensitive address (home, workplace, regular trailhead). When a Protected Zone is active:

• Your route is automatically trimmed so the segments inside the zone are excluded from any shareable version of the activity.

• The full, untrimmed route is retained in your private account only — your distance and elevation data stay accurate.

• The Protected Zone boundary itself is never stored on our servers or shared with any third party.

• We recommend using the largest zone radius that is practical for you. Research shows that larger zones are significantly harder for observers to defeat than smaller ones.

Important limitation you should know

• Privacy zones reduce, but cannot fully eliminate, the risk of location inference. Researchers have demonstrated that an observer who can see multiple activities from the same user can sometimes estimate a sensitive location even with a zone active, by analyzing where routes consistently begin and end near the zone boundary.

• To maximize your location privacy: use the largest zone available; vary your route starting points when possible; keep sharing set to 'Friends Only' or 'Private' rather than 'Public'; and consider beginning your GPS tracking a few blocks from home.

• This is an industry-wide limitation, not unique to Kåduka. We disclose it clearly because we believe you deserve to understand the actual risk level.

3.3  We Do Not Use Your Routes to Infer Protected Locations

Kåduka will never use your private route data to reconstruct or infer an address you have designated as protected. Analytics partners receive only anonymised, aggregated trail-popularity data — never individual GPS traces or routes.

3.4  Live Location Is Never Broadcast Without Your Consent

Your real-time position during a run is transmitted only to our servers to record your activity. It is never shared with other users in real time unless you explicitly enable a live-tracking feature and personally share the access link.

3.5  You Control Location History Deletion

You can delete any individual activity — including its complete GPS trace — at any time from within the app. Deleted activities are purged from our servers within 30 days. See Section 15 for full data portability and deletion rights.

4.  Social Sharing — Opt-In, Always

Kåduka is designed so that sharing is never automatic. Every sharing action requires your active choice. New accounts start fully private.

4.1  Activity Visibility Levels

[4.1 here]

4.2  Friend Connections Are Always Opt-In

No one is added to your friends list without your explicit acceptance of a request. We do not auto-follow, create social connections on your behalf, or suggest follows based on your physical proximity to another user during a run.

4.3  Profile Visibility Defaults to Friends Only

Your profile page (username, bio, photo) is visible only to accepted friends by default. You can expand this to all Kaduka users, or restrict it further, in Privacy Settings at any time.

4.4  Community Features

If you join group challenges, clubs, or segment leaderboards, your participation and result may be visible to other members of that group. You will always be informed of the visibility scope before joining, and you can withdraw at any time.

4.5  Tagging Requires Your Consent

Other users cannot tag you in activities or photos without your prior approval. Tag notifications require your confirmation before any tag becomes visible on your profile.

5.  Legal Bases for Processing (Including GDPR)

European data protection law (GDPR) and many other privacy frameworks require us to identify a specific legal basis for each type of data processing. The table below explains this in plain language.

[5 here.]

Withdrawing consent: Where we rely on your consent, you may withdraw it at any time through Privacy Settings or by emailing privacy@kaduka.app. Withdrawal will not affect the lawfulness of any processing that took place before you withdrew.

6.  Who We Share Your Data With

We do not sell, rent, or trade your personal information. The only third parties who receive your data are service providers who help us operate Kaduka — and they are contractually prohibited from using it for any other purpose.

6.1  Service Providers

[6.1 here]

6.2  Legal Requirements

We may disclose your information when required by a valid court order, subpoena, or government investigation. Where permitted by law, we will notify you before complying with any such request.

6.3  Business Transfers

In the event of a merger, acquisition, or sale of substantially all assets, your information may be transferred as part of that transaction. You will be notified in advance and given the opportunity to delete your account before any transfer occurs.

6.4  Other Users (Only What You Choose to Share)

If you set an activity to Friends Only or Public, certain information becomes visible to the audience you selected. Choose your sharing level carefully, as we cannot control what users do with content they can legitimately view.

7.  Cookies and Tracking Technologies

We use cookies and similar technologies on our website and app. Here is what we use and why:

[7 here]

Disabling essential cookies will prevent the app from functioning correctly. You can manage all other preferences through your browser, device, or the Privacy Settings page.

8.  AI-Powered Features

Kaduka uses machine learning to enhance your experience. Here is what our AI does — and what it does not do.

8.1  What Our AI Does

• Analyses your activity history to surface personalised insights: pace trends, effort distribution, personal records.

• Recommends trails based on your performance and preferences.

• Predicts trail conditions and difficulty from aggregated community data and weather feeds.

• Processes trail photos and user-generated text to improve search quality.

8.2  What Our AI Does Not Do

• Make decisions with legal or significant personal consequences without a human review step.

• Share your individual data with third-party AI model providers — all AI processing uses anonymised or aggregated data where possible.

• Infer sensitive characteristics (religion, ethnicity, health conditions beyond fitness metrics) from your data.

EU/EEA users: you have the right under GDPR Article 22 not to be subject to solely automated decision-making that produces significant effects. Contact us if you have questions about a specific AI feature.

9.  How Long We Keep Your Data

[9 here]

You can request deletion of any or all of your data at any time — see Section 15.

10.  How We Keep Your Data Secure

We use industry-standard technical and organizational measures to protect your data:

• End-to-end encryption for all sensitive data in transit (TLS 1.2 or higher at all times).

• Encryption of sensitive data at rest, including GPS history and health metrics.

• Biometric data never leaves your device — we receive only a cryptographic confirmation token.

• Strict access controls: employees access personal data only as required for their specific role.

• Regular third-party security audits and penetration testing.

• Firewall and intrusion-detection systems protecting our infrastructure.

• Mandatory data protection training for all staff who handle personal data.

No system is completely secure

Despite our best efforts, no method of internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security, but we will notify you without undue delay (and within 72 hours for EU users as required by GDPR Article 33) if a data breach occurs that is likely to affect your rights or freedoms.

11.  Children's Privacy

Kåduka is intended for users aged 16 and older. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently done so, contact privacy@kaduka.app immediately and we will delete that information promptly.

Users between 16 and 17: we recommend a parent or guardian review this policy. Features including social sharing, GPS history, and community leaderboards should be configured carefully for younger users. All sharing remains opt-in and can be set to Private.

12.  Your Rights at a Glance: All Regions

Regardless of where you live, the following rights apply to your data. How to exercise them is covered in Sections 13–15.

[12 here]

13.  European Residents: Full GDPR Rights

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and equivalent national laws apply to your data. This section supplements Sections 5 and 12.

13.1  Data Controller

Kaduka, LLC is the data controller for your personal data. Contact: privacy@kaduka.app | 8833A Midvale Ave N, Seattle, WA 98103, United States.

13.2  Special Categories of Data (GDPR Article 9)

Health data and biometric data are 'special categories' under GDPR and require explicit consent. We collect these only where you have given explicit, informed consent, which you may withdraw at any time without penalty.

13.3  International Data Transfers

Kåduka is based in the United States. When we transfer your data outside the EEA or UK, we rely on one or more of the following approved safeguards:

• Standard Contractual Clauses (SCCs) approved by the European Commission.

• Adequacy decisions where the destination country provides adequate protection.

• Binding Corporate Rules or other legally approved transfer mechanisms.

You may request a copy of the applicable safeguards by contacting privacy@kaduka.app.

13.4  Additional GDPR-Specific Rights

• Right to object to processing for direct marketing (Art. 21) — we will honour this immediately, without exception.

• Right not to be subject to solely automated decision-making with significant effects (Art. 22).

• Right to lodge a complaint with your EU supervisory authority — a full list is available at edpb.europa.eu.

13.5  Response Timelines Under GDPR

We will respond to all GDPR rights requests within 30 days of receipt. For complex or numerous requests, we may extend this by up to two additional months, but we will inform you within the first 30 days if an extension is needed.

13.6  Record of Processing Activities

We maintain a full record of processing activities as required by GDPR Article 30. All processing relies on one of: Art. 6(1)(a) consent; Art. 6(1)(b) contract; Art. 6(1)(c) legal obligation; Art. 6(1)(d) vital interests; Art. 6(1)(f) legitimate interests. For special category data, we rely exclusively on Art. 9(2)(a) explicit consent.

14.  United States Residents: State Privacy Rights

Depending on your state of residence, you may have additional rights under state privacy laws including the California Consumer Privacy Act (CCPA/CPRA), Virginia CDPA, Colorado Privacy Act, Connecticut Data Privacy Act, and equivalent laws enacted in other states.

14.1  Categories of Personal Information Collected (CCPA Reference)

[14. here]

14.2  Your California and State-Specific Rights

• Right to Know: what categories of personal information we collect, use, and disclose (we do not sell).

• Right to Delete: request deletion of your personal information (subject to limited legal exceptions).

• Right to Correct: request correction of inaccurate personal information we hold.

• Right to Opt Out: opt out of any 'sale' or 'sharing' of personal information — we do not sell data, but you may contact us to confirm your status.

• Right to Limit Use of Sensitive Information: restrict our use of sensitive personal information to only what is necessary to provide the service.

• Right to Non-Discrimination: we will never deny service, charge you more, or provide lower quality service because you exercised a privacy right.

To exercise these rights, email privacy@kaduka.app from the address associated with your account. We will verify your identity and respond within 45 days, or the period required by your state's law.

15.  Downloading and Deleting Your Data

Your data belongs to you

You have the right to take your data with you and the right to have it erased. Both are available to you at any time, with no questions asked and no penalty.

15.1  Downloading Your Data

You can request a complete export of your personal data at any time. Your export will include:

• Your full GPS route history in standard GPX and JSON formats.

• Your account profile, preferences, and privacy settings.

• Your health and activity metrics.

• Your in-app interactions and social data.

How to request: go to Settings > Privacy > Download My Data in the app, or email privacy@kaduka.app with 'Data Export Request' as the subject. We will deliver your export within 30 days in a machine-readable format you can import into other services.

15.2  Deleting Individual Activities

You can delete any individual activity — including its full GPS trace — directly from within the app at any time. The activity is permanently removed from our servers within 30 days.

15.3  Deleting Your Entire Account

You can permanently delete your Kaduka account and all associated personal data at any time:

• In the app: Settings > Account > Delete Account.

• By email: privacy@kaduka.app with the subject 'Account Deletion Request' and your account email address.

Account deletion is permanent and cannot be undone. Upon deletion:

• Your profile, activities, GPS history, health data, and social connections will be permanently removed within 30 days.

• Anonymised, aggregated data derived from your activities (such as trail popularity heatmaps) may be retained, as it cannot be linked back to you.

• Payment records are retained for 7 years as required by tax law but will not be accessible through the app.

• Backup systems are fully purged within 90 days of account deletion.

15.4  Verification

For security, we will verify your identity before processing any export or deletion request. This typically means confirming access to the email address associated with your account. We will respond within 45 days, or the period required by applicable law.

16.  Do-Not-Track

Some browsers and devices send a Do-Not-Track (DNT) signal. Where we detect a DNT signal, we will limit collection of non-essential tracking data and will not use your information for targeted marketing. Essential functionality and security measures may still require certain data collection regardless of DNT status.

17.  Policy Updates

We may update this Privacy Policy as our practices, technology, or legal obligations evolve. When we do:

• The 'Last Updated' date at the top of this document will change.

• For significant changes, we will provide at least 30 days' advance notice via the app and by email.

• Your continued use of Kaduka after the effective date constitutes acceptance of the updated policy.

• If you do not agree with a change, you may delete your account before the effective date at no penalty.

We will never reduce your privacy rights through a policy update without giving you the opportunity to opt out or delete your account first.

18.  Contact Us

If you have any questions, concerns, or requests about this policy or your personal data, please reach out:

Kaduka, LLC
Privacy: privacy@kaduka.app
Website: kaduka.app
Address: 8833A Midvale Ave N, Seattle, WA 98103, United States

We aim to respond to all enquiries within 30 days, or as required by applicable law.

© 2025 Kaduka, LLC. All rights reserved. This Privacy Policy is effective as of May 1, 2025 and supersedes all previous versions.

Location privacy protections informed by peer-reviewed research: Mink et al., CHI 2022. DOI: 10.1145/3491102.3502136