Privacy Policy

Last updated: March 2, 2026 · Effective: March 2, 2026

Contents

Data Controller
Overview
Data We Collect
How and Why We Use Your Data
Legal Basis for Processing (GDPR)
Public Nature of Content
Third-Party Services
Data Sharing and Disclosure
International Data Transfers
Data Retention
Your Rights
Children's Privacy
Security
Cookies and Similar Technologies
Changes to This Policy
Contact

1. Data Controller

The data controller responsible for processing your personal data is:

Jan Rabe
Morsbronner Weg 18
12109 Berlin
Germany
Email: contact@kibotu.net

If you have questions about data protection, you can reach the data controller at the address above.

2. Overview

This privacy policy explains how we collect, use, store, and protect your personal data when you use:

The Trail website at trail.services.kibotu.net (the "Website")
The Trail Android app available on Google Play (the "App")
The Trail API (the "API")

Together, these are referred to as the "Service." The Service is a micro-blogging platform where users can post short text entries, share links, and upload images. The source code is available as open source at github.com/kibotu/trail.

We are committed to protecting your privacy. We process personal data only to the extent necessary to provide and improve the Service, and in accordance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), the German Telecommunications-Telemedia Data Protection Act (TTDSG), and other applicable data protection laws.

3. Data We Collect

3.1 Account Data

When you sign in via Google OAuth, we receive and store:

Your Google account name and email address
Your Google profile picture URL
A unique Google user identifier

We do not receive or store your Google password. Authentication is handled entirely by Google's OAuth 2.0 service.

3.2 Profile Data

You may optionally provide additional profile information, including:

Display name and username
Bio / description text
Profile avatar image (uploaded)
Header / banner image (uploaded)

3.3 Content You Create

When you use the Service, you may create and submit content, including:

Text entries (posts) up to a configurable character limit (default 280 characters)
Comments on other users' entries
Images (up to 3 per post, processed and stored in WebP format, max 20 MB each)
Links and URLs (which may generate preview cards via a third-party service)
@mentions of other users
Claps / likes on entries (1–50 per entry)

3.4 Usage and Interaction Data

We automatically collect certain data about how you use the Service:

View counts on entries, comments, and profiles
Search queries (processed in real time to return results; not stored or logged)
Muting and reporting actions you take
Notification interactions

3.5 Technical Data

When you access the Service, we automatically process:

IP address — used only for spam protection and rate limiting (temporarily stored and automatically deleted after 1 hour; never used for tracking or profiling)
Browser type / User-Agent header — used together with your IP address to generate an irreversible one-way hash (SHA-256) for view count deduplication; the raw IP and User-Agent are not stored in view records
Pages / screens visited and time spent
Referring URL
Date and time of access

3.6 Data Collected via the App

The Android app may additionally collect, through integrated third-party SDKs:

App crash reports and diagnostic data (via Firebase Crashlytics)
Anonymized usage analytics (via Google Analytics for Firebase)
Device identifiers used by Google Play Services

3.7 Data We Do Not Collect

We do not collect precise geolocation data.
We do not access your device contacts, camera, or microphone without your explicit action.

4. How and Why We Use Your Data

Purpose	Data Used
Providing and operating the Service (account creation, authentication, posting, commenting)	Account data, profile data, content, technical data
Displaying your public profile and content to other users and visitors	Profile data, content
Generating link preview cards for shared URLs	URLs you post (sent to Iframely API)
Sending you notifications (claps, @mentions, comments)	Account data, interaction data
Providing search functionality	Content (indexed for full-text search)
Content moderation (responding to reports, enforcing policies)	Content, report data, account data
Spam protection and rate limiting (preventing abuse)	IP address (temporarily; auto-deleted after 1 hour)
View count deduplication (preventing inflated counts)	Irreversible hash of IP + User-Agent (raw values not stored)
Bot protection	User-Agent header (checked in real time, not stored)
Monitoring and improving performance, stability, and security	Crash reports, analytics
Complying with legal obligations	As required by applicable law

We do not use your data for automated decision-making or profiling. We do not sell your personal data.

5. Legal Basis for Processing (GDPR)

Under Art. 6(1) GDPR, we process your personal data on the following legal bases:

Legal Basis	Processing Activities
Contract performance (Art. 6(1)(b))	Account creation, authentication, providing the Service (posting, commenting, interactions), profile management, notifications
Legitimate interests (Art. 6(1)(f))	Spam protection and rate limiting (temporary IP processing), view count deduplication (hashed identifiers), bot protection, analytics and performance monitoring, crash reporting, security measures, content moderation. Our legitimate interest is operating a reliable, secure, and abuse-free Service. You can object to processing based on legitimate interests (see Section 11).
Legal obligation (Art. 6(1)(c))	Compliance with applicable laws, responding to lawful requests from authorities, record-keeping obligations
Consent (Art. 6(1)(a))	Optional marketing communications (if any). You can withdraw consent at any time.

6. Public Nature of Content

  Important: Trail is a public platform. All entries, comments, profile information, and uploaded media you post are publicly visible by default. This includes visibility via the Website, the App, the API, RSS feeds, and embedded widgets on third-party websites.

Think carefully before posting personal information. Once published, your content may be indexed by search engines, cached by third parties, or embedded on other websites. While you can delete your content from the Service, we cannot guarantee removal from third-party caches or archives.

7. Third-Party Services

The Service integrates the following third-party services, each with their own privacy policies:

Service	Purpose	Privacy Policy
Google OAuth 2.0	User authentication	Google Privacy Policy
Google Play Services	App distribution and services (Android)	Google Privacy Policy
Google Analytics for Firebase	Anonymized usage analytics (Android)	Firebase Privacy
Firebase Crashlytics	Crash reporting (Android)	Firebase Privacy
Iframely	URL preview / link card generation	Iframely Privacy Policy

When you post a URL, that URL is sent to the Iframely API to generate a preview card (title, description, thumbnail). Iframely may log these requests according to their own privacy policy.

We do not sell, rent, or trade your personal data. We may share your data only in the following circumstances:

Public content: Your posts, comments, profile data, and uploaded media are publicly accessible (see Section 6).
Third-party service providers: As described in Section 7, for the sole purpose of operating the Service.
Legal requirements: When required by law, regulation, legal process, or enforceable governmental request.
Safety and rights protection: When we believe in good faith that disclosure is necessary to protect the rights, safety, or property of the Service, our users, or the public, or to investigate or prevent fraud or illegal activity.

9. International Data Transfers

The Service is hosted on servers located in Germany. If you access the Service from outside the European Economic Area (EEA), your data will be transferred to Germany, which is within the EEA and subject to GDPR.

Some third-party services (Google, Firebase, Iframely) may process data outside the EEA. These providers maintain appropriate safeguards such as EU Standard Contractual Clauses (SCCs) or adequacy decisions. For details, please refer to their respective privacy policies linked in Section 7.

10. Data Retention

Data Category	Retention Period
Account data	Until you delete your account. After requesting deletion, your content is hidden immediately and permanently deleted after 14 days. Backup removal may take an additional 30 days.
Content you create (posts, comments, images)	Until you delete the content or your account
Profile data	Until you modify or delete it, or delete your account
Rate limit records (IP-based identifiers)	Automatically deleted after 1 hour
View deduplication hashes (irreversible; no raw IP)	24 hours (used to prevent duplicate view counts within a day)
Server access logs (web server level)	Up to 90 days
Analytics data (Firebase)	Per Google's retention settings (default: 14 months)
Crash reports (Crashlytics)	Per Google's retention policy (90 days)

After account deletion, we may retain certain data where required by law (e.g., for tax or legal compliance purposes) or to the extent necessary to resolve disputes or enforce our terms.

11. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

Right of access (Art. 15) — You can request a copy of the personal data we hold about you.
Right to rectification (Art. 16) — You can request correction of inaccurate or incomplete data.
Right to erasure (Art. 17) — You can request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
Right to restriction of processing (Art. 18) — You can request that we restrict processing of your data in certain circumstances.
Right to data portability (Art. 20) — You can request to receive your data in a structured, commonly used, machine-readable format.
Right to object (Art. 21) — You can object to processing based on legitimate interests. We will stop processing unless we have compelling legitimate grounds.
Right to withdraw consent (Art. 7(3)) — Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at contact@kibotu.net. We will respond within one month as required by the GDPR (extendable by two months for complex requests).

Self-service options: You can exercise your right to erasure directly from your Trail profile page using the "Delete My Account" button. You can also download a complete copy of all your data from the same page using the "Download My Data" button (right to data portability).

Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority if you believe your data is being processed unlawfully. You can contact the supervisory authority in the EU member state of your habitual residence, your place of work, or the place of the alleged infringement. In Germany, the relevant authority depends on the federal state (Bundesland) where the data controller is located.

12. Children's Privacy

The Service is not intended for children. In accordance with Art. 8 GDPR and its German implementation, we do not knowingly collect personal data from anyone under the age of 16. If you are under 16, you may only use the Service with the consent and supervision of a parent or legal guardian.

If we become aware that we have collected personal data from a child under 16 without parental consent, we will promptly delete that data. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at contact@kibotu.net.

13. Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

Encrypted connections (HTTPS/TLS) for all data transmission
Secure authentication via OAuth 2.0 and JWT tokens
Access controls and principle of least privilege for server administration
Regular security updates and monitoring

However, no method of electronic transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

14. Cookies and Similar Technologies

The Website uses cookies and similar technologies for the following purposes:

Cookie / Technology	Purpose	Type
Session cookie	Maintaining your authenticated session	Strictly necessary (no consent required)
Firebase Analytics (App)	Anonymized usage statistics	Analytics (legitimate interest)

Strictly necessary cookies are required for the Service to function and cannot be disabled. You can configure your browser to block or delete cookies, but this may impair the functionality of the Service.

15. Changes to This Policy

We may update this privacy policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you via the Service. We encourage you to review this page periodically. Continued use of the Service after changes constitutes acceptance of the updated policy.

16. Contact

If you have any questions about this privacy policy, your personal data, or wish to exercise your data protection rights, please contact:

Jan Rabe
Email: contact@kibotu.net