Privacy Policy
Last updated: March 2026
1. Introduction
Welcome to ClimbSync. This privacy policy explains how we collect, use, store, and protect your personal data when you use our mobile application.
ClimbSync is operated by Benjamin Orthner, an individual based in Austria. We are committed to protecting your privacy in accordance with the EU General Data Protection Regulation (GDPR) and Austrian data protection laws.
ClimbSync is currently in active development (pre-release). Features and processing details may evolve before broad public launch, and this policy may be updated accordingly.
2. Data Controller
The data controller responsible for your personal data is:
Benjamin Orthner
Vienna, Austria
Email: contact@climbsync.app
3. Data We Collect
3.1 Account Information
- Email address (required for account creation)
- Authentication provider data (if signing in via Google or Apple)
- Account creation and last login timestamps
- Billing account metadata shared with our subscription provider RevenueCat for purchase support and account lookup (currently App User ID, email address, and display name when available)
3.2 Profile Information (Voluntary)
- Display name (publicly visible to other users)
- Real name (visible according to your profile visibility settings)
- Profile picture/avatar and avatar visibility settings
- Short bio description and bio visibility settings
- Climbing grades (boulder and sport) and grade visibility settings
- Preferred home city / home gym and related visibility settings
- Profile preferences such as language and unit/time formatting
3.3 Social Contact Information (Optional, Friends Only)
- Phone number (international format)
- WhatsApp number/username
- Signal number/username
- Telegram username
- Instagram username
- Discord username
- Contact visibility controls, including optional friend-exclusion settings
3.4 Activity Data
- Climbing session plans and participation data (gym, date, time, duration, notes, visibility)
- Session invitations/proposals, poll votes, and proposal outcomes
- Friend connections, friendship history, and block-list state
- Favorite gyms and related discovery interactions
- Notification preferences and in-app notification interactions
- Profile statistics and insight aggregates generated from your activity
3.5 Technical Data
- Device type and operating system version
- App version and platform (iOS/Android/Web)
- Security and reliability logs (e.g., request/error/rate-limit telemetry)
- Product analytics events used to improve app flows (e.g., onboarding/session/search usage)
4. Purpose and Legal Basis
We process your data for the following purposes:
4.1 Contract Performance (Art. 6(1)(b) GDPR)
- Providing the core ClimbSync service
- Account creation and authentication
- Enabling session sharing with friends
- Managing friend connections, blocks, and profile visibility controls
4.2 Legitimate Interest (Art. 6(1)(f) GDPR)
- Improving app functionality and user experience
- Operating product analytics and telemetry for feature development and service reliability
- Debugging and fixing technical issues
- Fraud prevention, abuse prevention, and security
4.3 Consent (Art. 6(1)(a) GDPR, where required)
- If we introduce processing that requires consent as its legal basis (for example, optional marketing communication), we will request separate explicit opt-in before that processing starts.
- At the current development stage, core app analytics and service operations are not consent-gated and are processed under contract/legitimate-interest bases as described above.
5. Data Storage and Security
Your data is stored on servers provided by Convex, Inc., which uses secure data centers in the European Union. We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption of data in transit (TLS/SSL)
- Encryption of data at rest
- Server-side access controls
- Secure authentication mechanisms
6. Data Sharing
We do not sell your personal data. We share your data only as follows:
- With other ClimbSync users according to your visibility settings (public sessions are visible to all users; friend-only content is visible only to accepted friends)
- Contact links are friends-only by default and may be hidden from selected friends using your contact visibility controls
- Blocked users are restricted from seeing your activity as defined by product access rules
- With service providers used to operate the app (e.g., infrastructure, mapping, authentication/email delivery, and subscription billing/support) under appropriate contractual safeguards
- When required by law or legal process
7. International Data Transfers
Your data is primarily stored in the EU. In case of transfers outside the EU/EEA (e.g., to Convex, Inc. in the USA), appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission.
8. Data Retention
We retain your personal data for as long as your account is active and as needed to operate the service securely. Our current retention approach includes:
- Core account/profile/session data: retained while your account remains active, then deleted when your account is deleted (subject to short technical backup windows).
- Billing and subscription data: when you delete your account, we remove our local billing records. However, subscription and purchase history held by RevenueCat, Apple, or Google is subject to their respective retention policies and is not deleted by us. Active subscriptions are not cancelled by account deletion — you must cancel them through your store settings.
- Raw product analytics events: retained for a limited period (currently 90 days) for reliability and product analysis.
- Certain aggregated service metrics (including daily/monthly rollups) may be retained longer to understand product performance trends and system health.
- Backup copies are typically deleted within approximately 30 days.
9. Your Rights (GDPR)
Under the GDPR, you have the following rights:
- Right of Access (Art. 15): Request a copy of your personal data
- Right to Rectification (Art. 16): Correct inaccurate data
- Right to Erasure (Art. 17): Delete your account and data
- Right to Restriction (Art. 18): Limit how we use your data
- Right to Data Portability (Art. 20): Receive your data in a portable format
- Right to Object (Art. 21): Object to processing based on legitimate interests (including product analytics/telemetry).
- Right to Withdraw Consent (where consent is used): Withdraw consent at any time for consent-based processing.
To exercise these rights, contact us at contact@climbsync.app. We currently handle objection/rights requests manually via support. You also have the right to lodge a complaint with the Austrian Data Protection Authority (Österreichische Datenschutzbehörde).
10. Third-Party Services
ClimbSync uses the following third-party services:
- Convex (database, authentication, storage) — convex.dev/privacy
- Mapbox (map display) — mapbox.com/legal/privacy
- RevenueCat (subscription billing infrastructure) — revenuecat.com/privacy
- Google/Apple (OAuth authentication) — their respective privacy policies apply
- Resend (transactional email delivery) — resend.com/legal/privacy-policy
11. Children's Privacy
ClimbSync is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a child, please contact us immediately.
12. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of significant changes through the app or by email. The "Last updated" date at the top indicates when this policy was last revised.
For material changes, we may require renewed in-app acceptance before continued use of protected app areas.
13. Contact
For questions or concerns about this privacy policy or your personal data, please contact:
Benjamin Orthner
Email: contact@climbsync.app