Privacy Policy

Effective: May 27, 2026 · Version: 1.1 (2026-06-04)

This Privacy Policy describes how the TaliGo mobile application ("App", "Service") handles users' personal data. TaliGo is a personal project operated by an individual based in Hungary (see "Data Controller").

Data Controller
What Data We Collect
Purpose and Legal Basis
Storage and Transfers
Third-Party Services
Retention Period
Your Rights (GDPR)
Children and Minors
Changes to This Policy
Contact
Trademarks

1. Data Controller

Name: Marko Ignac (individual)
Country: Hungary
Email: mignac2@gmail.com

We are not required to appoint a Data Protection Officer (DPO) as our processing does not meet the threshold defined in GDPR Article 37.

2. What Data We Collect

Data provided at sign-up:

Email address (required, used for login)
Display name (required)
Password (stored hashed by Firebase Authentication — we don't see it)

Data generated during use:

Hikes you create (title, date, description, location, distance, difficulty)
Cover images you upload (stored on Cloudinary)
RSVP and "interested" states
Komoot / AllTrails URLs you provide
Push notification token (FCM, per device)

Location data (optional, consent-based only):

Precise GPS position (latitude and longitude) and a last-updated timestamp — only when you explicitly enable location sharing in an event's map view.
Your location is visible to other participants of that event (for group coordination purposes).
Location sharing is off by default; the app never activates it automatically.
While active, a persistent notification is shown. Tracking may continue with the screen off (foreground service) so group coordination works during the hike — but it can be stopped at any time and never starts automatically.
Location data is automatically deleted when the event ends.
Can be stopped at any time via the toggle in the event map view.

Automatically collected data:

Usage analytics (anonymous events: e.g. "event_create", "login")
Crash reports (stack trace, device type, OS version — no identifiers)
Approximate region (Firebase Analytics, based on IP)

We do not collect: contact list, full photo library content, advertising identifiers, browsing history. GPS location is only collected with explicit opt-in (see above).

3. Purpose and Legal Basis

Service delivery (GDPR Art. 6(1)(b) — contract performance): sign-up, hike storage, participant management, notifications.
Legitimate interest (GDPR Art. 6(1)(f)): app stability (crash reports), usage analytics for improvement.
Consent (GDPR Art. 6(1)(a)): push notifications (can be turned off in settings any time); precise location sharing (can be stopped any time in the event map view).

4. Storage and Transfers

Data is primarily stored on Google Firebase (Firestore, Authentication, Cloud Functions, Cloud Messaging) in the europe-west1 region (Belgium). Cover images are stored on Cloudinary's cloud storage (EU region).

No data is transferred outside the EU, except via Google's standard contractual clauses (SCC) for internal services.

5. Third-Party Services

Google Firebase (Google Ireland Ltd.) — backend, auth, database, push, analytics, crashlytics. policies.google.com/privacy
Cloudinary (Cloudinary Ltd.) — cover image hosting. cloudinary.com/privacy
Komoot / AllTrails — we only fetch route metadata (title, distance, difficulty, map preview URL) when you paste a public shareable link into your hike.

6. Retention Period

Active account: data is stored as long as your account is active.
After account deletion: your account and all associated data (your hikes, RSVPs) are immediately and permanently deleted (see "Your Rights").
Crash and analytics data: 14 months (Firebase default).
FCM tokens: automatically cleaned up when a device becomes unreachable.
Location data: automatically deleted when the event ends; immediately upon turning off location sharing.

Under the EU GDPR, you have the following rights:

Access: request a copy of your data.
Rectification: you can change your display name in the profile; for email change, contact us.
Erasure (right to be forgotten): Profile → Settings → "Delete account" — immediate and permanent deletion. The Firebase Auth user and all associated Firestore documents are removed within 1-2 seconds. This action cannot be undone.
Restriction / objection: push notifications can be disabled any time (Profile → Settings → Notifications); location sharing can be stopped any time in the event map view.
Data portability: you may request a JSON export of your data by email.
Complaint: to the Hungarian National Authority for Data Protection (NAIH, naih.hu).

8. Children and Minors

TaliGo is not intended for users under 16. We do not knowingly collect data from anyone under 16. If we learn that an account was created by someone under 16, we will delete it without delay.

9. Changes to This Policy

We update this document from time to time. For material changes we will display a notice in the app. The current version is always available at this URL.

10. Contact

For any privacy questions, data requests, or complaints, please contact us: mignac2@gmail.com.

11. Trademarks

"Komoot", its logo, and related marks are trademarks of Komoot GmbH. "AllTrails" and related marks are trademarks of AllTrails LLC. "Firebase", "Google", and related marks are trademarks of Google LLC. "Cloudinary" is a trademark of Cloudinary Ltd.

TaliGo is not affiliated with, endorsed by, or sponsored by Komoot GmbH, AllTrails LLC, Google LLC, or Cloudinary Ltd. We reference these brand names descriptively (nominative fair use) only to explain which external services we read data from (public Komoot / AllTrails tour URLs) or which services power our infrastructure (Firebase, Cloudinary).