Effective date: 9 May 2026
1. Controller
Pursuant to Article 4(7) of Regulation (EU) 2016/679 (the “General Data Protection Regulation” or “GDPR”) and the Slovenian Personal Data Protection Act (Zakon o varstvu osebnih podatkov, ZVOP-2), the controller responsible for the processing of personal data through gravelatlas.com (the “Service”) is:
Zavod Novi, a zavod established in the Republic of Slovenia.
Matična številka: 7325428000
Davčna številka: 16806077
Email: support@gravelatlas.com
Gravel Atlas is operated by Zavod Novi as a sub-brand. References in this Policy to “we”, “us”, or “Gravel Atlas” mean Zavod Novi acting under that brand.
Zavod Novi has not appointed a Data Protection Officer. We are not required to do so under Article 37 GDPR, as we are not a public authority, our core activities do not consist of regular and systematic monitoring of data subjects on a large scale, and we do not process special categories of personal data on a large scale.
2. Scope of this Policy
This Policy describes how Zavod Novi processes personal data of visitors to gravelatlas.com and registered users of the Service. It applies to processing carried out in the operation of the Service. It does not apply to third-party websites linked from the Service, the privacy notices of which apply to those services.
3. Categories of personal data we process
3.1 Account data. Where a user creates an account, we process the email address and password (stored as a salted hash), and optionally the first and last name, profile photograph, biographical text, place of residence, social-media link, and tip-jar URL.
3.2 Content data. Where a user uploads or creates content, we process route geometries (GPS coordinates, elevation profiles, waypoints), photographs, route descriptions and metadata, completion records, check-in records, comments, ratings, collections, event submissions, and bicycle entries.
3.3 Subscription data. Where a user subscribes to a paid plan, the payment is processed by Stripe Inc. Zavod Novi does not have access to the payment card details. We store only the Stripe customer identifier, the Stripe subscription identifier, the plan, and the renewal and expiry dates.
3.4 Newsletter data. Where a user opts in to the newsletter, we record that opt-in choice as a boolean value associated with the user's account.
3.5 Connected-service data. Where a user voluntarily connects a Strava account, we receive and store the OAuth tokens necessary to access activity data the user chooses to import.
3.6 Server log data. When the Service is accessed, our servers record the requesting IP address, the User-Agent string, the requested resource, the time of the request, and (where available) the referring URL. This processing is necessary for the security and operation of the Service.
3.7 Page-view data. Subject to the user's cookie consent, we record page-view events to a first-party database table. Each record includes the path visited, the referring URL, any utm_* campaign parameters, the User-Agent, an approximate country derived from the IP at the network edge, a randomly-generated per-visit session identifier, and (where the user is signed in) the user identifier.
3.8 Rate-limiting data. During sensitive actions (sign-in, registration, upload, follow), we briefly record the user's email address and IP address in our rate-limiter, Upstash Redis (Frankfurt). These records expire automatically within minutes.
4. Purposes of processing and legal bases
Zavod Novi processes the personal data described in section 3 for the following purposes, each on the legal basis identified below.
4.1 Operation of the Service (Article 6(1)(b) GDPR, performance of a contract). The processing of account data, content data, subscription data, and connected-service data is necessary to perform the contract concluded with the User upon account creation, including authenticating the User, hosting and rendering the User's content, delivering the functionality the User has requested, and maintaining the User's account.
4.2 Transactional communications (Article 6(1)(b) GDPR). Email messages necessary to operate the contract (account verification, password reset, subscription receipts, security notices) are sent on the basis of contract performance.
4.3 Payment processing (Article 6(1)(b) GDPR). Where the User subscribes to a paid plan, Zavod Novi shares the email address, the User's name, and the chosen plan with Stripe Inc. for the purpose of processing the payment.
4.4 Newsletter (Article 6(1)(a) GDPR, consent). The newsletter is sent on the basis of the User's prior, freely-given, specific, and informed consent. The User may withdraw that consent at any time through the unsubscribe link in any newsletter message or through account settings, without affecting the lawfulness of processing prior to withdrawal (Article 7(3) GDPR).
4.5 Audience measurement (Article 6(1)(a) GDPR, consent). Page-view data and Vercel Analytics events are processed only where the User has given prior consent through the cookie banner. The User may withdraw that consent at any time through the cookie-preferences link in the site footer.
4.6 Security and abuse prevention (Article 6(1)(f) GDPR, legitimate interest). Server log data and rate-limiting data are processed on the basis of Zavod Novi's legitimate interest in keeping the Service secure, investigating abuse, and protecting users and third parties from fraudulent or harmful activity. The User may object to such processing at any time on grounds relating to the User's particular situation pursuant to Article 21 GDPR.
4.7 Compliance with legal obligations (Article 6(1)(c) GDPR). Tax records, accounting records, and information disclosed in response to valid legal process are processed on the basis of Zavod Novi's compliance with applicable Slovenian and European Union law.
5. Recipients and processors
Zavod Novi shares personal data with the recipients listed below. Each recipient acts as a processor within the meaning of Article 28 GDPR, on the basis of a written data-processing agreement, and only for the purposes set out in this Policy. Zavod Novi does not sell, rent, or otherwise commercially exploit personal data, and does not share personal data with data brokers or advertising networks.
| Processor | Role | Location | Data shared |
|---|---|---|---|
| Vercel Inc. (DPA) | Hosting, edge network, Vercel Analytics | United States, with EU regions where available | Server logs, request data, page-view beacons |
| Neon Inc. | Managed PostgreSQL database | Frankfurt, Germany (eu-central-1) | All structured personal data described in section 3 |
| Vercel Blob | Object storage for files | Frankfurt, Germany (fra1) | Photographs, GPX files, generated map images |
| Stripe Inc. (DPA) | Payment processing | United States | Email address, name, plan; payment card data is collected and held by Stripe and is not accessible to Zavod Novi |
| Resend Inc. (DPA) | Transactional email delivery | United States | Email address, first name, message content |
| Upstash Inc. | Redis-based rate-limiter | Frankfurt, Germany | Email address and IP address combined into rate-limit keys; records expire within minutes |
| Mapbox Inc. (Privacy) | Map tiles and geocoding | United States | The User's IP address (incident to the request) and the coordinates of the area being viewed |
| OpenStreetMap Foundation | Tile servers and reverse-geocoding (Nominatim) | United Kingdom and community-operated | The User's IP address (incident to the request), tile coordinates |
| CARTO | Alternative basemap tiles | Spain and the United States | The User's IP address (incident to the request), tile coordinates |
| Photon by Komoot | Place-name search and reverse-geocoding | Germany | Search strings, latitude/longitude pairs |
| Overpass API mirrors (overpass-api.de, overpass.kumi.systems, overpass.openstreetmap.fr) | OpenStreetMap feature queries for route discovery and surface tagging | Germany and France | Query content reflecting the User's viewport and route activity. Requests are dispatched from Zavod Novi's servers, so the User's IP address does not reach the operators directly. |
| Strava Inc. (API Agreement) | Optional integration where the User connects a Strava account | United States | OAuth tokens; activities the User chooses to import |
The route-planning engine (BRouter) is hosted on Zavod Novi's own infrastructure at brouter.gravelatlas.com. Routing requests are not shared with any third party.
Personal data is disclosed to public authorities and law-enforcement bodies only where required by Slovenian or European Union law, on the basis of a valid order, and only to the extent so required. Where the law permits, Zavod Novi will inform the data subject of any such disclosure.
6. International transfers
Some recipients listed in section 5 are established outside the European Economic Area, in particular in the United States. Where personal data is transferred to such recipients, the transfer is carried out on the basis of the Standard Contractual Clauses adopted by the European Commission pursuant to Decision 2021/914 (Module 2: Controller to Processor) and supplemented, where the recipient offers them, by additional technical and contractual measures.
Copies of the Standard Contractual Clauses incorporated into the agreements with our United States processors are available within the Data Processing Agreements linked in section 5 (Stripe, Resend, Vercel) and on request at support@gravelatlas.com.
7. Retention
Zavod Novi retains personal data only for as long as is necessary for the purposes set out in this Policy or as required by applicable law. The retention periods set out below apply unless a longer period is required by Slovenian or European Union law.
| Data | Retention |
|---|---|
| Active account data | For the duration of the account. Upon deletion, account data is soft-deleted for thirty (30) days for accidental-recovery purposes, then permanently deleted. Database backups are rotated on a thirty-day cycle. |
| Content data (routes, collections, events) | For the duration of publication. Upon deletion, soft-deleted and purged on the thirty-day cycle described above. |
| Completion records, check-ins, comments | Cascade with the parent route or the User's account. Permanently deleted on cascade with no soft-delete period. |
| Authentication tokens (verification, password reset) | Expire automatically per the expiry timestamp on each token; pruned on a scheduled basis. |
| Server log data | Retained for the period necessary to investigate operational issues, typically days, not months. |
| Rate-limiting data | Expires automatically within minutes. |
| Page-view data (where consented) | Twelve (12) months, then permanently deleted. |
| Administrative audit logs | Twenty-four (24) months. |
| Stripe billing records | Held by Stripe in accordance with its retention schedule; Zavod Novi retains the linkage identifiers for the duration of the account. |
| Tax-relevant transaction data | Ten (10) years pursuant to the Slovenian Tax Procedure Act (Zakon o davčnem postopku, ZDavP-2). This processing is carried out on the basis of Article 6(1)(c) GDPR (legal obligation) and is not subject to erasure on request during that period. |
8. Rights of the data subject
Subject to the conditions set out in the GDPR, the data subject has the following rights with respect to personal data processed by Zavod Novi.
8.1 Right of access (Article 15 GDPR). The right to obtain confirmation as to whether personal data concerning the data subject is being processed and, where that is the case, access to the personal data and the information set out in Article 15(1).
8.2 Right to rectification (Article 16 GDPR). The right to obtain the rectification of inaccurate personal data. Most fields can be rectified directly through the User's account settings. For others, the data subject may write to support@gravelatlas.com.
8.3 Right to erasure (Article 17 GDPR). The right to obtain the erasure of personal data, subject to the limitations set out in Article 17(3) (including the retention obligations set out in section 7). A self-service deletion mechanism is being implemented. Until that mechanism is available, the data subject may request erasure by writing to support@gravelatlas.com; Zavod Novi will action the request within thirty (30) days.
8.4 Right to restriction of processing (Article 18 GDPR). The right to obtain the restriction of processing in the cases set out in Article 18(1).
8.5 Right to data portability (Article 20 GDPR). The right to receive personal data provided to Zavod Novi in a structured, commonly-used, and machine-readable format, and to transmit that data to another controller, where the processing is based on consent or on a contract and is carried out by automated means.
8.6 Right to object (Article 21 GDPR). The right, on grounds relating to the data subject's particular situation, to object to processing carried out on the basis of legitimate interest (section 4.6).
8.7 Right to withdraw consent (Article 7(3) GDPR). Where processing is based on consent, the data subject has the right to withdraw consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal. Consent for the newsletter may be withdrawn through the unsubscribe link in any newsletter message or through account settings; consent for analytics may be withdrawn through the cookie-preferences link in the site footer; the Strava connection may be revoked through Settings › Connected accounts.
8.8 Right to lodge a complaint (Article 77 GDPR). The data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of habitual residence, place of work, or place of the alleged infringement. The competent supervisory authority for Slovenia is the Information Commissioner (Informacijski pooblaščenec), whose contact details are available at https://www.ip-rs.si.
To exercise any of these rights, the data subject may write to support@gravelatlas.com. Zavod Novi will respond within thirty (30) days, or sooner where Article 12(3) GDPR so requires, and will request reasonable additional information only where necessary to confirm the identity of the requesting person.
9. Cookies and similar technologies
The Service uses cookies, localStorage, and sessionStorage entries. The complete list, together with the categories defined in the consent banner (Strictly necessary, Preferences, Analytics, Marketing) and the controls available to the User, is set out on the Cookies page. The User may review and revise the cookie-preference choice at any time through the Cookie preferences link in the site footer.
10. Security
Zavod Novi implements appropriate technical and organisational measures pursuant to Article 32 GDPR, including transport-layer encryption (TLS) on every connection, encryption at rest for the database and the object store (provider-default AES-256), salted password hashing (bcrypt), rate-limiting on authentication, upload, and write endpoints, and access controls limiting production-data access to the minimum number of personnel necessary to operate the Service.
In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, Zavod Novi will notify the Information Commissioner without undue delay and, where feasible, not later than seventy-two (72) hours after becoming aware of the breach pursuant to Article 33 GDPR, and will communicate the breach to affected data subjects pursuant to Article 34 GDPR where the conditions of that Article are met.
11. Children
The Service is not directed at children. Pursuant to Article 8 GDPR and Article 21(2) of the Slovenian Personal Data Protection Act (ZVOP-2), the age of digital consent in the Republic of Slovenia is fifteen (15) years. A person below that age may not create an account on the Service except with the documented consent of a parent or legal guardian. Where Zavod Novi becomes aware that an account has been created by a person below the age of fifteen without such consent, the account will be deleted.
12. Changes to this Policy and contact
12.1 Zavod Novi may update this Policy from time to time, in particular to reflect changes in the Service, in our processors, or in applicable law. Material changes will be notified to registered Users by email and through a prominent notice on the Service. The updated version takes effect fourteen (14) days after such notice, save where applicable law requires immediate effect.
12.2 Questions about this Policy and requests relating to the rights set out in section 8 may be addressed to Zavod Novi by email at support@gravelatlas.com.