Privacy policy
Last updated: 25 May 2026
Courtesy translation — the French version prevails.
1. Data controller
The controller of personal data processing is:
Fabrice Jolivet — sole trader, trading as Burst Innovation Lab
37 rue Blanqui, 33110 Le Bouscat, France
SIRET: 941 912 255 00010
Email: hello@plotrek.com
“Plotrek” is the trading name of the site published by Burst Innovation Lab for the sale of personalized topographic posters.
2. Data collected
We collect the following categories of data:
- Identification data: first name, last name, email address, postal address (only for physical products).
- Payment data: processed exclusively by Stripe. We store no card information on our servers.
- GPS activity data: GPX tracks imported by the Client (uploaded manually or fetched via Strava OAuth). Used only to generate the ordered work.
- Strava connection data (where applicable): temporary OAuth access token (6h), athlete_id, Strava first and last name. This data is stored exclusively in an encrypted browser-side cookie (HS256 key) and is never persisted in our database until you have confirmed a paid order. The OAuth scopes requested are
readandactivity:readonly (read-only); we never request write access to your activities. See our Strava page for details. - Strava activity data linked to an order: when you place an order, we keep the GPS polyline, the elevation profile, the title and date of the chosen Strava activity as well as your Strava first/last name (for the poster's “finisher” field). This data is kept for 5 years for accounting legal obligations; you may request its anonymization at any time (see section 6).
- Technical data: IP address, user-agent, application logs (anonymized after 90 days).
3. Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| Fulfilment of the order | Performance of the contract (art. 6.1.b GDPR) |
| Issuing invoices and accounting obligations | Legal obligation (art. 6.1.c GDPR) |
| Customer service and responding to requests | Legitimate interest (art. 6.1.f GDPR) |
| Anonymized audience statistics | Legitimate interest (art. 6.1.f GDPR) |
4. Recipients and sub-processors
Your data is accessible only to Fabrice Jolivet (sole trader) and to the following technical sub-processors:
- Vercel Inc. (USA) — website hosting. Transfer covered by the European Commission's Standard Contractual Clauses.
- Railway Corp. (USA) — map generation pipeline. Same safeguards as Vercel.
- Supabase Inc. (Singapore) — database and order storage.
- Cloudflare R2 (USA) — storage of generated files (PDF, PNG, SVG).
- Stripe Payments Europe Ltd. (Ireland) — payment processing. Stripe is PCI-DSS level 1 compliant.
- Resend Inc. (USA) — sending transactional emails (confirmation, shipping).
- Strava Inc. (USA, where applicable) — fetching the GPS activity via OAuth, only if the Client chooses this option.
5. Retention period
- Order data (Client + address + GPX): 5 years (legal retention period for accounting and commercial data).
- Files generated on R2: 30 days after delivery.
- Strava connection data: until revoked by the Client or expiry of the OAuth token (6 hours for the short token).
- Technical logs: 90 days, then anonymization.
- Tax and accounting data: 10 years (article L123-22 of the French Commercial Code).
6. Your rights
In accordance with the GDPR, you have the following rights over your data:
- Right of access — obtain a copy of your data.
- Right to rectification — correct inaccurate data.
- Right to erasure (“right to be forgotten”) — except where legally required to retain.
- Right to restriction of processing.
- Right to portability — receive your data in a structured, readable format.
- Right to object to processing.
- Right to withdraw consent at any time, for processing based on it.
- Right to lodge a complaint with the CNIL: cnil.fr.
To exercise these rights, send an email to hello@plotrek.com stating your request and attaching proof of identity. We respond within 30 days.
6.1 Strava data — deletion and revocation
For data from the Strava API:
- Immediate self sign-out — go to the /account page and click “Sign out of Strava”. This action calls the Strava
POST /oauth/deauthorizeendpoint, revokes our access token and clears your local session. No action on Strava's side is needed afterwards. - Manual revocation on Strava's side — you can also revoke Plotrek's authorization via strava.com/settings/apps.
- Order anonymization — to erase the Strava data attached to a paid order (before the 5-year legal deadline), write to hello@plotrek.com. We replace the Strava first/last name with “Anonymous athlete” and remove the athlete_id from the generation payload; accounting obligations require us to keep the transaction metadata (date, amount, product) but these are not personal.
- Strava policy — strava.com/legal/privacy.
7. Cookies
The site uses a minimal number of cookies:
- Functional cookies (mandatory): session maintenance, tracking of the current cart.
- Anonymized audience-measurement cookies (legitimate interest): no third-party cookies, no advertising tracking.
No marketing or advertising cookie is placed without your explicit consent.
8. Security
We implement appropriate technical and organizational measures to protect your data: systematic TLS encryption, restricted data access, regular audits, daily backups.
In the event of a data breach likely to create a high risk to the rights and freedoms of the individuals concerned, we will notify the CNIL and the affected individuals within the timeframes set by the GDPR (72 hours).
9. Changes
This policy may be updated to reflect legal or technical developments. The date at the top of this page indicates the last update.