1. Introduction

Welcome to EXOTRAILS COMPANY LIMITED ("ExoTrails", "we", "our", or "us").

This Privacy Policy explains how we collect, use, disclose, store, and protect personal data of individuals who use exotrails.com or our mobile apps or our social media platforms (collectively, the "Service").

We comply with:

Decree 13/2023/NĐ-CP on Personal Data Protection (PDPD) of Vietnam (currently applicable)
Law No. 91/2025/QH15 on Personal Data Protection of Vietnam (effective Jan 1 2026), we will transition to full compliance by that date
Law No. 19/2023/QH15 on Protection of Consumers' Rights 2023
Law on Cybersecurity 2018 and Law on Network Information Security 2015
EU General Data Protection Regulation (GDPR)
California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA) and CalOPPA
APEC Privacy Framework 2015
Other applicable global privacy laws.

We use your data to provide and improve Service. By using Service, you agree to the collection and use of information in accordance with this policy. Unless otherwise defined in this Privacy Policy, the terms used in this Privacy Policy have the same meanings as in our Terms and Conditions.

Our Terms and Conditions ("Terms") govern all use of our Service and together with the Privacy Policy constitutes your agreement with us ("agreement").

2. Definitions

Key terms used in this Policy:

SERVICE: the ExoTrails platform (website & apps) operated by EXOTRAILS COMPANY LIMITED
PERSONAL DATA means data about a living individual who can be identified from the data (or from that and other information either in our possession or likely to come into our possession).
USAGE DATA is data collected automatically either generated by the use of Service or from Service infrastructure itself (for example, the duration of a page visit).
COOKIES are small files stored on your device (computer or mobile device).
DATA CONTROLLER means a natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. For the purpose of this Privacy Policy, we are a Data Controller of your data.
DATA PROCESSORS (OR SERVICE PROVIDERS) means any natural or legal person who processes the data on behalf of the Data Controller (e.g. Server & Cloud Infrastructure Providers; Analytics & Measurement Services; Mapping & Location Services; Payment & Subscription Management Services; Email, Chatbot, & CRM Services; Media Storage Services (CDN); Fraud Prevention Services; Security Testing Providers and/or Others). We may use the services of various Service Providers in order to process your data more effectively. Each Data Processor signs a Data Processing Agreement with ExoTrails.
DATA SUBJECT is any living individual who is the subject of Personal Data.
THE USER is the individual using our Service. The User corresponds to the Data Subject, who is the subject of Personal Data.

3. Lawful Bases for Processing

We process Personal Data based on:

Consent – required for sensitive data such as health metrics, GPS tracking, contact discovery, marketing communications, advertising cookies.
Contract – to provide core services such as activity tracking and subscription plans.
Legal Obligation – to comply with Vietnamese law (cyber-security, accounting, taxation).
Legitimate Interests – to improve services, maintain security, prevent fraud.
Vital Interest – to protect an individual's life, health, or safety.

4. Data We Collect

a) Account & Contact Data

Name, email, phone, password, profile photo, language preference.

b) Activity, Health & Location Data

Activity & Sensor Data: route GPS traces, distance, pace, elevation, device IDs, if you choose to connect sensors - power, cadence, similar fitness metrics.

Location: processed only with your permission. We collect your location when you are recording an activity and enable Live Location in TrackMate.

When you enable Live Location in TrackMate (Track or Challenge mode), we collect your device's location at regular intervals to show your real-time position. You can control whether to share it with your groups in Track Mode. Location sharing stops when you end the session. Therefore, you are responsible for choosing who can view your real-time position and for sharing it only with trusted contacts or participants.

We retain live location records solely to support user safety and troubleshoot technical issues. These records are either deleted or anonymized when no longer needed, unless legal obligations require otherwise.

Sensitive Data: processed only with your explicit consent and for purposes you select.

c) Usage Data

Technical & Log Data. When you access the Service, we automatically collect technical data (browser, OS, referrer, URL visited, request timestamp, IP address, device identifiers, app/network latency). We use this to operate the Service, prevent abuse, and diagnose incidents. IP addresses and security logs are kept up to 90 days, then deleted or anonymized unless the law requires longer.

d) Contacts

If you opt in, we hash and compare your device contacts solely to help you discover friends; you can revoke this permission at any time.

e) Cookies, SDKs & Similar Technologies

We use (i) essential cookies/SDKs to run the Service, (ii) analytics (with consent where required) to improve performance, and (iii) profiling/marketing (only with your opt-in consent). You can manage non-essential cookies via our cookie banner and in-app controls, and adjust OS ad preferences (iOS/Android) or withdraw consent anytime in app/browser privacy settings.

f) Subscription & Billing Data

If you buy a subscription plan we collect:

Chosen plan, status, renewal date
Payment & invoicing details (processed by certified third-party gateways; we do not store full card details)
Transaction history (retained as required by accounting/tax law).

We use third-party payment processors to handle payments. They receive only the data needed to process your transaction and store card details on their systems. We receive confirmation of payment status and basic billing metadata. See our payment processor's privacy notice for details.

g) Third-Party Accounts

If you sign up or log in with Apple/Google or connect social accounts, we receive the info you authorize (e.g., name, email, profile image). You can disconnect anytime in settings or the third-party account.

h) AI/ML Features

We use machine learning/AI to power features such as route recommendations, anomaly detection on leaderboards, and training insights. We prefer aggregated/de-identified data where possible; where features rely on health or precise location data, we only process them with your settings and explicit consent (where required).

i) Other Data

While using our Service, we may also collect the following information: sex, age, date of birth, place of birth, passport details, citizenship, registration at place of residence and actual address, telephone number (work, mobile), details of documents on education, qualification, professional training, employment agreements, NDA agreements, information on bonuses and compensation, information on marital status, family members, social security (or other taxpayer identification) number, office location and other data.

5. Use of Data

We use your data to:

Provide, operate, and improve the Service
Record, analyze, and display your activities
Manage subscription accounts, payments, and renewals
Offer privacy & safety tools (e.g., privacy zones, profile visibility)
Provide customer support and communicate about the Service
Conduct analytics to enhance performance and user experience
Detect and prevent fraud, abuse, and security incidents
Comply with applicable laws and law-enforcement requests
Send newsletters, offers, and ads (with your consent)
Suggest content like routes, clubs, or people to follow
Personalize your feed and experience
Improve AI models using anonymous data
Use sensitive data (like health or location) only with your consent

You can control your preferences anytime in settings.

6. Privacy Controls

Visibility Controls: you choose per-activity and per-profile visibility: Everyone / Followers / Only You.

Safer Defaults: for new accounts and all minors, default visibility is Followers and start/end of routes are blurred by default.

Export & Deletion: you may download your data (including GPX) and delete your account at any time; we delete Personal Data unless retention is required by law.

7. Retention of Data

Subscription & billing records are retained for the period required by Vietnamese accounting/tax law (normally 10 years).

Activity & health data is retained until you delete it or your account, unless longer retention is required by law.

Other data will be retained throughout your use of the Service and will be deleted upon your request (except where such data is minimally required to maintain the use of the Service), or when you stop using the Service, or as required by law and competent government authorities, whichever comes first, unless longer retention is required by law.

We will delete or anonymize data no longer needed for stated purposes.

8. International Transfers

If your data is transferred outside Vietnam (e.g., to cloud servers in Singapore or the EU), we will:

Use contractual and technical safeguards
Comply with Decree 13/2023 and, from Jan 1 2026, Law 91/2025/QH15, including required impact assessments (see Section 9: DPIA) and prior notifications to the competent authority.

EU/EEA Transfers. Where applicable, we use Standard Contractual Clauses (and complementary safeguards) for transfers from the EU/EEA/UK.

9. Data Protection Impact Assessment (DPIA)

We comply with the regulations on preparing, storing, and submitting Data Protection Impact Assessment (DPIA) records within the prescribed time frame to the competent authorities in Vietnam when processing and/or transferring data outside Vietnam.

10. Disclosure of Data

We may disclose Personal Data:

As required by law, court order, or lawful government request
To our affiliates and vetted service providers under contractual confidentiality
In the event of a merger, acquisition, or asset transfer
To protect the rights, safety, or property of ExoTrails, our users, or the public
With your explicit consent for any other specified purpose.

We do not sell or rent your Personal Data for money.

11. Security

We apply appropriate technical and organizational measures to safeguard your data.

No online system is 100% secure; we will notify affected users and authorities of breaches as required by law.

12. Your Data Protection Rights

Depending on the country/region in which the user is located, we will comply with the data collection regulations of that country for the User.

a) Vietnamese Users – Current PDPD (Decree 13/2023)

You have the right to:

Be informed of processing
Give or withdraw consent
Access, copy, and rectify data
Request deletion unless retention is legally required
Restrict or object to processing
Lodge complaints with competent authorities.

Object to direct marketing at any time in email/push settings or via unsubscribe links.

Where we rely on consent (e.g., health or precise location for certain features), you may withdraw it at any time in settings; we may continue limited processing if another legal basis applies (e.g., legal compliance).

These rights will remain under Decree 13/2023 until Law 91/2025/QH15 takes effect on Jan 1 2026; we will then align fully with the updated rights framework.

b) EU / EEA Users Under General Data Protection Regulation (GDPR)

If you are a resident of the European Union (EU) and European Economic Area (EEA), you have certain data protection rights, covered by GDPR.

We aim to take reasonable steps to allow you to correct, amend, delete, or limit the use of your Personal Data.

If you wish to be informed what Personal Data we hold about you and if you want it to be removed from our systems, please email us at support@exotrails.com.

In certain circumstances, you have the following data protection rights to:

Access, update or to delete the information we have on you;
Have your information rectified if that information is inaccurate or incomplete;
Object to our processing of your Personal Data;
Request that we restrict the processing of your personal information;
Provided with a copy of your Personal Data in a structured, machine-readable and commonly used format;
Withdraw your consent at any time where we rely on your consent to process your personal information;

Please note, we may not be able to provide Service without some necessary data.

You have the right to complain to a Data Protection Authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority in the European Economic Area (EEA).

c) California Users under the California Privacy Protection Act (CCPA / CalOPPA / CPRA)

If you are a California resident, ExoTrails complies with the California Online Privacy Protection Act (CalOPPA) and the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

Under these laws, you have the right to:

Know what personal information we collect, use, or share.
Request access to or deletion of your personal data.
Opt out of the sale or sharing of personal data (we do not sell data).
Be informed of any material changes to this Privacy Policy.

How we comply:

Our Privacy Policy link is clearly labeled and accessible on our homepage.
Users may visit our site anonymously.
Updates to this policy will be posted on this page.
You can request access, correction, or deletion of your data by emailing support@exotrails.com.

"Do Not Track" Signals:

We honor browser-based "Do Not Track" settings. When enabled, we do not track, place cookies, or deliver personalized advertising.

To adjust your Do Not Track settings, visit your browser's Preferences or Privacy Settings page.

d) Data Request Process

To protect your privacy and comply with applicable laws (PDPD, GDPR, CCPA), we verify your identity before processing any personal data request.

How to submit a request:

Email support@exotrails.com with:

Your full name and registered email;
The type of request (access, correction, deletion, restriction, or consent withdrawal).

We may request additional information to confirm your identity or authorized representation. Unverified requests may be declined.

What you can request:

Access to your personal data we currently hold;
Correction of inaccurate or outdated data;
Deletion of data no longer needed or processed unlawfully;
Restriction or withdrawal of consent for optional processing;
Data portability, where legally required and technically feasible.

Limitations:

We may refuse or limit requests that:

Infringe on another person's rights or confidentiality;
Conflict with legal obligations (e.g., tax, security, or audit retention);
Concern anonymized, aggregated, or system logs;
Are excessive or repeated within 12 months (as permitted under CCPA and GDPR).

Response time:

We will acknowledge your request within 10 working days and respond within 45 calendar days, unless extended for legitimate reasons.

For all privacy-related requests, contact: support@exotrails.com

13. Advertising & Analytics

We use analytics to improve the Service and, with your consent, cookies/SDKs for personalized offers/ads. Manage non-essential cookies via our banner and in-app controls; adjust advertising preferences in your device OS. You may opt out of marketing emails anytime and manage push notifications in app/OS settings.

14. Third-Party Services & APIs

If you connect third-party apps, devices, or integrations (e.g., wearables, training platforms), we share only the minimum data needed for an integration and prohibit unrelated use. Partners and developers may not use ExoTrails data to train AI models or for purposes outside the user-authorized feature. We may limit or revoke access for violations.

When you interact with our official pages on third-party platforms, those platforms may process your data under their terms. We may receive aggregated analytics about page visits and engagement.

15. Law-Enforcement Requests

We respond only to valid and lawful requests from competent authorities, consistent with Vietnamese law and applicable international obligations.

We require appropriate legal process (e.g., warrant, court order, or lawful written request) and where permitted, we will notify affected users.

We may publish periodic transparency information.

Where legally permitted, we aim to notify affected users before producing data in response to a government request and may publish aggregated transparency information.

16. Children's Privacy

The Service is not intended for anyone under 18, and we do not knowingly collect data from minors. For any permitted teen accounts in specific regions, stricter defaults apply (e.g., Followers-only visibility, stronger map privacy, messaging limits). Uploading heart-rate/health data generally requires being 16+ with explicit consent (where allowed by law). If you believe we collected data from a minor, contact support@exotrails.com.

17. Changes to This Policy

We may update this Policy to reflect changes in laws, technologies, or practices.

We will update the "Effective Date" above and, where appropriate, notify you by email or prominent notice in-app or on the website.

18. Contact Us

For any privacy-related questions, concerns, or rights requests:

Privacy Contact - ExoTrails
Email: support@exotrails.com