Privacy Policy

1. Who this policy covers

This Privacy Policy applies to Cardinal Labs LLC, an Oklahoma limited liability company ("Cardinal Labs," "we," "us," or "our"), and to the websites and applications we operate, including:

• cardinal-labs.studio — our studio website
• DirtPulse — our app for off-road and overland communities
• CampBound — our app for RV and campground communities
• Anchor — our app for boating and water communities

We refer to all of these together as the "Services." When you use any of them, this policy applies.

2. What we collect

We try to collect as little as we can while still making the Services work. Here's the full list:

Account information

When you create an account, we collect your email address and either a password or an identifier from a third-party sign-in provider (such as Apple or Google) if you choose that option. You can also provide an optional display name and profile photo.

Content you post

When you submit a trail report, campground review, launch condition, photo, comment, or other content (collectively, "User Content"), we store that content and associate it with your account. User Content is generally visible to other users of the relevant app.

Location, only when you actively use it

Some features — like "trails near me" or "find a campsite nearby" — need to know roughly where you are. When you tap one of these features, we ask your device for your current location and use it to return relevant results. We do not track your location in the background, and we do not log your continuous movement. See Section 6 for more.

Basic, privacy-friendly analytics

We use lightweight, server-side analytics to understand things like how many people visited a page or used a feature. These analytics do not use cookies for tracking, do not fingerprint your device, and do not build a profile of you across sites. We do not use Google Analytics, Meta Pixel, or other third-party advertising trackers.

Information your device sends automatically

When you visit one of our Services, our hosting provider receives standard request information: your IP address, the page you requested, your browser type, and the time of the request. This is normal web traffic data; we use it to operate the Services, debug problems, and protect against abuse. We do not link this to your identity unless you are signed in.

3. What we don't do

Some companies tell you what they collect and let you guess at the rest. Here is what we explicitly do not do:

• We do not sell your personal information to anyone, ever.
• We do not "share" your personal information for cross-context behavioral advertising (as the term is defined under California law).
• We do not run third-party ads in the Services.
• We do not embed third-party advertising trackers, marketing pixels, or session-replay tools.
• We do not track your location in the background.
• We do not build shadow profiles of people who don't have accounts.
• We do not read or scan your photos beyond what's needed to display them when you choose to upload one.

4. How we use your information

We use the information we collect to:

• Provide and operate the Services (sign you in, show you nearby content, post your reviews, etc.).
• Maintain account security and prevent abuse, spam, and fraud.
• Communicate with you about your account or material changes to the Services.
• Understand aggregate usage so we can improve the apps (for example, "this feature is rarely used; let's fix or remove it").
• Comply with legal obligations and enforce our Terms of Service.

5. When we share information

We share personal information only in the limited situations below:

Service providers we rely on

We use a small set of vendors to actually run the Services — for example, a hosting provider (currently Vercel) and the third-party sign-in providers you choose to use. These vendors process information only to provide services to us and are bound by contract to protect that information.

Other users (only what you choose to share)

Content you post — reviews, trail reports, photos, your display name — is visible to other users of the relevant app. Your email address and account credentials are not.

Legal requirements

We may disclose information if we believe in good faith that disclosure is required by law, legal process (such as a subpoena), or is necessary to protect the rights, property, or safety of Cardinal Labs, our users, or the public.

Business transfers

If Cardinal Labs is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you and post a notice before any personal information becomes subject to a different privacy policy.

6. Location data

Location is the data category that matters most to outdoor apps, so we want to be specific.

• We only request your location when you actively use a feature that needs it. If you don't tap "find nearby," we don't ask.
• We don't run in the background. Our apps are Progressive Web Apps that operate while open in your browser. We do not request "always" location permission and we do not log your movements over time.
• We don't store your precise location with your account. When you fetch nearby content, your location is used to compute results and is not retained as part of your account profile.
• Posts you choose to attach a location to are stored with that post. If you tag a trail report with a coordinate, that coordinate becomes part of the post. You can delete the post to remove it.
• Your device controls override ours. You can deny or revoke location permission at any time in your browser or operating system settings.

7. Your posts and reviews

When you submit User Content, you can edit or delete it from within the relevant app at any time. Deleted content is removed from public view promptly. Backups and logs may retain copies for a limited period; we discuss retention in Section 8.

Other users may have copied, screenshotted, or referenced your content while it was visible. We can't control that, and deletion from our Services does not pull your content back from anywhere else it has traveled.

8. How long we keep things

• Account information — kept while your account is active. If you delete your account, we delete or anonymize your account information within 30 days, except where we need to retain it to comply with law, resolve disputes, or enforce agreements.
• User Content — kept until you delete it or your account. After deletion, residual copies may exist in encrypted backups for up to 90 days before being overwritten.
• Analytics and server logs — typically retained for up to 90 days, then deleted or aggregated.

9. Security

We use commercially reasonable technical and organizational measures to protect your information, including encryption in transit (HTTPS), encryption at rest for stored credentials, and limited internal access on a need-to-know basis. No system is perfectly secure, however, and we cannot guarantee absolute security. If we ever experience a breach affecting your personal information, we will notify you as required by applicable law.

10. Your rights and choices

Regardless of where you live, you can:

• Access or update your account information from within the app.
• Delete your content from within the app.
• Delete your account from within the app, or by emailing us at the address below.
• Export the User Content associated with your account by emailing us; we'll provide a copy in a portable format within 30 days.
• Revoke location permission through your browser or device settings at any time.

11. For California residents

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), gives you additional rights. We summarize them here.

Categories of personal information we collect

In the past 12 months, we have collected the following CCPA/CPRA categories of personal information from users of the Services:

• Identifiers — for example, email address, account ID, IP address.
• Customer records — for example, display name and profile photo if you provide them.
• Internet or other electronic network activity — for example, basic page-view analytics and request logs.
• Geolocation data — only when you actively use a location-aware feature, as described in Section 6.
• User-generated content — the posts, photos, and reviews you submit.

We collect these categories from you directly (when you sign up or post) and from your device (for technical request data and any location you choose to share).

Purposes

We use these categories for the purposes described in Section 4: operating the Services, securing accounts, communicating with you, improving the apps, and meeting legal obligations.

Sale and sharing

We do not sell your personal information, and we do not share it for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA. We have not done so in the past 12 months.

Sensitive personal information

The only category of "sensitive personal information" we collect is precise geolocation, and only when you actively use a location-aware feature. We use it solely to provide the feature you asked for. We do not use or disclose it for purposes that require an opt-out under the CCPA/CPRA.

Your California rights

You have the right to:

• Know what personal information we have collected about you and how we use it.
• Request a copy of that information.
• Request deletion of that information, subject to legal exceptions.
• Request correction of inaccurate information.
• Limit our use of sensitive personal information (we already limit it to the purpose you requested).
• Not be discriminated against for exercising any of these rights.

To exercise any of these rights, email us at privacy@cardinal-labs.studio. We may need to verify your identity (typically by confirming control of the email address on the account) before we act on a request. You may also designate an authorized agent to make a request on your behalf.

12. Children

The Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us and we will delete it promptly.

13. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the "Last updated" date at the top and, where appropriate, provide additional notice (for example, an in-app message or an email to your account address). Your continued use of the Services after the effective date of an update constitutes acceptance of the updated policy.

14. Contact