Carryless

Privacy Policy

Last updated: September 1, 2025

1. Introduction

At Carryless, we are committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, and safeguard your information in compliance with the General Data Protection Regulation (GDPR) and other applicable privacy laws in the European Union.

2. Data Controller

Serac Alpine Gear created and maintains Carryless as a free, open-source service. Serac Alpine Gear acts as the data controller for the personal data you provide when using our service.

3. Legal Basis for Processing

We process your personal data based on:

  • Contract: To provide the gear catalog and pack planning service you've requested
  • Legitimate Interest: To maintain and improve our service security and functionality
  • Consent: For any optional features you explicitly agree to use

4. Data We Collect

We practice data minimization and only collect information necessary to provide our service:

4.1 Account Information

  • Email address: Required for account creation and authentication
  • Username/Nickname: Your chosen display name for the service
  • Password: Stored as a secure hash (never in plain text)

4.2 Service Data

  • Gear inventory: Items, categories, weights, and notes you create
  • Pack configurations: Your pack plans and item selections
  • User preferences: Settings like currency and weight units

4.3 Technical Data

  • Session tokens: For secure authentication during your visits
  • Basic server logs: For security and error monitoring (IP addresses are not permanently stored)

5. How We Use Your Data

Your data is used exclusively to:

  • Provide the gear catalog and pack planning functionality
  • Maintain your account and authenticate your access
  • Display your gear and packs within the application
  • Enable public pack sharing when you choose to make packs public
  • Ensure service security and prevent misuse

6. Data Sharing and Third Parties

We do not sell, rent, or share your personal data with third parties. Period.

The only exception is when you voluntarily make a pack public. In this case, your pack configuration (but not your email or other personal details) becomes visible to other users.

7. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Password hashing using bcrypt
  • CSRF protection for all state-changing operations
  • Rate limiting to prevent abuse
  • Secure session management
  • Regular security updates to our infrastructure

8. Data Retention

We retain your data only as long as necessary:

  • Account data: Until you delete your account
  • Session data: Automatically expires after periods of inactivity
  • Server logs: Kept for a maximum of 30 days for security purposes

9. Your Rights Under GDPR

As a data subject, you have the following rights:

  • Right of Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data
  • Right to Restrict Processing: Limit how we use your data
  • Right to Data Portability: Receive your data in a portable format
  • Right to Object: Object to certain types of data processing
  • Right to Withdraw Consent: Where processing is based on consent

To exercise these rights, please contact us through our GitHub repository.

10. Cookies and Local Storage

We use minimal cookies and local storage:

  • Session cookies: Essential for authentication and security
  • Preference cookies: Remember your weight unit preference (grams/ounces)

All cookies are technically necessary for the service to function properly.

11. International Data Transfers

Your data is processed within the European Union. If we ever need to transfer data outside the EU, we will ensure appropriate safeguards are in place and obtain your explicit consent where required.

12. Funding and Independence

Our service is funded entirely through voluntary donations to Serac Alpine Gear. This funding model ensures we have no financial incentive to monetize your data or compromise your privacy. We are committed to maintaining this approach.

13. Children's Privacy

Our service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of any significant changes through the platform and update the "Last updated" date at the top of this policy.

15. Contact and Supervisory Authority

For privacy-related questions or to exercise your rights, please contact us through our GitHub repository.

You also have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not handled your data appropriately.
