Privacy Policy

Last updated: 2 June 2026

This policy explains what personal data ScratchJourney collects, why we collect it, how we protect it, and the rights you have over it. We keep things deliberately simple: we collect the minimum needed to run the service, we never sell your data, and you can delete your account and all of its data at any time.

1. Who is responsible for your data

The controller responsible for your personal data is Robin Vandaele, the operator of ScratchJourney (scratchjourney.com). For any privacy question or request, you can contact us at privacy@scratchjourney.com.

2. What data we collect

  • Account data — your email address, your chosen display name, and your password (stored only as a secure, irreversible hash; we never see or store your actual password).
  • Travel data you create — the countries and regions you scratch, the dates you set, optional notes, and any photos and captions you choose to add.
  • Technical data — limited information needed to keep the service secure and working, such as your IP address as processed by our hosting provider for security and to deliver pages to you.

We do not collect special categories of data, and we do not use advertising or tracking profiles.

3. Why we use it and our legal basis

  • To provide the service (create your account, save your map, show your journal and profile) — legal basis: performance of our agreement with you.
  • To keep the service secure (prevent abuse, debug errors) — legal basis: our legitimate interest in running a safe service.

4. Cookies and local storage

We keep cookies to a minimum and group them into two categories:

  • Essential — a login cookie set after you sign in (so you stay signed in), plus local storage on your device for small preferences (wishlist, chosen theme, map/globe view). These are always active because the site cannot function without them, and they are not used for tracking or advertising.
  • Analytics (optional, consent-based) — we may use Google Analytics to understand how the site is used (for example: number of visitors, popular pages, countries). These cookies load only after you accept them via our cookie banner (Google Consent Mode). If you decline, no analytics cookies are set. You can change your choice later by clearing it in your browser. Learn how Google handles this data: How Google uses information from sites that use our services.
We do not currently show advertising. If we introduce ads in the future, we will update this policy and ask for your consent where the law requires it.

5. How long we keep your data

We keep your account data for as long as your account exists. When you delete your account, your account and all associated travel data are permanently removed from our database. Routine backups, if any, are rotated and overwritten over time.

6. Who we share it with

We do not sell your data and we do not share it for advertising. We rely on a small number of trusted service providers (processors) purely to operate the service:

  • Render — application hosting and database, located in the European Union (Frankfurt, Germany).
  • Cloudflare — network/proxy layer that helps deliver the site securely and reliably.
  • Google Analytics (Google Ireland Ltd.) — only if you consent to analytics cookies; receives aggregated usage statistics to help us understand and improve the service.

These providers process data only on our instructions and under their own data-protection commitments.

7. Where your data is stored

Your data is hosted within the European Union (Frankfurt, Germany). Connections to the site are encrypted with HTTPS.

8. Your rights

Under the GDPR (and equivalent laws such as the UK GDPR), you have the right to:

  • access the personal data we hold about you;
  • correct inaccurate data (you can edit your display name in your profile);
  • erase your data — you can delete your account yourself at any time from your profile, or ask us to do it;
  • receive a copy of your data, or ask us to provide it;
  • object to or restrict certain processing;
  • lodge a complaint with your data protection authority. In Belgium this is the Data Protection Authority (Gegevensbeschermingsautoriteit, gegevensbeschermingsautoriteit.be); residents elsewhere may contact their local authority.

To exercise any right, email privacy@scratchjourney.com.

9. How we protect your data

Passwords are stored only as secure hashes, all traffic is encrypted with HTTPS, and data is hosted within the EU. We aim to collect as little personal data as possible.

10. Children

ScratchJourney is not directed at children under 16. If you believe a child has provided us personal data, contact us and we will delete it.

11. Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you.

12. Contact

Questions about this policy or your data? Email privacy@scratchjourney.com.

← Back to ScratchJourney