Privacy Policy
Last updated 2026-04-22.
Turpoeng is a Norwegian service for checking in at hiking posts and tracking your own and your family's outdoor activity. We process personal data in accordance with the GDPR and Norwegian law.
Controller
Turpoeng — contact via post@turpoeng.no.
What we collect
- Account data: name, email, password (hashed), language.
- Child profiles: name, gender, birth year, language, and varde points for children you create. Children have no login and no email.
- Check-ins: GPS position (lat/lng + accuracy) and timestamp for each visit to a post.
- Varde data: level, points, and placement/collection timestamps.
- Subscription: billing status and period info. We never store card details — they live at Stripe/Vipps.
- Network and shares: whom you're connected with and which children you've shared.
Legal basis
- Contract: core functions (check-in, varder, billing).
- Consent: not used today. Should we ever add analytics or a newsletter, it will require your active opt-in first.
- Legitimate interest: anti-cheat logic and abuse prevention (logging GPS speed between check-ins).
Children under 13
Pro users may create child profiles for their own children. The parent consents on behalf of the child and assumes responsibility for having obtained that consent. Child profiles have no email and no login of their own.
Third-party processors
- Hetzner Online GmbH — server hosting. Our server is located in Helsinki (EU/EEA).
- Mailjet (France) — transactional email (verification, password reset, receipts).
- Stripe Payments Europe (Ireland) — card processing. We only receive status, never card numbers.
- Vipps MobilePay (Norway) — Vipps payments.
- Kartverket (Norway) — public API for elevation data (no user info sent).
- OpenStreetMap — map tiles served directly in your browser.
- Nominatim (OpenStreetMap) — reverse geocoding (place names from coordinates), used only when an admin creates a new post.
Retention
We keep your personal data for as long as your account is active. When you delete your account, all personal data — name, email, GPS coordinates, varder, child profiles, subscription details — is removed immediately and permanently. You can export the full dataset as JSON from the profile page before deleting.
Automated decisions
The anti-cheat system flags check-ins that look suspicious (e.g. unrealistic speed between two positions). A flag is not an automated decision with legal effect — a system administrator always reviews it manually before any action is taken.
Data processing agreements
We have Data Processing Agreements (DPAs) in place with every third-party processor listed above, based on each provider's standard terms. The agreements ensure data is handled in accordance with the GDPR.
In case of a data breach
In the event of a personal data breach, we will notify the Norwegian Data Protection Authority within 72 hours as required by GDPR Art. 33. If the risk to you is high, we will notify you directly by email as well.
Your rights
- Access: download a full JSON export from the profile page.
- Rectification: edit profile info anytime.
- Erasure: "Delete account" on the profile page removes all your data immediately.
- Portability: the JSON export is a standard machine-readable format.
- Restriction: you can ask us to pause processing while a rectification or objection is being reviewed — contact post@turpoeng.no.
- Objection: you can object to processing based on legitimate interest (e.g. anti-cheat logging) — email us and we'll assess the request.
- Complaint: you may complain to the Norwegian Data Protection Authority.
Cookies and browser storage
Turpoeng doesn't use cookies. Login and language preference are stored locally in your browser (localStorage / sessionStorage) and only sent to our server when you act in the app. No tracking or analytics tools are used.
Security
Passwords are hashed with Argon2id. All traffic uses TLS 1.2/1.3. We minimize data and store only what we need.
Changes
Material changes will be announced via email. The latest version is always available here.