lash

Legal

Privacy Policy

Last updated: May 6, 2026

This Privacy Policy explains how lash collects, uses, shares, stores, and protects personal data when you use the lash iOS app, longasssectionhike.com, related websites, email flows, support flows, and any future product surfaces that link to this policy.

Controller: lash, Kiel, Germany. Contact: contact@longasssectionhike.com.

1. Short summary

lash is a social travel app. We process personal data to create and secure accounts, verify emails, publish and display travel content, store photos and location information chosen by users, support comments and interactions, send account and activity notifications, run safety and reporting systems, handle blocking and account deletion, prevent abuse, and keep the Service reliable.

We do not sell personal data. The current app build identified for this policy does not use third-party advertising tracking. If advertising, analytics SDKs, or additional tracking are added, this policy and App Store privacy disclosures should be updated before release.

2. Data we collect

We collect the data needed to provide lash, keep accounts secure, publish user content, and protect the community.

Account and authentication data

  • Email address, account identifier, sign-in method, and Apple sign-in information where used.
  • Email verification, password reset, email-change, delivery, security, and timestamp records.
  • Username, display name, profile completion status, legal acceptance timestamps, and accepted legal document versions.
  • Password credentials handled through secure sign-in systems. We do not store your plain-text password.

Profile and settings data

  • Profile image, avatar URL, biography, home base or profile location, and whether location is shown on your profile.
  • Phone number or birthday where added or used in Account Settings.
  • Email verification status, account lifecycle status, account deletion or recovery state, blocked users, and local app preferences.

User content and interaction data

  • Spot cards, travel cards, titles, captions, introductions, comments, and drafts.
  • Photos and uploaded media, thumbnails, image dimensions, aspect ratio, and similar media information needed to display images properly.
  • Location names, coordinates, location descriptions, and route or stop information that you add to posts.
  • Likes, saves, saved collections, followers, following, comment previews, mentions, activity notifications, reports, and related timestamps.

Technical, permission, and safety data

  • Sign-in session data, notification identifiers, platform, app version, locale, time zone, and active status.
  • IP addresses, request information, error logs, security logs, and operational diagnostics.
  • Camera, photo library, and location data only when you grant access and use features that need them.
  • Safety data such as submitted text or image references, reports, blocks, review outcomes, enforcement decisions, and related timestamps.

3. Where data comes from

We collect data directly from you, from your device and app permissions, from your interactions with lash, from our safety and security systems, from other users when they interact with or report your content, and from service providers that help us operate the Service.

4. How we use data

Where the GDPR applies, we rely on contract performance, consent, legitimate interests, and legal obligations depending on the purpose.

  • Provide and manage lash: account creation, sign-in, profiles, posts, comments, saves, follows, search, notifications, and account settings.
  • Verify and secure accounts: email verification, password reset, email changes, sign-in checks, and abuse-prevention controls.
  • Store and display user content: photos, captions, comments, public profile data, and location information you choose to share.
  • Moderate content and protect users: automated moderation, reports, blocking, enforcement, and abuse prevention.
  • Send transactional messages: verification, reset, email-change, account security, account event emails, and push notifications after device permission.
  • Improve reliability and performance: logs, diagnostics, request metadata, abuse analysis, and error analysis.
  • Comply with law and enforce terms: legal requests, disputes, recordkeeping, investigations, and user safety.

Our legitimate interests include operating a safe social travel platform, preventing abuse and fraud, protecting accounts and infrastructure, enforcing our Terms, improving reliability, and protecting the rights and safety of users and third parties.

5. Device permissions

The app may request access to your photo library, camera, location, and notifications. These permissions support features such as selecting images, capturing images, resolving your current location or nearby places, and sending account or activity notifications.

You can change device permissions in iOS settings. If you disable a permission, related features may not work.

6. Sharing and recipients

We share personal data only where needed for the Service, safety, compliance, or with your direction. Recipient categories include:

  • Other users, where you publish public profile information, posts, comments, location content, or interactions.
  • Service providers that help us with account sign-in, hosting, data storage, media storage, notifications, email delivery, maps, location features, safety review, and similar product operations.
  • App stores, operating systems, and device platforms where needed for app distribution, device permissions, and platform features.
  • Legal, safety, or professional advisors where needed.
  • Public authorities, courts, or law enforcement where required by law or necessary to protect rights, safety, and security.
  • A successor or potential successor in a merger, acquisition, financing, restructuring, or transfer of all or part of the Service, subject to appropriate safeguards.

We require service providers to process data only for agreed purposes and to protect it appropriately.

7. International transfers

We are based in Germany, but some providers may process personal data in other countries, including outside the European Economic Area. Where required, we rely on adequacy decisions, Standard Contractual Clauses, or other appropriate safeguards for international transfers.

8. Retention

We keep personal data only for as long as needed for the purposes described in this policy, unless a longer period is required or permitted by law.

  • Account and profile data is retained while your account exists, then deleted or restricted according to account deletion, legal, and security requirements.
  • Posts, photos, comments, saves, follows, and related interaction data are retained while available in the Service or until deleted, removed, or cleaned up.
  • Drafts and uploaded media are retained while needed for publishing, draft recovery, or account operation, then deleted when removed or during account deletion cleanup where technically available.
  • Verification, reset, and email-change records are kept only for limited periods needed to complete or secure those flows.
  • Verification and account security records are retained as needed to prevent abuse, diagnose failures, and secure account flows.
  • Notification identifiers are retained while active and disabled when invalid, inactive, or during account deletion cleanup.
  • Reports, block records, moderation decisions, and safety logs are retained as long as needed for user safety, dispute handling, legal compliance, abuse prevention, and enforcement.
  • Operational records, diagnostics, and backups are retained for limited operational periods according to internal retention schedules.

9. Account deletion and controls

You can update certain account information in the app. Account Settings may let you manage email, password, username, phone number, birthday, blocked users, map preferences, account deactivation, and account deletion.

When you delete your account, lash attempts to remove your account, profile, posts, drafts, media, social graph references, notifications, saved collections, block references, username reservation, and authentication user. Some data may remain where necessary for legal compliance, safety, dispute resolution, security, backups, or because it relates to other users' accounts or content.

10. Your rights

Where the GDPR applies, you may have the right to access, correct, delete, restrict, object to processing, receive data portability, withdraw consent, and receive information about automated processing where legally available.

To exercise your rights, contact us at contact@longasssectionhike.com. We may need to verify your identity or account ownership. We will respond without undue delay and generally within one month where GDPR applies.

You may lodge a complaint with your local data protection authority. If the relevant authority is Schleswig-Holstein, Germany, you may contact the Unabhaengiges Landeszentrum fuer Datenschutz Schleswig-Holstein (ULD), Holstenstrasse 98, 24103 Kiel, Germany, mail@datenschutzzentrum.de, https://www.datenschutzzentrum.de.

11. Automated processing and moderation

lash may use safety tools and review processes to evaluate content and detect abuse. These tools can affect whether content is published, blocked, removed, limited, or sent for review. We may also consider user reports, safety indicators, and review history.

We do not intend to make decisions based solely on automated processing that produce legal effects concerning you. If you believe an automated moderation or account decision significantly affects you, contact us and request review.

12. Security

We use technical and organizational measures designed to protect personal data, including secure sign-in, access controls, limited employee access, misuse prevention, and safeguards for account recovery.

No online service is completely secure. You are responsible for keeping your login credentials secure and for using current device and operating-system security protections.

13. Children and minors

lash is not intended for children under 13. If we learn that we have collected personal data from a child under 13 without valid authorization, we will take steps to delete it.

If local law requires parental consent for users under a higher age, users under that age may use lash only with valid parental or guardian consent.

14. Third-party links and services

The Service may link to websites or services we do not operate. Their privacy practices are governed by their own policies. Review those policies before using third-party services.

15. Changes to this policy

We may update this Privacy Policy as the Service changes or as legal requirements evolve. We will update the "Last updated" date and, where required or where changes are significant, provide notice through the app, website, email, or another appropriate channel.