OutPack logo showing a feather with mountains
Sign In

Privacy Policy

Last Updated: May 9, 2026

1. Introduction

This Privacy Policy describes how Carmur Labs Ltd ("Carmur Labs," "we," "us," or "our") collects, uses, discloses, and safeguards information when you use OutPack, including the OutPack website (outpack.app), the OutPack mobile applications for iOS and Android, and any related services we provide (together, the "Service"). It forms part of, and should be read together with, our Terms of Service.

Data Controller: Carmur Labs Ltd (legal name: CARMUR LABS LTD), a company registered in Scotland, is the controller responsible for your personal data under UK GDPR. The OutPack mobile applications are published on the Apple App Store and Google Play under the Carmur Labs developer accounts. You can contact us about privacy at support@outpack.app.

Definitions

Personal Data: Any information that relates to an identified or identifiable individual. This includes, for example, your name, email address, IP address, device identifiers, and Geolocation Data.

Usage Data: Information collected automatically through your interaction with the Service (browser type, operating system, screens viewed, timing of interactions, and similar telemetry).

User Content (or Contributions): All materials and information that you create, submit, post, or transmit on the Service, including gear lists, kits, packs, trips, planned and recorded routes, GPX tracks, waypoints, timeline events, food and meal plans, macros and weights, photographs, profile information, trip reports and journals, comments, ratings, gear sentiment, feedback, and notes.

2. Data We Collect

A. Information You Provide Directly

Account Information: When you register, we collect your email address, authentication identifiers, and the information needed to keep you signed in (such as one-time codes or, in future, single-sign-on provider identifiers).

Profile Information: You may choose to provide a username, display name, profile picture, bio, country, social-media links, units preference (metric/imperial), and similar profile details.

User Content: We collect the content you create and share, including gear, kits, packs, trips, planned and recorded routes, GPX tracks and waypoints, timeline events, food plans, photos, trip reports and journals, gear reviews and sentiment, feedback, comments, ratings, and notes. Photos may include embedded metadata (such as the time and location a photo was taken); we use this only as necessary to render or organise your content.

Sensitive Information You Choose to Add: OutPack is not designed to collect medical, biometric, financial, or other highly sensitive information. If you choose to include information such as allergies, dietary restrictions, health notes, emergency details, or similar sensitive information in your User Content, we process it only as part of providing the Service to you and applying the visibility settings you choose. Where this information is special category data under UK GDPR, our Article 9 condition is your explicit consent, which you give by choosing to enter or upload that information. You can withdraw that consent by deleting the information or contacting us.

Subscriptions and Payments: If you purchase a paid plan, the relevant app store (Apple, Google) or payment processor handles your payment and shares with us only the limited information needed to confirm your subscription status (such as a transaction identifier and plan tier). We do not receive or store full payment-card details.

Communications: If you contact us (for example, via the in-app feedback form or support@outpack.app), we will receive the contents of that communication and any information you choose to include.

B. Information Automatically Collected

Usage and Diagnostic Data: We automatically collect information about your device and how you interact with the Service, including IP address, browser type, app version, device type, operating system, referring URLs, screens viewed, timestamps, and crash and performance diagnostics.

Geolocation Data: We collect location information you provide or that you ask the Service to use, including: coordinates derived from your device's GPS when you choose to centre a map on your current location, coordinates you enter manually for a trip, route, or timeline event, the location metadata embedded in photos you upload, and approximate location derived from your IP address. We do not collect location data in the background and we do not track your movements outside of features you actively use.

C. Mobile App Permissions

Camera: The mobile app requests camera access only when you choose features that need it, such as scanning a barcode or taking a photo of gear, a trip, a pack, or your profile.

Photos and Media: The mobile app requests photo library access only when you choose to select an image to upload.

Location: The mobile app requests location access only when you choose features that need it, such as centring a map on your current location or adding a location to a trip, route, or timeline event. We use foreground location only and do not collect location in the background.

Notifications: If you opt in, we may use push notifications for service-related messages (for example, share-link activity or a collaborator invite). You can turn off notifications at any time in your device settings.

D. Cookies and Tracking Technologies

We use cookies, local storage, and similar technologies on the website. Essential cookies are used to keep you signed in and remember your preferences. Analytics cookies are only set if you accept them via our cookie consent banner. See Section 9, "Cookies and Tracking Technologies."

3. How We Use Your Data (Purposes of Processing)

We use the information we collect for the following purposes:

  • To provide and maintain the Service: operating the platform, displaying your content, syncing data between devices, generating share links, and monitoring for issues.
  • To manage your account: registration, authentication, account security, and access control.
  • To personalise your experience: remembering your preferences (such as units), and showing you relevant trip, pack, gear, route, food-plan, weather, and map information.
  • To enable sharing and collaboration: letting you share profiles, packs, trips, routes, and reports according to the visibility and collaboration settings you choose, and supporting public community features such as feeds and follows.
  • To process subscriptions and usage limits: verifying entitlement to paid features and enforcing per-plan usage quotas (for example, limits on AI-assisted features).
  • To provide AI-assisted features: processing content or inputs through AI service providers when you choose to use features that generate, extract, classify, summarise, or estimate information (see Section 4).
  • To improve the Service: understanding how users interact with the Service so we can improve features, performance, and usability, generally using aggregated or anonymised data.
  • For security and fraud prevention: protecting the Service, our users, and the public from malicious, fraudulent, or illegal activity.
  • To communicate with you: sending essential service-related messages (account verification, security notices, policy changes, and similar). With your consent, we may send marketing messages you can opt out of at any time.
  • To comply with legal obligations: tax, accounting, regulatory, and law-enforcement requirements.

4. AI-Assisted Features and Automated Processing

Some features of the Service use artificial intelligence or machine-learning systems to generate, extract, classify, summarise, or estimate information from inputs you choose to provide. Depending on the feature, these inputs may include photos, product identifiers, route or trip details, gear information, food and nutrition information, notes, comments, or other User Content.

When an AI-assisted feature requires external processing, we transmit only the information reasonably needed to provide that feature to the relevant AI service provider or product-data provider. We do not intentionally share your account password, payment-card details, or unrelated private account content with those providers. AI-assisted outputs may be stored in your account or used to update the content you choose to save.

We do not intentionally use your private User Content to train our own AI or machine-learning models. Where provider controls or contractual terms are available, we configure or require our AI subprocessors not to use your inputs or outputs to train their general models. AI outputs are estimates and may be wrong; you are responsible for reviewing them before relying on them.

We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing.

5. Lawful Bases for Processing (UK GDPR)

We rely on the following lawful bases:

  • Contract: processing necessary to provide the Service you have asked us to provide (account, sync, sharing, subscription).
  • Consent: for analytics cookies, marketing communications, and any optional features that ask for your consent at the point of use. For special category data you choose to add, we rely on your explicit consent as our Article 9 condition.
  • Legitimate interests: for service improvement, security, fraud prevention, and protecting our rights and the rights of others, where those interests are not overridden by your rights and freedoms.
  • Legal obligation: where processing is required by applicable law.

6. Data Sharing and Disclosure

We do not sell your personal data. We may share information in the following situations:

With Service Providers (Subprocessors): We share data with vendors who process information on our behalf and only for the purposes we instruct. Categories include:

  • Cloud hosting and infrastructure: providers of compute, database, storage, content delivery, image hosting, email delivery, backups, and related infrastructure.
  • Authentication: our auth provider for sign-in, one-time-code email delivery, and session management.
  • Analytics and product telemetry: providers that help us understand and improve use of the Service. Website interaction analytics are only captured with your cookie consent; limited server-side operational events may be captured under our legitimate interests where needed to operate, secure, and improve the Service.
  • Error monitoring and diagnostics: providers that help us identify crashes, errors, and performance issues.
  • Mapping, routing, and geocoding: providers used to render maps, resolve places, plan routes, calculate distances and elevation, and support trip-planning features.
  • Weather and environmental data: providers used to show forecast, historical weather, daylight, terrain, elevation, and similar contextual information relevant to your trips.
  • Food, nutrition, product, and catalogue data: providers used to retrieve or enrich product, nutrition, barcode, gear, and catalogue information.
  • AI service providers: providers used to support optional AI-assisted features, such as extraction, classification, summarisation, estimation, and content assistance.
  • App stores and payment processing: Apple and Google for in-app subscription processing and entitlement.

These providers are required by contract to protect your data and to process it only for the services they provide to us. We list categories rather than fixed vendors so that we can change providers without needing to update this Policy each time; we will update the list when we make a material change.

With Other Users: Some parts of the Service are designed for sharing and collaboration. If you make a profile, pack, trip, route, or report public, share a link, invite collaborators, follow another user, or post to the public community feed, your username, profile picture, and the shared content can be seen by other users or by anyone with the link, and public pages may be indexed by search engines. Once content is shared, recipients may copy, screenshot, or redistribute it, and we cannot guarantee its removal from third parties. Default visibility for personal content is private; you control visibility through the settings provided in the Service.

For Business Transfers: If we are involved in a merger, acquisition, restructuring, or sale of all or part of our assets, your information may be transferred to the acquirer. We will notify you before your personal information is transferred and becomes subject to a different privacy policy.

For Legal Compliance and Safety: We may disclose information where we reasonably believe it is required by law, regulation, legal process, or governmental request, or where disclosure is necessary to protect the rights, property, or safety of Carmur Labs, our users, or the public, or to investigate or prevent fraud, abuse, or violations of our Terms.

7. International Transfers

Some of our subprocessors operate outside the United Kingdom and the European Economic Area, including in the United States. Where we transfer personal data outside the UK/EEA, we rely on appropriate safeguards such as the UK International Data Transfer Agreement, EU Standard Contractual Clauses, or adequacy decisions, and we take reasonable steps to ensure your data is treated securely and in accordance with this Privacy Policy.

8. Data Retention and Security

Retention

We retain personal data only for as long as necessary for the purposes set out in this Privacy Policy. In general, we keep account information and User Content while your account is active; support communications and operational records for as long as needed to resolve the request or protect the Service; payment, subscription, tax, and accounting records for the period required by law; and security, fraud-prevention, diagnostic, and audit records for a limited period based on operational need. Backup copies may persist for a short period before they are overwritten or deleted in the normal backup cycle.

When you delete your account, we delete or anonymise your personal data and User Content within a reasonable period, except where we need to retain limited information to comply with law, resolve disputes, enforce our agreements, maintain security, prevent fraud or abuse, or honour previous public sharing choices that cannot reasonably be withdrawn from third parties.

Security

We use administrative, technical, and physical security measures designed to protect your personal data, including encryption in transit (TLS), encryption at rest where supported, access controls, and routine review of our security practices. No method of transmission over the internet or electronic storage is completely secure.

On mobile devices, authentication tokens are stored using platform secure storage (iOS Keychain and Android Keystore). Some User Content is cached locally on your device to support performance and offline use, and is synchronised with the Service when connectivity is available.

9. Cookies and Tracking Technologies

We use cookies and similar technologies on our website. Cookies are small text files stored on your device.

How we use them: for essential functions (such as keeping you signed in), for remembering your preferences, and (with your consent) for analysing site performance.

Third-party cookies: we may use third-party analytics services that set cookies to help us understand how users interact with the Service. These cookies are only set if you accept them via our cookie consent banner.

Your choices: you can manage your preferences for non-essential cookies via our cookie consent banner, and you can configure your browser to refuse cookies. Some parts of the Service may not function properly without certain cookies.

10. Your Data Rights and Controls

Subject to applicable law, you have the following rights:

  • Right of access: request a copy of the personal data we hold about you.
  • Right to rectification: ask us to correct inaccurate or incomplete personal data.
  • Right to erasure ("right to be forgotten"): ask us to delete personal data we hold about you, subject to certain exceptions (such as compliance with legal obligations).
  • Right to restrict processing: ask us to temporarily halt processing of your data under certain conditions.
  • Right to data portability: receive your personal data in a structured, commonly used, machine-readable format.
  • Right to object: object to our processing of your data where we rely on legitimate interests.
  • Right to withdraw consent: where we rely on consent, withdraw it at any time.
  • Rights related to automated decision-making: not be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects, except where permitted by law.
  • Right to complain: lodge a complaint with a supervisory authority, including the ICO in the UK or your local supervisory authority in the EEA.

You can exercise many of these rights directly in the Service (for example, editing your profile, changing visibility settings, deleting individual content, or deleting your account). To exercise any other right, email us at support@outpack.app. We will respond within one month of receipt, subject to verifying your identity.

How to Delete Your Account and Data

You can delete your OutPack account and all associated data at any time:

  • In the OutPack mobile app or website: open Settings, then your profile (Edit profile), scroll to "Delete Account," and confirm.
  • By email: send a deletion request from the email address on your account to support@outpack.app. We will verify your identity and complete the deletion within 30 days.

Deleting your account permanently removes your profile, gear, kits, packs, trips, routes, photos, and other User Content from our active systems. Limited information may be retained as described in Section 8 (for example, to comply with legal obligations, resolve disputes, or honour previous public sharing choices). Backup copies may persist for a short period before they are overwritten in the normal backup cycle.

11. Children's Privacy

The Service is intended for users aged 18 and over and is not directed to children under 18. We do not knowingly collect personal data from anyone under 18. If you are a parent or guardian and you believe your child has provided personal data to us, please contact us so that we can take appropriate action.

12. Complaints

If you have any concerns about our use of your personal data, please contact us first using the details below. You also have the right to make a complaint to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection (www.ico.org.uk), or to your local supervisory authority in the EEA.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will update the "Last Updated" date at the top of this page and, where the changes are material, we will provide reasonable additional notice (for example, by email or an in-Service notice).

14. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

Email: support@outpack.app

Postal address: CARMUR LABS LTD, 5 South Charlotte Street, Edinburgh, EH2 4AN, United Kingdom.