Privacy Policy

Last updated: 2026-05-08 · MomentTrail is in beta. This page is a good-faith scaffold; it has not been reviewed by a lawyer. Treat it as a description of current behaviour, not as a complete legal contract.

What we collect

  • Account profile from Google sign-in: your name, email address, profile picture URL, and a Google account identifier.
  • Stories you create: titles, subtitles, descriptions, notes, dates, and locations you choose to add.
  • Media you upload: photos and voice notes. Photos are processed into web-friendly versions and stored on our servers.
  • External video links you add (e.g. YouTube, Vimeo) and provider-supplied thumbnails.
  • Photo metadata: when present in the photo, we extract date taken and GPS coordinates server-side and store them with the photo. This data is used internally (e.g. for future grouping or maps) and is not exposed publicly without your explicit opt-in.
  • Network metadata: your IP address is read by the request handler for rate limiting and abuse prevention. We do not tie IP addresses to your identity in long-term storage.
  • Cookies: a session cookie set by NextAuth (strictly necessary for sign-in) and a locale preference cookie. No marketing or analytics cookies are set.

How we use it

  • To run the service: render your stories, sign you in, enforce plan limits.
  • To prevent abuse: short-window rate limits keyed by your account or by IP address for anonymous traffic.
  • For server-side debugging: we log errors and significant events on the server. Logs do not include the contents of your stories or upload bodies.

What we do not do

  • We do not sell your data.
  • We do not send marketing email.
  • We do not use AI to process the contents of your stories. (No AI features are wired up during beta.)
  • Draft stories are visible only to you. Unlisted (link-only) stories are reachable only through the URL you choose to share; neither appears on Explore.

Where your media lives

During beta, uploaded media is stored on the application server. In production we expect to use S3-compatible cloud object storage (e.g. Cloudflare R2). Media is not encrypted at the application layer; it relies on whatever disk- or bucket-level encryption the host provides.

Beta data-loss notice: the service is in early beta. Data may be lost during incident response, database resets, or migration. Do not store irreplaceable content here yet.

Sharing your stories

You control story visibility. The three states are:

  • Draft — only you can see it.
  • Unlisted — anyone with the link can view; not discoverable on Explore.
  • Public — anyone can view; appears on the public Explore page.

Public-facing story URLs use random 12-character slugs drawn from lowercase letters and digits (36^12, roughly 4.7 × 10^18 possible values), so unlisted stories cannot be found by sequential or brute-force probing. Anyone who receives an unlisted link can, however, forward it.

Error monitoring

When error monitoring is enabled, we may collect technical diagnostics about crashes and unhandled exceptions, including: browser and operating system, the route or page where the error happened, the stack trace, and the app version and environment label (e.g. “production”). These diagnostics are sent to Sentry, an industry-standard error monitoring service.

We do not intentionally send the following to Sentry:

  • story content, titles, descriptions, or notes;
  • uploaded media (photos, voice notes) or their bytes;
  • OAuth tokens, session tokens, or any other access token;
  • cookies or the contents of Cookie / Authorization request headers;
  • request bodies (JSON payloads, form data, file uploads);
  • your email address, name, profile picture, or username.

A scrubbing layer (src/lib/observability/sentry-scrub.ts) filters events on both the client and the server before they leave the application. Error monitoring is used solely to diagnose crashes and security or reliability issues. If SENTRY_DSN is not set, no error monitoring data is sent at all.
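As an added example (not MomentTrail's own sentry-scrub.ts, whose contents are not shown on this page), the TypeScript below implements the deny list above as a beforeSend-style hook. The event type is a hand-declared subset of the Sentry event shape so the file runs without the SDK; the header names, query keys and value patterns are assumptions about what a deployment would want, not the project's configuration, and the sample event is constructed.

```typescript
// Added example, not MomentTrail's sentry-scrub.ts. The event type is a hand-declared subset of
// the Sentry event shape (an assumption) so this runs without @sentry/*; pass scrubEvent as the
// SDK's beforeSend hook.
type Dict = Record<string, unknown>;
type Breadcrumb = { message?: string; data?: Dict };

export type ScrubbableEvent = {
  request?: { url?: string; query_string?: string; headers?: Record<string, string>; cookies?: Record<string, string>; data?: unknown };
  user?: { id?: string; email?: string; username?: string; ip_address?: string };
  breadcrumbs?: Breadcrumb[];
  extra?: Dict;
  contexts?: Record<string, Dict>;
  [other: string]: unknown; // exception, message, level, tags, ... pass through untouched
};

export const REDACTED = "[redacted]";

// Request headers that never leave the application (compared case-insensitively).
const DENIED_HEADERS = new Set(["cookie", "set-cookie", "authorization", "proxy-authorization", "x-api-key"]);
// Query parameters that carry credentials, e.g. ?code=&state= on the OAuth callback route.
const DENIED_QUERY_KEYS = new Set(["code", "state", "token", "access_token", "id_token", "refresh_token"]);
// Keys whose values are redacted wherever they occur in nested data.
const SENSITIVE_KEY = /token|secret|password|passwd|cookie|authorization|session|email|api[_-]?key/i;
// Values that look like a credential or an identity even under a harmless key name.
const SENSITIVE_VALUE = [
  /^[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}$/, // JWT-shaped
  /^(bearer|basic)\s+\S+$/i,                                    // Authorization value
  /^[^\s@]+@[^\s@]+\.[^\s@]+$/,                                 // e-mail address
];

function redactValue(v: unknown): unknown {
  return typeof v === "string" && SENSITIVE_VALUE.some((re) => re.test(v)) ? REDACTED : v;
}

// Recursively scrub by key name and value shape; `seen` breaks reference cycles.
export function scrubDeep(value: unknown, seen = new WeakSet<object>()): unknown {
  if (value === null || typeof value !== "object") return redactValue(value);
  if (seen.has(value)) return REDACTED;
  seen.add(value);
  if (Array.isArray(value)) return value.map((v) => scrubDeep(v, seen));
  const out: Dict = {};
  for (const [k, v] of Object.entries(value)) out[k] = SENSITIVE_KEY.test(k) ? REDACTED : scrubDeep(v, seen);
  return out;
}

export function scrubQuery(qs: string): string {
  return qs.split("&").filter((p) => p.length > 0).map((pair) => {
    const eq = pair.indexOf("=");
    const key = eq === -1 ? pair : pair.slice(0, eq);
    return DENIED_QUERY_KEYS.has(key.toLowerCase()) ? `${key}=${REDACTED}` : pair;
  }).join("&");
}

export function scrubUrl(url: string): string {
  const q = url.indexOf("?");
  return q === -1 ? url : `${url.slice(0, q)}?${scrubQuery(url.slice(q + 1))}`;
}

// beforeSend: returns a copy of the event with everything on the deny list removed or redacted.
export function scrubEvent(event: ScrubbableEvent): ScrubbableEvent {
  const out: ScrubbableEvent = { ...event };
  if (event.request) {
    const headers: Record<string, string> = {};
    for (const [k, v] of Object.entries(event.request.headers ?? {})) {
      if (!DENIED_HEADERS.has(k.toLowerCase())) headers[k] = v;
    }
    // cookies and data (the request body) are deliberately not copied at all.
    out.request = {
      ...(event.request.url !== undefined ? { url: scrubUrl(event.request.url) } : {}),
      ...(event.request.query_string !== undefined ? { query_string: scrubQuery(event.request.query_string) } : {}),
      headers,
    };
  }
  delete out.user; // only an opaque account id survives; email, username and IP are dropped
  if (event.user?.id !== undefined) out.user = { id: event.user.id };
  if (event.breadcrumbs) out.breadcrumbs = event.breadcrumbs.map((b) => scrubDeep(b) as Breadcrumb);
  if (event.extra) out.extra = scrubDeep(event.extra) as Dict;
  if (event.contexts) out.contexts = scrubDeep(event.contexts) as Record<string, Dict>;
  return out;
}

// Constructed sample of what an unscrubbed server-side event could carry.
export const SAMPLE_EVENT: ScrubbableEvent = {
  message: "TypeError in story renderer",
  request: {
    url: "/api/auth/callback/google?code=4/0AX4XfWh&state=abc123",
    headers: { "User-Agent": "Mozilla/5.0", Cookie: "next-auth.session-token=eyJhb...", Authorization: "Bearer s3cr3t" },
    cookies: { "next-auth.session-token": "eyJhb..." },
    data: { title: "Our trip", notes: "private" },
  },
  user: { id: "u_42", email: "alice@example.com", username: "alice", ip_address: "203.0.113.7" },
  breadcrumbs: [{ message: "fetch /api/stories", data: { value: "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1XzQyIn0.c2lnbmF0dXJlLWJ5dGVzLWhlcmU" } }],
  extra: { password: "hunter2", storyId: 7 },
};

console.log(JSON.stringify(scrubEvent(SAMPLE_EVENT), null, 2));
```

Key-name deny lists are the fragile half of scrubbing: a token logged under a harmless key such as "value" would still leave the box, which is why scrubDeep also matches value shapes (JWT, Bearer, e-mail). Cookies and request bodies are dropped wholesale rather than filtered, because a story note or an upload body has no reliable shape to match. A hook like this should itself be covered by tests, so that a refactor of the observability setup cannot silently drop it.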

Third parties

  • Google — sign-in via Google OAuth. Google's own privacy practices apply when you authenticate.
  • YouTube and Vimeo — when a story includes embedded video, the embed loads from those providers, who set their own cookies and may collect data from the visitor.
  • Map tile providers — when a story includes a journey map, tiles load from an OpenStreetMap-compatible provider (currently OpenFreeMap).
  • Sentry — error monitoring service. See “Error monitoring” above for what we send and what we don't. Active only when configured for the deployment.

Your data, your rights

  • View — your stories and media are listed in your dashboard while you are signed in.
  • Delete account or specific data — during beta, deletion requests are handled manually. Email us (see Contact below) and we will remove your account, stories, and media. A self-service delete is planned.
  • Export — during beta, export requests are also handled manually. A self-service export is planned.

Security

We apply standard web security practices: HTTPS in production, a Content-Security-Policy with per-request nonces, rate limiting on authenticated and public endpoints, magic-byte (file-signature) validation of uploads, which checks the bytes actually sent rather than the declared file type, and HTML sanitisation of rich-text content. These measures are best-effort and do not constitute a warranty.

Changes

We may update this Privacy Policy. The “Last updated” date at the top will reflect the most recent change. Significant changes will be announced through the service.

Contact

For privacy questions or to request account deletion or data export during beta, please reach out via the contact channel listed on MomentTrail.com.