Privacy Policy
Last updated: 15 June 2026
This Privacy Policy explains how Axis Maps ("Axis Maps", "we", "us" or "our") collects, uses, and protects your personal data when you use the Outcast application and related services (the "Service"). It also describes your rights under the UK General Data Protection Regulation ("UK GDPR"), the EU General Data Protection Regulation ("EU GDPR"), and the Data Protection Act 2018.
By creating an account or using the Service, you acknowledge that you have read and understood this Policy. If you do not agree with it, please do not use the Service.
1. Who we are (Data Controller)
Axis Maps is the controller responsible for your personal data in connection with the Service.
For any privacy-related questions, requests, or complaints, contact us at:
Email: dave@axismaps.com
2. The data we collect
We collect and process the following categories of personal data.
Account and identity data. When you sign in with Google OAuth, we receive and store your name, email address, and Google account identifier. We do not receive or store your Google password.
Authentication tokens. We store OAuth access and refresh tokens issued by Google so that the Service can access your calendar availability on your behalf. These tokens are held in our database and refreshed automatically as needed.
Calendar availability data. With your consent (granted through Google's OAuth consent screen using the calendar.freebusy scope), we query your Google Calendar to read free/busy time periods. We use this only to find times when you are available and to avoid scheduling workouts during existing commitments. We request the minimum scope required and do not read the titles, descriptions, attendees, or contents of your calendar events.
Workout and plan data. We store the workout preferences you configure, including your weekly target, session length, availability windows, scheduled workout instances, commitments, and any dates you choose to skip.
Location data. If you choose to enable weather-optimised scheduling, we store the latitude and longitude of your workout location to retrieve local weather forecasts. Coordinates are rounded to approximately 1 km precision (two decimal places) for the purpose of caching shared weather forecasts. You can use the Service without providing a location, in which case weather optimisation is disabled.
Communication preferences and delivery data. We store your email reminder preference, your timezone, and (where applicable) web-push subscription details so we can deliver reminders. We record when a reminder was sent to a given workout to avoid sending duplicates.
Calendar feed token. If you subscribe to the ICS workout feed, we generate a unique feed token that authenticates access to your feed. The feed itself contains only a workout title and a weather emoji — no other personal data.
Technical data. Like most web services, our hosting and infrastructure providers may process limited technical information such as IP address, browser type, and request logs for security, performance, and abuse-prevention purposes.
3. How and why we use your data (purposes and legal bases)
We process your personal data on the following legal bases under the UK GDPR and EU GDPR.
Performance of a contract (Article 6(1)(b)). We process your account data, workout and plan data, calendar availability, and location to provide the core Service you have requested — namely, generating and maintaining a weather- and calendar-aware workout schedule, and delivering the reminders and calendar feed you configure.
Consent (Article 6(1)(a)). We rely on your consent for: (a) accessing your Google Calendar free/busy data via Google OAuth; (b) using your location for weather optimisation; and (c) sending push notifications. You may withdraw any of these consents at any time (see Section 8), without affecting the lawfulness of processing carried out before withdrawal.
Legitimate interests (Article 6(1)(f)). We process limited technical and log data to keep the Service secure, prevent abuse, debug problems, and maintain reliability. We balance these interests against your rights and freedoms.
We do not use your data for advertising, and we do not sell your personal data.
4. Third-party services and data sharing
We share data with the following third-party processors and services only to the extent necessary to operate the Service:
Google (Google LLC). Used for authentication (Google OAuth) and to read your calendar free/busy availability. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use Google Calendar data solely to provide user-facing features of the Service and do not transfer it to others except as needed to provide those features, to comply with applicable law, or as part of a merger or acquisition.
WeatherAPI.com. When weather optimisation is enabled, we send approximate (rounded) coordinates to WeatherAPI.com to obtain local forecasts. We do not send your identity to the weather provider.
Resend. Used to deliver transactional emails such as workout reminders. Your email address and reminder content are processed by Resend for delivery.
Hosting and database infrastructure (Vercel and Neon). The Service is hosted on Vercel and our database is provided by Neon. These providers process and store the data described above on our behalf as data processors.
We require our processors to handle your data securely and only on our instructions. We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.
5. International data transfers
Some of our processors (including Google, Vercel, Neon, Resend, and WeatherAPI.com) may process data outside the UK and European Economic Area, including in the United States. Where personal data is transferred outside the UK/EEA, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or an adequacy decision, as applicable.
6. Data retention
We retain your personal data for as long as your account is active. Specifically:
Account data, plan data, and tokens are kept while your account exists and are deleted when you delete your account. Scheduled workouts are generated for an upcoming window and older workout records are superseded as the schedule regenerates. Weather forecast cache entries are short-lived and expire automatically (typically within 6 hours). Email action tokens expire 24 hours after creation and are cleared by routine cleanup. Google OAuth tokens are refreshed as needed and revoked when you disconnect or delete your account.
If you delete your account, we will delete or anonymise your personal data within a reasonable period, except where we are required to retain certain records to comply with legal obligations or to resolve disputes.
7. Security
We take reasonable technical and organisational measures to protect your data, including encrypted connections (HTTPS), access controls, high-entropy tokens for calendar feeds and email actions, and isolation of authentication credentials. The ICS calendar feed contains no personal identifiers beyond a workout title and weather emoji, and feed tokens can be regenerated at any time to revoke a leaked URL. No method of transmission or storage is completely secure, however, and we cannot guarantee absolute security.
8. Your rights
Under the UK GDPR and EU GDPR, you have the right to:
- Access the personal data we hold about you.
- Rectification of inaccurate or incomplete data.
- Erasure of your data ("right to be forgotten").
- Restriction of processing in certain circumstances.
- Data portability — to receive your data in a structured, commonly used, machine-readable format.
- Object to processing carried out on the basis of legitimate interests.
- Withdraw consent at any time where processing is based on consent.
You can exercise several of these rights directly within the Service — for example, by editing your plan, disabling email reminders, turning off push notifications, regenerating your calendar feed token, revoking Google Calendar access from your Google Account settings, or deleting your account. For any other request, contact us at dave@axismaps.com and we will respond within one month.
You also have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk. In the EU, you may contact your local data protection authority.
9. Cookies and similar technologies
We use only the cookies and local storage strictly necessary to operate the Service — primarily to keep you signed in (session/authentication cookies) and to remember interface preferences. We do not use advertising or third-party tracking cookies.
10. Children
The Service is not directed to children under the age of 16, and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, please contact us so we can delete it.
11. Changes to this Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you through the Service or by email. Your continued use of the Service after changes take effect constitutes acceptance of the revised Policy.
12. Contact
If you have questions, requests, or complaints about this Policy or your personal data, contact:
Axis Maps
Email: dave@axismaps.com
This document is a template provided for convenience and does not constitute legal advice. You should have it reviewed by a qualified legal professional before relying on it for your business.