Privacy Policy
SendaOne is a web service operated by Sergio Marroquin Cabrera (Bogota, Colombia) that converts public Google Maps URLs into GPX files for recreational GPS use. This policy describes what data we collect, on what legal basis, how long we keep it, with whom we share it, and how to exercise your rights.
It applies to the domain sendaone.com and all its subdomains. We comply with GDPR (EU), LGPD (Brazil) and Colombia's Law 1581 of 2012 (habeas data). In addition, we voluntarily apply the principles of the CCPA/CPRA (California) to the extent applicable.
1. What data we collect
- Google Maps URL submitted by the user to the
/convertendpoint. Processed in memory to extract route coordinates and discarded once the output file is generated. - Client IP address, grouped to the /64 prefix in IPv6, used solely to apply the per-minute request limit. NOT persisted to any database.
- Standard HTTP headers (User-Agent, Accept-Language) to detect bots and resolve the interface language. NOT persisted.
- Aggregate counters (total conversions and format distribution GPX/KML/KMZ/TCX/GeoJSON/CSV) without any IP or account association. Persisted to a public GitHub file for operational transparency.
- Aggregate country of each conversion, derived from
Cloudflare's
CF-IPCountryheader (two-letter ISO code, e.g. "CO", "ES"). The originating IP is NOT stored. It is used for usage statistics by region and is included in the public aggregate file. Additionally, the last 50 conversion events are kept in memory with timestamp, format, activity and country —no IP, no user identifier— for the recent-activity panel. - Anonymous analytics (optional) via PostHog. Honors `Do Not Track`, uses no cookies, and only activates if the operator configured the PostHog token. If active, a visible notice appears in the site footer.
- Donations (optional). If you make a voluntary contribution by card, the payment is processed by Polar Software, Inc. as Merchant of Record, through its own payment subprocessors. SendaOne does not receive or store your card data or your identity; it only sees the aggregate of the payout received. The privacy policies of Polar and its payment subprocessors apply. If you donate with cryptocurrency, the transaction is publicly recorded on the Polygon blockchain (address and amount are public by network design); we do not collect your identity.
We do NOT collect name, phone, physical address, age, gender, device identifier or biometric data. We do NOT sell data to third parties under any circumstance.
2. Legal basis for processing
Under GDPR Article 6 and Colombia's Law 1581 Article 6, processing is based on:
- Legitimate interest (GDPR 6.1.f, Law 1581 6.a) for the minimum data required to operate the service: IP and URL during the request, aggregate statistics afterwards.
- Legitimate interest with easy opt-out (GDPR
6.1.f) for optional PostHog analytics: it uses no cookies and honors
your browser's
Do Not Tracksignal, which disables it. It does not rely on "continued browsing" as consent.
3. Retention
- Request URL and coordinates: until the HTTP request completes (seconds). Discarded immediately.
- Client IP: in RAM during the rate-limit window (60 seconds). Never persisted to disk.
- Aggregate metrics: indefinitely (counters with no PII).
- Error logs: up to 30 days in Sentry if enabled.
4. International transfers
SendaOne runs on infrastructure in the United States (Fly.io region Ashburn IAD) behind Cloudflare (global edge network). Due to the distributed nature of Cloudflare, requests may be processed by nodes in any region of the world. Geocoding and routing queries go to Google's servers (US/EU/AP). If you reside in the European Union this constitutes an international transfer under GDPR Chapter V; we rely on the Standard Contractual Clauses approved by the European Commission (modules signed by Cloudflare and Google).
Embedded maps in the preview. While previewing
routes, your browser directly downloads map images and tiles from two
providers: static map images from Google Maps (server
maps.googleapis.com), whose request address includes the
geometry of the previewed route (encoded polyline) and its start and end
markers, and OpenStreetMap tiles (servers of the OpenStreetMap
Foundation, United Kingdom), whose address indicates the map area being
displayed. In both cases the provider receives your IP address and, in
Google's case, the sendaone.com origin as referrer (a technical
requirement of the API key). These requests happen automatically when
the preview is shown, are governed by the privacy policies of Google and
the OpenStreetMap Foundation, and SendaOne receives no copy of them nor
stores their result. If your browser blocks them, the preview falls back
to a locally drawn sketch and the service keeps working.
Outbound links to map apps. While previewing routes or after a successful conversion, the interface may show "Open in Google Maps", "Open in Apple Maps" and "Open in Waze" links whose address contains the origin and/or destination of your route (the text or coordinates that came in the URL you pasted). Apart from the embedded maps described above, SendaOne sends nothing to those services on its own: the request only happens if you tap the link, it is made by your browser or device, and it is subject to the third party's privacy policy (see Apple Maps & Privacy). The links are generated with attributes that suppress the referrer: those services will not learn you came from sendaone.com.
5. Your rights
Under GDPR, CCPA, LGPD and Law 1581 you have the right to:
- Access the data we process about you.
- Rectify inaccurate data.
- Erasure (right to be forgotten).
- Object to processing.
- Restrict processing.
- Data portability in a structured format.
- Not be subject to automated decisions producing legal effects.
Since we do NOT maintain accounts or profiles tied to IP addresses, in most cases there is no personal data to access, rectify or erase. To exercise any of these rights, write to [email protected].
California residents (CCPA/CPRA): SendaOne does NOT sell or share ("sell"/"share" as defined by the CCPA) your personal information, and has not sold or shared it in the past twelve months. You have the right to know which categories we collect (here: network identifiers such as a truncated in-memory IP and aggregate country; no sensitive categories), to request their deletion, and not to be discriminated against for exercising these rights. To exercise them, write to [email protected].
6. Cookies
SendaOne does NOT use tracking cookies, does NOT use advertising cookies and does NOT use fingerprinting. It may only use a temporary session cookie for optional OAuth flows (Strava, Garmin Connect) when the user explicitly activates them.
7. Minors
The service is not directed to children under 13 —or the minimum age of digital consent that applies in your jurisdiction, e.g. 14 to 16 in the European Union—. We do not knowingly collect data from minors. If a parent or guardian believes a minor submitted data, write to [email protected] and we will delete it.
8. Data controller contact
Data controller: Sergio Marroquin Cabrera, Bogota, Colombia. Email: [email protected]. SendaOne does not appoint a formal Data Protection Officer as it does not exceed GDPR Article 37 thresholds, but the controller handles all requests directly at the same email. For the purposes of Brazil's LGPD (Article 41), the data processing officer (encarregado) is the operator, reachable at the same email.
9. Changes to this policy
Any substantial change will be announced in the site footer at least 30 days in advance. The last update date appears at the bottom.