Privacy Policy
Last updated: July 2026
1. Controller
The controller responsible for processing personal data on this website is the operator of tiloscope.de (see Impressum for full contact details). You can reach us at .
Legal basis for processing: Art. 6(1)(b) GDPR — processing is necessary for the performance of the contract (provision of the Tiloscope service).
2. Data We Collect
Account data
When you register, we collect your email address and a bcrypt-hashed copy of your password. Hashing the password means, that we can verify it when you log in, but we cannot see the actual password. Your email is used for authentication, password reset emails, and service communications only.
StatsHunters API key
You may optionally provide your StatsHunters API key. This key is is used exclusively to retrieve your visited tile data from the StatsHunters API on your behalf. We never use it for any other purpose, and it is never shared with third parties other than the StatsHunters API itself.
Tile data
We store the list of OSM tile indices (zoom-level 14 & 17 tile coordinates) that you have visited, as returned by the StatsHunters API or KML Upload. No GPS position or track data is stored on our servers.
Device and activity logs
When your Garmin device requests tiles from our API, we log the user ID, timestamp, requested tile bounding box, device model, firmware and app version, memory usage and active settings. These logs are used for debugging, performance analysis and detecting abuse.
Website analytics
We collect event data about how you interact with this website using our own first-party analytics system (no Google Analytics or third-party tracking). This includes: page views, login and account events, and feature usage events on the map (such as route planning, layer switching, and navigation). We record your country (resolved server-side from your IP address — the IP itself is not stored), browser language, user agent, and referring domain. Feature usage events additionally record your user account ID and whether you accessed the map on a mobile or desktop device.
Legal basis: Art. 6(1)(b) GDPR — processing is necessary for the performance of the contract (operating and improving the Tiloscope service).
Refresh logs
Each time you (or the system) refreshes your tile data from StatsHunters, we record a timestamp to enforce rate limits and show you when your data was last updated.
Authentication tokens
We issue short-lived JWT tokens stored in your browser's localStorage. These tokens contain your user ID and email and are used to authenticate API requests. We do not use cookies for authentication.
3. What We Do Not Collect
- We do not store any GPS coordinates or trace data. Everything is tile based; the transformation happens on your Garmin device.
- We do not use third-party analytics services (no Google Analytics, no tracking pixels, no fingerprinting, no marketing id's).
- We do not place advertising cookies or tracking cookies of any kind.
- We do not store your IP address. Country-level location is resolved server-side from your IP; the IP itself is discarded immediately.
- We do not sell or share your data with any third party other than StatsHunters (solely to fulfil your tile-fetch request).
4. Third Parties
StatsHunters — When you trigger a tile refresh, our server sends your StatsHunters API key to statshunters.com to retrieve your tile list. StatsHunters has its own privacy policy which applies to that interaction.
Map tile providers — The map view loads tiles from OpenStreetMap, ESRI, CyclOSM, OpenTopoMap, OpenSlopeMap and Mapy.com if enabled. Your IP address is transmitted to these providers when tiles load. Each has its own privacy policy.
OpenRouteService — When you use the route planner in hiking or cycling mode, the planned waypoint coordinates are sent to api.heigit.org (OpenRouteService) to compute a routed path. OpenRouteService has its own privacy policy.
Overpass API — When you enable the paragliding sites or parking overlays, a query is sent to overpass-api.de. Your IP address is transmitted as part of that request.
5. Data Retention
Your account data (email, hashed password, API key, tile list) is retained until you delete your account.
You can delete your account at any time from the dashboard. Deletion is immediate and permanent — all associated data is removed from our database.
6. Your Rights (GDPR Art. 15–21)
Under the General Data Protection Regulation you have the following rights:
- Art. 15 — Right of access: You may request a copy of the personal data we hold about you.
- Art. 16 — Right to rectification: You may request correction of inaccurate data.
- Art. 17 — Right to erasure: You may request deletion of your data. You can do this directly from the dashboard without contacting us.
- Art. 18 — Right to restriction: You may request that we restrict processing of your data in certain circumstances.
- Art. 20 — Right to data portability: You may request your data in a machine-readable format.
- Art. 21 — Right to object: You may object to processing based on legitimate interests.
To exercise any of these rights, contact us at . We will respond within 30 days.
You also have the right to lodge a complaint with your national data protection supervisory authority.
7. Security
All communication between your browser, your Garmin device, and our servers is encrypted via HTTPS/TLS. Passwords are hashed with bcrypt before storage. We take reasonable technical and organisational measures to protect your data from unauthorised access.
8. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice in the dashboard. Continued use of the service after changes are posted constitutes acceptance of the updated policy.