Privacy Policy
Last updated: July 2, 2026
This Privacy Policy explains how SDHC AS ("SDHC", "we", "us", "our") processes personal data in connection with the website trail.cam and the web application at app.trail.cam (together, the "Service").
We are committed to protecting your privacy and handling personal data in accordance with the EU General Data Protection Regulation (GDPR), as incorporated into Norwegian law through the Personal Data Act (personopplysningsloven, LOV-2018-06-15-38), and the Norwegian Electronic Communications Act (ekomloven).
1. Who we are (Data Controller)
The data controller responsible for personal data described in this policy is:
SDHC AS Organisation number: 926 038 060 Postboks 570 Vestre Glemmen, 1612 Fredrikstad Norway
Privacy contact: [email protected]
Norway is part of the European Economic Area (EEA), and the GDPR applies to our processing in full. Our supervisory authority is the Norwegian Data Protection Authority (Datatilsynet).
We have assessed that we are not required to appoint a Data Protection Officer (DPO) under Article 37 GDPR. If this changes, we will update this policy.
2. Two roles: when we are a controller and when we are a processor
The Service involves two different kinds of personal data, and our legal role differs for each. This distinction matters, so we explain it up front.
We act as the data controller for the personal data we collect to operate the Service and our relationship with you — your account and subscription details, billing information, and the analytics we collect about visits to our website. This policy governs that data.
We act as a data processor for the content you upload to the Service — in particular the images from your trail cameras and the data derived from them. When you deploy cameras and upload footage, you decide why and where images are captured and for what purpose, which makes you the data controller for that content. We process it on your behalf and on your instructions. Our responsibilities in that role, and yours, are set out in a separate Data Processing Agreement (DPA), which forms part of our agreement with you: https://trail.cam/dpa.html.
If you are an individual who has been captured in trail-camera footage and you wish to exercise your rights over that image, the controller is the customer who operates the relevant camera, not SDHC. We will assist that customer in responding to your request, but we are not able to act on the footage independently of them.
3. Personal data we process as controller
3.1 Account and subscription data
When you register and subscribe, we collect and process:
- Name
- Email address
- Country
- Account and subscription status, and related support correspondence
3.2 Payment data
Payments are processed by Paddle (Paddle.com Market Limited, United Kingdom), which acts as our Merchant of Record. This means Paddle — not SDHC — is the seller of record for your subscription and collects and processes your payment details directly, under Paddle's own privacy terms. We do not receive or store your full payment-card details; we receive only the limited billing and transaction information necessary to manage your subscription. The United Kingdom is covered by an EEA adequacy decision, so transfers of personal data to Paddle in the UK are permitted on that basis.
3.3 Website analytics
We operate our own first-party, anonymous analytics on the Service. It sets no cookies and stores nothing on your device, and it does not store your IP address. When you open a page, your IP is used only momentarily, in transit — to derive a daily, salted, one-way hash (which cannot be reversed and rotates every day) and to read your country from our CDN edge — and is then discarded. What we retain is anonymous and aggregate:
- Country (your IP itself is never stored)
- Pages visited and time spent on them
- Browser type and screen resolution
- Which links and page sections were used
None of this is linked to you as an individual, builds a profile, or tracks you across other sites or over time. Because we retain no personal data and no identifier that singles you out, there is nothing to consent to and nothing to opt out of. (If we ever changed this so that it did retain personal data, we would update this policy and add the appropriate choice.)
4. Personal data we process as processor (your uploaded content)
On your instructions, and on your behalf as controller, we process:
- Images uploaded manually or received automatically from cameras (including by email). These images may contain identifiable individuals (for example, people passing within camera range) and vehicles.
- Camera location coordinates that you set when you place cameras on the map.
- Metadata extracted from images, including date, time, camera name, and camera brand (read from the image via optical character recognition).
- Automated detections: where you enable it, our locally-run AI analyses images to detect and classify species, and to flag the presence of a human or a vehicle.
Important limitation on our AI: our detection of humans and vehicles identifies only that a human or vehicle is present. It does not identify, name, recognise, or otherwise single out any specific individual, and it does not perform facial recognition or any equivalent unique identification. For that reason, this detection does not constitute processing of biometric data or other special categories of data under Article 9 GDPR. The underlying images may nonetheless show identifiable people, and are treated as ordinary personal data of those individuals, for which the customer is the controller.
You may grant access to your images and related data to other members of your team. Where you do so, those users may view the content you share with them.
5. Purposes and legal bases
| Purpose | Data | Legal basis (as controller) |
|---|---|---|
| Create and manage your account and subscription | Name, email, country, subscription data | Contract (Art. 6(1)(b)) |
| Process payments | Billing/confirmation data | Contract (Art. 6(1)(b)) |
| Provide support | Correspondence | Contract / legitimate interests (Art. 6(1)(b)/(f)) |
| Secure and maintain the Service | IP address, technical data, session cookie | Legitimate interests (Art. 6(1)(f)) |
| Anonymous website analytics — aggregate stats, no IP or identifier stored | Country, pages, duration, browser (not linked to you) | Not personal data once aggregated; the momentary IP-to-hash step relies on legitimate interests (Art. 6(1)(f)) and retains nothing |
| Displaying the interactive map (in the app) | See Sections 6 and 7 | Legitimate interests (Art. 6(1)(f)) — necessary to show the map you requested; telemetry minimized |
For processing carried out on your behalf as a processor (Section 4), the legal basis for processing the personal data of individuals captured in footage is the responsibility of the customer as controller, as set out in the DPA and Terms of Service.
Where we rely on legitimate interests, we have balanced our interests against your rights and consider the processing to be limited and expected. You may object to this processing (see Section 9).
Automated decision-making: We do not make decisions about you based solely on automated processing that produce legal effects concerning you or similarly significantly affect you (Article 22 GDPR). Our AI analysis of uploaded images (Section 4) only flags the presence of wildlife, humans, or vehicles; it makes no automated decisions about identified individuals.
6. Cookies and local storage
We keep device storage to a minimum. Under ekomloven § 3-15, storing or reading information on your device needs your consent unless it is strictly necessary for a service you have requested. On our site, the only device storage is strictly necessary:
- a session cookie (
PHPSESSID) to keep you logged in to the web application; and - your language preference, stored locally.
Our website analytics stores nothing on your device — no cookies, no browser storage (see Section 3.3) — so there is nothing to consent to, and we set no advertising or tracking cookies of any kind.
When you open the interactive map in the web application, the map provider stores a small amount of usage data on your device as part of displaying the map you requested; we have minimized this (see Section 7). It is limited to that map feature and is not used on this website.
7. Third parties and recipients
We share personal data only with the following categories of recipients, who process it on our behalf or as necessary to deliver the Service:
- Hosting provider — our servers are located in Germany (within the EEA).
- Content delivery, DNS and security provider (Cloudflare) — routes and protects traffic to the Service and processes visitors' IP addresses in doing so. Cloudflare is a US-based provider.
- Map provider (Mapbox) — provides the interactive map used to place and view cameras. Displaying the map requires your browser to request map tiles, styles and fonts from Mapbox, and Mapbox receives associated technical data (including IP address) and a limited amount of usage-event data. Mapbox is a US-based provider. We have reduced optional telemetry, but a residual usage-event flow remains inherent to using the map.
- Payment provider (Paddle) — Paddle.com Market Limited (United Kingdom), acting as Merchant of Record, processes payments and related billing.
We do not sell personal data, and we do not share it with advertising networks.
8. International transfers
Your account and image data are hosted within the EEA (Germany), so no transfer outside the EEA is required for our core hosting.
Some recipients are located outside the EEA:
- Paddle (United Kingdom) — the UK benefits from an EEA/EU adequacy decision, so transfers are permitted on that basis.
- Cloudflare and Mapbox (United States) — limited personal data (such as IP addresses and technical/usage data) may be transferred to the US when you use the Service. These transfers are made under appropriate safeguards recognised by the GDPR, such as the EU–U.S. Data Privacy Framework and/or the European Commission's Standard Contractual Clauses, as provided by those recipients.
You may contact us for more information about the safeguards in place.
9. Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate or incomplete data
- Erasure ("right to be forgotten")
- Restrict processing
- Data portability (receive your data in a structured, machine-readable format)
- Object to processing based on legitimate interests
- Withdraw consent at any time, where processing is based on consent
How to exercise your rights and delete data:
- You can delete your own images and all data related to those images directly within the web application at any time.
- To delete your account, or to make any other rights request, contact us at [email protected]. We will respond without undue delay and within 30 days (this period may be extended by up to a further two months for complex requests, in which case we will inform you).
If your request concerns individuals captured in trail-camera footage, please note we act as processor for that content; see Section 2.
Right to complain: If you believe we have processed your personal data unlawfully, you may lodge a complaint with Datatilsynet (the Norwegian Data Protection Authority), www.datatilsynet.no. Decisions of Datatilsynet may be appealed to the Norwegian Privacy Appeals Board (Personvernnemnda). We would appreciate the chance to address your concerns first, so please consider contacting us before you complain.
10. Data retention
- Account data: kept for as long as you maintain an active account, and deleted when you close it (account deletion is handled via [email protected]). We do not delete your account unless you ask us to.
- Images and related data: kept for as long as your account is active; there is no fixed time limit, because the retention criterion is your continued use of the Service. You may delete your images, and all data derived from them, at any time.
- Analytics data: our website analytics is anonymous and aggregate (Section 3.3) — it holds no personal data and no identifier that singles you out, so no personal-data retention period applies to it.
- Billing records: payments are handled by Paddle as Merchant of Record (Section 3.2); any billing or accounting records we retain are kept for as long as Norwegian accounting law requires.
When you close your account, we delete or anonymise your personal data, except where we must retain specific information to meet a legal obligation (for example, statutory accounting records).
11. Security
We take appropriate technical and organisational measures to protect personal data, including transport encryption, access controls, and protection of session credentials. No system can be guaranteed completely secure, but we work to protect your data against unauthorised access, loss, or misuse. In the event of a personal data breach that is likely to result in a risk to your rights, we will notify Datatilsynet without undue delay and, where feasible, within 72 hours, and will inform affected individuals where required.
12. Children
The Service is intended for users aged 18 or over. It is a paid subscription service not directed at children, and we do not knowingly collect personal data from anyone under 18. When you create an account, you confirm that you are at least 18 years old. If you believe a minor has provided us with personal data, please contact [email protected].
13. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated version here and revise the "Last updated" date above. Where changes are significant, we will take reasonable steps to inform you.
14. Contact
For any privacy question or to exercise your rights:
SDHC AS Email: [email protected] Postboks 570 Vestre Glemmen, 1612 Fredrikstad Norway