Privacy Policy

Last updated: July 2, 2026

This Privacy Policy explains how SDHC AS ("SDHC", "we", "us", "our") processes personal data in connection with the website trail.cam and the web application at app.trail.cam (together, the "Service").

We are committed to protecting your privacy and handling personal data in accordance with the EU General Data Protection Regulation (GDPR), as incorporated into Norwegian law through the Personal Data Act (personopplysningsloven, LOV-2018-06-15-38), and the Norwegian Electronic Communications Act (ekomloven).


1. Who we are (Data Controller)

The data controller responsible for personal data described in this policy is:

SDHC AS Organisation number: 926 038 060 Postboks 570 Vestre Glemmen, 1612 Fredrikstad Norway

Privacy contact: [email protected]

Norway is part of the European Economic Area (EEA), and the GDPR applies to our processing in full. Our supervisory authority is the Norwegian Data Protection Authority (Datatilsynet).

We have assessed that we are not required to appoint a Data Protection Officer (DPO) under Article 37 GDPR. If this changes, we will update this policy.


2. Two roles: when we are a controller and when we are a processor

The Service involves two different kinds of personal data, and our legal role differs for each. This distinction matters, so we explain it up front.

We act as the data controller for the personal data we collect to operate the Service and our relationship with you — your account and subscription details, billing information, and the analytics we collect about visits to our website. This policy governs that data.

We act as a data processor for the content you upload to the Service — in particular the images from your trail cameras and the data derived from them. When you deploy cameras and upload footage, you decide why and where images are captured and for what purpose, which makes you the data controller for that content. We process it on your behalf and on your instructions. Our responsibilities in that role, and yours, are set out in a separate Data Processing Agreement (DPA), which forms part of our agreement with you: https://trail.cam/dpa.html.

If you are an individual who has been captured in trail-camera footage and you wish to exercise your rights over that image, the controller is the customer who operates the relevant camera, not SDHC. We will assist that customer in responding to your request, but we are not able to act on the footage independently of them.


3. Personal data we process as controller

3.1 Account and subscription data

When you register and subscribe, we collect and process:

3.2 Payment data

Payments are processed by Paddle (Paddle.com Market Limited, United Kingdom), which acts as our Merchant of Record. This means Paddle — not SDHC — is the seller of record for your subscription and collects and processes your payment details directly, under Paddle's own privacy terms. We do not receive or store your full payment-card details; we receive only the limited billing and transaction information necessary to manage your subscription. The United Kingdom is covered by an EEA adequacy decision, so transfers of personal data to Paddle in the UK are permitted on that basis.

3.3 Website analytics

We operate our own first-party, anonymous analytics on the Service. It sets no cookies and stores nothing on your device, and it does not store your IP address. When you open a page, your IP is used only momentarily, in transit — to derive a daily, salted, one-way hash (which cannot be reversed and rotates every day) and to read your country from our CDN edge — and is then discarded. What we retain is anonymous and aggregate:

None of this is linked to you as an individual, builds a profile, or tracks you across other sites or over time. Because we retain no personal data and no identifier that singles you out, there is nothing to consent to and nothing to opt out of. (If we ever changed this so that it did retain personal data, we would update this policy and add the appropriate choice.)


4. Personal data we process as processor (your uploaded content)

On your instructions, and on your behalf as controller, we process:

Important limitation on our AI: our detection of humans and vehicles identifies only that a human or vehicle is present. It does not identify, name, recognise, or otherwise single out any specific individual, and it does not perform facial recognition or any equivalent unique identification. For that reason, this detection does not constitute processing of biometric data or other special categories of data under Article 9 GDPR. The underlying images may nonetheless show identifiable people, and are treated as ordinary personal data of those individuals, for which the customer is the controller.

You may grant access to your images and related data to other members of your team. Where you do so, those users may view the content you share with them.


5. Purposes and legal bases

PurposeDataLegal basis (as controller)
Create and manage your account and subscriptionName, email, country, subscription dataContract (Art. 6(1)(b))
Process paymentsBilling/confirmation dataContract (Art. 6(1)(b))
Provide supportCorrespondenceContract / legitimate interests (Art. 6(1)(b)/(f))
Secure and maintain the ServiceIP address, technical data, session cookieLegitimate interests (Art. 6(1)(f))
Anonymous website analytics — aggregate stats, no IP or identifier storedCountry, pages, duration, browser (not linked to you)Not personal data once aggregated; the momentary IP-to-hash step relies on legitimate interests (Art. 6(1)(f)) and retains nothing
Displaying the interactive map (in the app)See Sections 6 and 7Legitimate interests (Art. 6(1)(f)) — necessary to show the map you requested; telemetry minimized

For processing carried out on your behalf as a processor (Section 4), the legal basis for processing the personal data of individuals captured in footage is the responsibility of the customer as controller, as set out in the DPA and Terms of Service.

Where we rely on legitimate interests, we have balanced our interests against your rights and consider the processing to be limited and expected. You may object to this processing (see Section 9).

Automated decision-making: We do not make decisions about you based solely on automated processing that produce legal effects concerning you or similarly significantly affect you (Article 22 GDPR). Our AI analysis of uploaded images (Section 4) only flags the presence of wildlife, humans, or vehicles; it makes no automated decisions about identified individuals.


6. Cookies and local storage

We keep device storage to a minimum. Under ekomloven § 3-15, storing or reading information on your device needs your consent unless it is strictly necessary for a service you have requested. On our site, the only device storage is strictly necessary:

Our website analytics stores nothing on your device — no cookies, no browser storage (see Section 3.3) — so there is nothing to consent to, and we set no advertising or tracking cookies of any kind.

When you open the interactive map in the web application, the map provider stores a small amount of usage data on your device as part of displaying the map you requested; we have minimized this (see Section 7). It is limited to that map feature and is not used on this website.


7. Third parties and recipients

We share personal data only with the following categories of recipients, who process it on our behalf or as necessary to deliver the Service:

We do not sell personal data, and we do not share it with advertising networks.


8. International transfers

Your account and image data are hosted within the EEA (Germany), so no transfer outside the EEA is required for our core hosting.

Some recipients are located outside the EEA:

You may contact us for more information about the safeguards in place.


9. Your rights

Under the GDPR you have the right to:

How to exercise your rights and delete data:

If your request concerns individuals captured in trail-camera footage, please note we act as processor for that content; see Section 2.

Right to complain: If you believe we have processed your personal data unlawfully, you may lodge a complaint with Datatilsynet (the Norwegian Data Protection Authority), www.datatilsynet.no. Decisions of Datatilsynet may be appealed to the Norwegian Privacy Appeals Board (Personvernnemnda). We would appreciate the chance to address your concerns first, so please consider contacting us before you complain.


10. Data retention

When you close your account, we delete or anonymise your personal data, except where we must retain specific information to meet a legal obligation (for example, statutory accounting records).


11. Security

We take appropriate technical and organisational measures to protect personal data, including transport encryption, access controls, and protection of session credentials. No system can be guaranteed completely secure, but we work to protect your data against unauthorised access, loss, or misuse. In the event of a personal data breach that is likely to result in a risk to your rights, we will notify Datatilsynet without undue delay and, where feasible, within 72 hours, and will inform affected individuals where required.


12. Children

The Service is intended for users aged 18 or over. It is a paid subscription service not directed at children, and we do not knowingly collect personal data from anyone under 18. When you create an account, you confirm that you are at least 18 years old. If you believe a minor has provided us with personal data, please contact [email protected].


13. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version here and revise the "Last updated" date above. Where changes are significant, we will take reasonable steps to inform you.


14. Contact

For any privacy question or to exercise your rights:

SDHC AS Email: [email protected] Postboks 570 Vestre Glemmen, 1612 Fredrikstad Norway