Privacy Policy
Effective date: March 20, 2026
What2Pack ("we", "our", "us") is a camp and troop planning application for scouting organizations. This policy explains what information we collect, how we use it, and your choices.
1. Information We Collect
Account Information Required
When you create an account, we collect:
- Username, email address, first and last name
- Password (stored only as a bcrypt hash — we never store plaintext passwords)
- User type (parent, leader, or scout)
Roster & Membership Data Required
Unit leaders manage roster information for their organization:
- Name, position, rank, patrol assignment
- Youth or adult status, active/inactive status
- Email, phone number, date of birth, BSA member ID (optional per member)
- Youth Protection Training (YPT) certification date
- Parent-to-scout relationships
Event & Activity Data
- Event details: names, dates, locations, descriptions
- Meeting agendas, attendance, and announcements
- Camp schedules, class assignments, merit badge and rank progress
- Menu plans, shopping lists, and recipes
- Dietary restrictions (provided voluntarily during event registration)
- Hike plans with GPS waypoints
Location Data Optional
If you grant location permission, we collect:
- GPS coordinates during active hike tracking (latitude, longitude, altitude)
- Distance to campsites for proximity-based search
Location data is collected only while the app is in use and only when you have explicitly enabled location access. We do not track your location in the background.
Photos Optional
If you grant camera or photo library access, photos you attach to inventory items are uploaded and stored on our servers. We do not access your photo library beyond what you explicitly select.
Device & Session Information
When you log in, we automatically collect:
- IP address, browser/device type, and operating system
- Session identifiers for authentication
- Trusted device tokens (stored in your device Keychain) if you choose "Remember Me"
Payment Information
Event payments are processed through Zeffy, a third-party payment platform. We store:
- Transaction IDs, payment amounts, and payment status
- Payer email address (as provided by Zeffy)
We do not collect or store credit card numbers, bank account details, or other financial instrument data. All payment processing is handled entirely by Zeffy.
2. How We Use Your Information
| Purpose |
Data Used |
| Authenticate your account |
Email, password hash, session tokens |
| Manage your unit's roster and events |
Roster data, event details, schedules |
| Track scout advancement |
Merit badge and rank progress |
| Display maps and hike tracking |
GPS coordinates, campsite locations |
| Process event registrations |
Registrant name, email, dietary info |
| Send calendar reminders |
Event dates and times (local notifications only) |
| Security and audit logging |
IP address, user agent, action history |
3. Information Sharing
We do not sell, rent, or trade your personal information. We share data only in these limited circumstances:
- Within your scouting unit: Roster data, event information, and schedules are visible to other authorized members of your unit based on their role (admin, editor, viewer).
- Zeffy: Registration and payment data is shared with Zeffy to process event payments. See Zeffy's Privacy Policy.
- Legal requirements: We may disclose information if required by law or to protect the safety of our users.
4. Third-Party Services
We do not use any third-party analytics, advertising, or tracking SDKs. There is no Firebase, Google Analytics, Facebook SDK, or similar tracking in the app.
The only third-party services we integrate with are:
- Apple MapKit (iOS): For displaying maps, campsite locations, and hike routes. Subject to Apple's Privacy Policy.
- Mapbox (Android): For displaying maps, campsite locations, and hike routes. Subject to Mapbox's Privacy Policy.
- Zeffy: For event payment processing.
5. Data Storage & Security
- All data is transmitted over HTTPS (TLS encryption in transit).
- Passwords are hashed using bcrypt and never stored in plaintext.
- Authentication tokens are stored in the iOS Keychain or Android EncryptedSharedPreferences, the most secure storage available on each platform.
- Audit logs track data changes for security purposes, recording who made changes and when.
- Data is stored on secured servers in the United States.
6. Data Retention
- Account data: Retained as long as your account is active. Contact us to request deletion.
- Trusted devices: Device tokens expire automatically and can be revoked by the user at any time.
- Audit logs: Retained for security and compliance purposes.
- GPS hike data: Waypoints are stored as part of hike plans and can be deleted by the user.
7. Your Rights & Choices
- Location access: You can deny or revoke location permission at any time in your device settings. The app functions without it.
- Camera & photos: You can deny or revoke these permissions. Inventory features work without photos.
- Calendar access: Optional. Used only to add event reminders to your calendar.
- Trusted devices: You can view and remove trusted devices from your account settings.
- Data export: Contact us to request a copy of your personal data.
8. Account Deletion
You may request deletion of your What2Pack account and associated personal data at any time.
How to Request Deletion
- By email: Send a deletion request to privacy@what2pack.org from the email address associated with your account.
What Gets Deleted
When your account is deleted, the following data is permanently removed:
- Your account profile (username, email, name, password hash)
- Trusted device tokens and active sessions
- Personal preferences and settings
- Photos you uploaded to inventory items
- GPS waypoints from your hike tracking
What May Be Retained
Certain data may be retained after account deletion in limited circumstances:
- Unit roster records: If you are a member of a scouting unit, your name and role may be retained in the unit's historical records as managed by unit administrators. Contact your unit leader to request removal.
- Shared content: Recipes, events, menus, and shopping lists you created for your unit remain available to other unit members but are disassociated from your account.
- Audit logs: Security audit records (login history, data change logs) may be retained for up to 12 months for security and compliance purposes.
- Payment records: Transaction records processed through Zeffy are retained by Zeffy per their own data retention policies.
Deletion Timeline
Account deletion requests are processed within 30 days of receiving your request. You will receive an email confirmation when deletion is complete. During processing, your account will be deactivated and inaccessible.
If you are the sole administrator of a scouting unit, we will contact you to discuss transferring administrative access before completing deletion, to avoid disruption for other unit members.
9. Children's Privacy
What2Pack is used by scouting organizations that include youth members. Scout accounts for minors are created and managed by adult leaders or parents. We do not knowingly collect personal information directly from children under 13 without parental or guardian consent through the unit's adult leadership.
Parents and guardians can contact us at any time to review, modify, or request deletion of their child's information.
10. Changes to This Policy
We may update this privacy policy from time to time. Changes will be posted on this page with an updated effective date. Continued use of the app after changes constitutes acceptance of the revised policy.
11. Contact Us
If you have questions about this privacy policy or wish to exercise your data rights, contact us at:
Email: privacy@what2pack.org