Privacy Policy

Effective: 2026-05-16 · Last updated: 2026-05-16

GTFS·X is a browser-based editor for creating, maintaining, and publishing GTFS transit feeds. This page describes what personal information we collect, how we use it, who we share it with, and the choices you have. It is written to match how the service actually behaves — not to maximize what we could collect.

1. The short version

2. Who we are

"GTFS·X," "we," "us," and "our" refer to the operator of gtfsx.com and its subdomains (www.gtfsx.com, feeds.gtfsx.com, staging.gtfsx.com). For privacy questions or requests, write to support+privacy@gtfsx.com.

3. What we collect and why

3.1 Anonymous editor use

If you open the editor without an account, your work stays in your browser's IndexedDB. We do not transmit that content to our servers. The browser still loads map tiles from Mapbox, which means Mapbox sees the IP address making those requests.

3.2 Account information

When you create an account we collect:

3.3 Session and security metadata

When you sign in, we record:

This metadata exists for account security (so you can see active sessions and revoke them) and abuse review. We retain it for as long as your account is active.

3.4 Feed content

If you sign in and save a feed to the cloud, the feed's content (routes, stops, trips, shapes, calendar, fares, flex zones, etc.) is stored as a single gzipped JSON blob in Cloudflare R2 (object storage), with metadata in Cloudflare D1 (SQL). Access is gated by your session and any organization memberships you've granted. We do not look at your feed content except as needed for support work you've explicitly requested, or to investigate abuse reports.

3.5 Aggregated, cookieless analytics

We record page-view events to understand how the editor is used. Each event includes the URL pathname (no query string, no host), the country derived from your IP (via the CF-IPCountry header — we never store the IP itself in this table), an inbound ?ref= tag if one was present at session start, and a random per-tab session id that is not persisted across tabs or visits. We do not set tracking cookies, fingerprint your device, or correlate page views across sessions.

3.6 Billing information

If you upgrade to a paid plan, payment is processed by Stripe. Stripe collects your name, email, billing address, and payment method details directly — we never see or store your card number. We store the Stripe customer id, the subscription state (active / past due / canceled / trialing), the current plan, and the period dates so we can show your billing page and gate paid features.

3.7 Bot protection

The signup, login, and password-reset forms use Cloudflare Turnstile to filter automated abuse. Turnstile collects browser signals (rendering details, mouse / touch behavior, IP address) to decide if a request looks human. It does not set persistent cross-site cookies.

3.8 SMS verification and account alerts

Phone numbers collected for SMS verification and account alerts are used only to deliver those messages. We do not sell, rent, or share your mobile number or your SMS consent with third parties for marketing. Msg & data rates may apply; message frequency varies; reply STOP to opt out, HELP for help.

4. Cookies

| Cookie | Purpose | Lifetime |
| --- | --- | --- |
| gb_session | Signed-in session token. HttpOnly, Secure, SameSite=Lax. | Up to 90 days; refreshed on use, idle-expires after 30 days. |
| gb_impersonator | Set only when a staff member impersonates a user for support. Lets them return to their own account. | Cleared when impersonation ends. |

We do not use analytics, advertising, or social-media cookies.

5. Who we share data with

We share the minimum necessary information with a small set of vendors that operate parts of the service. Each one is bound by its own privacy terms.

| Vendor | What they receive | Why |
| --- | --- | --- |
| Cloudflare | All HTTP traffic to the service — request URLs, headers, IPs. Stored feeds, D1 database, KV cache, edge logs. | Hosting, edge delivery, DDoS protection, the Workers runtime that serves the API. |
| Stripe | Name, email, billing address, payment method (entered directly into Stripe Checkout). Subscription + invoice metadata. | Payments and subscription management. |
| Resend | Recipient email, sender, subject, and body of transactional emails (verify, magic link, password reset, organization invitations). | Outbound transactional email delivery. |
| Mapbox | Your IP, requested map tile coordinates, browser User-Agent — sent directly from your browser, not via our servers. | Rendering the interactive map and route geocoding. |
| Cloudflare Turnstile | Browser signals used to score human-ness on signup / login / reset. | Bot abuse prevention on authentication forms. |

We do not sell personal information. We do not share data with advertisers or data brokers. We will disclose information only when required by a valid legal process or to protect the rights, property, or safety of GTFS·X, our users, or the public — and where the law allows, we will notify you first.

6. Your rights

Regardless of where you live, you can:

If you are in the EU / UK, you also have the right to object to processing, restrict processing, and lodge a complaint with your local supervisory authority. If you are in California, you have additional rights under the CCPA / CPRA, including the right to know what we collect and to delete it; we do not "sell" or "share" personal information under those definitions.

To exercise any of these rights — including for a deleted account — write to support+privacy@gtfsx.com.

7. Data retention

8. Security

All traffic to gtfsx.com and its subdomains is served over TLS. Session cookies are HttpOnly + Secure + SameSite=Lax with a custom CSRF defense header required on state-changing requests. Passwords are stored as PBKDF2-SHA-256 hashes (600,000 iterations). Feed blobs and database rows are stored at rest on Cloudflare infrastructure. No system is perfectly secure — if you spot a vulnerability, please report it to support+security@gtfsx.com.

9. International transfers

GTFS·X is operated from the United States and uses Cloudflare's globally distributed network. If you access the service from outside the US, your data will be transferred to, and processed in, jurisdictions that may have different data-protection rules than your own. By using the service you consent to those transfers.

10. Children

GTFS·X is not directed to children under 13 (or the equivalent minimum age in your jurisdiction), and we do not knowingly collect personal information from them. If you believe a child has provided personal information to us, write to support+privacy@gtfsx.com and we will delete it.

11. Changes to this policy

We'll update this page when our practices change. Material changes (new vendor categories, new data collected, changes that affect your rights) will be flagged in-app and announced to signed-in users by email at least 14 days before they take effect. The "Last updated" date at the top will always reflect the most recent change.

12. Contact

Privacy questions or requests: support+privacy@gtfsx.com.
Security reports: support+security@gtfsx.com.
General support: support@gtfsx.com.