Privacy Policy
GTFS·X is a browser-based editor for creating, maintaining, and publishing GTFS transit feeds. This page describes what personal information we collect, how we use it, who we share it with, and the choices you have. It is written to match how the service actually behaves — not to maximize what we could collect.
1. The short version
- You can use the editor entirely anonymously. We don't require an account, and we don't track you across sites.
- If you create an account, we collect your email, display name, and a hash of your password — never the password itself.
- Feed content you save to the cloud is stored on Cloudflare infrastructure under your account and is visible only to you and any organization members you've granted access.
- We share data with the small set of vendors we depend on to operate the service (listed below). We don't sell personal data and we don't share it with advertisers.
- You can export everything we have on you at any time, and you can delete your account, which hard-purges your data after a 30-day grace window.
2. Who we are
"GTFS·X," "we," "us," and "our" refer to the operator of gtfsx.com and its subdomains (www.gtfsx.com, feeds.gtfsx.com, staging.gtfsx.com). For privacy questions or requests, write to support+privacy@gtfsx.com.
3. What we collect and why
3.1 Anonymous editor use
If you open the editor without an account, your work stays in your browser's IndexedDB. We do not transmit that content to our servers. The browser still loads map tiles from Mapbox, which means Mapbox sees the IP address making those requests.
3.2 Account information
When you create an account we collect:
- Email address — used to sign you in, send transactional emails (verify, magic link, password reset, organization invitations), and contact you about account or service changes.
- Display name — shown in the editor UI and on audit log entries for your own organizations.
- A hash of your password — produced via PBKDF2 with 600,000 iterations. We do not store, transmit, or log the password itself.
3.3 Session and security metadata
When you sign in, we record:
- A random session token (stored client-side in an HttpOnly, Secure, SameSite=Lax cookie named gb_session) and the SHA-256 of that token on our side.
- The IP address and User-Agent of the device that started the session.
- Per-action audit events (signups, logins, project creates / publishes / deletions, organization changes, billing changes). Each event records the actor user id, the action, a metadata blob, the IP address, and a timestamp.
This metadata exists for account security (so you can see active sessions and revoke them) and abuse review. We retain it for as long as your account is active.
3.4 Feed content
If you sign in and save a feed to the cloud, the feed's content (routes, stops, trips, shapes, calendar, fares, flex zones, etc.) is stored as a single gzipped JSON blob in Cloudflare R2 (object storage), with metadata in Cloudflare D1 (SQL). Access is gated by your session and any organization memberships you've granted. We do not look at your feed content except as needed for support work you've explicitly requested, or to investigate abuse reports.
3.5 Aggregated, cookieless analytics
We record page-view events to understand how the editor is used. Each event includes the URL pathname (no query string, no host), the country derived from your IP (via the CF-IPCountry header — we never store the IP itself in this table), an inbound ?ref= tag if one was present at session start, and a random per-tab session id that is not persisted across tabs or visits. We do not set tracking cookies, fingerprint your device, or correlate page views across sessions.
3.6 Billing information
If you upgrade to a paid plan, payment is processed by Stripe. Stripe collects your name, email, billing address, and payment method details directly — we never see or store your card number. We store the Stripe customer id, the subscription state (active / past due / canceled / trialing), the current plan, and the period dates so we can show your billing page and gate paid features.
3.7 Bot protection
The signup, login, and password-reset forms use Cloudflare Turnstile to filter automated abuse. Turnstile collects browser signals (rendering details, mouse / touch behavior, IP address) to decide if a request looks human. It does not set persistent cross-site cookies.
3.8 SMS verification and account alerts
Phone numbers collected for SMS verification and account alerts are used only to deliver those messages. We do not sell, rent, or share your mobile number or your SMS consent with third parties for marketing. Msg & data rates may apply; message frequency varies; reply STOP to opt out, HELP for help.
4. Cookies
| Cookie | Purpose | Lifetime |
|---|---|---|
| gb_session | Signed-in session token. HttpOnly, Secure, SameSite=Lax. | Up to 90 days; refreshed on use, idle-expires after 30 days. |
| gb_impersonator | Set only when a staff member impersonates a user for support. Lets them return to their own account. | Cleared when impersonation ends. |
We do not use analytics, advertising, or social-media cookies.
5. Who we share data with
We share the minimum necessary information with a small set of vendors that operate parts of the service. Each one is bound by its own privacy terms.
| Vendor | What they receive | Why |
|---|---|---|
| Cloudflare | All HTTP traffic to the service — request URLs, headers, IPs. Stored feeds, D1 database, KV cache, edge logs. | Hosting, edge delivery, DDoS protection, the Workers runtime that serves the API. |
| Stripe | Name, email, billing address, payment method (entered directly into Stripe Checkout). Subscription + invoice metadata. | Payments and subscription management. |
| Resend | Recipient email, sender, subject, and body of transactional emails (verify, magic link, password reset, organization invitations). | Outbound transactional email delivery. |
| Mapbox | Your IP, requested map tile coordinates, browser User-Agent — sent directly from your browser, not via our servers. | Rendering the interactive map and route geocoding. |
| Cloudflare Turnstile | Browser signals used to score human-ness on signup / login / reset. | Bot abuse prevention on authentication forms. |
We do not sell personal information. We do not share data with advertisers or data brokers. We will disclose information only when required by a valid legal process or to protect the rights, property, or safety of GTFS·X, our users, or the public — and where the law allows, we will notify you first.
6. Your rights
Regardless of where you live, you can:
- Access and export everything we have on you, as a ZIP archive, from Account → Export my data.
- Correct your display name or email from Account.
- Delete your account from Account → Delete account. Deletion soft-flags the account immediately (you're signed out, paid features stop, the email becomes reusable), and the row plus all R2 blobs are hard-purged after a 30-day grace window by a nightly job. Organization-owned data you don't personally own (e.g., feeds in an org you're a member of) is not deleted by your account deletion.
- Revoke active sessions for your account from Account → Sessions.
If you are in the EU / UK, you also have the right to object to processing, restrict processing, and lodge a complaint with your local supervisory authority. If you are in California, you have additional rights under the CCPA / CPRA, including the right to know what we collect and to delete it; we do not "sell" or "share" personal information under those definitions.
To exercise any of these rights — including for a deleted account — write to support+privacy@gtfsx.com.
7. Data retention
- Active accounts: retained for as long as the account exists.
- Deleted accounts: hard-purged 30 days after deletion. Backups taken before the deletion may persist for up to 90 days before they age out.
- Audit events: retained while the actor account exists, then purged with it.
- Cookieless analytics events: retained for up to 12 months in aggregated form.
- Billing records (Stripe-side): retained by Stripe under their own retention rules, which may be longer than the above for tax / accounting reasons.
8. Security
All traffic to gtfsx.com and its subdomains is served over TLS. Session cookies are HttpOnly + Secure + SameSite=Lax with a custom CSRF defense header required on state-changing requests. Passwords are stored as PBKDF2-SHA-256 hashes (600,000 iterations). Feed blobs and database rows are stored at rest on Cloudflare infrastructure. No system is perfectly secure — if you spot a vulnerability, please report it to support+security@gtfsx.com.
9. International transfers
GTFS·X is operated from the United States and uses Cloudflare's globally distributed network. If you access the service from outside the US, your data will be transferred to, and processed in, jurisdictions that may have different data-protection rules than your own. By using the service you consent to those transfers.
10. Children
GTFS·X is not directed to children under 13 (or the equivalent minimum age in your jurisdiction), and we do not knowingly collect personal information from them. If you believe a child has provided personal information to us, write to support+privacy@gtfsx.com and we will delete it.
11. Changes to this policy
We'll update this page when our practices change. Material changes (new vendor categories, new data collected, changes that affect your rights) will be flagged in-app and announced to signed-in users by email at least 14 days before they take effect. The "Last updated" date at the top will always reflect the most recent change.
12. Contact
Privacy questions or requests: support+privacy@gtfsx.com.
Security reports: support+security@gtfsx.com.
General support: support@gtfsx.com.