Terms & Privacy Notice
Terms of Service
Your account
You are responsible for keeping your password secure and for all activity that takes place under your account. If you suspect unauthorised access, change your password immediately.
Your content
Any trips, packs, collections and items you create belong to you. We do not claim ownership of your data. We store it solely to provide the service to you.
Acceptable use
You agree not to use the service to do anything unlawful, harmful, or abusive. We reserve the right to suspend or terminate accounts that violate these terms.
Service availability
We aim to keep PackYourBag available and working, but we do not guarantee uninterrupted access or that data will never be lost. Use the service at your own risk.
Changes to these terms
We may update these terms from time to time. If we make significant changes, we will notify you by email before they take effect. Continued use of the service after that point means you accept the updated terms.
Governing law
These terms are governed by the laws of Belgium. If you are a consumer residing in the EU, the mandatory consumer protection laws of your country of residence also apply, and you may bring legal proceedings in the courts of your country of residence. If you reside outside the EU, these terms are governed exclusively by Belgian law and any disputes will be subject to the jurisdiction of the courts of Belgium.
Privacy Notice
Data controller
The data controller for PackYourBag is Carl Fremault. You can contact us about privacy matters at .
What we store and why
Your email address and a securely hashed password — we never store your password in plaintext. We process this to provide you with your account (legal basis: performance of a contract). We also store your in-app preferences (display settings, units) and any trips, packs, collections and items you create (legal basis: performance of a contract). Security and activity logs are kept to protect your account against unauthorised access (legal basis: legitimate interest). All data is stored on servers within the European Union.
Session cookie
When you register or sign in, we place a single encrypted cookie (pyb-session) on your device to keep you authenticated. It is marked HttpOnly (JavaScript on the page cannot read it) and is only transmitted over HTTPS. The cookie contains an encrypted authentication token — never your password. It expires when you log out or after 14 days. During email address verification, the encrypted cookie may temporarily hold your email address solely to pre-fill the resend form. It is removed as soon as verification is complete or you sign in, and never used for any other purpose.
Activity logging
To protect your account, we log security events such as logins, password changes, and session activity. Your IP address is truncated before it is stored, so it cannot be used to identify you. We record your browser type and the type of device you used (phone, tablet, or computer) — nothing more detailed than that.
Error monitoring
Our servers use Sentry to capture unexpected technical errors. Sentry receives limited information: the error, which page caused it, and your browser type. Passwords, email addresses, and other sensitive request data are automatically filtered out before anything is sent to Sentry. Sentry (sentry.io) acts as a data processor under a Data Processing Agreement; data is stored in the EU.
Data retention
Security logs are automatically deleted based on severity — routine events after 30 days, warnings after 60 days, critical alerts after 90 days. Expired authentication tokens are cleaned up daily.
Account deletion
You can delete your account at any time. Your account enters a 30-day grace period during which you can cancel the deletion via a link sent to your email. After 30 days, your account is permanently removed: all personal data is deleted and any remaining security logs are de-identified so they can no longer be linked to you.
No tracking or advertising
We use no analytics trackers, advertising networks, or third-party tracking cookies of any kind. We do not use your data for automated decision-making or profiling.
Your rights
Under the GDPR you have the right to access the personal data we hold about you, have inaccurate data corrected, request erasure of your data, restrict or object to how we process it, and receive a copy of your data in a portable format. To exercise any of these rights, contact us at . We will respond within 30 days.
Right to complain
If you believe we are handling your personal data unlawfully, you have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données): www.dataprotectionauthority.be. If you reside in another EU member state, you may also contact your local supervisory authority.