Privacy Policy

Effective: April 20, 2026

This policy explains what Bodholdt Speed Testing (“we,” “us”) collects when you use bodholdtspeedtesting.com and the Bodholdt Speed Testing mobile app, how we use it, who we share it with, and the rights you have over it. We wrote this in plain English on purpose — if anything here is unclear, email us at [email protected].

1. Who we are

Bodholdt Speed Testing is an independent speed-testing and community platform. The data controller for the purposes of GDPR and CCPA is:

Bodholdt Speed Testing
Roseville, CA
Contact: [email protected]

2. What we collect

We only collect data that is needed to run speed tests, power the community features, or keep your account secure. Here is the full list.

Account information

Username and email address you provide at registration.
Password, stored only as a bcrypt hash — we never see your plaintext password.
Application Password tokens issued to your mobile app. Tokens are stored hashed on our side and in the iOS or Android secure keychain on your device.
Display name and profile slug (derived from your username).
Optional profile details you choose to fill in: about text, city, state, country, profile photo.

Speed test data

Every time you run a test, we record:

Download speed, upload speed, ping, jitter, and loaded ping (bufferbloat), each in Mbps or milliseconds.
Test type, test status (complete or failed), and test mode.
The timestamp of the test.

Device and network metadata

Device brand and model (for example, Apple iPhone 15 Pro) and your app version.
Connection type (Wi-Fi or cellular).
On cellular: carrier name, data connection generation (5G, LTE, 3G), network generation, signal strength (RSRP, RSRQ, SINR, level), cell ID, frequency band, dual-SIM flag, and roaming status.

Location data

GPS coordinates (latitude and longitude) captured at the time of each test, if you grant the permission.
A reverse-geocoded city, state, country, and postal code derived from those coordinates.
Location is used to plot the coverage map, power leaderboards by region, and show carrier quality by area. You can revoke the permission in your device settings and we will stop collecting it on subsequent tests.

Coverage map: exact storage, coarse public view

The coverage map uses a two-layer privacy model. The exact coordinates of each test are stored so we can give you accurate personal history and recompute aggregates, but the map shown to other users never exposes them. Specifically:

Exact storage, coarse display. We store the precise lat/lng, but the public /measurements/map endpoint coarsens every pin onto a grid cell roughly 500 m across (longitude is scaled by latitude so cells stay roughly square). Nearby tests collapse into the same cell.
k = 5 anonymity floor. A grid cell only appears on the map if at least five distinct users have contributed a public test to it. Cells with four or fewer contributors are dropped from the response entirely — there is no pin, no shape, no record that anyone tested there. This floor is enforced in the database query; it is not a display-layer filter that can be bypassed.
No per-test leaks. When a cell does qualify, we emit a single aggregate pin with the median download, upload, and ping across the contributing tests and the most common carrier. Individual tests, usernames, and exact test counts are never returned (the contributor count is capped at “5+” regardless of how many people actually tested there).
Your own view, on your own screen. When you are signed in and looking at your own map, your own pins are shown at exact location — it is your data. No one else can pull your exact coordinates; a request from another account is silently downgraded to the coarse, bucketed view. You can preview the anonymised public view of yourself at any time in Settings → Privacy Dashboard → What others see of you.

Your preferences

Whether each test is public (visible on the map, feed, and leaderboards) or private. The default is private.
Whether your display name appears on public tests (public identity toggle).
Whether you receive activity notifications.

Social activity

Follows, likes, and comments you create, and notifications generated for you.
If you submit a comment, the full comment text is stored.

We do not collect

We do not collect background location. GPS is only sampled at the moment you start a test, and only if you granted the permission. We never request “always allow” location.
We do not collect device identifiers (IDFA, IDFV, Android Advertising ID, or any other persistent hardware ID).
We do not use ad identifiers or any third-party advertising SDK. There is no ad tracking in this app.
We do not track you across other sites or apps.
We do not sell your personal information to anyone, ever.
We do not access your microphone, camera (except when you choose to upload a profile photo), contacts, or calendar.

Crash reports (off by default)

Crash reporting is off by default. The app ships with the Sentry SDK compiled in, but it only loads a reporting endpoint after you explicitly flip the “Share anonymous crash reports” switch in Settings or the Privacy Dashboard. Until you do, no crash data, no stack traces, and no network requests leave your device from our error-reporting layer — a claim you can verify with a packet capture.

If you turn it on, we receive stack traces only. We never receive your speed numbers, location, identity, email, or device identifiers through this channel. You can turn it back off at any time in the same place; the transport is shut down immediately.

3. How we use your data

To run the product — measure speeds, store your history, render your profile, deliver notifications.
To power the community features — only data you have explicitly marked public is visible to other users (feeds, leaderboards, maps, carrier comparisons).
To improve accuracy — aggregate, anonymised speed readings help us tune the test engine and publish coverage insights. Aggregate data cannot be tied back to you.
To keep the service safe — detect abuse, throttle brute-force login attempts, and comply with legal obligations.

Lawful basis under GDPR

Contract — we process account and test data so we can deliver the service you signed up for.
Consent — GPS location and public visibility require your explicit opt-in; you can revoke either at any time.
Legitimate interests — aggregate analytics, fraud prevention, and security monitoring, balanced against your rights.

4. Who we share data with

We share data only with the processors we need to run the service. Each one is listed below.

Cloudflare, Inc. — speed-test server (Workers) and test-file hosting (R2). Cloudflare processes your public IP address and the bytes exchanged during a test. See their privacy policy.
Google LLC — Maps Platform, used for reverse-geocoding coordinates into city, state, country, and postal code. See Google's privacy policy.
GamiPress — achievement tracking, running on our own servers as a WordPress plugin. No third-party transmission.
Email provider — transactional email (password resets, confirmations) is delivered through a reputable SMTP provider configured inside WordPress.

We never sell your personal information, and we do not share it with advertisers, data brokers, or analytics networks.

5. How long we keep it

Account data — for as long as your account is active.
Speed test results — indefinitely while your account exists, so you can see your own history and we can show community averages. You can delete individual tests, or request deletion of all of your data (see next section).
Server logs — rotated after 30 days.
When you delete your account, all personally identifiable data is removed within 30 days; anonymous, already-aggregated statistics may remain.

6. Your rights

For everyone

Access — see everything we hold about you via your profile and settings screens, or by emailing us.
Correction — update your account and profile details in the Settings screen.
Deletion — open the app, go to Settings → Danger Zone → Delete My Account, or email [email protected]. Deletion is permanent.
Portability — we can send you a machine-readable copy of your data within 30 days of a request.

If you are in the EU, UK, or EEA (GDPR)

You also have the rights to restrict processing, object to processing, and lodge a complaint with your national supervisory authority.

If you are in California (CCPA / CPRA)

You have the rights to know, delete, correct, and opt out of the sale or sharing of your personal information. We do not sell or share your personal information as defined by the CCPA.

Exercising your rights

For any of the above, email [email protected]. We will verify the request against your account and respond within 30 days.

7. Children

Bodholdt Speed Testing is intended for users 16 and older. We do not knowingly collect information from children under 16. If you believe a child has registered, contact us and we will delete the account.

8. International transfers

Our servers are located in the United States. If you access the service from outside the US, your data will be transferred to, stored, and processed there. Where data is transferred from the EU or UK, we rely on Standard Contractual Clauses and equivalent safeguards.

9. Security

All traffic between your device and our servers uses TLS (HTTPS).
Passwords are stored as bcrypt hashes; Application Password tokens are hashed on our side and held in your device's secure keychain on the client.
Rate limits and server-side monitoring defend against brute-force attacks.
No system is perfectly secure. If you suspect a breach of your account, email us immediately.

10. Changes to this policy

We may update this policy as the product evolves. Material changes will be announced in-app and by email (where we have one on file) at least 14 days before they take effect. The “Effective” date at the top of this page always reflects the current version.

11. Contact

Privacy questions, rights requests, and breach reports: [email protected].

General support: [email protected].