Compass Rose

Locograph

Back to home

Privacy Policy

Last Updated: November 2025

Locograph is a SaaS platform operated by a sole proprietor in the European Union. This policy is GDPR-compliant and applies to all users.

1. What We Collect

  • Account: Email, user ID, plan type, account creation date
  • Configuration: Domain name, script key, widget customization, SEO preferences
  • Images & Locations: Image URLs, SHA-256 hashes, page URLs, GPS coordinates, place names (we do NOT store original images)
  • Analytics (Pro+): Event types (tag_view, map_open, etc.), session ID, page URL, user agent, event timestamp, country-level location
  • SEO Logs (Pro+ SEO only): User agent, request format, access timestamp

Browser-only (not transmitted to us): Session ID (30min) in localStorage.

2. How We Use Your Data

  • Extract GPS from EXIF, reverse-geocode to place names, display tags, render maps
  • Track quotas, respond to support, analyze aggregated patterns, debug issues
  • Send billing notifications, quota alerts, support responses, service updates
  • Comply with legal obligations, enforce Terms, investigate fraud

3. Third-Party Processors

  • Supabase (EU) - Processes email, user ID, and all database records for database, authentication, and storage
  • Vercel (Global) - Processes HTTP requests and cached locations for hosting, caching, and CDN
  • Geoapify - Processes GPS coordinates for reverse geocoding
  • Inngest (USA, SCCs) - Processes image URLs, hashes, and status for background processing
  • OpenStreetMap (Various) - Processes map tile requests for map tiles
  • Sentry.io - Processes error logs and performance monitoring data
  • Resend - Processes email addresses for transactional emails
  • GitHub - Processes user feedback and issue reports

Each has their own privacy policy. See their sites for details.

4. Data Retention and Deletion

  • Email, plan - Retained until account deletion; delete via Account settings
  • Sites, config - Retained until site deletion; delete via Dashboard
  • Images, locations - Retained until manual deletion; delete via Dashboard
  • Analytics events - Retained until manual deletion; delete via Dashboard
  • SEO logs - Retained until manual deletion; delete via Dashboard
  • Browser cache - Auto-expires after 24hr or 30min
  • Backups - Auto-deleted after 30 days

When you delete your account: All data is immediately and permanently deleted. Vercel KV cache must be manually cleared; we can help.

5. Your GDPR Rights

You can:

  • Access: Request all data we hold about you (15 business days)
  • Rectify: Edit location info or email via Dashboard
  • Delete: Delete individual locations or request full account deletion
  • Restrict: Pause analytics/geocoding by disabling in Settings
  • Port: Request JSON/CSV export (15 business days)
  • Object: Disable analytics or SEO feeds anytime

Contact: support@locograph.app

We do not use automated decision-making or profiling.

6. Security

  • In Transit: HTTPS/TLS 1.2+
  • At Rest: Supabase encryption, Vercel KV encryption
  • Access: Row-Level Security (RLS), users access only their own data
  • Keys: Public keys are RLS-protected; private keys in env vars only; script keys are unique non-guessable UUIDs
  • Coordinates: Rounded for privacy (exact: 11m, city: 1.1km, region: 11km, country: 111km)
  • Authentication: Supabase Auth (email/password + OAuth)
  • Monitoring: Rate limits, quota enforcement, activity logging

Limitations: No system is 100% secure. We disclaim liability for unauthorized access beyond our reasonable control.

7. Cookies and Tracking

We use: Supabase auth cookies (7 days, HttpOnly, Secure)

We store in your browser (localStorage):

  • locograph_session_id - Analytics session ID, 30min timeout

We DON'T use: Google Analytics, Facebook Pixel, advertising networks, cross-site tracking, fingerprinting.

Clear cookies anytime in browser settings.

8. International Data Transfers

Within EU: Supabase EU region, Vercel EU edge (GDPR-compliant)

To USA: Inngest uses Standard Contractual Clauses (SCCs); only image metadata transferred, not personally identifiable data.

Within EU: Geoapify, OpenStreetMap (various).

We use Data Processing Agreements (DPAs) with all processors.

9. Children

Locograph is not for users under 13. We don't knowingly collect data from children under 13. If you believe we have, contact us and we'll delete it.

10. Changes to This Policy

We update this policy anytime. Changes take effect immediately. For significant changes (new processors, new data collection, reduced protections), we'll email 30+ days' notice. Minor changes (clarifications, typos, contact info) don't require notice.

11. Consent

Analytics (Pro+): Opt-in, disabled by default. Enable in Dashboard > Site Settings > "Enable Analytics". Disable anytime.

SEO Feeds (Pro+ only): Opt-in, requires Pro/Business plan + explicit site-level opt-in. Coordinates are rounded (see Section 6).

Email: Service notifications (billing, quotas) are required. New feature announcements are optional; unsubscribe anytime.

12. Contact

Privacy questions, data requests, complaints: support@locograph.app

Include: Request type (access, delete, port, etc.), your email, specific data/dates, signature (for formal GDPR requests).

Response: 15 business days. Use "URGENT" subject line for urgent matters.

Complaints to your DPA: Contact your local data protection authority in the EU.

Last Updated: November 2025

This policy is effective from the date above and applies to all Locograph use from that date forward.