Privacy Policy
Last updated: April 22, 2025
Thank you for choosing PlaceSpotter ("we", "our", "us"). We respect your privacy and are committed to protecting the personal information you share with us. This Privacy Policy explains what data we collect, why we collect it, how we use it, and the choices you have.
1. Scope of this Policy
This Policy applies to the PlaceSpotter web application, related APIs, and any interactive services that link to it (collectively, the "Service"). By using the Service, you agree to the practices described here.
2. Information We Collect
| Category | Types of Data | Source | Purpose |
|---|---|---|---|
| Account Data | • Email address • Name (optional) | You | Create & secure your account, authenticate via magic links, send transactional emails |
| User Content | • Uploaded images • Associated EXIF metadata (GPS, camera make/model, timestamp) | You | Provide core location‑identification functionality |
| Analysis Records | • AI‑generated location coordinates & descriptions • Confidence scores | Generated by our AI pipeline | Display results, improve accuracy, and maintain an audit trail |
| Billing & Payment | • Stripe Customer ID • Last 4 digits & expiry of card • Billing address, tax jurisdiction | Stripe | Process purchases, prevent fraud, satisfy accounting obligations |
| Usage & Technical | • IP address • Device & browser type • Log files, error reports • Cookie & local‑storage identifiers | Your device; automated collection | Secure the Service, detect abuse, compile analytics |
Special categories. We do not intentionally collect sensitive personal data (race, health, biometrics, etc.). Please do not upload imagery that contains such data.
3. How We Use Your Information
- Provide and improve the Service – run image analysis, show maps, host your results, develop new features.
- Process payments & credits – via Stripe to manage subscriptions, credit packs, and refunds.
- Communicate with you – magic‑link login emails, payment confirmations, expiry reminders, and product updates (you may opt‑out of non‑essential emails).
- Security & fraud prevention – monitor usage patterns, block malicious activity, and enforce our Terms of Service.
- Legal compliance – satisfy bookkeeping, tax, and regulatory requirements.
Lawful Bases (GDPR / UK GDPR)
- Contract: Most processing is necessary to deliver the Service you request.
- Legitimate interests: Security, product analytics, and limited marketing.
- Consent: Optional cookies/trackers and marketing emails.
4. Sharing & Disclosure
We never sell your personal information. We share it only with trusted service providers that enable core functionality:
| Processor | Role | Safeguards |
|---|---|---|
| Vercel | Hosting & edge functions | EU‑U.S. Data Privacy Framework, SCCs |
| Neon Postgres | Primary database | SCCs |
| Stripe | Payments & billing | PCI‑DSS compliant, SCCs |
| SendGrid | Transactional emails | SCCs |
| OpenAI (GPT‑4o Vision) | Image analysis | SCCs |
| Mapbox | Map tiles & geocoding | SCCs |
We may disclose data:
- To comply with law, court orders, or law‑enforcement requests
- To enforce our Terms, prevent fraud, or protect the rights and safety of users
- In connection with a merger, acquisition, or sale of assets (you will be notified of any change of ownership)
5. Cookies & Tracking Technologies
We use:
- Essential cookies – authentication, load balancing, user session state (cannot be disabled).
- Analytics (first‑party) – to understand feature adoption. No third‑party ad cookies are set.
- Preference storage – localStorage for UI settings.
Where required, we display a cookie banner and obtain consent for non‑essential cookies.
6. Data Retention
| Data type | Retention period |
|---|---|
| Uploaded images | Stored indefinitely on your behalf until you actively delete them via the dashboard or delete your account |
| Analysis results | Retained for the life of your account, or 90 days after deletion for error‑log integrity |
| Account & billing records | 7 years (tax & accounting laws) |
| Logs & security data | 30 days, unless needed to investigate abuse |
We anonymise or securely delete data when the retention period ends.
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access a copy of the data we hold about you
- Correct or update inaccurate data
- Delete your account and personal information
- Port data to another provider
- Opt‑out of marketing communications
- Withdraw consent for non‑essential cookies or tracking
Submit requests at privacy@placespotter.app. We will verify your identity and respond within 30 days.
California & other U.S. state residents may also:
- Opt‑out of "sale" or "sharing" of personal data (we do neither)
- Limit use of sensitive personal data (we do not process it)
8. Children’s Privacy
The Service is not directed to children under 13. We do not knowingly collect personal information from children. If you believe a child has provided data, contact us and we will delete it.
9. International Transfers
Your data may be processed outside your country, including in the United States and Europe. We rely on:
- Standard Contractual Clauses (SCCs) with our processors
- Participation in the EU‑U.S. Data Privacy Framework where applicable
10. Security Measures
- TLS 1.3 encryption in transit and AES‑256 at rest
- Principle of least privilege & role‑based access controls
- Regular dependency scanning and penetration tests
- Stripe handles all card data and is PCI‑DSS Level 1 compliant
No system is 100 % secure, but we continuously work to protect your information.
11. Changes to This Policy
We may update this Policy from time to time. Material changes will be announced via email or prominent notice 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance.
12. Contact Us
Email: support@placespotter.app
Thank you for trusting PlaceSpotter with your photos. We are committed to protecting your privacy and providing a transparent, secure experience.