Skip to main content

ChibiGeo Privacy Policy

We take your privacy seriously. We collect only the personal data necessary to provide our service, and we never sell or rent your data to anyone.

This policy explains what personal data we process, why, on what legal basis, and the rights you have under the EU General Data Protection Regulation (GDPR).

Who is responsible (Controller)

ZeitFlow UG (haftungsbeschränkt) Kolonnenstraße 8, 10827 Berlin, Germany E-Mail: [email protected]

See our Impressum for full company details.

Scope

This policy applies to the ChibiGeo geocoding API and the account dashboard at app.chibigeo.com, operated by ZeitFlow UG (haftungsbeschränkt) ("we", "us"). ChibiGeo is a hosted service; we do not offer an iOS app or a self-hosted edition.

What data we process

Account data

Collected when you register and used to operate your account.

  • Email address
  • Password (stored only as a salted hash — we never see your plaintext password)
  • User ID and account status
  • API keys (stored hashed; we record the key prefix and the time it was last used)
  • Account settings

Legal basis: Art. 6(1)(b) GDPR — performance of the contract.

Billing data

If you subscribe to a paid plan, payment is handled by our third-party payment processor (Stripe). We do not receive or store your full card details; we receive the information needed to manage your subscription (e.g. plan, status, invoices, billing country).

Legal basis: Art. 6(1)(b) GDPR — performance of the contract; Art. 6(1)(c) — legal obligations (e.g. tax/invoicing).

Geocoding queries

When you call the API, the coordinates or search terms you send are processed transiently to return a result. We do not store the contents of your geocoding queries. We do keep aggregate request counts per account to enforce plan limits.

Legal basis: Art. 6(1)(b) GDPR — performance of the contract.

Technical logs and metrics

  • Server and error logs (may include IP address and request metadata), retained for a maximum of 30 days and used for security and debugging. Error traces may be sent to a bug-tracking service (e.g. Sentry).
  • Anonymous, aggregated usage metrics (e.g. total request volume). These are not used to track or profile individual users, and we do not use cross-site or advertising trackers.

Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in operating, securing, and improving the service.

Where data is stored

All data is transmitted over HTTPS and stored on our infrastructure within the EU, including encrypted database storage and backups. The one exception is billing: our payment processor, Stripe, may process and transfer payment data to the United States under EU Standard Contractual Clauses and/or the EU–US Data Privacy Framework. Apart from that, we do not transfer personal data outside the EU/EEA.

Recipients and processors

We share data only with processors acting on our instructions and only as needed to run the service — for example our EU hosting provider, our payment processor (for paid plans), and our error-tracking provider. We do not sell, rent, or trade personal data.

Data retention

  • Account data: kept while your account is active. On account deletion (by you in the dashboard or on request), it is removed from live systems promptly and purged from backups within 30 days.
  • Logs: maximum 30 days.
  • Geocoding query contents: not stored.
  • Billing records: retained as required by statutory tax/commercial-law obligations.

Your rights

Under the GDPR you have the right to: access your data (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and to object to processing based on legitimate interests (Art. 21). Where processing relies on consent, you may withdraw it at any time.

To exercise any of these, email [email protected].

You also have the right to lodge a complaint with a supervisory authority. Our competent authority is the Berliner Beauftragte für Datenschutz und Informationsfreiheit (Berlin Commissioner for Data Protection and Freedom of Information).

Children

ChibiGeo is intended for users aged 18 and over and is not directed at children. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided personal data, contact us and we will remove it.

Security

We take reasonable technical and organizational measures to protect your data, including encryption in transit and at rest and access controls.

Changes to this policy

We may update this policy from time to time. Material changes will be communicated, and the "last updated" date below will be revised.

Contact

Questions about privacy? Email [email protected].

Last updated

WhenWhat
2026-06-16Rewritten for ChibiGeo; added GDPR rights, billing, retention
2025-08-22Initial version