This Privacy Policy ("Policy") describes how Open Privy ("we", "us", or "our") collects, uses, discloses, and safeguards personal data in connection with the website located at openprivy.com and the associated web application (collectively, the "Services"). It also sets out the rights available to individuals under applicable data protection laws, including the European Union and United Kingdom General Data Protection Regulation ("GDPR") and the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"). By accessing or using the Services, you acknowledge that you have read and understood this Policy.

1. Data Controller

Open Privy, located in the United States, is the controller responsible for the personal data processed through the Services and determines the purposes and means of that processing.

General enquiries regarding this Policy may be directed to [email protected]. Requests to exercise the rights described in Section 10 should be submitted in accordance with Section 14 (Contact).

2. Personal Data We Collect

2.1 Data you provide to us

2.2 Data collected automatically

Metadata in photographs. Photographs may contain embedded metadata (EXIF), which can include the geographic coordinates and time of capture. Such metadata may be stored and displayed together with the image. Users are advised not to upload photographs containing metadata they do not wish to disclose.

2.3 Data we do not collect

We do not collect government-issued identifiers, payment card information, stored location histories, biometric data, or special categories of personal data within the meaning of Article 9 of the GDPR.

3. Purposes and Legal Bases for Processing

We process personal data for the purposes set out below. Where the GDPR applies, the corresponding legal basis is identified.

We do not use personal data for advertising, profiling, or automated decision-making that produces legal or similarly significant effects concerning an individual.

4. Public Nature of Contributions

The Services operate as a shared, community-maintained registry. Contributions — including locations, access codes, descriptions, ratings, verifications, and photographs — are published together with the contributing user's username and are accessible to all users of the Services. Email addresses are not displayed publicly, and passwords are not disclosed to any party.

Because contributions constitute a shared resource relied upon by other users, a contribution may remain available after the contributing account is closed. In such cases, personal attribution is removed, and specific content will be removed upon request where removal does not compromise the integrity of the shared registry (see Sections 8 and 10). Users should not include information they consider confidential within their contributions.

5. Cookies and Local Storage

The Services use a single first-party cookie together with a limited set of browser local-storage entries. No advertising or third-party tracking cookies are used. The only analytics identifier is the first-party, pseudonymous identifier described below, which is stored for signed-out visitors solely with their consent, requested through an in-app notice; declining has no effect on the availability of the Services.

The session cookie is strictly necessary for the provision of a service requested by the user and therefore does not require consent. Users may clear cookies and local storage through their browser at any time; clearing the session cookie will terminate the authenticated session.

6. Recipients and Third-Party Services

We limit the disclosure of personal data to the recipients described in this section. We do not sell personal data.

6.1 Services contacted directly by your browser

In order to render the map and process searches, the user's browser loads resources from the following providers, which consequently receive the user's IP address together with the information necessary to respond:

6.2 Processors acting on our behalf

We may additionally disclose personal data where required by law, to enforce our terms, or to protect the rights, safety, or security of our users or the Services.

7. International Data Transfers

Our servers are located in the United States (St. Louis, Missouri), and certain of the providers identified above may process data in the United States or other jurisdictions. Where a user accesses the Services from another jurisdiction, including the United Kingdom or the European Economic Area, personal data will be transferred to and processed in the United States. Where required by applicable law, such transfers are made subject to appropriate safeguards, such as the European Commission's Standard Contractual Clauses or an equivalent mechanism. Further information is available on request.

8. Data Retention

We retain personal data only for as long as necessary for the purposes described in this Policy:

9. Information Security

Connections to the Services are encrypted using HTTPS/TLS. Passwords are stored exclusively as salted scrypt hashes and are never stored in plaintext. The session cookie is set with the HttpOnly and Secure attributes. The application runs under an unprivileged account with a restricted filesystem, behind a firewall, and enforces rate limiting on authentication and write operations. No method of transmission or storage is entirely secure; however, we implement reasonable technical and organizational measures to protect personal data and will notify affected individuals and the competent supervisory authority of a personal data breach where required by applicable law.

10. Your Rights

Subject to and in accordance with applicable law, individuals may exercise the following rights in relation to their personal data:

Requests may be submitted using the details in Section 14. We will respond within the period required by applicable law (generally one month under the GDPR and 45 days under the CCPA/CPRA). We do not charge a fee for, or discriminate against individuals who exercise, these rights. We may require verification of identity, ordinarily by confirming control of the relevant account, before acting on a request.

11. California Privacy Rights

Residents of California are entitled under the CCPA/CPRA to know the categories and specific pieces of personal information collected and the purposes of collection (as described in this Policy), to request access to and deletion of that information, to request correction of inaccurate information, and not to be subject to discrimination for exercising these rights.

We do not "sell" personal information and do not "share" personal information for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA, and we have not done so in the preceding twelve months. The categories of personal information collected are identifiers (username, optional email address, and a random pseudonymous analytics identifier), internet or network activity processed for security and, in pseudonymous form, for product analytics, approximate geolocation processed on the user's device, and the content and photographs users elect to contribute.

12. Children's Privacy

The Services are not directed to children. A user must be at least 13 years of age to create an account, and at least 16 years of age in jurisdictions where 16 is the minimum age for consent to the processing of personal data. We do not knowingly collect personal data from children below the applicable age. If we become aware that such data has been collected, we will delete it. A parent or guardian who believes that a child has provided personal data may contact us using the details in Section 14.

13. Changes to this Policy

We may amend this Policy from time to time to reflect changes to the Services or to applicable law. The "Last updated" date at the top of this Policy indicates when it was most recently revised, and we will provide additional notice of material changes where appropriate. Continued use of the Services following the effective date of a revised Policy constitutes acceptance of the revised Policy.

14. Contact

Enquiries regarding this Policy, and requests to exercise the rights described above, may be submitted to:

Email: [email protected]
Controller: Open Privy

We will acknowledge and address requests within the timeframes required by applicable law.

← Return to Open Privy