Legal
Privacy Policy
This Privacy Policy ("Policy") describes how Open Privy ("we", "us", or "our") collects, uses, discloses, and safeguards personal data in connection with the website located at openprivy.com and the associated web application (collectively, the "Services"). It also sets out the rights available to individuals under applicable data protection laws, including the European Union and United Kingdom General Data Protection Regulation ("GDPR") and the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"). By accessing or using the Services, you acknowledge that you have read and understood this Policy.
1. Data Controller
Open Privy, located in the United States, is the controller responsible for the personal data processed through the Services and determines the purposes and means of that processing.
General enquiries regarding this Policy may be directed to [email protected]. Requests to exercise the rights described in Section 10 should be submitted in accordance with Section 14 (Contact).
2. Personal Data We Collect
2.1 Data you provide to us
- Account registration data. A username and password are required to create an account. Passwords are stored solely as salted scrypt hashes and are not accessible to us in plaintext. An email address is optional and is collected only where the user elects to provide one.
- User contributions. Content that users submit or edit, including restroom locations, entry information and access codes, accessibility and amenity attributes, opening hours, free-text descriptions, cleanliness ratings, verification and report actions, and uploaded photographs. Each contribution is stored together with the contributing user's username and a timestamp for attribution purposes.
2.2 Data collected automatically
- Approximate device location. Where the user grants permission, the browser's Geolocation interface provides the device's location to the application in order to center the map and order results by proximity. This processing occurs on the user's device, and device location is not stored on our servers. When a user performs a search, an approximate location may be transmitted to the OpenStreetMap Nominatim service (see Section 6) to improve the relevance of results.
- IP address. Our server necessarily receives the IP address of a connecting device. IP addresses are processed transiently in server memory for the sole purpose of enforcing rate limits on authentication and write operations, and are not persisted to our database.
- Session identifier. A single first-party cookie is used to maintain an authenticated session (see Section 5).
- Diagnostic information. The server may record technical error information for the purpose of maintaining and troubleshooting the Services.
- Usage analytics (pseudonymous). To understand how the Services are used and to improve them, we record when a restroom's detail page is opened, which restroom it was, the time, and how long the page remained open. These records are associated only with a random identifier: for signed-in users, a permanent random identifier generated at account creation; for signed-out visitors who consent via the in-app notice, a random identifier stored in the browser (see Section 5). These identifiers are not derived from, and are never displayed alongside, a name, username, email address, or IP address. If an account is deleted, the link between the account and its identifier is destroyed, rendering the associated usage records anonymous. Visitors who decline consent are counted without any identifier.
Metadata in photographs. Photographs may contain embedded metadata (EXIF), which can include the geographic coordinates and time of capture. Such metadata may be stored and displayed together with the image. Users are advised not to upload photographs containing metadata they do not wish to disclose.
2.3 Data we do not collect
We do not collect government-issued identifiers, payment card information, stored location histories, biometric data, or special categories of personal data within the meaning of Article 9 of the GDPR.
3. Purposes and Legal Bases for Processing
We process personal data for the purposes set out below. Where the GDPR applies, the corresponding legal basis is identified.
| Purpose | Description | Legal basis (GDPR) |
|---|---|---|
| Account administration | Creating and maintaining user accounts and authentication | Performance of a contract |
| Publication of contributions | Operating the shared, community-maintained registry | Performance of a contract; legitimate interests in providing a public resource |
| Proximity features | Displaying and ordering results relative to the user's location | Consent (browser location permission) |
| Security and abuse prevention | Rate limiting and protecting the integrity of the Services | Legitimate interests in security |
| Session management | Maintaining authenticated sessions | Strictly necessary; legitimate interests |
| Product analytics | Measuring, in pseudonymous form, how restroom pages are viewed in order to improve the Services | Consent (device identifier for signed-out visitors); legitimate interests in improving the Services (pseudonymized measurement for signed-in users) |
| Handling requests | Responding to enquiries and rights requests | Legal obligation; legitimate interests |
We do not use personal data for advertising, profiling, or automated decision-making that produces legal or similarly significant effects concerning an individual.
4. Public Nature of Contributions
The Services operate as a shared, community-maintained registry. Contributions — including locations, access codes, descriptions, ratings, verifications, and photographs — are published together with the contributing user's username and are accessible to all users of the Services. Email addresses are not displayed publicly, and passwords are not disclosed to any party.
Because contributions constitute a shared resource relied upon by other users, a contribution may remain available after the contributing account is closed. In such cases, personal attribution is removed, and specific content will be removed upon request where removal does not compromise the integrity of the shared registry (see Sections 8 and 10). Users should not include information they consider confidential within their contributions.
6. Recipients and Third-Party Services
We limit the disclosure of personal data to the recipients described in this section. We do not sell personal data.
6.1 Services contacted directly by your browser
In order to render the map and process searches, the user's browser loads resources from the following providers, which consequently receive the user's IP address together with the information necessary to respond:
| Provider | Function | Data received |
|---|---|---|
| CARTO | Base map tiles | IP address and the map areas requested |
| OpenStreetMap (Nominatim) | Geocoding of search queries | Search terms, IP address, and approximate location where used to bias results |
| unpkg (Cloudflare) | Delivery of the Leaflet mapping library | IP address when the resource is loaded |
| Google Maps | Walking directions, only where the user selects "directions" | The selected destination and associated Google Maps data |
6.2 Processors acting on our behalf
- Contabo GmbH — provides the server infrastructure on which the Services operate and the database is stored.
- Cloudflare, Inc. — provides domain registration and DNS services, and object storage (Cloudflare R2) used to retain off-site backups of the database.
- Let's Encrypt — issues the TLS certificate securing connections to the Services; no personal data is shared for this purpose.
We may additionally disclose personal data where required by law, to enforce our terms, or to protect the rights, safety, or security of our users or the Services.
7. International Data Transfers
Our servers are located in the United States (St. Louis, Missouri), and certain of the providers identified above may process data in the United States or other jurisdictions. Where a user accesses the Services from another jurisdiction, including the United Kingdom or the European Economic Area, personal data will be transferred to and processed in the United States. Where required by applicable law, such transfers are made subject to appropriate safeguards, such as the European Commission's Standard Contractual Clauses or an equivalent mechanism. Further information is available on request.
8. Data Retention
We retain personal data only for as long as necessary for the purposes described in this Policy:
- Account data (username, optional email address, password hash) is retained for the duration of the account and is deleted upon account deletion. A registered user may delete their account at any time through the account menu within the application; deletion is immediate and irreversible.
- Contributions may persist as part of the shared registry. Upon account deletion, personal attribution is removed, and specific contributed content will be deleted on request where removal does not compromise the integrity of the registry.
- Authentication sessions expire automatically (approximately 30 days) and upon logout.
- Rate-limiting data is held in memory only and is discarded within minutes.
- Usage analytics records are retained in pseudonymous form for as long as they remain useful for improving the Services. Upon account deletion, the mapping between the account and its analytics identifier is destroyed, rendering the retained records anonymous. Signed-out visitors may remove their device identifier at any time by clearing browser storage.
- Backups. Dated database backups are retained on a short rotation (approximately seven days on the server, together with off-site copies). Deleted data may persist in backups until the relevant backups are rotated and overwritten.
9. Information Security
Connections to the Services are encrypted using HTTPS/TLS. Passwords are stored exclusively as salted scrypt hashes and are never stored in plaintext. The session cookie is set with the HttpOnly and Secure attributes. The application runs under an unprivileged account with a restricted filesystem, behind a firewall, and enforces rate limiting on authentication and write operations. No method of transmission or storage is entirely secure; however, we implement reasonable technical and organizational measures to protect personal data and will notify affected individuals and the competent supervisory authority of a personal data breach where required by applicable law.
10. Your Rights
Subject to and in accordance with applicable law, individuals may exercise the following rights in relation to their personal data:
- Access — to obtain confirmation of, and a copy of, the personal data we hold about them.
- Rectification — to have inaccurate or incomplete personal data corrected.
- Erasure — to request deletion of their account and personal data. Registered users may delete their account directly within the application.
- Restriction and objection — to request restriction of, or object to, certain processing, including processing based on legitimate interests.
- Portability — to receive their personal data in a structured, commonly used, machine-readable format.
- Withdrawal of consent — where processing is based on consent (such as access to device location), to withdraw that consent at any time, including by denying or resetting the relevant browser permission.
- Complaint — to lodge a complaint with the competent supervisory authority (in the United Kingdom, the Information Commissioner's Office; in the European Economic Area, the applicable national authority).
Requests may be submitted using the details in Section 14. We will respond within the period required by applicable law (generally one month under the GDPR and 45 days under the CCPA/CPRA). We do not charge a fee for, or discriminate against individuals who exercise, these rights. We may require verification of identity, ordinarily by confirming control of the relevant account, before acting on a request.
11. California Privacy Rights
Residents of California are entitled under the CCPA/CPRA to know the categories and specific pieces of personal information collected and the purposes of collection (as described in this Policy), to request access to and deletion of that information, to request correction of inaccurate information, and not to be subject to discrimination for exercising these rights.
We do not "sell" personal information and do not "share" personal information for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA, and we have not done so in the preceding twelve months. The categories of personal information collected are identifiers (username, optional email address, and a random pseudonymous analytics identifier), internet or network activity processed for security and, in pseudonymous form, for product analytics, approximate geolocation processed on the user's device, and the content and photographs users elect to contribute.
12. Children's Privacy
The Services are not directed to children. A user must be at least 13 years of age to create an account, and at least 16 years of age in jurisdictions where 16 is the minimum age for consent to the processing of personal data. We do not knowingly collect personal data from children below the applicable age. If we become aware that such data has been collected, we will delete it. A parent or guardian who believes that a child has provided personal data may contact us using the details in Section 14.
13. Changes to this Policy
We may amend this Policy from time to time to reflect changes to the Services or to applicable law. The "Last updated" date at the top of this Policy indicates when it was most recently revised, and we will provide additional notice of material changes where appropriate. Continued use of the Services following the effective date of a revised Policy constitutes acceptance of the revised Policy.
14. Contact
Enquiries regarding this Policy, and requests to exercise the rights described above, may be submitted to:
Email: [email protected]
Controller: Open Privy
We will acknowledge and address requests within the timeframes required by applicable law.
← Return to Open Privy