Privacy Policy
1. Overview of Data Protection
We take the protection of your personal data very seriously. This Privacy Policy explains how your information is processed when using GISpo. Our core architecture is designed to focus purely on functional utility, with privacy and security embedded by default.
The responsible party (Controller) for processing personal data under the General Data Protection Regulation (GDPR) is:
Levin Cioffi
Badenyx
c/o Postflex #9658, Emsdettener Str. 10
48268 Greven
Germany
Email: levin@badenyx.studio
2. Transient File Data Processing (Zero-Retention Processing)
Since our SaaS provides translation mechanisms for geospatial file formats (e.g. Shapefile, GeoJSON, KML, GPX), we process file buffers supplied by you. This processing relies on a strict zero-retention architecture:
- Isolated Ephemeral Processing: Files uploaded for format translation are sent securely to our isolated GDAL processing worker hosted on Fly.io (server location: Frankfurt, EU).
- Isolated Temporary Processing: Files are processed in a per-request, isolated temporary working directory for the duration of the conversion only, then returned to your client. They are deleted in full immediately after the conversion finishes — including on error — and are never placed in any database or persistent storage.
- Zero-Retention Policy: No uploaded geospatial vectors, projection boundaries, coordinates, meta-records, or spatial properties are stored, cached, or persisted on our servers. The per-request temporary working directory is deleted in full as soon as the conversion completes or terminates, including on error.
- No File-Content Logging: The content within your GIS files — shapefile DBF tables, GPX GPS traces, coordinates and attributes — is never saved, parsed for analytics, or cataloged. (This is distinct from the technical server logs described in section 3.)
- Verschlüsselte Übermittlung (HTTPS): All connections and files transfers are encrypted using TLS/HTTPS standards to prevent interception by third parties.
3. Conversion Backend (Fly.io — Processor)
The actual file conversion and validation is performed by a separate backend worker operated on our behalf by Fly.io (server location: Frankfurt, Germany / EU). Uploaded files are held only in an isolated, per-request temporary working directory for the runtime of the conversion and are deleted in full immediately afterwards — including on error. No uploaded file content is written to a database or any persistent store.
For operational security and abuse prevention, the worker may record technical server logs (e.g. IP address, timestamp, request metadata). The legal basis is our legitimate interest under Art. 6 Abs. 1 lit. f GDPR.
A Data Processing Agreement (DPA) with Fly.io has been concluded, and the EU Standard Contractual Clauses apply to the processing. Technical server logs are retained only as long as necessary for operational security and abuse prevention.
4. Infrastructure Hosting (Vercel)
Our Next.js application front-end is hosted by Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA.
When you visit or use our platform, Vercel automatically collects connection metadata to maintain web security and ensure operational stability (Server Logs). These records contain:
- Browser type and version
- Host operating system
- Referrer URL (previously visited website)
- Host address of the accessing client
- Date and time of server requests
- IP address
Vercel processes this metadata based on legitimate interests (Art. 6 Abs. 1 lit. f GDPR). A Data Processing Agreement (DPA) with Vercel is in place, ensuring that all connection data is secured in accordance with European data protection standards (EU Standard Contractual Clauses).
5. Browser States & Cookie Exclusions
To provide a modern, programmatic experience, we exclude all persistent tracking, cookie-based advertisement, and third-party analytics telemetry.
We do not currently use browser localStorage, sessionStorage, or cookies to store personal data or track you. Should we use such client-side storage in future strictly for local UI preferences (e.g. active tab selections), it would run only on your device, involve no external trackers, and never be transmitted back to us.
6. Your Legal Rights under GDPR
Under the GDPR, you possess the following rights regarding any personal data we may collect:
- Right to access your stored data (Art. 15 GDPR).
- Right to rectification of incorrect data (Art. 16 GDPR).
- Right to erasure ("Right to be forgotten" - Art. 17 GDPR) – as we wipe all converted spatial datasets immediately, there is no physical file history or coordinates history stored.
- Right to restriction of data processing (Art. 18 GDPR).
- Right to data portability (Art. 20 GDPR).
- Right to object to data processing (Art. 21 GDPR).
- Right to lodge a complaint with a supervisory data protection authority (Art. 77 GDPR).