ViaPlot
Back to home

Privacy Policy

Last updated: March 2026

1. Data Controller

The data controller responsible for processing your personal data on this website and platform is:

[LEGAL ENTITY NAME]
[Street and house number]
[Postal code, City]
[Country — EU Member State]
Email: hello@viaplot.com

If you have any questions about this Privacy Policy or about how we handle your data, please contact us at the address above.

2. Scope of This Policy

This Privacy Policy explains what personal data we collect when you visit viaplot.com (the “Website”) or use the ViaPlot platform (the “Service”), why we collect it, how we use it, and what rights you have under the General Data Protection Regulation (GDPR — EU 2016/679).

3. Personal Data We Collect

3.1 Account Data

When you create an account, we collect your name, email address, and a hashed password. If you sign in with a passkey, we store the public-key credential. Optionally, you may upload a profile picture.

3.2 Content Data

All content you create on ViaPlot — maps, Points of Interest, text blocks, media files (images, video, audio), captions, and translations — is stored on our servers and associated with your account.

3.3 Usage Data

We use a self-hosted, cookieless instance of Plausible Analytics hosted at metrics.viaplot.com (EU server). Plausible does not use cookies, does not track you across sites, and does not collect any personally identifiable information. The data collected (page views, referrer, browser, country) is fully anonymised and never shared with third parties.

3.4 Waitlist Email

If you submit your email address to join the launch waitlist, we store that address in our database (EU server) and in our email marketing platform (Resend, see Section 6). We use it solely to notify you when ViaPlot launches. You can request deletion at any time by emailing hello@viaplot.com.

3.5 Payment Data

Payments are processed by Stripe, Inc. We do not store full card numbers on our servers. Stripe creates a customer record linked to your account. Stripe's privacy policy is available at stripe.com/privacy.

3.6 Log and Security Data

Our servers automatically record standard access logs (IP address, HTTP method, path, status code, timestamp) for security and debugging purposes. These logs are retained for a maximum of 30 days and then deleted.

4. Legal Basis for Processing

We process your personal data on the following legal bases under Article 6 GDPR:

  • Contract performance (Art. 6(1)(b) GDPR) — Account data and content data are necessary to provide the Service you signed up for.
  • Legitimate interests (Art. 6(1)(f) GDPR) — Server logs and anonymised analytics are processed to ensure the security and performance of our service.
  • Consent (Art. 6(1)(a) GDPR) — Waitlist submissions are based on your explicit consent given when submitting the form. You may withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c) GDPR) — Where required by applicable law (e.g. tax records).

5. Data Storage and EU Hosting

All ViaPlot infrastructure is located within the European Union. This includes:

  • Application servers — hosted in the EU
  • PostgreSQL database — EU server
  • Object storage (images, videos, audio) — EU data centre using S3-compatible Garage storage
  • Analytics — self-hosted Plausible at metrics.viaplot.com, EU server
  • Background workers & queue — Redis + BullMQ, EU server

We do not transfer your personal data to countries outside the EEA unless covered by an adequacy decision or appropriate safeguards (e.g. Standard Contractual Clauses). Third-party services that may process data outside the EU are listed in Section 6.

6. Third-Party Data Processors

We share data with the following processors who act on our behalf under Data Processing Agreements:

  • Resend (resend.com) — Transactional and marketing email. Data may be processed in the US; Resend is certified under the EU–US Data Privacy Framework.
  • Stripe (stripe.com) — Payment processing. Stripe is certified under the EU–US Data Privacy Framework and offers Standard Contractual Clauses.
  • Cloudflare Turnstile — Bot protection on forms. Cloudflare is subject to the EU–US Data Privacy Framework and processes only minimal data (challenge solving, no tracking cookies).
  • Mapbox (mapbox.com) — Map tiles and geocoding. When you view or edit a map, tile requests are made to Mapbox servers in the US. Your IP address may be transmitted. See Mapbox Privacy Policy.
  • Sentry / GlitchTip — Error monitoring. We use a self-hosted GlitchTip instance on EU servers. Error reports may contain truncated request data but no passwords or payment information.

7. Data Retention

  • Account and content data — retained for as long as your account is active. Upon account deletion, your data is permanently deleted within 30 days.
  • Waitlist emails — retained until you unsubscribe or request deletion, or until 12 months after the service launches, whichever comes first.
  • Server logs — maximum 30 days.
  • Analytics data — aggregated, anonymised, and retained indefinitely (no personal data involved).

8. Your Rights Under GDPR

As a data subject in the EU/EEA, you have the following rights:

  • Right of access (Art. 15) — You can request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16) — You can correct inaccurate data via your account settings or by contacting us.
  • Right to erasure (Art. 17) — You can request deletion of your account and all associated data.
  • Right to restriction of processing (Art. 18) — You can ask us to restrict how we process your data in certain circumstances.
  • Right to data portability (Art. 20) — You can request your data in a structured, machine-readable format.
  • Right to object (Art. 21) — You can object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7(3)) — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint — You have the right to file a complaint with your national data protection authority.

To exercise any of these rights, email us at hello@viaplot.com. We will respond within 30 days.

9. Cookies and Tracking

ViaPlot uses a minimal set of cookies strictly necessary for the service to function (authentication session cookies). We do not use advertising cookies or third-party tracking pixels. For a full breakdown, see our Cookie Policy.

Our analytics tool (Plausible) is cookieless and does not track individual users.

10. Security

We implement industry-standard technical and organisational measures to protect your data, including:

  • Encrypted connections (HTTPS/TLS) for all data in transit
  • Encrypted storage for sensitive fields
  • Bcrypt-hashed passwords
  • Optional two-factor authentication (TOTP) and passkey support
  • HaveIBeenPwned integration to prevent use of compromised passwords
  • Bot protection via Cloudflare Turnstile on all sign-up forms
  • Regular security monitoring via GlitchTip

11. Children's Privacy

ViaPlot is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top of this page. For material changes, we will notify registered users by email. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.