PRIVACY POLICY
Plain-English version of what we collect and why. The minimum needed to run the service — no advertising trackers, no data sales, ever.
Effective 2026-05-12
Summary
- We collect your email (for sign-in) and your published maps. That's the core.
- We share payment data with Stripe, hosting with Vercel, database with Neon, file storage with Cloudflare R2, email delivery with Resend, AI compose calls (Pro only) with Anthropic, and run our own GIS compute on a Raspberry Pi we operate.
- We do not sell your data, run third-party ad trackers, or use analytics that builds a profile of you across sites.
- You can delete your account and all your data at any time by emailing support@geoclip.xyz.
1. Who we are
GeoClip is operated by Nikki Griffin as a sole proprietor in the United States. "We," "us," and "our" in this policy refer to GeoClip. "You" refers to anyone using the GeoClip website, hosted maps, or API.
2. What we collect
From visitors (not signed in)
- Server logs: standard web logs (IP, user-agent, timestamp, requested URL) kept by Vercel for security and abuse prevention. Retained ~30 days.
- Vercel Analytics: aggregate, privacy-preserving pageview counts. No cookies, no cross-site tracking. We can see "how many people viewed the pricing page today," not "who Visitor #4823 is."
- Rate-limit cookie: a random session id (`geoclip_sid`) for the AI compose endpoint. No PII; used only to enforce per-session limits.
When you sign up
- Email address. Used to send magic-link sign-in emails and any service-critical notifications. We never sell, share, or rent this.
- Auth session token (httpOnly cookie). Lets you stay signed in across visits.
When you create a map
- The map selection geometry (the polygon or bbox you drew), the layers you picked, your per-layer color overrides, the title you typed.
- If you publish: the rendered HTML uploaded to Cloudflare R2, served at geoclip.xyz/m/<token>. Hosted maps are public by default — anyone with the URL can view. You can unpublish at any time.
- For Pro users: the generated download bundle (GeoJSON / Shapefile / GeoPackage), stored in our private R2 bucket and served via short-lived signed URLs to you only.
When you upgrade to Pro
- Stripe customer ID and subscription record. Stripe holds the actual payment card data — we never see your card number, CVC, or full PAN.
- Billing email (defaults to your account email, can differ in Stripe).
When you use AI compose (Pro only)
- Your prompt text is sent to Anthropic to generate the structured map config. Anthropic's data policy applies to that text. We do not retain the prompts long-term ourselves.
3. Why we collect it
- Provide the service — render your maps, save your drafts, deliver your downloads.
- Process payments — Stripe needs to know which customer paid which subscription.
- Send transactional email — magic-link sign-in, occasional service notices (e.g. "your subscription is about to renew"). Never marketing newsletters without your separate opt-in.
- Detect abuse — server logs and rate-limit cookies prevent scraping and abuse of paid endpoints.
- Improve the service — aggregate Vercel Analytics tells us which features are used and where pages are slow.
4. Who we share with (processors)
We use the following third-party processors. Each has their own privacy policy; clicking a name takes you to it.
- Stripe — payment processing, subscription management
- Vercel — web hosting, server logs, privacy-preserving analytics
- Neon — Postgres database hosting (auth + map metadata)
- Cloudflare — R2 storage for hosted maps + download bundles, email routing for our support address
- Resend — transactional email delivery (magic-link sign-in)
- Anthropic — AI compose feature for Pro users only
- GeoClip-operated infrastructure — we run a Raspberry Pi 5 ("Cicero") at our location that holds the federal-data PostGIS database and renders your published maps. It receives your selection geometry and layer choices over an encrypted tunnel; no third party operates this server.
We do not use ad networks, retargeting pixels, or cross-site tracking. There is no Google Analytics, no Meta pixel, no Hotjar / FullStory / Mixpanel session recording on this site.
5. Public maps
Hosted maps at geoclip.xyz/m/<token> are public by default. Anyone with the URL can view them. The token is unguessable (random 12-character id), so they're not indexed by search engines unless you share the URL publicly or embed the map on an indexed page.
You can unpublish a map at any time from /account — the map row stays in your account as a draft, but the public URL starts returning a "private" page.
Public hosted maps do not show your email, name, or any account-level identifier — only the map title you set and the data layers you picked.
6. Cookies & similar technologies
- `next-auth.session-token` — your sign-in session. HttpOnly, sameSite. Removed when you sign out.
- `geoclip_sid` — random AI compose session id for rate limiting. No PII. 30-day expiry.
- Stripe checkout / portal cookies — set only on the Stripe-hosted pages; see Stripe's policy.
We use no cookies for advertising, retargeting, or cross-site analytics. There is no consent banner because there is nothing to consent to.
7. Your rights
Regardless of where you live, you can:
- Access your data — email us and we'll send you everything we hold.
- Correct your data — sign in and edit it directly, or email us.
- Delete your account and all associated data — email us; we'll process within 30 days.
- Port your data — your published maps can be downloaded as GeoJSON / Shapefile / GeoPackage from /account (Pro tier).
- Object to processing or restrict it — email us.
EU/UK residents have rights under GDPR. California residents have rights under CCPA. Either way, the request path is the same — email support@geoclip.xyz.
8. Data retention
- Account + map data: kept as long as your account exists. Deleted within 30 days of an account-deletion request.
- Server logs: ~30 days at Vercel, per their policy.
- Stripe billing records: per Stripe's retention (typically 7 years for tax/audit).
- Email logs (Resend delivery records): per Resend's policy, typically 30-90 days.
9. Children
GeoClip is not directed at children under 13. We do not knowingly collect personal information from anyone under 13. If you believe we have, contact us and we'll delete it.
10. International transfers
GeoClip is operated from the United States. Our processors (Stripe, Vercel, Neon, Cloudflare, Resend, Anthropic) operate globally. By using the service, you understand that your data may be stored and processed in the United States and in other countries where our processors operate. We rely on each processor's standard cross-border safeguards (e.g. Standard Contractual Clauses for EU data).
11. Changes to this policy
We'll update this page when our practices change. The Effective date at the top reflects the latest revision. For material changes, we'll send a notice to your account email at least 30 days before the change takes effect.
12. Contact
Privacy questions, deletion requests, or anything in this policy you don't understand: support@geoclip.xyz.