Privacy Notice — Beta
About this Notice
Viscar is currently in closed beta, distributed through Apple TestFlight, the website at https://viscarapp.com, and a free-tier developer API. This Notice explains how your personal information is handled during the beta period.
The beta is expected to run for approximately six months from the Effective Date. We are in the process of incorporating Viscar Inc. (Delaware C-Corporation). Upon incorporation, this Notice will be replaced by a full Privacy Policy and your acceptance will be requested again.
1. Who operates this beta
The Viscar beta is operated jointly during the pre-incorporation period by two individuals:
- [Operator A — TBD], located in California, United States
- [Operator B — TBD], located in Poland, European Union
The primary contact for any privacy-related request is: legal@viscar.com
If you are located in the European Economic Area, you may direct any privacy enquiry to [Operator B — TBD] at the same address (legal@viscar.com), in their capacity as the EU-based operator.
The operators undertake to incorporate Viscar Inc. within approximately six months. Upon incorporation, all rights and obligations under this Notice will be assumed by the company.
2. What information we collect
2.1. Information you provide directly
Account information. When you create an account on the website or in the iOS app, we collect:
- Email address
- Password, stored as a salted hash (we never see or store your plaintext password)
- Email verification code, generated server-side and validated upon entry
Support communications. If you submit a support request through the in-app contact form or the website contact form, we receive the content of your message and, if provided, your email address for response. To deliver these support requests to the operators, we use the Telegram Bot API operated by Telegram Messenger Inc. — the content of your message and your email address are transmitted through Telegram's infrastructure during this delivery. You do not need a Telegram account to contact us, and we do not require any Telegram identifier from you. Replies from the operators are sent to you by email.
2.2. Information collected automatically by the iOS app
Trip and routing data — collected anonymously. When you use the navigation features, the app records:
- GPS coordinates along your route
- Motion sensor readings (accelerometer, gyroscope)
- Aggregated motion patterns derived from these sensors
- Timestamps
This data is uploaded under a randomly generated trip identifier that is not linked to your user account in any database we maintain. The operators cannot determine which trips belong to which user. Once uploaded, trip data exists in our systems as anonymous infrastructure data used to build aggregated routing and traffic information.
Location data for routing. When you request a route, your device sends current location coordinates to our servers to compute and return the route. These real-time location queries are not retained against your account after the route is delivered.
2.3. Information collected automatically by the website and API
Account-related requests. When you sign up, sign in, or interact with your account on the website, we receive your email address, request metadata, and any data you submit through forms.
API usage. If you use the developer API (free beta tier), we receive your API key identifier, the endpoints you call, the timestamps of those calls, request counts, and the IP address making the call. We do not retain the content of your route queries against your API key beyond what is necessary to compute and return responses.
Technical data. Our infrastructure logs each request to our servers, including:
- IP address
- Device or browser information
- App or API version
- Request timestamps
- Error events and crash data
These logs are processed by our logging provider, Better Stack (Logtail), and retained for 90 days.
3. Cookies and similar technologies
Our website uses only essential cookies required for authentication and security. We do not use analytics cookies, marketing cookies, or third-party tracking technologies.
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
viscar_session | Maintains your signed-in session | First-party, essential | Session |
csrf_token | Protects against cross-site request forgery | First-party, essential | Session |
We may also store a small flag in your browser's localStorage to remember that you have dismissed the cookie notice on the website. This is not a cookie and is not transmitted to our servers.
The iOS app does not use browser cookies. It may use equivalent on-device identifiers necessary for authentication, as described in Section 2.
We do not use third-party advertising trackers, behavioral analytics, or social media pixels.
4. Device permissions on iOS
The iOS app requests the following permissions:
| Permission | Purpose | Required? |
|---|---|---|
| Location (When In Use / Always) | Navigation and trip recording for service improvement | Yes, for navigation features |
| Motion & Fitness | Telemetry collection used to improve service accuracy | Yes, for telemetry-based features |
| Push Notifications | Routing alerts and weather notifications (when activated) | Optional |
You can grant, revoke, or modify any of these permissions at any time through your device's Settings. Revoking a permission may disable any feature that depends on it.
5. How we use your information
We process personal information for the following purposes. For users in the European Economic Area, the legal basis under GDPR is indicated.
| Purpose | Legal basis (GDPR) |
|---|---|
| Creating and managing your account | Contract — Art. 6(1)(b) |
| Providing navigation, routing, and API services | Contract — Art. 6(1)(b) |
| Email verification and password reset | Contract — Art. 6(1)(b) |
| Improving the Service through anonymous trip data | Legitimate interest — Art. 6(1)(f) |
| Service-related communications | Contract / Legitimate interest |
| Customer support | Contract — Art. 6(1)(b) |
| API rate limiting, security, and abuse prevention | Legitimate interest — Art. 6(1)(f) |
| Compliance with legal obligations | Legal obligation — Art. 6(1)(c) |
6. Service providers and sub-processors
We share personal information with the following service providers, each of which processes data on our behalf under appropriate contractual or industry-standard safeguards:
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Amazon Web Services, Inc. | Cloud infrastructure: compute, database, storage | All Service data | United States (us-east-1) |
| Apple Inc. | Map tiles, geocoding, TestFlight distribution, App Store services | Location queries, account identifiers | United States / global |
| Open-Meteo | Weather data lookup along requested routes | Approximate route coordinates | Germany / European Union |
| Stripe, Inc. | Payment processing (when paid plans become active) | Email, payment information | United States / global |
| Google LLC (Workspace) | Business email infrastructure for the operators (handling of privacy and legal correspondence to legal@viscar.com) | Email addresses and email content received at the contact address | United States / global |
| Resend, Inc. | Transactional email delivery (verification codes, password resets, account notifications) | Email address, email content | United States / European Union |
| Better Stack (Logtail) | Application logging and infrastructure monitoring | Server logs, IP addresses, request metadata | European Union |
| Telegram Messenger Inc. | Delivery of in-app and website support requests to the operators (no user-side Telegram interaction required) | Email address and message content of support inquiries | Global |
| [Polish development company — TBD] | Software development services performed for the Viscar Service; developers engaged by this entity have technical access to production systems for development, maintenance, and incident response | Limited technical access to Service data | Poland, European Union |
We do not sell your personal information. We do not engage in cross-context behavioral advertising or share data for marketing purposes.
7. International data transfers
Our primary infrastructure is hosted in the United States (AWS, us-east-1 region, Virginia). If you are located in the European Economic Area, the United Kingdom, Switzerland, or Canada, your personal information is transferred to and processed in the United States.
For these transfers we rely on the following safeguards:
- Standard Contractual Clauses approved by the European Commission (Decision 2021/914) where applicable to direct provider relationships
- The EU-US Data Privacy Framework for transfers to participating US recipients
- The UK Addendum to the SCCs for transfers from the United Kingdom
- The Swiss-US Data Privacy Framework for transfers from Switzerland
- For Canadian users, transfers are conducted in accordance with PIPEDA
A copy of the relevant transfer mechanism is available on request from legal@viscar.com.
8. Data retention
| Data category | Retention period |
|---|---|
| Account information | While your account is active |
| Account information after deletion request | 6 months as a soft-deleted account, then permanently deleted |
| Anonymous trip data | Retained beyond beta as anonymous infrastructure data |
| Server logs | 90 days |
| API usage records | 12 months for rate limiting and abuse prevention |
| Support communications | 12 months from resolution |
| Backups containing personal data | Up to 35 days after deletion from the primary database |
Maximum retention of identifiable personal data during beta: 12 months from collection, unless required by law to retain longer.
9. Your privacy rights
Depending on your jurisdiction, you have the following rights:
9.1. European Economic Area and United Kingdom (GDPR / UK GDPR)
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure — request deletion of your data, subject to lawful exceptions
- Restriction — restrict processing in certain circumstances
- Data portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent, withdraw it at any time
- Lodge a complaint with your local data protection supervisory authority
9.2. California (CCPA / CPRA)
- Right to know what personal information we collect, use, and share
- Right to delete your personal information
- Right to correct inaccurate information
- Right to opt out of "sale" or "sharing" — we do not sell or share personal information for cross-context behavioral advertising
- Right to limit use of sensitive personal information, which includes precise geolocation
- Right to non-discrimination for exercising these rights
9.3. Canada (PIPEDA, Quebec Law 25)
- Access to your personal information
- Correction of inaccurate information
- Withdrawal of consent subject to legal or contractual restrictions
- Right to be informed of significant decisions affecting you that rely on automated processing
- Complaint to the Office of the Privacy Commissioner of Canada, or the Commission d'accès à l'information du Québec for Quebec residents
9.4. How to exercise your rights
Send a request to legal@viscar.com. We may ask for information to verify your identity. We will respond within 30 days, or within the period required by applicable law. You can also delete your account directly in the app or on the website, which initiates the retention schedule described in Section 8.
10. Security
We implement technical and organizational measures appropriate to the risk, including:
- Encryption in transit using TLS 1.2 or higher
- Encryption at rest for database storage
- Password hashing using industry-standard algorithms
- Access controls and audit logging on production systems
- Regular security updates to our infrastructure
No system can be guaranteed fully secure. We will notify affected users and applicable supervisory authorities of any personal data breach as required by law.
11. Children's privacy
The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, contact legal@viscar.com and we will promptly delete it.
12. Changes to this Notice
We may update this Notice from time to time. Each version is numbered and dated.
- Minor updates — clarifications, formatting, or contact information changes — are published with an incremented version number; continued use of the Service constitutes acknowledgment.
- Material changes — new categories of data, new processing purposes, new third-party recipients, new international transfers — are notified by email and/or in-app message at least 14 days before they take effect. You will be asked to acknowledge the new version on your next login.
Upon incorporation of Viscar Inc., this Notice will be replaced by a full Privacy Policy. You will be asked to accept the new document at that time.
Previous versions of this Notice are archived and available on request from legal@viscar.com.
13. Contact
For any question, concern, or request relating to this Notice or our handling of your personal data:
Email: legal@viscar.com
Operators:
- [Operator A — TBD], California, United States
- [Operator B — TBD], Poland, European Union (EU-based contact for EEA users)