VISCAR // Legal

Privacy Notice — Beta

Version 2.1.1 · Effective: July 4, 2026 · Applies to: iOS app (TestFlight), beta website, beta API

About this Notice

Viscar is currently in closed beta, distributed through Apple TestFlight, the website at https://viscarapp.com, and a free-tier developer API. This Notice explains how your personal information is handled during the beta period.

Viscar Inc. is an early-stage company and the Service is in beta. Our practices and this Notice will continue to evolve as the Service matures. When the beta ends, this Notice will be replaced by a full Privacy Policy and your acceptance will be requested again.

1. Who we are

The Viscar Service is operated by Viscar Inc., a Delaware C-Corporation with its principal place of business at 1119 Linden Ave, Glendale, CA 91201, United States. Viscar Inc. is the controller of the personal data processed through the Service.

The contact for any privacy-related request is: contact@viscarapp.com

Viscar Inc. is established in the United States. We do not currently maintain an establishment or an appointed representative in the European Economic Area or the United Kingdom. If you are located in those regions and have a privacy question, please contact us at the address above.

2. What information we collect

2.1. Information you provide directly

Account information. When you create an account on the website or in the iOS app, we collect:

  • Email address
  • Password, stored as a salted hash (we never see or store your plaintext password)
  • Email verification code, generated server-side and validated upon entry

Support communications. If you submit a support request through the in-app contact form or the website contact form, we receive the content of your message and, if provided, your email address for response. To deliver these support requests to us, we use the Telegram Bot API operated by Telegram Messenger Inc. — the content of your message and your email address are transmitted through Telegram's infrastructure during this delivery. You do not need a Telegram account to contact us, and we do not require any Telegram identifier from you. Replies are sent to you by email.

2.2. Information collected automatically by the iOS app

Trip and routing data — collected under a pseudonymous identifier. When you use the navigation features, the app records:

  • GPS coordinates along your route
  • Motion sensor readings (accelerometer, gyroscope)
  • Aggregated motion patterns derived from these sensors
  • Timestamps

This data is uploaded under a randomly generated trip identifier that is not stored alongside your account credentials and is not directly linked to your user account in our databases. We do not maintain a mapping between trip identifiers and user identities, and we do not attempt to re-identify individual users from trip data.

However, because location traces can in principle be associated with an individual (for example, by inference from frequently visited locations), we treat this data as pseudonymised rather than fully anonymous, and we handle it in accordance with this Notice. We use it to build aggregated routing and road-quality information. We do not use trip data to identify you or to build individual profiles.

Location data for routing. When you request a route, your device sends current location coordinates to our servers to compute and return the route. These real-time location queries are not retained against your account after the route is delivered.

2.3. Information collected automatically by the website and API

Account-related requests. When you sign up, sign in, or interact with your account on the website, we receive your email address, request metadata, and any data you submit through forms.

API usage. If you use the developer API (free beta tier), we receive your API key identifier, the endpoints you call, the timestamps of those calls, request counts, and the IP address making the call. We do not retain the content of your route queries against your API key beyond what is necessary to compute and return responses.

Technical data. Our infrastructure logs each request to our servers, including:

  • IP address
  • Device or browser information
  • App or API version
  • Request timestamps
  • Error events and crash data

These logs are processed by our logging provider, Better Stack (Logtail), and retained for 90 days.

3. Cookies and similar technologies

Our website uses only essential cookies required for authentication and security. We do not use analytics cookies, marketing cookies, or third-party tracking technologies.

CookiePurposeTypeDuration
viscar_sessionMaintains your signed-in sessionFirst-party, essentialSession
csrf_tokenProtects against cross-site request forgeryFirst-party, essentialSession

We may also store a small flag in your browser's localStorage to remember that you have dismissed the cookie notice on the website. This is not a cookie and is not transmitted to our servers.

The iOS app does not use browser cookies. It may use equivalent on-device identifiers necessary for authentication, as described in Section 2.

We do not use third-party advertising trackers, behavioral analytics, or social media pixels.

4. Device permissions on iOS

The iOS app requests the following permissions. The app remains usable if a permission is declined; features that depend on that permission are disabled and the app explains why, but the app does not stop functioning.

PermissionPurposeIf declined
Location — When In UseComputing routes and recording trips while you navigateNavigation and routing features are unavailable; the rest of the app remains accessible. The app explains that location is needed and offers a link to Settings.
Location — Always (if enabled)Continuing trip recording in the background while navigatingBackground trip recording is disabled; foreground navigation still works.
Motion & FitnessTelemetry (accelerometer, gyroscope) used to assess road qualityRoad-quality telemetry is not collected; navigation still works.
Push NotificationsRouting and weather alertsNo alerts are sent; all other features work.

You can grant, revoke, or modify any permission at any time in your device's Settings.

5. How we use your information

We process personal information for the purposes below. Where the GDPR applies to a given processing activity, the legal basis is indicated.

PurposeLegal basis (GDPR)
Creating and managing your accountContract — Art. 6(1)(b)
Providing navigation, routing, and API servicesContract — Art. 6(1)(b)
Email verification and password resetContract — Art. 6(1)(b)
Improving the Service through pseudonymised trip dataLegitimate interest — Art. 6(1)(f)
Service-related communicationsContract / Legitimate interest
Customer supportContract — Art. 6(1)(b)
API rate limiting, security, and abuse preventionLegitimate interest — Art. 6(1)(f)
Compliance with legal obligationsLegal obligation — Art. 6(1)(c)

6. Service providers and sub-processors

We share personal information with the following service providers, each of which processes data on our behalf:

ProviderPurposeData processedLocation
Amazon Web Services, Inc.Cloud infrastructure (compute, database, storage) and transactional email delivery via Amazon SES (verification codes, password resets, account notifications)Service data, email address, email contentUnited States (us-east-1)
Apple Inc.Map tiles, geocoding, TestFlight distribution, App Store servicesLocation queries, account identifiersUnited States / global
Open-MeteoWeather data lookup along requested routesApproximate route coordinatesGermany / European Union
Better Stack (Logtail)Application logging and infrastructure monitoringServer logs, IP addresses, request metadataEuropean Union
Telegram Messenger Inc.Delivery of in-app and website support requests to us (no user-side Telegram interaction required)Email address and message content of support inquiriesGlobal
Google LLC (Workspace)Receiving and handling correspondence sent to contact@viscarapp.comEmail address and content of messages you send usUnited States / global

We do not process payments during the beta. If paid plans launch, a payment processor will be added and this Notice updated before any payment data is collected.

We do not sell your personal information. We do not engage in cross-context behavioral advertising or share data for marketing purposes.

7. International data transfers

Our primary infrastructure is hosted in the United States (AWS, us-east-1, Virginia). Some providers (for example Open-Meteo and Better Stack) are located in the European Union.

If you access the Service from outside the United States, your personal information will be transferred to and processed in the United States and in other countries where we or our service providers operate. These countries may have data-protection laws that differ from those in your country.

As an early-stage beta, we rely on the contractual and technical protections offered by our service providers. We are not currently certified under any specific cross-border data-transfer framework. If you would like more detail about how your data is handled, contact us at contact@viscarapp.com.

8. Data retention

Data categoryRetention period
Account informationWhile your account is active
Account information after deletion request30 days as a soft-deleted account, then permanently deleted
Pseudonymised trip dataRetained beyond beta as aggregated infrastructure data
Server logs90 days
API usage records12 months for rate limiting and abuse prevention
Support communications12 months from resolution
Backups containing personal dataUp to 35 days after deletion from the primary database

We keep identifiable personal data only as long as needed for the purposes described in this Notice, unless a longer period is required by law.

9. Your privacy rights

Depending on where you live, and to the extent the relevant data-protection laws apply to us, you may have some or all of the following rights.

9.1. European Economic Area and United Kingdom (GDPR / UK GDPR)

  • Access — request a copy of the personal data we hold about you
  • Rectification — correct inaccurate or incomplete data
  • Erasure — request deletion of your data, subject to lawful exceptions
  • Restriction — restrict processing in certain circumstances
  • Data portability — receive your data in a structured, machine-readable format
  • Object — object to processing based on legitimate interests
  • Withdraw consent — where processing is based on consent, withdraw it at any time
  • Lodge a complaint with your local data protection supervisory authority

9.2. California (CCPA / CPRA)

To the extent the CCPA applies to us, you have the:

  • Right to know what personal information we collect, use, and share
  • Right to delete your personal information
  • Right to correct inaccurate information
  • Right to opt out of "sale" or "sharing" — we do not sell or share personal information for cross-context behavioral advertising
  • Right to limit use of sensitive personal information, which includes precise geolocation
  • Right to non-discrimination for exercising these rights

9.3. Canada (PIPEDA, Quebec Law 25)

  • Access to your personal information
  • Correction of inaccurate information
  • Withdrawal of consent subject to legal or contractual restrictions
  • Complaint to the Office of the Privacy Commissioner of Canada, or the Commission d'accès à l'information du Québec for Quebec residents

9.4. How to exercise your rights

Send a request to contact@viscarapp.com. We may ask for information to verify your identity. We will respond within a reasonable time and within any period required by applicable law. You can also delete your account directly in the app or on the website, which initiates the retention schedule described in Section 8.

10. Security

We use reasonable technical and organizational measures appropriate to a beta-stage service, including:

  • Encryption in transit using HTTPS / TLS
  • Passwords stored only as salted hashes
  • Access controls on production systems
  • Logging and monitoring of infrastructure
  • Regular updates to our infrastructure

No system can be guaranteed fully secure, and as a beta-stage company our security program is still maturing. We will notify affected users and, where required, the applicable authorities of a personal data breach as required by law.

11. Children's privacy

The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, contact contact@viscarapp.com and we will promptly delete it.

12. Changes to this Notice

We may update this Notice from time to time. Each version is numbered and dated.

  • Minor updates — clarifications, formatting, or contact-information changes — are published with an incremented version number; continued use of the Service constitutes acknowledgment.
  • Material changes — new categories of data, new processing purposes, new third-party recipients, or a change in who controls your data — are published as a new version, and you will be asked to acknowledge the new version on your next login.

When Viscar leaves beta, this Notice will be replaced by a full Privacy Policy. You will be asked to accept the new document at that time. Previous versions of this Notice are archived and available on request.

13. Contact

For any question, concern, or request relating to this Notice or our handling of your personal data:

Viscar Inc.
1119 Linden Ave, Glendale, CA 91201, United States
Email: contact@viscarapp.com

Viscar Privacy Notice (Beta) v2.1.1 · All documents · Beta Tester Agreement