Privacy Notice — Beta
About this Notice
Viscar is currently in closed beta, distributed through Apple TestFlight, the website at https://viscarapp.com, and a free-tier developer API. This Notice explains how your personal information is handled during the beta period.
Viscar Inc. is an early-stage company and the Service is in beta. Our practices and this Notice will continue to evolve as the Service matures. When the beta ends, this Notice will be replaced by a full Privacy Policy and your acceptance will be requested again.
1. Who we are
The Viscar Service is operated by Viscar Inc., a Delaware C-Corporation with its principal place of business at 1119 Linden Ave, Glendale, CA 91201, United States. Viscar Inc. is the controller of the personal data processed through the Service.
The contact for any privacy-related request is: contact@viscarapp.com
Viscar Inc. is established in the United States. We do not currently maintain an establishment or an appointed representative in the European Economic Area or the United Kingdom. If you are located in those regions and have a privacy question, please contact us at the address above.
2. What information we collect
2.1. Information you provide directly
Account information. When you create an account on the website or in the iOS app, we collect:
- Email address
- Password, stored as a salted hash (we never see or store your plaintext password)
- Email verification code, generated server-side and validated upon entry
Support communications. If you submit a support request through the in-app contact form or the website contact form, we receive the content of your message and, if provided, your email address for response. To deliver these support requests to us, we use the Telegram Bot API operated by Telegram Messenger Inc. — the content of your message and your email address are transmitted through Telegram's infrastructure during this delivery. You do not need a Telegram account to contact us, and we do not require any Telegram identifier from you. Replies are sent to you by email.
2.2. Information collected automatically by the iOS app
Trip and routing data — collected under a pseudonymous identifier. When you use the navigation features, the app records:
- GPS coordinates along your route
- Motion sensor readings (accelerometer, gyroscope)
- Aggregated motion patterns derived from these sensors
- Timestamps
This data is uploaded under a randomly generated trip identifier that is not stored alongside your account credentials and is not directly linked to your user account in our databases. We do not maintain a mapping between trip identifiers and user identities, and we do not attempt to re-identify individual users from trip data.
However, because location traces can in principle be associated with an individual (for example, by inference from frequently visited locations), we treat this data as pseudonymised rather than fully anonymous, and we handle it in accordance with this Notice. We use it to build aggregated routing and road-quality information. We do not use trip data to identify you or to build individual profiles.
Location data for routing. When you request a route, your device sends current location coordinates to our servers to compute and return the route. These real-time location queries are not retained against your account after the route is delivered.
2.3. Information collected automatically by the website and API
Account-related requests. When you sign up, sign in, or interact with your account on the website, we receive your email address, request metadata, and any data you submit through forms.
API usage. If you use the developer API (free beta tier), we receive your API key identifier, the endpoints you call, the timestamps of those calls, request counts, and the IP address making the call. We do not retain the content of your route queries against your API key beyond what is necessary to compute and return responses.
Technical data. Our infrastructure logs each request to our servers, including:
- IP address
- Device or browser information
- App or API version
- Request timestamps
- Error events and crash data
These logs are processed by our logging provider, Better Stack (Logtail), and retained for 90 days.
3. Cookies and similar technologies
Our website uses only essential cookies required for authentication and security. We do not use analytics cookies, marketing cookies, or third-party tracking technologies.
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
viscar_session | Maintains your signed-in session | First-party, essential | Session |
csrf_token | Protects against cross-site request forgery | First-party, essential | Session |
We may also store a small flag in your browser's localStorage to remember that you have dismissed the cookie notice on the website. This is not a cookie and is not transmitted to our servers.
The iOS app does not use browser cookies. It may use equivalent on-device identifiers necessary for authentication, as described in Section 2.
We do not use third-party advertising trackers, behavioral analytics, or social media pixels.
4. Device permissions on iOS
The iOS app requests the following permissions. The app remains usable if a permission is declined; features that depend on that permission are disabled and the app explains why, but the app does not stop functioning.
| Permission | Purpose | If declined |
|---|---|---|
| Location — When In Use | Computing routes and recording trips while you navigate | Navigation and routing features are unavailable; the rest of the app remains accessible. The app explains that location is needed and offers a link to Settings. |
| Location — Always (if enabled) | Continuing trip recording in the background while navigating | Background trip recording is disabled; foreground navigation still works. |
| Motion & Fitness | Telemetry (accelerometer, gyroscope) used to assess road quality | Road-quality telemetry is not collected; navigation still works. |
| Push Notifications | Routing and weather alerts | No alerts are sent; all other features work. |
You can grant, revoke, or modify any permission at any time in your device's Settings.
5. How we use your information
We process personal information for the purposes below. Where the GDPR applies to a given processing activity, the legal basis is indicated.
| Purpose | Legal basis (GDPR) |
|---|---|
| Creating and managing your account | Contract — Art. 6(1)(b) |
| Providing navigation, routing, and API services | Contract — Art. 6(1)(b) |
| Email verification and password reset | Contract — Art. 6(1)(b) |
| Improving the Service through pseudonymised trip data | Legitimate interest — Art. 6(1)(f) |
| Service-related communications | Contract / Legitimate interest |
| Customer support | Contract — Art. 6(1)(b) |
| API rate limiting, security, and abuse prevention | Legitimate interest — Art. 6(1)(f) |
| Compliance with legal obligations | Legal obligation — Art. 6(1)(c) |
6. Service providers and sub-processors
We share personal information with the following service providers, each of which processes data on our behalf:
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Amazon Web Services, Inc. | Cloud infrastructure (compute, database, storage) and transactional email delivery via Amazon SES (verification codes, password resets, account notifications) | Service data, email address, email content | United States (us-east-1) |
| Apple Inc. | Map tiles, geocoding, TestFlight distribution, App Store services | Location queries, account identifiers | United States / global |
| Open-Meteo | Weather data lookup along requested routes | Approximate route coordinates | Germany / European Union |
| Better Stack (Logtail) | Application logging and infrastructure monitoring | Server logs, IP addresses, request metadata | European Union |
| Telegram Messenger Inc. | Delivery of in-app and website support requests to us (no user-side Telegram interaction required) | Email address and message content of support inquiries | Global |
| Google LLC (Workspace) | Receiving and handling correspondence sent to contact@viscarapp.com | Email address and content of messages you send us | United States / global |
We do not process payments during the beta. If paid plans launch, a payment processor will be added and this Notice updated before any payment data is collected.
We do not sell your personal information. We do not engage in cross-context behavioral advertising or share data for marketing purposes.
7. International data transfers
Our primary infrastructure is hosted in the United States (AWS, us-east-1, Virginia). Some providers (for example Open-Meteo and Better Stack) are located in the European Union.
If you access the Service from outside the United States, your personal information will be transferred to and processed in the United States and in other countries where we or our service providers operate. These countries may have data-protection laws that differ from those in your country.
As an early-stage beta, we rely on the contractual and technical protections offered by our service providers. We are not currently certified under any specific cross-border data-transfer framework. If you would like more detail about how your data is handled, contact us at contact@viscarapp.com.
8. Data retention
| Data category | Retention period |
|---|---|
| Account information | While your account is active |
| Account information after deletion request | 30 days as a soft-deleted account, then permanently deleted |
| Pseudonymised trip data | Retained beyond beta as aggregated infrastructure data |
| Server logs | 90 days |
| API usage records | 12 months for rate limiting and abuse prevention |
| Support communications | 12 months from resolution |
| Backups containing personal data | Up to 35 days after deletion from the primary database |
We keep identifiable personal data only as long as needed for the purposes described in this Notice, unless a longer period is required by law.
9. Your privacy rights
Depending on where you live, and to the extent the relevant data-protection laws apply to us, you may have some or all of the following rights.
9.1. European Economic Area and United Kingdom (GDPR / UK GDPR)
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure — request deletion of your data, subject to lawful exceptions
- Restriction — restrict processing in certain circumstances
- Data portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent, withdraw it at any time
- Lodge a complaint with your local data protection supervisory authority
9.2. California (CCPA / CPRA)
To the extent the CCPA applies to us, you have the:
- Right to know what personal information we collect, use, and share
- Right to delete your personal information
- Right to correct inaccurate information
- Right to opt out of "sale" or "sharing" — we do not sell or share personal information for cross-context behavioral advertising
- Right to limit use of sensitive personal information, which includes precise geolocation
- Right to non-discrimination for exercising these rights
9.3. Canada (PIPEDA, Quebec Law 25)
- Access to your personal information
- Correction of inaccurate information
- Withdrawal of consent subject to legal or contractual restrictions
- Complaint to the Office of the Privacy Commissioner of Canada, or the Commission d'accès à l'information du Québec for Quebec residents
9.4. How to exercise your rights
Send a request to contact@viscarapp.com. We may ask for information to verify your identity. We will respond within a reasonable time and within any period required by applicable law. You can also delete your account directly in the app or on the website, which initiates the retention schedule described in Section 8.
10. Security
We use reasonable technical and organizational measures appropriate to a beta-stage service, including:
- Encryption in transit using HTTPS / TLS
- Passwords stored only as salted hashes
- Access controls on production systems
- Logging and monitoring of infrastructure
- Regular updates to our infrastructure
No system can be guaranteed fully secure, and as a beta-stage company our security program is still maturing. We will notify affected users and, where required, the applicable authorities of a personal data breach as required by law.
11. Children's privacy
The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, contact contact@viscarapp.com and we will promptly delete it.
12. Changes to this Notice
We may update this Notice from time to time. Each version is numbered and dated.
- Minor updates — clarifications, formatting, or contact-information changes — are published with an incremented version number; continued use of the Service constitutes acknowledgment.
- Material changes — new categories of data, new processing purposes, new third-party recipients, or a change in who controls your data — are published as a new version, and you will be asked to acknowledge the new version on your next login.
When Viscar leaves beta, this Notice will be replaced by a full Privacy Policy. You will be asked to accept the new document at that time. Previous versions of this Notice are archived and available on request.
13. Contact
For any question, concern, or request relating to this Notice or our handling of your personal data:
Viscar Inc.
1119 Linden Ave, Glendale, CA 91201, United States
Email: contact@viscarapp.com