Legal

Privacy Policy

Effective date: March 16, 2026 · Last updated: March 16, 2026

1. Data Controller

GeoPin is operated from the Netherlands. For the purposes of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the data controller is:

GeoPin

The Netherlands

Email: info@geopin.nl

2. Data We Collect

We collect and process the minimum amount of personal data necessary to provide and improve our geolocation service. The categories of data we process are as follows:

2.1 Account Data

When you create a GeoPin account, we collect:

Email address — used for account authentication, service communications and billing.
API key(s) — generated upon account creation and stored securely. API keys are hashed at rest; we do not store them in plaintext after initial display.
Billing information — if you subscribe to a paid plan, we collect your name, company name (if applicable), VAT number and billing address. Payment processing is handled by our billing sub-processor.

2.2 Usage & Technical Data

When you visit our website or use our API, we automatically collect:

IP address — used for rate limiting and abuse prevention. IP addresses are hashed and cannot be traced back to your identity.
API request metadata — timestamps, endpoint called, response status codes and processing duration. This data is used for billing accuracy, service monitoring and debugging.
HTTP headers — user agent, referrer and accept-language headers are collected for service compatibility and analytics purposes.

2.3 Images Submitted for Geolocation

See Section 5 (Image Processing) for detailed information on how we handle images submitted through our service.

2.4 Data We Do Not Collect

We do not collect or process:

Precise GPS coordinates or real-time location data from your device.
Social media profiles or data from third-party accounts.
Data from tracking cookies or cross-site advertising networks.

3. Legal Basis for Processing

Under Article 6 of the GDPR, we process your personal data on the following legal bases:

Processing Activity	Legal Basis
Account creation and management	Performance of a contract (Art. 6(1)(b))
Provision of the API service	Performance of a contract (Art. 6(1)(b))
Billing and invoicing	Performance of a contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c))
Trial usage tracking via hashed IP	Legitimate interest (Art. 6(1)(f)) — preventing service abuse
Website analytics (Cloudflare Analytics)	Legitimate interest (Art. 6(1)(f)) — service improvement
Security and abuse prevention	Legitimate interest (Art. 6(1)(f)) — protecting service integrity
Transactional email communications	Performance of a contract (Art. 6(1)(b))

4. How We Use Your Data

We use the data collected for the following purposes:

Service delivery — processing your geolocation requests and returning results via our API.
Account management — authenticating your access, managing your subscription and providing customer support.
Billing and invoicing — generating invoices, processing payments and fulfilling our tax obligations under Dutch and European law.
Service monitoring — monitoring API performance, uptime, error rates and capacity planning.
Abuse prevention — detecting and preventing service abuse, including enforcing rate limits and our Acceptable Use Policy.
Service improvement — aggregated, anonymised usage statistics to improve model accuracy and service reliability. Individual requests are never used for model training.
Legal compliance — fulfilling our obligations under Dutch tax law, the GDPR and other applicable legislation.

5. Image Processing

The processing of images submitted for geolocation is a core privacy consideration. We have designed our processing pipeline with privacy as the primary concern:

In-memory processing only — images uploaded to GeoPin are processed entirely in memory on our inference infrastructure. Images are never written to persistent storage (disk, object storage or database).
No retention — once geolocation inference is complete and the result has been returned to you, the image data is immediately discarded from memory. We do not retain copies of your images.
No use for training — images submitted through the GeoPin service are never used to train, fine-tune or otherwise improve our machine learning models or any third-party models.
EXIF data — if your image contains EXIF metadata (including GPS coordinates, camera model, timestamps, etc.), this data may be read during processing to improve geolocation accuracy. EXIF data is discarded along with the image after processing.
Inference infrastructure — image inference is performed on RunPod GPU infrastructure. Images are transmitted to inference workers via encrypted connections and processed in ephemeral containers that do not retain data between requests.

6. Cookies & Analytics

We use a minimal set of cookies and browser storage mechanisms. For full details, please refer to our Cookie Policy.

6.1 Cloudflare Analytics

We use Cloudflare Web Analytics, a privacy-first analytics service that does not use cookies and does not track individual users across websites. Cloudflare Analytics collects aggregated, anonymised data such as page views, referrers and country-level visitor statistics. No personal data is collected by this service.

6.2 Cloudflare Turnstile

We use Cloudflare Turnstile as a CAPTCHA alternative to protect forms and API endpoints from automated abuse. Turnstile may set functional cookies required for bot detection. These cookies are strictly necessary for service security.

6.3 Local Storage

We use your browser's localStorage to store your API key locally on your device for convenience when using our web-based search interface. This data never leaves your browser and is not sent to our servers (your browser sends it directly with API requests). You can clear this data at any time via your browser settings.

6.4 No Tracking Cookies

GeoPin does not use advertising cookies, social media tracking pixels or any other third-party tracking technologies. We do not participate in cross-site tracking or retargeting programmes.

7. Sub-processors

We engage the following third-party sub-processors to deliver our service. Each sub-processor is bound by a data processing agreement and processes data solely on GeoPin's instructions.

Sub-processor	Purpose	Data Processed	Location
Cloudflare, Inc.	Hosting, CDN, DNS, DDoS protection, D1 database, R2 object storage, Vectorize, Web Analytics, Turnstile	All data transiting our infrastructure, account data stored in D1, analytics data	Global (EU data centres preferred); HQ in the US, EU Standard Contractual Clauses in place
RunPod, Inc.	GPU inference infrastructure	Images submitted for geolocation (in-memory processing only, no retention)	EU data centres; HQ in the US, EU Standard Contractual Clauses in place
Moneybird B.V.	Invoicing and financial administration	Billing name, email, address, VAT number, invoice history	The Netherlands
Emailit	Transactional email delivery	Email address, email content (account confirmations, API key delivery, service notifications)	EU

We will notify existing customers by email at least 30 days before adding a new sub-processor. If you object to a new sub-processor, you may terminate your subscription in accordance with our Terms of Service.

8. International Data Transfers

Some of our sub-processors are located outside the European Economic Area (EEA). When personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:

EU Standard Contractual Clauses (SCCs) — established under European Commission implementing decisions.
Adequacy decisions — where the European Commission has determined that the receiving country provides an adequate level of protection.
Data localisation — where technically feasible, we configure our sub-processors to process and store data within the EEA.

9. Retention Periods

We retain personal data only for as long as necessary for the purposes described in this policy or as required by law:

Data Category	Retention Period
Account data (email, API keys)	Duration of the account plus 30 days after deletion request
Billing and invoice data	7 years after the end of the financial year (Dutch tax obligation)
API request logs	90 days (rolling)
Hashed IP addresses (trial usage tracking)	30 days (rolling)
Uploaded images	Not retained — processed in memory and immediately discarded
Support correspondence	2 years after resolution, unless required for legal proceedings

10. Your Rights Under the GDPR

If you are located in the European Economic Area, you have the following rights with respect to your personal data:

Right of access (Art. 15) — you may request a copy of the personal data we hold about you.
Right to rectification (Art. 16) — you may request correction of inaccurate personal data.
Right to erasure (Art. 17) — you may request deletion of your personal data, subject to our legal retention obligations.
Right to restriction of processing (Art. 18) — you may request that we restrict the processing of your data in certain circumstances.
Right to data portability (Art. 20) — you may request your data in a structured, commonly used and machine-readable format (JSON).
Right to object (Art. 21) — you may object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
Right to lodge a complaint — you have the right to lodge a complaint with the Dutch Data Protection Authority or your local supervisory authority.

To exercise any of these rights, please contact us at info@geopin.nl. We will respond within 30 days of receiving your request. We may ask you to verify your identity before processing your request.

Dutch Data Protection Authority (Autoriteit Persoonsgegevens)

Website: autoriteitpersoonsgegevens.nl

11. Children's Privacy

GeoPin is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe that a child under 16 has provided us with personal data, please contact us at info@geopin.nl and we will promptly delete such data.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements or other factors. When we make material changes, we will:

Update the "Last updated" date at the top of this page.
Notify registered users by email at least 14 days before the changes take effect.
Where required by law, seek your consent for material changes.

We encourage you to review this page periodically.

13. Contact & Data Protection Officer

If you have questions about this Privacy Policy, your personal data, or wish to exercise your rights, please contact us:

GeoPin — Data Protection

Email: info@geopin.nl

We aim to respond to all privacy-related enquiries promptly. If you are not satisfied with our response, you have the right to lodge a complaint with the Dutch Data Protection Authority or your local supervisory authority.