Privacy Policy

Last updated: 2 May 2026

Quietlands respects your privacy. This policy explains what data we collect, why, and what choices you have. We aim for the minimum that lets the Service function; we do not sell or rent your data to anyone.

What we collect

• Account data: email, hashed password, optional organisation name, signup IP (kept 30 days for fraud control), preferred language.
• Billing data: handled by our payment processor (Stripe). We store the customer ID, last 4 digits, expiry, and country code. We never see or store full card numbers.
• Usage data: map views, CSV exports (timestamp, response code). Used for capacity planning and abuse detection. Not joined to your identity beyond your account ID.
• Communications: messages you send to support@ or legal@, retained for 24 months for service quality.

What we do NOT collect

• We do not track which cells you click or which regions you query, beyond aggregate volume metrics. Individual click streams are not retained.
• We do not embed third-party analytics (no Google Analytics, no Facebook pixels, no marketing trackers).
• We do not have access to your real-world location and do not infer it from IP for any purpose other than fraud prevention at signup.

How we use it

• To operate the Service (authenticate sessions, enforce plan quotas).
• To bill you (via Stripe).
• To send transactional email (receipts, password resets, expiry warnings) and a single welcome email. We do not send marketing email.
• To detect and respond to abuse or security incidents.

Cookies

We set one essential session cookie after login. We do not use any non-essential cookies. There is no cookie banner because there is nothing to consent to beyond the session cookie, which is exempt under GDPR Recital 30.

Data location

Account and billing data are stored on EU-based infrastructure. Backups are encrypted and retained for 30 days, then deleted. Source datasets we re-aggregate (OpenSky, OpenCelliD, etc.) are public and live on their own infrastructure — we only cache derived per-cell summaries.

Sharing

We share data only with:

• Stripe (payment processing)
• Our email delivery provider (transactional only)
• Hosting infrastructure (storage of account data)

We never share with marketing partners, data brokers, or advertising networks.

Your rights (GDPR)

• Access: ask us what we hold about you — emailed to you within 30 days.
• Rectification: correct any inaccurate data.
• Erasure: close your account and we delete account data within 30 days.
• Portability: request a JSON export of your account + your CSV exports.
• Objection: opt out of any optional processing at any time.
• Complaint: file with your national data protection authority.

Retention

• Account data: until you close the account, then 30 days.
• Billing records: 7 years (legal requirement for invoicing).
• Server access logs: 90 days.
• Usage analytics (aggregate): indefinitely, no personal identifiers.

Children

The Service is not directed at children under 16. We do not knowingly collect data from children. Contact us if you believe we have inadvertently done so.

Changes

Material changes are emailed to all account holders at least 14 days before they take effect.

Contact

Privacy questions: privacy@quietlands.io
Data Protection Officer: same address, marked DPO.