Privacy Policy

Last updated:

This policy describes what Feraust collects, why, how long it's kept, and who else sees it.

The short version: your pins, trips, photos, and observations are yours. I don't sell them, share them with ad networks, or license them for AI training. I use third-party processors only for things the app needs to function — and I name every one of them below.

Who's responsible

RadOrigin LLC is the data controller for personal data processed through Feraust. For data-protection questions, email support@feraust.com.

What I collect

Account data: email address, hashed password, display name if you set one, account creation timestamp. This is the minimum needed to let you sign in and recover access.

Content you create: pins, trips, itineraries, gear checklists, safety check-ins, AI query text. Photos you upload (after EXIF stripping and re-encoding).

Billing data: for paying customers, Stripe holds your card details. Feraust never sees card numbers. I store the Stripe customer ID and subscription ID so I know which account maps to which Stripe record.

Usage data: rolling counts of AI queries per month, offline-region download size, sign-in timestamps. Used for quota enforcement and abuse prevention.

Diagnostic data: error logs (no personal content in the logs themselves), IP addresses of signup attempts (kept for 1 hour to enforce the 3-signups-per-IP throttle — see Security below). No clickstream, no behavioral telemetry.

What I don't collect

No third-party advertising cookies or tracking pixels. No Facebook Pixel, no Google Analytics, no user-facing analytics of any kind in beta.

No persistent browsing-history tracking across sessions.

No device-fingerprinting for marketing purposes.

No data shared with ad networks or data brokers. Ever.

How I use what I collect

To run the service: provide maps, species data, weather, safety check-ins, AI features, billing. Standard operational use.

To enforce tier limits and prevent abuse: AI quota counting, pin-count enforcement, IP signup throttling, chargeback detection.

To communicate with you: signup confirmation, safety check-in escalation emails to your emergency contact, billing receipts, service-related announcements.

That's it. I don't build user profiles for advertising, I don't recommend content based on behavioral tracking, and I don't train models on your data.

Who else sees your data

Supabase (database, auth, file storage): hosts your account data, pins, trips, and photos. U.S.-based. SOC 2 Type 2 compliant. Data encrypted at rest and in transit.

Hostinger (virtual private server): runs the Next.js application. Server logs may include IP addresses and request paths for operational purposes, retained 30 days.

Cloudflare (CDN, Workers, KV): handles API gateway routing, edge caching, and the signup-rate-limit counter (your IP is stored for up to 1 hour in their KV store, then evicted). Cloudflare can see traffic metadata (headers, request paths) in transit.

Stripe (payments): processes all payments. Holds your card data — I never see full card numbers. Stripe's privacy policy is at stripe.com/privacy.

Resend (transactional email): sends safety check-in escalation emails and billing notifications. Resend sees the recipient address and email body.

Anthropic (Claude) and Google (Gemini): receive the prompts you submit to AI features. Per their current terms, your prompts are not used to train their models for the consumer API. Both are U.S.-based.

OpenWeatherMap, U.S. National Park Service, GBIF, Nominatim / OpenStreetMap, AWS Open Data (terrain): receive your requested location coordinates to return weather / park / species / map data. They see lat/lng queries, not account identifiers.

Self-hosted error monitoring (GlitchTip on radesjardins.cloud): captures application errors with sanitized context. No account passwords, no full request bodies.

If I add a new processor, it gets listed here before it receives data.

Location data and sensitive-species handling

Pin coordinates you create are stored at full precision in the Feraust database. Access is governed by the sensitivity-tier model: Standard pins are visible at 1 km blur to free viewers, 250 m to Pro viewers, and exact only to you. Sensitive-tier pins are visible to non-owners only via a random decoy offset within a 10 km radius (the decoy is generated server-side and stays stable per pin). Protected-tier pins are never visible to anyone but you.

Photo EXIF data (including GPS coordinates encoded by your camera) is stripped before upload via client-side re-encoding. This happens for every pin image on every tier.

The tier floor for flagged species cannot be lowered: if a pin's species tags match CITES Appendix I or the curated safe-distance table, the sensitivity selector prevents setting a less restrictive tier than the table recommends.

How long I keep things

While your account is active: your content is retained until you delete it.

On account deletion: your pins, trips, photos, and personal data are fully deleted within 30 days. Backups that contain pre-deletion copies are rotated out within 90 days.

Billing records: retained for 7 years to meet U.S. tax and accounting requirements.

Signup-IP throttle counters: evicted automatically after 1 hour.

Server logs: 30 days, then purged.

Your rights

Access: export your pins, trips, and account data via settings. I can generate a complete data export on request within 30 days if the self-serve export doesn't cover what you need.

Correction: edit or delete any content directly in the app.

Deletion: delete your account via settings. No "contact us to cancel" gating.

Portability: exports are in open formats (JSON, GPX, ICS) wherever possible.

Restriction and objection: email support@feraust.com if you want to restrict processing or object to a specific use. I'll respond within 30 days.

GDPR / CCPA: if you're in the EU, UK, or California, the above rights apply under GDPR / CCPA terminology. You also have the right to lodge a complaint with your local data-protection authority.

Security

Passwords are hashed using bcrypt by Supabase Auth. I never see your cleartext password.

All traffic between your browser, my servers, Cloudflare, Supabase, and Stripe uses TLS 1.2 or higher.

Database access is controlled by row-level security policies — one user cannot query another user's data.

Email verification is required before AI features are unlocked, and before trial or beta codes can be redeemed. This raises the cost of automated signup abuse.

New signups are throttled to 3 per IP per hour via a Cloudflare KV counter.

If I discover a security incident affecting your data, I will notify you without undue delay and within 72 hours per GDPR standards.

Children

Feraust is not directed at children under 13. I do not knowingly collect data from children under 13. If you're a parent and you think your child has created an account, email me and I'll delete it.

International transfers

Feraust is operated from the United States. If you're outside the U.S., your data is transferred to and processed in the U.S. By using the service, you consent to this transfer.

Changes to this policy

Material changes will be emailed to account holders at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent change.

Contact

Privacy questions: support@feraust.com.

I'm one person — response times are human-scale.