Privacy Policy

Effective 2026-04-22 (entity name updated 2026-05-08). GeoClear is operated by GeoClear, Inc., a Virginia C Corp. We collect only what's required to operate the service, and we never sell your data.

1. Information we collect

When you use GeoClear (operated by GeoClear, Inc.), we collect:

• Account data, your email address (for API key delivery) and billing information (processed by Stripe; we never store full card numbers).
• API request data, the addresses and coordinates you query, timestamps, API keys used, and the responses we return. We retain 90 days of query logs for operational purposes.
• Technical data, IP address, user-agent, and rate-limit counters for abuse prevention and service reliability.

2. How we use information

• Provide the API service you purchased.
• Bill you accurately via Stripe.
• Detect and prevent abuse (rate limits, fraud signals).
• Improve the quality of responses using aggregate, de-identified analytics only.

3. What we do NOT do

• We do not sell your data.
• We do not use your queries to train third-party AI models.
• We do not share query-level data with advertisers.

4. Data retention

Account data: retained while your account is active and for 7 years after closure (tax/financial records). Query logs: 90 days rolling. Billing records: 7 years. You may request earlier deletion at any time.

5. Sub-processors

We use Amazon Web Services (hosting, data storage), Stripe (payments), Resend and SendGrid (transactional email), Sentry and Axiom (observability), and Upstash (cache). Each is contractually bound to the same data-protection standards required of GeoClear.

6. California residents, CCPA / CPRA

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) gives you specific rights regarding your personal information. You have the right to:

• Know what categories and specific pieces of personal information GeoClear has collected about you, the sources, the purposes of collection, and the categories of third parties (sub-processors) with whom we share it.
• Delete your personal information, subject to limited exceptions (e.g., tax/financial records we must retain by law).
• Correct inaccurate personal information we maintain.
• Opt out of the sale or sharing of your personal information. GeoClear does not sell or share personal information as those terms are defined under CCPA/CPRA, including for cross-context behavioral advertising. There is nothing to opt out of, and we do not process any sensitive personal information for purposes that would require an opt-out.
• Limit use of sensitive personal information. We do not collect or process sensitive personal information (SSNs, precise geolocation of individuals, genetic/biometric data, health data, etc.). Customer-submitted addresses are geographic data points, not individual-level sensitive information.
• Non-discrimination. We will not deny service, charge different prices, or provide a different quality of service because you exercised a privacy right.

To exercise any of these rights, email privacy@geoclear.io from the email on your account, or provide equivalent verification. We will respond within 45 days (extendable to 90 days for complex requests with notice). You may also designate an authorized agent to submit requests on your behalf; we will verify the agent's authorization.

7. EU / UK residents, GDPR

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the rights under GDPR / UK GDPR to: access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and objection. GeoClear is the data controller for your account data and a data processor for personal data you submit through our API. Our lawful basis for processing is the performance of our contract with you (service delivery) and legitimate interests (abuse prevention, service reliability). International transfers rely on Standard Contractual Clauses (SCCs).

To exercise your rights or lodge a complaint with your local supervisory authority, contact privacy@geoclear.io. We respond within 30 days.

8. Data Processing Addendum (DPA) for business customers

If you are processing personal data through the Service on behalf of your end users and need a DPA for GDPR Article 28 or CCPA Service Provider requirements, email legal@geoclear.io to request one. Our DPA incorporates the European Commission's Standard Contractual Clauses (2021/914) for international transfers and designates GeoClear as a Processor / Service Provider with appropriate technical and organizational measures.

9. Children

The GeoClear Service is a B2B API intended for businesses and developers. It is not directed to children under 16, and we do not knowingly collect personal information from children under 16. If we learn we have collected such information, we will delete it promptly.

10. Security

All traffic is TLS-encrypted. API keys are stored hashed (SHA-256). Database access uses IAM-scoped short-lived credentials (no static passwords). See our security overview for details.

11. Web analytics

We use Google Analytics 4 (GA4) on geoclear.io to measure aggregate site usage, pageviews, demo starts, content downloads, and conversion events. The following discipline applies and is enforced in code:

• No PII transmitted to Google. We never send your email, name, API key, or any free-text identifier into GA4 events.
• Identity is a hashed Cognito subject identifier when you are signed in, a one-way SHA-256 hash. Anonymous client IDs are used otherwise.
• We do not track admin.geoclear.io. The internal admin app does not load any third-party analytics.
• Consent Mode v2 default-deny. Until you accept the cookie banner, no analytics cookies are set.
• IP anonymization is on globally. Your full IP address is never stored by Google.
• Google Signals is off. We do not opt into Google's cross-device user matching.
• Data retention is 14 months. Older event detail is automatically purged.
• Bot traffic is filtered at the source. If your User-Agent identifies as automated, the analytics script is never loaded. Machine-to-machine API observability uses a separate stack that does not share an event store with GA4.
• You can opt out at any time by clearing the consent cookie or using your browser's tracking-prevention features.

12. Changes to this policy

We will post any material changes at geoclear.io/privacy with 30 days' advance notice to the email on record. The "Last updated" date at the bottom of this page reflects the current effective version. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

13. Contact

Privacy questions or rights requests: privacy@geoclear.io. Legal matters: legal@geoclear.io. Security reports: security@geoclear.io.

Data controller: GeoClear, Inc., Commonwealth of Virginia, United States.

Last updated: 2026-05-08