The General Data Protection Regulation (GDPR) is European Union
legislation to strengthen and unify data protection laws for all
individuals within the European Union. The regulation came into effect
on May 25th, 2018.
As an EU business, founded and run by EU (German) citizens, but also
as people who value privacy, we are fully committed to being compliant
with GDPR and all data protection best practices.
This page lays out our commitment to data protection and makes
transparent what data we store about our users.
Should you have any questions about this topic, feel free to write to
us at firstname.lastname@example.org or via
our contact form.
What data do we collect?
On our website:
Our website (as opposed to our geocoding API) is hosted by
a division of SalesForce, in Europe.
On our website we use
us understand, in anonymized form, how the site is being used.
Fathom does not track or store any personal data.
Fathom data policy
To display maps on our demo page (and in the map view of our API results)
For speed we host some static content on
jsDelivr's Content Delivery Network (CDN)
When registering for our free trial tier, you need to provide us with
an email address. We then confirm that the address works by emailing
you a confirmation link. We need an email address so we can contact
you regarding any changes to our service or, for example, to this privacy
policy. We send the email to you via the email delivery service
which is operated by Wildbit LLC.
Unfortunately, we occasionally see people trying to abuse our demo page
or to sign up for many accounts as a way to exploit our free trial.
In this case we may use
a service provided by Google (see Google's
Terms of Service
tests as a way to verify that requests are from a human and thus prevent
high volume abuse.
We store the IP address you used when you register. We do this so
we can detect when people try to abuse the service by registering for
In addition, at the time of registration we ask for (but do not require)
a few other bits of information
like name, how you found out about our service, and which programming
languages you use. We ask these questions so we can better help you get
started with using our service. Your answers are stored in a database
within Heroku and accessible to our employees.
You can see the
information you provided us with on your account dashboard.
Our user database is encrypted and regularly backed up to
in Switzerland. Rsync has no ability to decrypt this information.
Registering for a free trial requires
acceptance of our publicly available
terms and conditions
Via our API:
Our API servers are leased from hosting service
and physically in the EU (in Germany, specifically). All of Hetzner's
certified in accordance with DIN ISO/IEC 27001
an internationally recognized standard for information security.
Please see the
Hetzner statement on security and privacy (pdf)
When you send us
an API request we send you a response and then log the query. We later
analyze the logs to see how we can improve our service. All logs are
deleted after six months.
While you should only ever be sending us
geographic data and NOT personal data, if you use
we will not store your query in our logs. In this case we have no record
of what the query was. We encourage you to use this parameter.
Customer/Financial transaction information:
If you become a paying customer (as opposed to just using our free trial)
you will need to provide us and our payment partners
for the billing,
for the invoicing) with valid billing information. We will be able to
see your name, billing address, email address, and VAT number (if you
have provided one). We are not able to see your credit card number; only
Stripe has access to that.
As you would expect of any business, we of course share transaction
data with our accountants and with the relevant tax authorities
when we pay VAT and file our annual tax return.
In addition, we use the business analytics service
for internal business analysis. They also have details of customer
Data Processing Agreement
Becoming a customer of our service implies acceptance of our
Data Processing Agreement
unless otherwise explicitly agreed with us in writing.
Any user (paid or free-trial) can request to have their account deleted
at any time. This can be done inside your account dashboard or by
Free trial accounts that have not been active (defined as having made
at least one API request or logged into their account dashboard) for six
months are deleted automatically.
For paying customers we of course have to keep records of all completed
transactions for tax purposes.
This document was edited on:
2 June 2020: minor design tweak, added mention of hCaptcha, reCAPTCHA
30 April 2020: Added link to our security bounty program
1 Oct 2019: Added link to Hetzner's security certification
12 July 2019: Service is now operated by OpenCage GmbH, Brexit section removed
29 May 2019: added link to blog post with details of transition of operations to OpenCage GmbH
11 April 2019: OpenCage Data Ltd is now 100% subsidiary of OpenCage GmbH
We make every effort to keep your data secure. If you find a vulnerability,
please report it to security @ opencagedata.com and we will follow up with
you promptly. You can find our public key on
We welcome vulnerability reports via our
security bounty program
Meaningful changes to this document will be announced on
our twitter account