Privacy Policy

This policy applies to all visitors of the Ground Source Project (GSP) web application, located at its published domain and any subdomain operated by Cliche ID. It covers data processed when you browse the public map, analytics workspace, or survey tool, and when you access the commercial API (v1) using an API key.

The underlying flood dataset (GroundSource, Google / Zenodo) is geospatial and temporal in nature. It contains no personally identifiable information.

We distinguish between data you actively provide and data collected automatically:

• Automatically collected: standard HTTP request headers (IP address, browser user-agent, referrer, timestamp) processed by our hosting infrastructure (Vercel). These are used solely for security, abuse prevention, and aggregate analytics. Vercel does not sell this data.
• Session preferences: a lightweight cookie (gs_analytics) stores your last-visited region slug and preferred forecast horizon. This contains no personal data.
• API key registration: commercial API users provide an email address and organisation name. API keys are stored as bcrypt hashes; the plaintext key is never retained after generation.

We do not collect names, passwords, payment information, or any sensitive personal data for public use.

GSP uses a single first-party session cookie:

No third-party advertising or tracking cookies are set. You may disable cookies in your browser; this will reset UI preferences on each visit but will not limit access to any content.

We use the following third-party analytics services to understand aggregate usage patterns:

• Vercel Analytics: privacy-focused, cookieless page-view tracking. No cross-site fingerprinting. Data is processed under Vercel's data processing agreement.
• Google Analytics (GA4): anonymised page-view and event data. IP anonymisation is enabled. You may opt out via the Google Analytics Opt-out Browser Add-on.

Neither service is used to build individual user profiles or serve targeted advertisements.

Access to the /api/v1/ endpoints requires a valid API key. Key provisioning and usage logging follow these principles:

• Keys are generated cryptographically and stored as bcrypt hashes. The plaintext key is shown once at generation and not stored.
• Usage logs record the hashed key identifier, endpoint path, response status, and timestamp. No request body content is logged.
• Usage log data is retained for 90 days for billing and abuse monitoring, then purged.
• API key holder email addresses are used only for key lifecycle notifications (rotation, revocation). They are never shared with third parties or used for marketing.

Server-side analytics caches expire automatically via TTL (30–60 minutes). Session cookies expire at browser close. API usage logs are purged after 90 days. We do not maintain long-term databases of individual visitor behaviour.

If you are a resident of the European Economic Area, United Kingdom, or another jurisdiction with applicable data protection law, you may have the right to access, correct, or delete personal data we hold about you. For API key holders, you may request deletion of your email address and associated usage logs by contacting us. We will respond within 30 days.

Public visitors who have not registered an API key have no personal data on file beyond transient server logs held by Vercel.

Questions about this policy or requests to exercise your data rights should be directed to the operator:

See also: Data Reference & Usage · Legals