Privacy Policy

Information pursuant to Art. 13 GDPR

1. Controller

Marcus Gier
Thüringer Straße 15, 50733 Cologne, Germany
Email: marcusgier@gmail.com

There is no legal obligation to appoint a data protection officer for this service. For data protection requests, please use the address above.

2. General

orecast.app is an information service. The map can be used anonymously; for orecast Pro you can optionally create an account (see section 6d). On the website we use no cookies and no third-party tools (e.g. Google Analytics). To improve the service we only collect anonymous, cookieless usage statistics on our own server (see section 6a) – without storing IP addresses, without profiling, without personal reference.

3. Hosting and server log files

The website is hosted by Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany) in a data centre in Germany, acting as a processor. When the site is accessed, the web server automatically stores access data in log files:

The purpose is the technical operation, stability and IT security of the website. The legal basis is our legitimate interest in secure, functional operation (Art. 6(1)(f) GDPR). Log data is stored only for as long as necessary for these purposes and then deleted.

4. Map display and external services

To display the map and the address search, the site embeds third-party resources. For technical reasons your IP address is transmitted to the respective providers; without this transmission the map could not be displayed. The legal basis in each case is our legitimate interest in a functional map display (Art. 6(1)(f) GDPR).

The map software “Leaflet” is delivered from our own server; no transmission to a content delivery network (e.g. Cloudflare/USA) takes place for it.

a) Map tiles from OpenStreetMap

The map material comes from the servers of the OpenStreetMap Foundation (St John's Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom). When the tiles are loaded, your IP address is transmitted to OpenStreetMap. Privacy notice: osmfoundation.org/wiki/Privacy_Policy.

b) Address search (geocoding) via Nominatim

If you use the address/place search, the search term you enter is transmitted together with your IP address to the Nominatim geocoding service of the OpenStreetMap Foundation in order to determine the corresponding coordinates. Please do not enter any sensitive information here.

5. Location (GPS)

Using the “GPS” button you can use your location. The request is only made after your active confirmation via your browser's location prompt (consent, Art. 6(1)(a) GDPR). The determined coordinates are processed only locally in your browser in order to centre the map and retrieve the assessment for that point; no permanent server-side storage of your location takes place.

6. Assessment requests

For the technical assessment, the selected coordinates are sent to our own server and queried there against local geodata holdings. These coordinates refer to a map point, not necessarily to you; they are not combined into a personal profile. The log file rules under section 3 apply.

6a. Anonymous usage statistics (own server logging)

To understand which features are used and to improve the service, we collect anonymous, cookieless usage statistics on our own serverno third-party service, no cookies, no storage of your IP address, no device identifier and no combination into a profile.

Per event we only store: the type of event (e.g. “page view”, “map opened”, the layer/button used), the page concerned, the chosen language, an optional short label, and – if transmitted by the browser – the host name of the referring page (not the full address). This data does not allow any conclusions about your identity.

The legal basis is our legitimate interest in a needs-based, low-error design of the service (Art. 6(1)(f) GDPR). As collection is anonymous and without cookies, no consent is required. Analysis is carried out exclusively in aggregate.

6b. AI explanation (Anthropic)

If you click the optional “What would be beneath me here? (AI)” button, our server creates a plain-text explanation from the local geodata of the selected point. For this, the relevant geodata (coordinates of the map point, geology/layer and mineral information) are transmitted to our processor Anthropic PBC (USA) and processed there. No further personal data is sent; the coordinates refer to a map point, not necessarily to you.

The transfer only takes place when you actively trigger it (click). The legal basis is our legitimate interest in providing the explanation, expressed through your use (Art. 6(1)(f) GDPR); the transfer to the USA is based on the standard contractual clauses or the EU-US Data Privacy Framework. If you do not want a transfer, simply do not use the AI button.

6c. Advertising in the mobile app (Google AdMob)

This section applies only to the mobile orecast app (iOS); the website itself shows no advertising. To finance the free service, the app displays advertising via Google AdMob (provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; where applicable Google LLC, USA).

We only serve non-personalised advertising. No cross-app tracking and no advertising profile about you is created. For technical reasons Google nevertheless processes certain data to deliver ads and prevent fraud (e.g. IP address, device and ad information, and data for frequency capping of impressions).

Where required (in particular in the EEA), the app obtains your decision via a consent banner (Google UMP) before advertising is loaded. The legal basis is our legitimate interest in financing the free service (Art. 6(1)(f) GDPR) or your consent where such consent is obtained (Art. 6(1)(a) GDPR). Any transfer to the USA is based on the standard contractual clauses or the EU-US Data Privacy Framework.

Subscribers to orecast Pro see no advertising. Further information and settings from Google: policies.google.com/technologies/ads.

6d. User account, sign-in and orecast Pro

The map can be used anonymously. For orecast Pro (app subscription or web unlock) you can optionally create an account. We then process only your email address and your password – the password exclusively as a cryptographic hash (Argon2), never in clear text. We do not request any further data.

The purpose is to provide the account and Pro access (e.g. AI explanation, full web scope). The legal basis is performance of the user contract (Art. 6(1)(b) GDPR). Accounts are stored in our own database at Hetzner (Germany); no third-party login service is used.

After signing in we store a signed sign-in token (JWT) in your browser's local storage (key gt_token) so you stay logged in. It serves solely for authentication, is not tracking, and remains on your device until you log out.

Subscription status (RevenueCat): to verify the app subscription we use the processor RevenueCat, Inc. (USA). Only a pseudonymous account identifier (not the email) is transmitted to mirror “Pro active until”. The transfer to the USA is based on the standard contractual clauses or the EU-US Data Privacy Framework.

Unlock codes: a random unlock code may be associated with your account; it contains no personal data.

Retention & deletion: we store account data for as long as the account exists. You can delete your account at any time (app: “Delete account” in the account area; web: in the account menu) – this removes the email, password hash and associated codes (Art. 17 GDPR). Alternatively, an informal email to the address in section 1 is sufficient.

7. Local browser storage (localStorage)

To store your language setting (key gt_lang) and – after sign-in – the sign-in token (gt_token, see section 6d) we use your browser's local storage. This information is not used for advertising/tracking and remains on your device. You can delete it at any time via your browser settings.

8. Your rights

Within the statutory requirements you have the right to information (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20) and a right to object to processing based on legitimate interests (Art. 21 GDPR). You can withdraw any consent given at any time with effect for the future.

You also have a right to lodge a complaint with a supervisory authority. The competent authority is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (LDI NRW), Postfach 20 04 44, 40102 Düsseldorf, Germany.

9. Changes to this policy

We adapt this privacy policy as soon as the underlying technology or legal situation changes. The version published here at the time applies.

Last updated: June 2026