This Privacy Policy describes how osm2cdr.ru collects, processes, and stores personal data.
1. Data Controller
The website is operated by an individual entrepreneur through the osm2cdr.ru service. Contact: [email protected].
2. Data We Collect
- Account data: email address (upon registration)
- Technical data: IP address, User-Agent, browser type, OS
- Export data: area coordinates (bbox), selected format, detail level
- Payment data: processed by Tinkoff Bank; we do not store card details
- Cookies: functional (language, theme) and analytics
3. Purpose of Processing
- Providing map export service
- Payment processing and subscription management
- Service quality improvement and bug fixing
- Usage statistics (anonymized)
- Export readiness notifications
4. Data Storage
Data is stored in a PostgreSQL database on a dedicated server in a Hetzner Online GmbH data center (Germany, EU). Personal data is retained until the user deletes their account or requests deletion.
Access logs retain anonymized (truncated last octet) client IP for 14 days for security and abuse investigation. Error logs retain full IP for up to 7 days. Sentry error reports contain no personal data by default (cookies, headers, and user identifiers are not transmitted).
5. Third-Party Sharing
- Tinkoff Bank -- payment processing
- Resend Inc. -- email notifications
- Sentry (Functional Software) -- error monitoring (technical data only)
- Yandex LLC (Yandex.Metrica) -- anonymous web analytics (only after you grant cookie consent)
- Google LLC (Google Analytics 4) -- anonymous web analytics (only after you grant cookie consent; data may be transferred to Google servers in the United States)
We do not sell or share personal data with advertising networks or data brokers.
6. Cookies and Consent
- Functional (no consent required): selected language, theme, map settings
- Analytics (explicit consent required): Yandex.Metrica and Google Analytics 4. Trackers are not loaded until you click “Accept” in the cookie banner. You can change your choice at any time by clearing your browser's local storage.
7. Your Rights
Under GDPR and applicable data protection laws, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Request erasure of your data
- Withdraw consent
- Data portability
To exercise your rights, contact [email protected].
8. California Privacy Rights (CCPA / CPRA)
This section applies to residents of California, USA, under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA, 2026).
If you are a California resident, you have the following rights:
- Right to Know — you may request information about the categories of Personal Information we collect (page views, IP address with the last octet anonymized, language preferences, browser type, OS; we do not collect Sensitive Personal Information), the purposes (web analytics via Yandex.Metrica and Google Analytics 4 with anonymize_ip), and the parties with whom we share data (Yandex LLC and Google LLC act as service providers; data is not sold and is not shared for cross-context behavioral advertising).
- Right to Delete — you may request deletion of your Personal Information, including aggregated analytics data and any account data.
- Right to Correct — you may request correction of inaccurate Personal Information.
- Right to Opt-Out of Sale or Sharing — we do not sell your Personal Information and we do not share it for cross-context behavioral advertising as defined by CCPA. Clicking “Reject” in the cookie banner opts you out of analytics tracker loading. The “Your Privacy Choices” link in the site footer reopens the banner so you can change your choice.
- Right to Limit Use of Sensitive Personal Information — we do not collect Sensitive PI as defined by CPRA (no SSN, biometrics, precise geolocation, health information, etc.). IP addresses are anonymized to /24 (last octet zeroed by Google Analytics).
- Right to Non-Discrimination — exercising your rights will not result in degraded service. The free tier remains available; no price discrimination is applied.
- Global Privacy Control (GPC) — we automatically honor the navigator.globalPrivacyControl signal as an opt-out: if your browser sends GPC=true, analytics trackers are not loaded, and your choice is recorded locally (localStorage, consent schema v2, field gpc:true).
- Authorized Agent — you may designate an authorized agent to submit a request on your behalf; please attach written authorization.
- Identity Verification — to fulfill Right to Know and Right to Delete requests, we will verify your identity (matching the email address on your account).
To exercise CCPA / CPRA rights, contact [email protected] with “CCPA Request” in the subject line. We will respond within the statutory timeframe (45 days, extendable to 90 days).
9. Personal Information Rights for Users in China (PIPL)
This section applies to users located in the People's Republic of China, under the Personal Information Protection Law (PIPL, 2021).
Cross-Border Transfer Notice. When you use osm2cdr.ru, your Personal Information may be transferred to servers outside the PRC: Google Analytics transfers data to Google servers in the United States; Yandex.Metrica transfers data to Yandex servers in the Russian Federation. Transfers occur only after you grant consent in the cookie banner.
Categories of Data Transferred:
- Page views (URL, referrer)
- IP address with the last octet anonymized
- Browser information (User-Agent, language, OS)
- Session identifier, device type
Purpose: aggregated web analytics for understanding service usage patterns and UX optimization. Data is not used for direct marketing.
Recipient Identity and Contact Information:
- Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA, USA — privacy policy: policies.google.com/privacy
- Yandex LLC, 16 Lva Tolstogo St, Moscow 119021, Russia — privacy policy: yandex.com/legal/privacy
Your Rights with Overseas Recipients. You may contact Google or Yandex directly to exercise rights of access, correction, and deletion under their respective privacy policies (linked above). Locally, you may withdraw consent at any time by clicking “Reject” in the cookie banner.
Separate Consent. The cookie banner with “Accept” / “Reject” buttons constitutes the separate consent for cross-border Personal Information transfer required by Articles 38–39 of PIPL.
Categories of Data We Do NOT Collect: biometric data, religious beliefs, medical information, real-time precise geolocation, device contacts or photos.
For PIPL requests, contact [email protected] with “PIPL Request” in the subject line.
10. Brazilian Users (LGPD)
This section applies to users located in the Federative Republic of Brazil, under the Lei Geral de Proteção de Dados (LGPD, Lei 13.709/2018).
Legal Basis for Processing. We process Personal Information based on your consent (cookie banner) and legitimate interest (basic analytics for service operation).
Data Subject Rights (Article 18 LGPD):
- Confirmation of processing
- Access to data
- Correction of incomplete, inaccurate, or outdated data
- Anonymization, blocking, or deletion of unnecessary data
- Data portability
- Information about data sharing with third parties
- Information about consent withdrawal options and consequences
- Withdrawal of consent at any time
Cross-Border Transfer to USA / Russia. Google (USA) and Yandex (Russia) act as service providers for web analytics; see the section for users in China above for details.
DPO Contact. Direct LGPD requests to [email protected] with “LGPD Request” in the subject line.
Complaint to Supervisory Authority. You may lodge a complaint with the Brazilian Data Protection Authority (ANPD): gov.br/anpd.
11. Changes
We may update this policy. The current version is always available on this page. Registered users will be notified of significant changes by email.