Privacy Policy

Acarta is a social field guide for architecture, monuments, public art, and landscapes. You can browse a map of places, check in when you visit them, earn experience points and badges, follow friends, and build lists of places you care about. Acarta is operated by Väder AB, a Swedish limited company with its registered office in Stockholm, Sweden.

For the purposes of GDPR, Väder AB is the data controller for your personal data.

You provide us with information directly when you use Acarta:

• Account. Email address, a display name, and an optional avatar. Used to sign you in, to attribute your check-ins and contributions, and to contact you about the Service.
• Sign-in identifiers. If you sign in with Apple or with Google, the provider returns a stable identifier and, if you allow it, a display name and email. We store only what we need to keep you signed in.
• Check-ins. The place you checked in at, the timestamp, the coordinates your device reported at the moment you pressed Check in, any note you wrote, and any photos you attached.
• Photos and media. Photos of places you upload from your camera roll or take inside the app. Stored in Cloudflare R2 and served over our CDN at cdn.acarta.app.
• Profile content. Lists you create, places you save to folders, people you follow, comments and reactions you post on friends' check-ins, and edits you suggest to place data.
• Support messages. Email you send to hello@acarta.app and any attached context.

When you use Acarta we automatically collect some technical and usage information:

• Product events. Basic events such as "check-in created," "map searched," or "list shared," used to understand how Acarta is used and to improve it. We do not run third-party analytics trackers or advertising SDKs.
• Technical logs. IP address, user agent, request path, response code, and timestamps, used for security, rate limiting, abuse prevention, and debugging. Logs are kept for a limited rolling window.
• Device and app diagnostics. Crash reports, performance traces, and anonymous diagnostics used to fix bugs.
• Subscription status. Whether you have an active subscription, which plan, and when it renews or expires. Managed through RevenueCat on top of App Store and Google Play billing.

Acarta is a place-based app, and we take location data seriously.

• Location is only read when you actively use a location feature — when you tap Check in, when you open the map, or when you search for places "near me."
• We do not read your location in the background, and we do not ask for "always allow" permission.
• When you check in, the coordinates your device reported are stored with the check-in so we can confirm you were at the place. If you retro-date a past visit, no fresh coordinates are recorded — only the place itself and the date you specified.
• Your precise coordinates are never shown to other users. What other people see, if you make the check-in public, is the place you checked in at, not the raw coordinates.
• We do not sell, share, or disclose your location data to advertisers, data brokers, or any other third parties beyond the processors needed to run the Service.

We do not run third-party advertising trackers, fingerprinting scripts, session replay tools, or behavioural advertising SDKs. We do not read your contacts, your calendar, your microphone, or any other device data beyond what you explicitly share. We do not sell your data. We do not share your data with data brokers. We do not use Your Content, your photos, your check-ins, or your notes to train artificial intelligence or machine learning models, and we do not grant that right to any of our processors.

We use the information we collect to:

• provide, maintain, and improve the Service, including the map, search, check-ins, XP, badges, lists, profiles, and the social feed;
• authenticate you and keep your account secure;
• attribute check-ins, photos, comments, and contributions to your profile;
• verify GPS check-ins against the coordinates of the place;
• show you notifications relevant to the Service (a friend's check-in, a comment on your post, a new badge);
• respond to support requests and enforce these Terms;
• detect, prevent, and investigate fraud, spam, abuse, and security incidents;
• comply with legal obligations, such as tax and accounting laws.

We process your personal data on the following legal bases:

• Performance of a contract. To provide the Service you asked us to provide — the map, check-ins, photos, profiles, lists, and social features.
• Legitimate interests. To secure the Service, prevent abuse, bill for paid plans, improve features, respond to support, and keep the map and place data accurate.
• Consent. Where required by law, for example when we ask for location or photo permissions on iOS and Android. You can withdraw consent from your device settings at any time.
• Legal obligation. To comply with tax, accounting, and other mandatory legal requirements.

The map and the place catalogue in Acarta are compiled from openly licensed third-party sources as well as our own research and user contributions. We preserve the original attribution and license for every image and fact we import. Where a license requires it (for example CC BY-SA 4.0), attribution is displayed alongside the image inside Acarta.

When you upload a photo, post a check-in, write a note, build a list, or suggest an edit to place data, that content is attributed to your account. Check-ins and photos default to the visibility setting you choose (public, friends, or private). By default, your contributions to shared place data (suggested corrections, new photos attached to a place's public gallery) are visible to other Acarta users.

You can delete your contributions at any time from your profile. Deleted photos and check-ins are removed from the live database and from our CDN within a reasonable period; encrypted backups are rotated out on a rolling schedule.

We rely on a small number of trusted sub-processors to run the Service. Each of them is bound by a data processing agreement that restricts how they can use your data.

• Vercel — hosting of the marketing site, web app, and API;
• Neon — managed PostgreSQL database with PostGIS;
• Cloudflare — R2 object storage and CDN delivery for photos and media;
• Mapbox — map tiles, search, and geocoding;
• Apple and Google — sign-in, App Store and Google Play billing, push notifications, crash reporting;
• RevenueCat — subscription state management on top of App Store and Google Play;
• Resend — transactional email (notifications, support replies);
• Anthropic — translation of place descriptions and articles between languages. No personal data is sent, and outputs are not used to train models;
• Expo / EAS — mobile build and over-the-air update infrastructure.

We may change sub-processors from time to time. Material changes will be reflected here. If you need an up-to-date list for a procurement process, email hello@acarta.app.

Some of the processors listed above are based in, or transfer data to, countries outside the European Economic Area, including the United States. Where personal data is transferred outside the EU/EEA, we rely on appropriate safeguards — in most cases the European Commission's Standard Contractual Clauses, supplemented by additional technical and organisational measures such as encryption in transit and at rest — or on an adequacy decision by the European Commission. You can request a copy of the transfer safeguards by contacting hello@acarta.app.

We take the confidentiality and integrity of your data seriously. Technical and organisational measures include:

• encryption in transit (HTTPS/TLS) for all application and API traffic;
• encryption at rest for secrets and credentials;
• short-lived access tokens and rotating refresh tokens (access 1h, refresh 7d);
• scoped database roles and principle of least privilege for internal tooling;
• access controls, audit logs, and regular dependency updates.

No system is perfectly secure. If you discover a vulnerability, please report it to hello@acarta.app and we will respond as quickly as we can.

We retain personal data for as long as your account is active and for a limited period afterwards, so you can recover data you deleted by mistake and so we can meet our legal obligations. Specifically:

• Account, check-ins, photos, lists, and profile content — retained while your account is open. On deletion, content is removed from the live database and CDN within a reasonable period; encrypted backups are rotated out on a rolling schedule.
• Technical and security logs — retained for a short rolling window (typically up to 30 days) for debugging and abuse prevention.
• Billing records — retained for as long as required by Swedish tax and accounting law (normally seven years after the end of the financial year).

Under GDPR and comparable laws in other jurisdictions, you have the right to:

• access the personal data we hold about you;
• request correction of inaccurate data;
• request deletion of your personal data (the "right to be forgotten");
• request restriction of processing, or object to processing based on legitimate interests;
• request data portability in a common, machine-readable format;
• withdraw consent for processing based on consent, at any time;
• lodge a complaint with your local data protection authority. In Sweden, that is Integritetsskyddsmyndigheten (IMY).

To exercise any of these rights, email hello@acarta.app from the address on your account. We will respond within 30 days as required by GDPR.

You can request deletion of your account and all the content you created at any time. Step-by-step instructions are at acarta.app/privacy/data-deletion.

When we receive a deletion request we will:

• disconnect any linked sign-in providers (Apple, Google);
• delete your profile, check-ins, photos, lists, comments, and reactions from the live database and from Cloudflare R2;
• remove your account from the user table.

Our response time target is 30 days for all personal data, as required by GDPR. Encrypted backups are rotated on a rolling schedule and remaining copies will be overwritten within that cycle. Billing records that we are legally required to keep under Swedish accounting law will be retained for the period required by law.

The Acarta mobile apps for iOS and Android request the following permissions, and only use them for the stated purpose:

• Location (when in use). Used to centre the map on your current location, to show places "near me," and to verify GPS check-ins. Only read while the app is in the foreground; never in the background.
• Camera. Used to take photos of places from inside the app when you tap the camera button during a check-in or upload.
• Photo Library (read). Used to import photos you select from your camera roll when you attach them to a check-in or upload. Only the specific photos you pick are imported; Acarta never reads your camera roll in the background.
• Photo Library (add). Used to save a photo you took inside Acarta back to your camera roll if you tap Save.
• Push notifications. Used to notify you when a friend checks in, when someone comments on your check-in, or when a new city is added.

Acarta does not use the iOS App Tracking Transparency (ATT) framework for cross-app or cross-site tracking, and does not include any advertising SDKs. If iOS shows an ATT prompt, you can safely decline; it has no effect on the Service. Acarta is not linked to SKAdNetwork or to any ad attribution provider.

Acarta is not directed at children under 13. We do not knowingly collect personal information from anyone under 13. If you believe a child has provided us with personal information, please contact hello@acarta.app so we can remove it.

We may update this Privacy Policy from time to time. Material changes will be communicated by email or by a notice in the Service, and by updating the date at the top of this page. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.

If you have any questions about this policy or about how Acarta handles your data, contact us at hello@acarta.app or by post at:

Väder AB
Stockholm, Sweden