1. Data Controller Identity
Café Cartographer is operated by HBDS, LLC, a limited liability company registered in the State of North Carolina, United States.
Data Controller: HBDS, LLC
Trading as: Café Cartographer
Address: 1608 Queen St, Wilmington, NC 28401
Email: info@cafecartographer.com
All references to "we," "our," or "us" in this policy refer to HBDS, LLC. We are the data controller for all personal information processed in connection with Café Cartographer. Third parties we engage to process data on our behalf are data processors, listed in Section 7.
2. Information We Collect
We collect the following categories of personal data:
- Account Information: Email address and display name when you register an account or sign in via Apple or Google.
- Community Contributions: Content you voluntarily share, including café reviews, vibe tags, map inputs, photos, and ratings.
- Technical Data: Device type, operating system, browser type, IP address (last octet anonymized in logs), app version, and usage analytics.
- Location Data: Approximate or precise device location, collected only with your explicit permission, to power café discovery and mapping features. You may revoke this permission at any time in your device settings.
- Feedback Contributions: Suggestions or roadmap ideas you submit through UserJot, which require an email address for follow-up.
- Communications: Messages you send us directly (e.g., support requests via email).
3. How We Collect Your Information
- Directly from you: Account registration forms, in-app contribution flows, and feedback widgets.
- Automatically: Firebase Analytics and Google Analytics collect usage events and device/browser data when you use the app or visit our website. Analytics are only loaded on the website with your cookie consent.
- From third-party sign-in providers: When you authenticate via Apple Sign-In or Google Sign-In, we receive your email address and display name from those providers.
- From your device: With permission, we read your device's location via the operating system's location services.
4. How We Use Your Information
- To create and manage your account.
- To provide and improve our café discovery and mapping services.
- To personalize your experience (e.g., vibe-based café recommendations).
- To display and moderate community contributions.
- To maintain community safety and enforce our Terms of Service.
- To communicate service updates, feature announcements, or launch notifications.
- To follow up on feedback or roadmap suggestions you provide via UserJot.
- To analyze aggregate usage trends and improve app performance.
- To detect and prevent abuse, fraud, and security incidents.
- To comply with legal obligations.
5. Cookies and Tracking Technologies
Our website uses the following technologies:
- Essential cookies: Required for the site to function (e.g., storing your cookie consent preference in localStorage). These are loaded regardless of consent.
- Analytics cookies (Google Analytics): Loaded only with your explicit consent. Used to measure page visits, scroll depth, and feature engagement. You may decline via the cookie banner; analytics will not load.
Our mobile app uses Firebase Analytics for in-app event tracking. This does not use browser cookies. You may opt out by disabling analytics in your device settings (iOS: Settings → Privacy → Analytics; Android: Google Settings → Usage & Diagnostics).
We do not use cookies for advertising or cross-site tracking.
6. User Content & Licensing
By contributing reviews, vibe tags, ratings, photos, or other content, you:
- Retain ownership of your content.
- Grant HBDS, LLC a non-exclusive, worldwide, royalty-free license to use, display, and distribute your contributions for community features, promotional purposes, and service improvement.
- Agree that you are responsible for the accuracy and legality of your content.
- Understand that ratings and vibe contributions are aggregated anonymously into overall café scores. These aggregated contributions cannot be removed, even if your personal data is later deleted, to preserve the integrity of community ratings.
7. Third-Party Data Processors
We do not sell your personal information. We share data only with the processors listed below, each engaged under a data processing agreement or equivalent contractual terms, and only to the extent necessary to provide our services.
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Google / Firebase (Firebase Auth, Firestore, Storage, Analytics, Cloud Functions, Remote Config, Cloud Messaging) | Authentication, database, file storage, analytics, serverless compute, push notifications | Email, display name, user-generated content, device identifiers, usage events | United States (and Google Cloud regions) |
| Google reCAPTCHA / Firebase App Check | Bot protection and API abuse prevention (web platform only). Effective April 2, 2026, Google acts as a data processor for reCAPTCHA, not a data controller. End-user use of reCAPTCHA is governed by Google's Cloud Data Processing Addendum, not Google's public Privacy Policy or Terms of Use. | Browser/device signals used to generate integrity tokens. No personally identifiable information is shared. | United States (Google Cloud) |
| Google Analytics | Website traffic analysis (consent-gated) | Anonymized usage events, browser type, referring URL | United States |
| UserJot | Product feedback collection and roadmap display | Email address, feedback text (only when you voluntarily submit) | Per UserJot's privacy policy |
| OpenStreetMap Nominatim | City-name geocoding for café discovery | City name strings only. No personal data transmitted. | OpenStreetMap Foundation servers |
| Apple (Sign In with Apple / DeviceCheck) | Authentication (iOS), device integrity attestation | Apple-anonymized email relay, device tokens | United States (Apple servers) |
| Google (Sign In with Google) | Authentication (optional) | Google account email and display name (with your consent) | United States |
We may also share data with legal or regulatory authorities where required by applicable law.
8. Data Storage, Security & Retention
Storage: Personal data is stored in Google Firebase services hosted primarily in the United States. Images are stored in Firebase Cloud Storage.
Security measures include:
- Firebase App Check enforcement on all API endpoints (prevents unauthorized app access).
- Firestore Security Rules restricting read/write to authenticated users for their own data.
- EXIF metadata (including GPS coordinates) stripped from photos client-side before upload.
- Rate limiting on all write operations (e.g., max 20 check-ins/hour, 10 posts/hour per user).
- PII anonymization in audit logs (last IP octet removed; only user IDs stored).
- Immutable audit log records for moderation actions.
- TLS encryption in transit for all network requests.
- Environment-segregated Firebase projects (development, staging, production).
Retention periods:
- Account data: Retained for the lifetime of your account. Deleted within 30 days of a verified account deletion request (except aggregated, anonymized community contributions).
- Audit logs: 12 months, then automatically deleted.
- Moderation queue entries: 30 days after resolution.
- Soft-deleted content: 30 days, then permanently deleted.
- Expired check-in validation records: 90 days.
- Website analytics data: Per Google Analytics data retention settings (default 14 months).
While we employ industry-standard security measures, no system is 100% secure. In the event of a data breach, we will notify affected users and relevant authorities as required by applicable law. See our internal Data Breach Response Plan for procedures.
9. Feedback via UserJot
- Providing feedback (suggestions, roadmap items) is optional.
- An email address is required to submit feedback, and it will only be used by Café Cartographer to follow up on your idea.
- Your email will be stored securely by UserJot in accordance with their privacy policy.
- Feedback contributions are separate from ratings and vibes, and do not affect café scores.
10. Account Registration & Security
- You must provide accurate information when creating an account.
- You are responsible for maintaining the confidentiality of your login credentials.
- Notify us immediately at info@cafecartographer.com if you suspect unauthorized use of your account.
11. International Use & Data Transfers
HBDS, LLC is based in the United States. If you access our services from outside the United States, your data will be transferred to and processed in the United States, which may have different data protection laws than your home country. By using our services, you consent to this transfer. Where required, we rely on standard contractual clauses or equivalent safeguards for international transfers.
12. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data. Note: anonymous aggregated contributions (ratings and vibes) cannot be removed as they are no longer linked to you.
- Portability: Request your data in a machine-readable format.
- Restriction: Request that we restrict processing of your data in certain circumstances.
- Objection: Object to processing based on legitimate interests.
- Withdraw Consent: Withdraw consent for location tracking or analytics at any time (via device settings or cookie preferences).
- Opt out of communications: Unsubscribe from any marketing emails via the link in each email or by contacting us.
To exercise any of these rights, contact us at info@cafecartographer.com. We will respond within 30 days. If you are in the European Economic Area, you also have the right to lodge a complaint with your local supervisory authority.
13. Children's Privacy
Café Cartographer is not directed at children under 13. We do not knowingly collect personal data from minors. If you believe a child under 13 has provided us with personal data, please contact us and we will delete it promptly.
14. Termination & Moderation
We reserve the right to remove content or suspend accounts that violate community guidelines, legal requirements, or this policy. Moderation decisions are logged for accountability and reviewed upon appeal.
15. Liability & Dispute Resolution
- HBDS, LLC is not liable for indirect, incidental, or consequential damages arising from use of the service.
- Disputes may be resolved through binding arbitration or mediation under the laws of the State of North Carolina, United States, depending on applicable law.
16. Updates to This Policy
We may update this policy from time to time to reflect changes in our practices, technology, legal requirements, or third-party service terms. When we make material changes, we will:
- Post the updated policy on our website with a revised effective date and version number.
- Notify registered users via email or in-app notification where required by law.
- Maintain a version history of prior policy versions upon request.
Continued use of our services after the effective date of any update constitutes your acceptance of the revised policy.
17. Contact Us
For privacy-related questions, requests to exercise your rights, or concerns about our data practices, contact us at:
HBDS, LLC (Café Cartographer)
Email: info@cafecartographer.com
Address: 1608 Queen St, Wilmington NC 28401
We aim to respond to all privacy inquiries within 30 days.