Privacy Policy

Acarta is a social field guide for architecture, monuments, public art, and landscapes. You can browse a map of places, check in when you visit them, earn badges, follow friends, and build maps of places you care about. Acarta is operated by Väder AB, a Swedish limited company with its registered office in Stockholm, Sweden.

For the purposes of GDPR, Väder AB is the data controller for your personal data.

You provide us with information directly when you use Acarta:

• Account. Email address, a display name, and an optional avatar. Used to sign you in, to attribute your check-ins and contributions, and to contact you about the Service.
• Sign-in identifiers. If you sign in with Apple or with Google, the provider returns a stable identifier and, if you allow it, a display name and email. We store only what we need to keep you signed in.
• Check-ins. The place you checked in at, the timestamp, the coordinates your device reported at the moment you pressed Check in, any note you wrote, and any photos you attached.
• Photos and media. Photos of places you upload from your camera roll or take inside the app. Stored with our infrastructure provider and served through a CDN.
• Profile content. Maps you create, places you save, image collections you create, people you follow, comments and reactions you post on friends' check-ins, and edits you suggest to place data.
• Demographics. An age bracket and a gender, collected during onboarding. You can change them at any time from Settings. See Section 05 ("Demographics and aggregated insights") for how we use this.
• Brand claim data. If you claim an architect, place, or organization profile as the official representative, we collect verification information you provide: an organization email, your role at the organization, supporting links, and any evidence you attach (documents, screenshots, or letters of authority). Used only to verify ownership, prevent impersonation, and manage the claim record. Retained while the claim is active and for a reasonable period afterwards for audit and dispute purposes.
• Reports and moderation submissions. When you report another user, a place, a photo, or other content, we record the report, the target, the reason category, any free-text context you wrote, and your account so we can follow up if needed.
• Support messages. Email you send to hello@acarta.app and any attached context.

When you use Acarta we automatically collect some technical and usage information:

• Product analytics (PostHog). We use PostHog (EU-hosted, eu.i.posthog.com) to log product events such as map browsing, place views, searches, check-ins saved, photos uploaded, maps/lists created, content reports filed, subscription events, and onboarding completion. When you are signed in, these events are linked to your account ID, username, subscription tier, and (where applicable) admin role, so we can understand product funnels per user. We do not send your demographic answers (age or gender), your raw check-in coordinates, your private notes, your photo content, or your direct messages to PostHog. We also derive your approximate city from your IP address for analytics purposes. We do not use advertising SDKs, data brokers, or cross-app advertising trackers.
• Technical logs. IP address, user agent, request path, response code, and timestamps, used for security, rate limiting, abuse prevention, and debugging. Logs are kept for a limited rolling window.
• Device and app diagnostics (Sentry). Crash reports, performance traces, and anonymous diagnostics used to fix bugs. When you are signed in, errors are tagged with your account ID, subscription tier, and (where applicable) admin role so we can investigate user-specific issues. Free-text payloads (notes, comments, descriptions) are scrubbed before being sent.
• Subscription status (RevenueCat). Whether you have an active subscription, which plan, and when it renews or expires. Managed through our subscription provider and the platform or checkout used for purchase.

Acarta is a place-based app, and we take location data seriously.

• Location is only read when you actively use a location feature - when you tap Check in, when you open the map, or when you search for places "near me."
• We do not read your location in the background, and we do not ask for "always allow" permission.
• When you check in, the coordinates your device reported are stored with the check-in so we can confirm you were at the place. If you retro-date a past visit, no fresh coordinates are recorded - only the place itself and the date you specified.
• Your precise coordinates are never shown to other users. What other people see, if you make the check-in public, is the place you checked in at, not the raw coordinates.
• We do not sell your location data. We do not share raw coordinates or individual place visits with advertisers, data brokers, or other third parties. Aggregated and anonymized insights may be based on check-ins, but only under the safeguards in Section 05.

During onboarding we ask you for a self-reported age bracket and gender. You can change them at any time from Settings, and you can clear them entirely (in which case no demographic record is retained). We do not ask for, and do not collect, your ethnicity, your income, your health, your politics, your religion, your sexual orientation, or any other special-category data under GDPR Article 9.

Why we ask. We use these answers for three purposes, disclosed at the point of collection and in this policy:

1. Personalization. To tailor place recommendations, badges, stats, and insights inside the app to what users with similar interests tend to enjoy.
2. Internal product understanding. To understand onboarding completion, product usage, and feature performance across age and gender segments. These analyses run on our own EU-hosted database; demographic answers are not sent to our third-party product analytics provider (see Section 03).
3. Aggregated, anonymized community insights. To share aggregated and anonymized reports with city governments, tourism bodies, museums, heritage organizations, and cultural partners - for example, to help them understand how different audience groups engage with public architecture and public art in their city. The goal is to support better, more inclusive public space, not to profile any individual.

Legal basis. We process your demographic answers on the basis of our legitimate interests under GDPR Article 6(1)(f). Our interest is in delivering a personalized place-discovery experience, understanding how different audience segments engage with the Service, and producing the aggregated public-interest insights described above. We have balanced this interest against your rights and concluded the processing is proportionate because: we only collect a coarse age bracket and a self-reported gender, we never collect special-category data, partner exports use the technical safeguards listed below, and you can clear your answers from Settings at any time.

You have the right to object to processing based on legitimate interests under GDPR Article 21. To object, clear your demographic answers in Settings or email hello@acarta.app.

What "aggregated and anonymized" means in practice. When we prepare insight reports for city or cultural partners, we apply the following technical safeguards:

• No individual rows. Partners never receive data at the user or device level. They receive only counts, percentages, and ratios.
• Minimum group size (k-anonymity). Any reported segment - for example "users aged 25-34 who visited brutalist buildings in a given neighborhood" - must cover at least five distinct users for adult segments. Segments smaller than this are dropped from the export so no individual can be singled out.
• Stricter bar for young adults (16-17). Segments covering users aged 16-17 must cover at least ten distinct users, not five, and we suppress 16-17 segments entirely for categories of place that are especially sensitive or where the local teen population is small enough to risk re-identification. This reflects the heightened care we take with young-adult data.
• Under-16 never exported. If you indicated an age bracket of "Under 16," your data is never included in any external aggregated report, regardless of the safeguards above. Under-16 demographic data is used solely for your own in-app experience and is retained only for personalization inside Acarta.
• Coarse geography. We use city or neighborhood-level geography in reports. Raw coordinates and individual place visits are never shared.
• Coarse time. We use weekly or monthly time buckets, never individual timestamps.
• No free text. Notes, comments, descriptions, usernames, emails, and other free-text fields are never included in partner exports.

Your demographic answers are personal data while they are stored on your account. With the safeguards above in place, the reports we share with partners are anonymous within the meaning of GDPR Recital 26 - they cannot reasonably be used, alone or in combination, to re-identify any individual. We do not sell identifiable personal data, and we do not share raw user-level records with partners for any purpose.

Retention. Your demographic answers are retained while your account is active unless you clear them earlier, and are deleted together with the rest of your account data when you delete your account (Section 18). The anonymized aggregates already shared with partners are, by construction, not linked to you and cannot be individually recalled.

We do not run advertising trackers, fingerprinting scripts, session replay tools, or behavioural advertising SDKs. We do not read your contacts, your calendar, your microphone, or any other device data beyond what you explicitly share. We do not sell your data. We do not share your data with data brokers. We do not use Your Content, your photos, your check-ins, or your notes to train artificial intelligence or machine learning models, and we do not grant that right to any of our processors.

Acarta uses automated systems alongside human review to keep the community safe and to enforce our Terms of Service.

• Text moderation. Free-text you submit - check-in notes, comments, biographies, place descriptions, suggested edits, usernames, reports - may be scanned by Anthropic's Claude API (Haiku class) to classify content for abuse, hate speech, harassment, spam, sexual content, threats, private information, impersonation, and other Terms violations. The classifier is also instructed to ignore any instructions embedded in user content. Cheap pattern-based rules (e.g. obvious slur lists, repeated-URL spam) run first locally; the Claude call only runs when the local rules return no decision.
• Image moderation. Photos and avatars you upload may be scanned by Cloudflare Workers AI - currently a ResNet-50 visual classifier and a Gemma vision language model running inside Cloudflare's edge network - to classify visual content for safety violations, including possible CSAM, sexual content, graphic violence, and irrelevant or off-topic uploads.
• Reports and admin review. Reports filed by other users, and content flagged by the automated systems above, are reviewed by Acarta administrators before any account action is taken in non-obvious cases. Severely harmful content (for example credible threats or apparent CSAM) may be hidden automatically pending human review.

Processors. Anthropic, PBC (text classification, run in Anthropic's standard regions under Standard Contractual Clauses) and Cloudflare, Inc. (image classification on Workers AI). Both providers are contractually prohibited from using your content to train their models, and we do not retain raw classification payloads longer than needed to operate the safety pipeline.

Purpose and legal basis. We process this content for safety, abuse prevention, legal compliance, and community enforcement. Legal basis: legitimate interests (GDPR Article 6(1)(f)) in maintaining a safe community, and, where applicable, compliance with our legal obligations including the EU Digital Services Act and equivalent platform laws.

Appeals. If you believe a moderation decision was wrong, email hello@acarta.app. A human will review the case and, where appropriate, restore content or reinstate access. See also our moderation and appeals process described in our Terms of Service.

We use the information we collect to:

• provide, maintain, and improve the Service, including the map, search, check-ins, badges, maps, profiles, and the social feed;
• authenticate you and keep your account secure;
• attribute check-ins, photos, comments, and contributions to your profile;
• verify GPS check-ins against the coordinates of the place;
• show you notifications relevant to the Service (a friend's check-in, a comment on your post, a new badge);
• respond to support requests and enforce these Terms;
• detect, prevent, and investigate fraud, spam, abuse, and security incidents, including via the automated moderation described in Section 07;
• comply with legal obligations, such as tax and accounting laws.

We process your personal data on the following legal bases:

• Performance of a contract. To provide the Service you asked us to provide - the map, check-ins, photos, profiles, maps, and social features.
• Legitimate interests. To secure the Service, prevent abuse, bill for paid plans, improve features, respond to support, keep the map and place data accurate, run product analytics, operate automated safety moderation (Section 07), and process the demographic data described in Section 05. You can object to legitimate-interests processing under GDPR Article 21.
• Consent. For device permissions such as location or photos on iOS and Android, and for any future processing where we ask you to opt in explicitly (for example, marketing emails). You can withdraw consent at any time from the Acarta settings screen or from your device settings.
• Legal obligation. To comply with tax, accounting, content moderation (DSA), and other mandatory legal requirements.

The map and the place catalogue in Acarta are compiled from openly licensed third-party sources as well as our own research and user contributions. We preserve the original attribution and license for every image and fact we import. Where a license requires it (for example CC BY-SA 4.0), attribution is displayed alongside the image inside Acarta.

When you upload a photo, post a check-in, write a note, build a map, or suggest an edit to place data, that content is attributed to your account. Check-ins and photos default to the visibility setting you choose (public, friends, or private). By default, your contributions to shared place data (suggested corrections, new photos attached to a place's public gallery) are visible to other Acarta users.

You can delete your contributions at any time from your profile. Deleted photos and check-ins are removed from the live database and from our image delivery systems within a reasonable period; encrypted backups are rotated out on a rolling schedule.

We rely on a small number of trusted sub-processors to run the Service. Each of them is bound by a data processing agreement or equivalent terms that restrict how they can use your data.

• Infrastructure and hosting (Cloudflare, Neon, Resend). API runtime, website, database, object storage, CDN, queues, rate limiting, security, and transactional email delivery.
• Maps and place search (Mapbox). Map tiles, search, geocoding, and place suggestions.
• Platform services (Apple, Google, Expo). Apple and Google sign-in, app stores, payments, push notifications, and mobile app runtime and update infrastructure.
• Subscriptions (RevenueCat). Subscription state, receipts, and purchase history. Paired with Apple App Store and Google Play for actual billing.
• Product analytics (PostHog EU). Usage analytics linked to your account ID, username, and subscription tier as described in Section 03.
• Diagnostics (Sentry). Crash reports and error diagnostics with PII scrubbing applied to free-text payloads.
• Automated safety moderation (Anthropic, Cloudflare Workers AI). Text and image classification for safety enforcement as described in Section 07. Contractually prohibited from training on your content.
• Content support (Anthropic). Translation and editorial support for place descriptions and articles. Outputs are not used to train models. We do not intentionally send account identifiers, emails, or private user content through this path.

We may change sub-processors from time to time. Material changes will be reflected here. If you need an up-to-date vendor list for a procurement process, email hello@acarta.app.

Some of the processors described above are based in, or transfer data to, countries outside the European Economic Area, including the United States. Where personal data is transferred outside the EU/EEA, we rely on appropriate safeguards - in most cases the European Commission's Standard Contractual Clauses, supplemented by additional technical and organisational measures such as encryption in transit and at rest - or on an adequacy decision by the European Commission. You can request a copy of the transfer safeguards by contacting hello@acarta.app.

Acarta uses local storage and small token files on your device to operate the Service. We do not use third-party advertising cookies or cross-site trackers.

• Session and authentication storage. On the web app, we store an HTTP-only session cookie set by our API, plus an access/refresh token pair in browser localStorage, to keep you signed in across page reloads. In the mobile app, the same tokens are stored in platform secure storage (iOS Keychain / Android Keystore).
• Preference and cache storage. We store small amounts of data on your device - selected language, last-used filters, offline city downloads, and a cached copy of recent API responses - so the app loads quickly and works offline. Most of this is in AsyncStorage on mobile and localStorage on web.
• Analytics storage. PostHog stores a small anonymous identifier in localStorage (web) or device storage (mobile) so events from the same browser/install can be grouped. We do not use any persistent advertising identifier.

You can clear local storage and cookies at any time from your browser settings or by deleting the app. Doing so will sign you out and remove cached data; your account on our servers is not affected.

We take the confidentiality and integrity of your data seriously. Technical and organisational measures include:

• encryption in transit (HTTPS/TLS) for all application and API traffic;
• encryption at rest for secrets and credentials;
• short-lived access tokens and rotating refresh tokens (access tokens expire after 1 hour; refresh tokens can last up to 180 days and are rotated when used);
• scoped database roles and principle of least privilege for internal tooling;
• access controls, audit logs, and regular dependency updates.

No system is perfectly secure. If you discover a vulnerability, please report it to hello@acarta.app and we will respond as quickly as we can.

We retain personal data for as long as your account is active and for a limited period afterwards, so you can recover data you deleted by mistake and so we can meet our legal obligations. Specifically:

• Account, check-ins, photos, maps, and profile content - retained while your account is open. On deletion, content is removed from the live database and image delivery systems within a reasonable period; encrypted backups are rotated out on a rolling schedule.
• Behavioral analytics - map browsing, place views, and search history are retained for 12 months with your account linked. After 12 months the link to your account is removed, but anonymous aggregate data is kept.
• Technical and security logs - retained for a short rolling window (typically up to 30 days) for debugging and abuse prevention.
• Moderation records - reports, classifier outputs, and admin actions are retained while the relevant account or content exists, and for a reasonable audit window afterwards, so we can investigate repeat abuse and respond to legal requests.
• Billing records - retained for as long as required by Swedish tax and accounting law (normally seven years after the end of the financial year).

Under GDPR and comparable laws in other jurisdictions, you have the right to:

• access the personal data we hold about you;
• request correction of inaccurate data;
• request deletion of your personal data (the "right to be forgotten");
• request restriction of processing, or object to processing based on legitimate interests;
• request data portability in a common, machine-readable format;
• withdraw consent for processing based on consent, at any time;
• lodge a complaint with your local data protection authority. In Sweden, that is Integritetsskyddsmyndigheten (IMY).

To exercise any of these rights, email hello@acarta.app from the address on your account. We will respond within 30 days as required by GDPR.

You can delete your account at any time from the app settings. Step-by-step instructions are at acarta.app/privacy/data-deletion.

Acarta is a community-curated guide to architecture. Much of what you add - photos attached to a place, places and architects you submitted, corrections to place data - becomes part of the public guide used by everyone else. We handle deletion in two stages so that your personal data is removed while the guide's integrity is preserved.

Immediately when you delete your account:

• you are signed out on every device and active sessions are revoked;
• your profile page is removed from public view;
• your name, username, and avatar stop appearing anywhere on the Service - your photos and contributions are shown as "Deleted user" with no link back to you.

You can restore the account during this 30-day grace period by signing in again with the same Apple or Google account.

After the 30-day grace period, if you have not signed back in to restore the account, we permanently remove all personal data tied to you:

• your email address, display name, avatar, bio, and linked Apple/Google identifiers are scrubbed from our database;
• your avatar image and the raw, EXIF-bearing original versions of your uploaded photos are deleted from our object storage;
• location metadata (GPS coordinates, capture timestamps) stored with your photos is cleared;
• your check-ins, comments, reactions, private maps, image collections, follows, blocks, reports, notifications, and push tokens are deleted.

What stays in the public guide after the 30 days, with no attribution to you:

• photos you uploaded that are attached to a place's public gallery (processed, resized, EXIF-stripped version only);
• places and architects you submitted to the database;
• edits and corrections you made to place data.

We retain these contributions on a pseudonymized basis (GDPR Recital 26) because they belong to the community-curated guide, not to any individual account. You can delete specific photos or withdraw specific contributions yourself from the app, before deleting your account, if you want them removed entirely.

Why the 30-day window. It lets you recover the account if you change your mind, protects you against account takeover, and gives us a window to investigate abuse that surfaces after a deletion. You can email hello@acarta.app to request immediate hard-deletion instead of the standard 30-day path.

Subscriptions are billed by Apple or Google, not by Acarta. Deleting your Acarta account does not cancel any active App Store or Google Play subscription. To cancel a subscription, manage it in your Apple ID subscriptions or your Google Play subscriptions before or after deleting your Acarta account.

Backups and legal obligations. Encrypted database backups are rotated on a rolling schedule and remaining copies are overwritten within that cycle. Billing records that we are legally required to retain under Swedish accounting law are kept for the period required by law.

The Acarta mobile apps for iOS and Android request the following permissions, and only use them for the stated purpose:

• Location (when in use). Used to centre the map on your current location, to show places "near me," and to verify GPS check-ins. Only read while the app is in the foreground; never in the background.
• Camera. Used to take photos of places from inside the app when you tap the camera button during a check-in or upload.
• Photo Library (read). Used to import photos you select from your camera roll when you attach them to a check-in or upload. Only the specific photos you pick are imported; Acarta never reads your camera roll in the background.
• Photo Library (add). Used to save a photo you took inside Acarta back to your camera roll if you tap Save.
• Push notifications. Used to notify you when a friend checks in, when someone comments on your check-in, or when a new city is added.

Acarta does not use the iOS App Tracking Transparency (ATT) framework for cross-app or cross-site tracking, and does not include any advertising SDKs. If iOS shows an ATT prompt, you can safely decline; it has no effect on the Service. Acarta is not linked to SKAdNetwork or to any ad attribution provider.

Acarta is not directed at children under 13. We do not knowingly collect personal information from anyone under 13. If you believe a child has provided us with personal information, please contact hello@acarta.app so we can remove it.

We may update this Privacy Policy from time to time. Material changes will be communicated by email or by a notice in the Service, and by updating the date at the top of this page. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.

If you have any questions about this policy or about how Acarta handles your data, contact us at hello@acarta.app or by post at:

Väder AB
Stockholm, Sweden