Privacy Policy
Last updated: June 2025
1. Information We Collect
When you create a KurdGeo account, we collect:
- • Your name and email address
- • API key names and usage metadata (not the keys themselves — those are hashed)
- • Request logs (IP, endpoint, timestamp, response status) for analytics and abuse prevention
- • Audit logs for sensitive actions (login, key rotation, etc.)
2. How We Use Your Data
We use your data to:
- • Operate the Service and provide analytics dashboards
- • Enforce rate limits and quotas
- • Detect and prevent abuse, fraud, and unauthorized access
- • Send service notifications (security alerts, maintenance notices)
3. Data Security
API keys are stored as HMAC-SHA256 hashes — we never store plaintext keys after creation. Passwords are hashed with argon2id. All secrets are encrypted at rest with AES-256-GCM. JWT tokens are short-lived with rotating refresh families.
4. Data Retention
Request logs are retained for 60 days by default. Audit logs are retained indefinitely. You can request deletion of your account and associated data at any time.
5. Third-Party Services
KurdGeo proxies requests to self-hosted OSM and OSRM services. Your API requests (coordinates, routing queries) are forwarded to these services to generate responses. We do not share your account data with third parties.
6. Cookies
We use httpOnly, Secure cookies for authentication (access token, refresh token). We do not use tracking cookies or third-party advertising cookies.
7. Your Rights
You have the right to access, correct, or delete your personal data. To exercise these rights, contact us at enterprise@kurdgeo.site
8. Contact
Questions about privacy? Email us at enterprise@kurdgeo.site