Privacy Policy for GDTH

Effective Date: April 22, 2025

1. Introduction

Purpose and Scope

This document constitutes the Privacy Policy ("Policy") for the website located at https://gdth.fun and any associated services, tools, or applications provided by gdth (collectively, the "Service"). Throughout this Policy, "gdth," "we," "us," and "our" refer to the entity operating the Service. This Policy is designed to inform users ("you," "your") about how personal data is collected, used, processed, shared, and protected when you interact with the Service. Gdth is committed to safeguarding user privacy and handling personal data responsibly and in accordance with applicable data protection laws.

For clarity, certain terms used in this Policy have specific meanings derived from applicable data protection regulations, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and the Virginia Consumer Data Protection Act (VCDPA). Key terms include:

  • Personal Data: Any information relating to an identified or identifiable natural person ('data subject'). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (like an IP address or cookie ID), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This definition is intended to be broad to encompass the requirements of GDPR, CCPA/CPRA, and VCDPA. CCPA/CPRA also extends this definition to information linkable to a household.
  • Processing: Any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purpose of this Policy, gdth is the Controller.
  • Processor: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Establishing clear definitions at the outset is crucial for transparency and ensuring a common understanding of the terms used throughout this Policy, a requirement under major data privacy regulations. The broad definition of Personal Data ensures that information like IP addresses and cookie data, which can be used to identify individuals online, falls within the scope of this Policy and relevant legal protections.

Acceptance of Policy

By accessing, browsing, or using the Service, you acknowledge that you have read, understood, and agree to be bound by the terms described in this Privacy Policy. This Policy should be read in conjunction with our Terms of Service.

Where required by applicable law (such as GDPR or VCDPA for sensitive data), your explicit consent will be obtained for specific processing activities, such as the use of non-essential cookies or the processing of sensitive personal data. Such consent will be requested through clear, affirmative actions (e.g., ticking a checkbox, clicking an "Accept" button on a cookie banner) and not assumed merely from your continued use of the Service. Your use of the Service signifies your agreement to the terms outlined in this Policy, but specific consent mechanisms will be employed where legally mandated for particular data processing operations. This distinction is important because passive acceptance ("browsewrap") is generally insufficient for consent under regulations like GDPR.

2. Information We Collect

Gdth collects various types of information to provide and improve the Service. This includes information that directly or indirectly identifies you (Personal Data) and information that does not (Non-Personal Data).

Categories of Personal Data

We collect the following categories of Personal Data, as defined under laws like the CCPA/CPRA and VCDPA:

  • Identifiers: Such as your real name, email address, account username, and Internet Protocol (IP) address. This is collected during account registration or when you contact us.
  • Customer Records Information (as defined in Cal. Civ. Code § 1798.80(e)): Such as your name, billing address, and payment information (processed via third parties like Stripe). This is collected when you subscribe to paid tiers.
  • Commercial Information: Records of services purchased, obtained, or considered (e.g., subscription tier history, types of weather data accessed). This is collected through your interactions with the Service.
  • Internet or Other Electronic Network Activity Information: Including, but not limited to, browsing history, search history (locations, date ranges, weather parameters queried), and information regarding your interaction with our website, application, or advertisements. This includes IP address, browser type, operating system, device identifiers, pages visited, features used, access times, and referring URLs.
  • Geolocation Data: We may collect imprecise location data inferred from your IP address or the locations you search for within the Service. This location data is used to fulfill your historical weather data requests via the Open-Meteo API and potentially for routing via Grasshopper API. If we seek to collect precise geolocation data from your device (e.g., via browser APIs), we will obtain your explicit opt-in consent beforehand. The nature of a weather planning service necessitates the use of location information. It is important to distinguish between location data you actively provide (e.g., searching for "weather history in London"), location inferred from technical data (IP address mapping), and precise device geolocation, which requires specific consent under laws like VCDPA.
  • Information Submitted Voluntarily: Any information you provide when contacting us via email or contact forms, including your name, email address, and the content of your message.
  • Cookie Data: Information collected through cookies and similar tracking technologies, as detailed in Section 10 (Cookie Policy).

Sensitive Personal Data

Gdth does not intentionally collect or process "Sensitive Personal Information" as defined by CCPA/CPRA or "Sensitive Data" as defined by VCDPA, or special categories of personal data under GDPR. These categories typically include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for unique identification, data concerning health, or data concerning a natural person's sex life or sexual orientation, and under VCDPA, precise geolocation data.

However, users should be aware that certain search queries made within the Service (e.g., frequent searches for pollen counts, air quality, or UV index for specific locations) could potentially allow for inferences about health conditions (e.g., allergies, respiratory issues). Gdth does not use such potential inferences for profiling, targeted advertising, or decision-making concerning individuals. The Service is intended for general historical weather planning and not for health monitoring or diagnosis. If we ever need to collect data considered sensitive under applicable law, we will obtain your explicit opt-in consent prior to collection and processing. Users who may fall under CPRA should be aware of their right to limit the use and disclosure of sensitive personal information, as described in Section 9.

Non-Personal Data

We also collect information that cannot reasonably be used to identify you, such as aggregated usage statistics (e.g., total number of users, most frequently queried locations in aggregate) or anonymized data derived from personal data but stripped of identifiers. This Policy does not restrict our collection or use of Non-Personal Data. Clearly distinguishing between personal and non-personal data helps clarify the scope of this Policy and the applicability of user rights, which primarily pertain to personal data.

3. How We Collect Your Information

We collect information in the following ways:

Directly from You:

  • Account Creation: When you register for an account, you provide your name, email address, and create a password.
  • Purchases: When you subscribe to a paid tier, our third-party payment processor, Stripe, collects billing and payment information necessary to complete the transaction. Gdth does not store your full credit card number.
  • Communications: When you contact us via email or web forms, we collect the information you provide, such as your name, email address, and the content of your message.
  • Service Use: When you input search parameters (locations, dates, weather variables) or configure preferences within the Service. Location data provided for weather queries is sent to the Open-Meteo API. Location or routing data may also be processed via Grasshopper API as part of the service functionality.

Automatically When You Use the Service:

  • Server Logs: Our servers automatically record information ("Log Data") created by your use of the Service. Log Data may include information such as your IP address, browser type, operating system, the referring web page, pages visited, location (inferred from IP), search terms, and cookie information.
  • Cookies and Similar Technologies: We use cookies (small text files placed on your device) and similar technologies like pixels or web beacons to operate and improve the Service, understand usage, and potentially for marketing purposes. This includes session cookies (expire when you close your browser) and persistent cookies (remain until they expire or are deleted). We use both first-party cookies (set by gdth) and third-party cookies (set by partners like analytics providers or Stripe for billing). Detailed information about the specific cookies used, their purposes, and how you can manage them is available in Section 10 (Cookie Policy).
  • Analytics Services: We utilize third-party analytics services, such as Google Analytics, to help us understand how the Service is used. These services collect information sent by your browser or mobile device, including the pages you visit and other usage information. These providers use cookies to collect this data and provide aggregated reports to us. Their use of information is governed by their own privacy policies. We have configured Google Analytics to anonymize IP addresses where possible. You can learn about Google's practices by going to www.google.com/policies/privacy/partners/, and opt out of them by downloading the Google Analytics opt-out browser add-on, available at https://tools.google.com/dlpage/gaoptout. Use of such analytics tools, especially those involving cookies, requires transparency and adherence to consent or opt-out requirements depending on the user's jurisdiction.
  • Device Information: We may collect information about the device you use to access the Service, including hardware model, operating system and version, and potentially unique device identifiers (though collection of persistent unique identifiers requires careful justification and often consent under laws like GDPR).

4. How We Use Your Information

Gdth processes your Personal Data only for specific, explicit, and legitimate purposes, and does not process it in a manner that is incompatible with those purposes. This principle of purpose limitation is central to data protection laws like GDPR and VCDPA. We use the information we collect for the following purposes:

  • To Provide and Maintain the Service: To operate the gdth website, authenticate users, deliver historical weather data and planning tools based on your queries (processed via Open-Meteo API), process search requests (potentially involving Grasshopper API for routing), and ensure the Service functions correctly. This includes using account information to manage your access and usage data to deliver requested weather information.
  • To Process Payments: To facilitate payment processing for subscriptions to paid tiers through our secure third-party payment processor, Stripe. We do not store full payment card details ourselves.
  • To Communicate with You: To respond to your inquiries submitted via contact forms or email, send important service-related announcements (e.g., updates to Terms of Service or this Policy, security alerts, maintenance notifications), and provide customer support.
  • To Improve and Personalize the Service: To analyze how users interact with the Service, understand user preferences and trends, identify areas for improvement, troubleshoot technical issues, develop new features, and personalize your experience (e.g., remembering settings). Analytics data is crucial for this purpose.
  • For Analytics and Performance Monitoring: To monitor and analyze usage trends and activities in connection with our Service, generate aggregated statistical data about our user base and Service usage patterns, and measure the effectiveness of our features.
  • For Security and Fraud Prevention: To maintain the security and integrity of our Service, protect gdth and our users from fraud, abuse, or unauthorized access, verify accounts, and enforce our Terms of Service. This may involve analyzing Log Data and Usage Data.
  • For Legal Compliance: To comply with applicable laws, regulations, legal processes (like subpoenas or court orders), or enforceable governmental requests, and to establish, exercise, or defend legal claims.
  • For Marketing (Subject to Consent/Opt-Out): With your explicit consent where required by law (e.g., GDPR), or with an opportunity to opt out (e.g., CCPA, CAN-SPAM), we may send you emails about new features, special offers, promotions, or other news about gdth. You can opt out of receiving marketing communications at any time by following the unsubscribe link in the emails or contacting us directly. We will not use your Personal Data for marketing purposes without providing the legally required choice mechanism.

5. Legal Basis for Processing Personal Data (GDPR)

For individuals located in the European Economic Area (EEA), United Kingdom, or Switzerland, our processing of your Personal Data is based on the legal grounds provided under the General Data Protection Regulation (GDPR). Clearly identifying the legal basis for each processing activity is a core requirement of GDPR. We rely on the following legal bases:

  • Consent: We rely on your freely given, specific, informed, and unambiguous consent for certain processing activities. This includes sending direct marketing communications via email, placing non-essential cookies and similar technologies on your device (as detailed in our Cookie Policy), and processing any sensitive personal data (if applicable and explicitly consented to). You have the right to withdraw your consent at any time for future processing, without affecting the lawfulness of processing based on consent before its withdrawal. Withdrawal instructions are provided where consent is obtained (e.g., unsubscribe link in emails, cookie preference center).
  • Contractual Necessity: We process certain Personal Data because it is necessary for the performance of a contract with you, namely our Terms of Service. This includes processing necessary to create and manage your account, provide access to the core functionalities of the Service (including processing your weather queries via Open-Meteo and potentially routing via Grasshopper API), process payments for subscribed services via Stripe, and provide essential customer support related to the Service contract.
  • Legitimate Interests: We process some Personal Data based on our legitimate interests, provided that these interests are not overridden by your fundamental rights and freedoms. Our legitimate interests include:
    • Improving and developing the Service: Analyzing usage data (often in aggregated or pseudonymized form) to understand how the Service is used, identify bugs, and enhance features.
    • Ensuring Network and Information Security: Protecting the Service from unauthorized access, fraud, and abuse by monitoring logs and usage patterns.
    • Internal Administrative Purposes: Managing our user base and service operations.
    We have conducted balancing tests for processing based on legitimate interests to ensure they are justified and that appropriate safeguards are in place. You have the right to object to processing based on legitimate interests (see Section 9).
  • Legal Obligation: We may process your Personal Data when necessary to comply with a legal obligation to which gdth is subject, such as responding to lawful requests from public authorities, complying with tax obligations related to payments processed by Stripe, or meeting regulatory requirements.

Failure to clearly link each processing purpose (Section 4) to a valid legal basis (this Section) constitutes a GDPR violation. This section aims to provide that necessary transparency.

6. Sharing and Disclosure of Information

Gdth respects the privacy of its users and does not sell Personal Data in the conventional sense of exchanging it for monetary compensation. However, the definitions of "sale" and "sharing" under laws like the CCPA/CPRA and "sale" under VCDPA can be broader and may encompass activities like sharing data with third parties for targeted advertising through cookies or other tracking technologies. We provide users with the right to opt-out of such "sales" or "sharing" as described in Section 9.

We disclose Personal Data to third parties only in the following limited circumstances:

  • Third-Party Service Providers (Processors): We engage trusted third-party companies and individuals to perform services on our behalf. These include:
    • Stripe: For secure payment processing and subscription management. Stripe's use of your information is governed by their privacy policy.
    • Open-Meteo: To retrieve historical weather data based on your location queries. While your specific query location is sent to Open-Meteo, personally identifiable information (like your name or email) is not shared with them.
    • Grasshopper API: Potentially used for routing or location processing as part of the service functionality. Personally identifiable information is not shared unless necessary for the specific API function and covered by this policy.
    • Cloud hosting (e.g., AWS, Google Cloud), data analytics (e.g., Google Analytics), email delivery, and customer support platforms.
    These third parties act as Data Processors and are only provided with access to the Personal Data necessary to perform their specific functions. They are contractually obligated (through Data Processing Agreements where required by GDPR) to maintain the confidentiality and security of the data and are prohibited from using it for any other purpose. Links to the privacy policies of major processors like Google Analytics and Stripe will be provided where feasible or upon request.
  • Legal Requirements and Safety: We may disclose your Personal Data if we believe in good faith that such disclosure is necessary to: (a) comply with a law, regulation, legal process, or governmental request (e.g., subpoena, court order); (b) enforce our Terms of Service, including investigation of potential violations; (c) detect, prevent, or otherwise address fraud, security, or technical issues; or (d) protect the rights, property, or safety of gdth, our users, or the public as required or permitted by law.
  • Business Transfers: In the event that gdth is involved in a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of its assets, your Personal Data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Service before your Personal Data is transferred and becomes subject to a different privacy policy.
  • Aggregated or De-identified Data: We may share aggregated or de-identified information, which cannot reasonably be used to identify you, with third parties for research, analysis, reporting, or other purposes.
  • Sharing with Raw Weather Data Sources (via Open-Meteo): As mentioned above, while your query location is sent to Open-Meteo to fulfill your request, we do not share personally identifiable information (like your name, email, or specific IP address) directly with the underlying providers of the raw weather data (e.g., NOAA, ECMWF, DWD) via Open-Meteo. Any usage information shared with these sources (for example, aggregated query volumes for certain geographic regions or specific weather parameters to understand data demand) will be strictly in an anonymized or aggregated form that does not permit the identification of individual users.
  • With Your Consent: We may share your Personal Data with other third parties when we have your explicit consent to do so.

The use of certain analytics or advertising cookies may constitute "sharing" or "selling" under CCPA/CPRA, triggering opt-out rights detailed in Section 9. This policy acknowledges these definitions to ensure compliance.

7. Data Retention Periods

Gdth retains Personal Data only for as long as necessary to fulfill the purposes for which it was collected, as outlined in Section 4 of this Policy, unless a longer retention period is required or permitted by law. The principle of storage limitation dictates that data should not be kept indefinitely.

The criteria used to determine our retention periods include:

  • Duration of Your Account: Account registration data (name, email, hashed password) is typically retained for the duration your account is active and for a reasonable period afterward to allow for account reactivation or to comply with legal obligations.
  • Provision of Services: Data necessary to provide the Service (e.g., current subscription status, recent query history) is retained while you are an active user.
  • Legal and Regulatory Requirements: We retain certain information as required by law, such as financial records related to payments processed by Stripe for tax and accounting purposes, or data needed to comply with legal processes or defend legal claims. Retention periods are determined by applicable statutes of limitation or regulatory mandates.
  • Operational Needs: Usage logs and analytics data may be retained for a defined period (e.g., 12-24 months) for service improvement, security analysis, and troubleshooting purposes. This data is often aggregated or pseudonymized after a shorter period.
  • User Consent: Data collected based on consent (e.g., for marketing) is retained until consent is withdrawn.

Specific retention periods (examples, subject to change and specific circumstances):

  • Account Information: While the account is active, plus 1 year post-inactivity/closure, unless required longer by law.
  • Payment Transaction Data (via Stripe): As required by Stripe's terms and financial regulations (often several years).
  • Usage Logs (IP address, etc.): 12 months, unless needed for security investigation or legal compliance.
  • Analytics Data (Aggregated/Pseudonymized): May be retained for longer periods (e.g., 2-3 years) for trend analysis.
  • Contact Form/Email Correspondence: Retained as long as necessary to resolve the inquiry and for record-keeping purposes.

Upon expiration of the applicable retention period, Personal Data will be securely deleted or anonymized so that it can no longer be associated with you. You may request the deletion of your Personal Data earlier, subject to legal exceptions, as described in Section 9.

Providing specific retention periods or clear criteria for determining them is crucial for transparency and compliance with laws like GDPR and CPRA.

8. Data Security Measures

Gdth takes the security of your Personal Data seriously and implements reasonable administrative, technical, and physical safeguards designed to protect it from unauthorized access, use, disclosure, alteration, or destruction. These measures are implemented considering the volume and nature of the personal data involved, as required by laws like GDPR, CCPA, and VCDPA.

Our security measures include, but are not limited to:

  • Encryption: Using encryption technologies (such as TLS/SSL) to protect data during transmission over the internet and employing encryption for sensitive data stored at rest.
  • Access Controls: Implementing role-based access controls and the principle of least privilege to ensure that only authorized personnel have access to Personal Data on a need-to-know basis.
  • Secure Infrastructure: Utilizing secure server environments provided by reputable hosting providers (e.g., AWS, Google Cloud) with robust physical and network security measures.
  • Regular Security Assessments: Conducting periodic reviews of our security practices and vulnerability assessments to identify and address potential risks.
  • Employee Training: Providing data privacy and security training to employees who handle Personal Data.
  • Data Minimization: Limiting the collection of Personal Data to what is adequate, relevant, and reasonably necessary for the disclosed purposes.
  • Third-Party Security: Relying on the robust security measures implemented by our trusted third-party service providers like Stripe, Open-Meteo, and Grasshopper API for the data they process on our behalf.

Despite these measures, it is important to acknowledge that no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, while we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.

In the event of a data breach involving Personal Data that poses a risk to individuals, we will comply with applicable legal requirements for notifying relevant authorities and affected individuals.

9. Your Privacy Rights

Depending on your location and applicable data protection laws, you may have certain rights regarding your Personal Data. Gdth is committed to facilitating the exercise of these rights. These rights may include:

  • Right to Know / Access: The right to request confirmation of whether we process your Personal Data and, if so, to access specific pieces of that data, along with information about its collection, use, and disclosure (Applicable under GDPR, CCPA/CPRA, VCDPA).
  • Right to Correct / Rectification: The right to request the correction of inaccurate Personal Data we hold about you (Applicable under GDPR, CPRA, VCDPA).
  • Right to Delete / Erasure: The right to request the deletion of your Personal Data, subject to certain exceptions provided by law (e.g., data needed to complete a transaction, comply with a legal obligation, or for security purposes) (Applicable under GDPR, CCPA/CPRA, VCDPA).
  • Right to Opt-Out of Sale / Sharing (CCPA/CPRA): The right to direct us not to "sell" or "share" your Personal Data, as those terms are defined under the CCPA/CPRA. This may include opting out of the use of certain third-party cookies for targeted advertising. You can exercise this right via the link: Do Not Sell or Share My Personal Information.
  • Right to Opt-Out (VCDPA): The right to opt out of the processing of your Personal Data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you (Applicable under VCDPA). You can exercise this right via the methods described below or potentially through the "Do Not Sell or Share" link provided for CCPA/CPRA compliance.
  • Right to Limit Use and Disclosure of Sensitive Personal Information (CPRA): If we collect sensitive personal information (as defined by CPRA), you have the right to limit its use and disclosure to that which is necessary to perform the services or provide the goods reasonably expected. If applicable, you can exercise this right via the link: Limit the Use of My Sensitive Personal Information.
  • Right to Data Portability: The right to obtain a copy of your Personal Data in a structured, commonly used, and machine-readable format, and to transmit it to another controller where technically feasible (Applicable under GDPR, VCDPA).
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights, such as by denying services, charging different prices, or providing a different level or quality of service.
  • Right to Withdraw Consent (GDPR): Where our processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before withdrawal.
  • Right to Object (GDPR): You have the right to object to the processing of your Personal Data based on our legitimate interests. We must stop processing unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.
  • Right to Lodge a Complaint (GDPR): You have the right to lodge a complaint with a data protection supervisory authority in the EU/EEA if you believe our processing of your Personal Data infringes GDPR.

How to Exercise Your Rights:

To exercise any of these rights, please contact us using the methods provided in Section 15 (Contact Information). We are required by laws like CCPA/CPRA and VCDPA to provide at least two methods for submitting requests. These methods include:

We will need to verify your identity before processing your request to protect your privacy and security. The verification process may involve asking you to provide information matching the data we have on file for you. You may also designate an authorized agent to make a request on your behalf, subject to verification of the agent's authority.

We will respond to your verifiable request within the timeframes mandated by applicable law (typically 45 days for CCPA/CPRA and VCDPA, potentially extendable by another 45 days with notice; and 1 month for GDPR, potentially extendable by two further months for complex requests). If we deny your request, we will provide a reason for the denial. Under VCDPA, you have the right to appeal our decision, and we will provide instructions on how to do so in our denial response.

Summary Table of Key Rights:

The following table provides a simplified overview of key rights under major applicable laws. This is for informational purposes; the specifics of each right depend on the exact provisions of the relevant law and potential exceptions.

| Right | GDPR | CCPA/CPRA | VCDPA | Notes |
| --- | --- | --- | --- | --- |
| Access / Right to Know | Yes | Yes | Yes | Scope of information details may vary slightly. |
| Correction / Rectification | Yes | Yes (CPRA) | Yes | Right added by CPRA amendment. |
| Deletion / Erasure | Yes | Yes | Yes | Subject to legal exceptions in all laws. |
| Opt-Out of Sale | N/A | Yes | Yes | Definition of "sale" differs; VCDPA focuses on monetary exchange. |
| Opt-Out of Sharing (for Ads/Profiling) | N/A | Yes (CPRA) | N/A | CPRA's "sharing" definition often covers cross-context behavioral advertising cookies. |
| Opt-Out of Targeted Advertising | N/A | Yes (via Opt-Out of Sale/Sharing) | Yes | VCDPA has a specific right to opt-out of targeted ads. |
| Opt-Out of Profiling (Significant Effect) | Yes (Object) | Yes (CPRA) | Yes | Right to object/opt-out of automated decisions with legal/significant effects. |
| Limit Use of Sensitive Data | Yes (Consent/Object) | Yes (CPRA) | Yes (Consent) | GDPR/VCDPA require opt-in consent for sensitive data; CPRA provides right to limit use. |
| Data Portability | Yes | Yes | Yes | Right to receive data in a usable format. |
| Non-Discrimination | Yes | Yes | Yes | Cannot be penalized for exercising rights. |
| Withdraw Consent | Yes | N/A | Yes | Applicable where processing is based on consent. |
| Object to Processing | Yes | N/A | N/A | Right to object to processing based on legitimate interests. |
| Lodge a Complaint | Yes | N/A | N/A | Right to complain to supervisory authority. |

This table serves as a high-level guide. Please refer to the specific laws or consult legal counsel for detailed understanding.

10. Cookie Policy

This section explains how gdth uses cookies and similar tracking technologies (such as web beacons or pixels) on our Service. By using the Service, subject to your choices made via our consent mechanisms, you agree to the use of these technologies as described here.

What are Cookies?

Cookies are small text files stored on your device (computer, tablet, mobile phone) when you visit certain websites. They are widely used to make websites work, or work more efficiently, as well as to provide information to the owners of the site. Similar technologies like pixels or web beacons function similarly by tracking user interactions.

Why We Use Cookies:

We use cookies and similar technologies for various purposes, including:

  • Ensuring the Service functions properly (e.g., keeping you logged in).
  • Analyzing how the Service is used to improve performance and user experience.
  • Remembering your preferences and settings.
  • Potentially delivering relevant advertising (subject to your consent/opt-out).

Types of Cookies We Use:

We use the following categories of cookies on our Service:

  • Strictly Necessary Cookies: These cookies are essential for you to browse the Service and use its features, such as accessing secure areas and maintaining your login session. Without these cookies, services like user login and payment processing via Stripe cannot be provided. These cookies do not require consent under most laws, but their use should be disclosed. They are typically session cookies.
  • Performance / Analytics Cookies: These cookies collect information about how you use our Service, such as which pages you visit most often, and if you get error messages. The information collected is typically aggregated and anonymous and is used only to improve how the Service works. We use third-party analytics providers like Google Analytics for this purpose. Under GDPR, consent is typically required for these cookies. Under CCPA/CPRA, if the data shared with the analytics provider is considered "sharing," an opt-out must be provided.
  • Functionality Cookies: These cookies allow the Service to remember choices you make (such as your username, language, or the region you are in) and provide enhanced, more personal features. The information these cookies collect may be anonymized, and they cannot track your browsing activity on other websites. Consent is generally required under GDPR.
  • Targeting / Advertising Cookies: These cookies are used to deliver advertisements more relevant to you and your interests. They are also used to limit the number of times you see an advertisement and help measure the effectiveness of advertising campaigns. They are usually placed by advertising networks with our permission. They remember that you have visited a website, and this information might be shared with other organizations such as advertisers. Use of these cookies requires explicit opt-in consent under GDPR. Under CCPA/CPRA, their use likely constitutes "sharing" requiring an opt-out. Under VCDPA, they facilitate "targeted advertising" requiring an opt-out.

Third-Party Cookies:

Some cookies may be placed by third-party service providers, such as analytics services (Google Analytics), payment processors (Stripe), or advertising partners, when you use our Service. We do not control the placement or use of these third-party cookies, and you should review the privacy and cookie policies of these third parties for more information.

Managing Your Cookie Preferences:

You have choices regarding the use of cookies:

  • Cookie Consent Tool: When you first visit our Service (or as required by law), you will be presented with a cookie consent banner or tool. This tool allows you to accept or reject non-essential cookies and manage your preferences granularly (e.g., by category). Your preferences will be stored, and you can change them at any time via a persistent link or button on our website.
  • Browser Settings: Most web browsers allow you to control cookies through their settings preferences. You can set your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, some parts of our Service may not function properly. You can find information on managing cookies in popular browsers via resources like https://www.usa.gov/optout_instructions.shtml.
  • Opt-Out Links (CCPA/CPRA/VCDPA): For cookies related to "selling," "sharing," or "targeted advertising" under applicable laws, you can exercise your opt-out rights via the "Do Not Sell or Share My Personal Information" link provided in Section 9.

Cookie Details Table:

The following table provides more detail on the types of cookies that may be used on the Service. Specific cookie names may change, and this list is representative. **Note: This table requires a technical audit of your website to list the actual cookies being set.**

| Cookie Category | Provider(s) | Purpose | Duration | Type |
|---|---|---|---|---|
| Strictly Necessary | gdth (First-party) | Session management, user authentication, security, maintaining shopping cart (if applicable) | Session or Short-term Persistent | Essential |
| Strictly Necessary | Stripe (Third-party) | Payment processing functionality, fraud prevention | Varies | Essential (for paid users) |
| Performance / Analytics | Google Analytics (Third-party) | Website traffic analysis, usage statistics, performance monitoring | Persistent (e.g., 2 years) | Performance (Requires Consent/Opt-Out*) |
| Functionality | gdth (First-party) | Remembering user preferences (e.g., location defaults, display settings), remembering login state | Persistent (e.g., 1 year) | Functionality (Requires Consent/Opt-Out*) |

* Consent/Opt-Out requirements depend on user jurisdiction (GDPR requires opt-in for non-essential; CCPA/CPRA/VCDPA require opt-out for sale/sharing/targeted ads).

This detailed cookie information and the provision of user control mechanisms are essential for compliance with GDPR's ePrivacy Directive implications and the opt-out rights under US state laws.

11. Children's Privacy

Our Service is not intended for or directed at children under the age of 13 (or 16 in certain jurisdictions like the EEA, unless national law provides for a lower age). We do not knowingly collect Personal Data from children under these ages.

Compliance with the Children's Online Privacy Protection Act (COPPA) in the United States is critical. COPPA imposes specific requirements on operators of websites or online services directed to children under 13, or those with actual knowledge of collecting personal information from such children. These requirements include obtaining verifiable parental consent before collection, providing parents access and deletion rights, and maintaining strict data security.

Gdth does not target children under 13 as its primary audience and does not have actual knowledge that it is collecting Personal Data from children under 13. If we become aware that we have inadvertently collected Personal Data from a child under the relevant age threshold without verifiable parental consent, we will take steps to delete that information from our servers as soon as possible.

If you are a parent or guardian and believe that your child has provided us with Personal Data without your consent, please contact us immediately using the contact information provided in Section 15. We will take steps to remove that information from our systems.

12. International Data Transfers

Gdth operates primarily in the United States. Our servers are located in the United States. If you are accessing the Service from outside this location, please be aware that your Personal Data may be transferred to, stored, and processed in the **United States**, where our servers are located and our central database is operated. *(Note: Update 'United States' if processing occurs in other specific countries)*

Data protection laws in the United States may differ from those in your country of residence. Specifically, if you are located in the European Economic Area (EEA), UK, or Switzerland, the transfer of your Personal Data to countries outside the EEA (like the United States) requires specific legal safeguards under GDPR to ensure an adequate level of data protection.

Where we transfer Personal Data of individuals from the EEA, UK, or Switzerland to third countries not deemed adequate by the European Commission, we rely on legally-provided mechanisms to lawfully transfer data across borders. These mechanisms may include:

  • Standard Contractual Clauses (SCCs): Implementing SCCs approved by the European Commission with third-party service providers (processors) located outside the EEA (e.g., with Stripe, Google Analytics, hosting providers).
  • Adequacy Decisions: Transferring data to countries that the European Commission has determined provide an adequate level of data protection.
  • Binding Corporate Rules (BCRs): For intra-group transfers where applicable and approved.
  • **Derogations:** In limited circumstances, we may rely on specific derogations for international transfers, such as the necessity of the transfer for the performance of a contract with you (e.g., sending your location query to Open-Meteo or routing via Grasshopper API to provide the requested service).

By using our Service, you understand that your Personal Data may be transferred to our facilities and those third parties with whom we share it as described in this Privacy Policy, located in the **United States**, subject to the implementation of the aforementioned safeguards where required by law.

13. Links to Other Websites

Our Service may contain links to other websites or services that are not owned or controlled by gdth. This Privacy Policy applies only to our Service.

We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party websites or services. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the privacy policy of every site you visit. We are not liable for any harm or damages related to the purchase or use of goods, services, resources, content, or any other transactions made in connection with any third-party websites. This is a standard clause necessary to limit gdth's liability concerning external sites.

14. Changes to This Privacy Policy & Notification

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We reserve the right to modify this Policy at any time.

If we make material changes to this Policy, we will notify you by posting the updated Policy on this page and updating the "Effective Date" at the top. We may also provide notice through other means, such as via email (for registered users) or a prominent notice on the Service, prior to the change becoming effective, particularly for significant changes. Providing clear notification beyond simply updating the page is advisable for transparency and potential legal requirements depending on the nature of the change.

We encourage you to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page. Your continued use of the Service after any modifications to the Privacy Policy will constitute your acknowledgment of the modifications and your consent to abide and be bound by the modified Policy.

Note that under laws like CCPA/CPRA, privacy policies must be reviewed and updated at least once every 12 months.

15. Contact Information

If you have any questions, concerns, or complaints about this Privacy Policy, our data handling practices, or if you wish to exercise your privacy rights as described in Section 9, please contact us using the following details:

  • Email: admin@gdth.fun

If applicable (e.g., if required by GDPR due to processing activities or scale), please also include:

  • Data Protection Officer (DPO) Contact: admin@gdth.fun
  • EU/UK Representative Contact: admin@gdth.fun

Providing clear and accessible contact information is essential for users to exercise their rights and for overall compliance.

16. Legal Disclaimer

This Privacy Policy is provided for informational purposes only and does not constitute legal advice. Data protection laws are complex and vary by jurisdiction. While this document aims to be comprehensive based on provided requirements and general principles of laws like GDPR, CCPA/CPRA, and VCDPA, it may not fully address all specific legal obligations applicable to your unique business operations, data flows, or user base.

We strongly recommend that you consult with a qualified legal professional specializing in data privacy law to review this policy, ensure its adequacy for your specific circumstances, and confirm compliance with all applicable local, state, national, and international laws and regulations before publishing or relying on it. Gdth assumes no liability for the use or interpretation of this document without independent legal counsel review.