Privacy Policy
Last updated: April 2, 2026
Our philosophy in one sentence:
We collect only what we need to run the service, we never sell or share your data for advertising, and we give you full control to delete everything at any time.
1. Who We Are
Nomad Forecast is operated by XXI-IXD LLC, Beta Building, Oficina 6, Próspera ZEDE, Roatán, Honduras. Contact: [email protected]
We do not currently have a designated EU representative (GDPR Art. 27). For all data protection inquiries, contact us directly at the email above. We respond within 30 days.
2. What Data We Collect
Data you provide
| Category | Data | Purpose |
|---|---|---|
| Account | Email, password (stored as bcrypt hash), name, nickname | Authentication & identification |
| Family profile | Family name, parent names, children's names & birthdays, nationality, passports | Trip planning, community matching |
| Location | Home base coordinates, trip stop locations & dates | Map display, trip planning |
| Contact info | Messenger handles (WhatsApp, Signal, Threema, Telegram), social links (Instagram, YouTube, TikTok, website) | Connecting families (only shared when you choose to) |
| Nostr login | Nostr public key | Authentication (alternative to email) |
Data about children
Parents enter their children's names and birthdays to enable age-based matching with other traveling families. This data is entered by the parent or legal guardian and is only shared with other users according to your visibility settings. You can delete this data at any time by editing your family profile or deleting your account.
Data collected automatically
| Data | Purpose | Storage |
|---|---|---|
| IP address | Rate limiting (bot protection) | In-memory only, never written to disk, cleared on server restart or after 1 hour |
We do not use analytics, tracking pixels, advertising cookies, or fingerprinting. We do not track your behavior on our site.
3. Cookies & Browser Storage
Cookies
We set exactly one cookie:
| Name | Type | Purpose | Duration |
|---|---|---|---|
| tv-session | Functional (httpOnly, secure, sameSite: lax) | Keeps you logged in. Contains an encrypted token with your user ID and role. No personal data is readable from the cookie. | 30 days |
Because this is a strictly functional cookie required for authentication, no cookie consent banner is needed under TDDDG § 25(2). We do not set any analytics, marketing, or third-party cookies.
Local storage (browser-only)
We store UI preferences in your browser's localStorage. This data never leaves your device and is not sent to our servers:
- Theme preference (light/dark)
- Map layer toggles (Bitcoin merchants, airports, community pins, routes)
- Calendar size, pinned families, skipped profile checks
4. How We Share Your Data Within the App
Your visibility is designed in three levels:
- Level 0 — Always active: When you create a trip with dates, an anonymous pin appears on the community map showing only: location, family size, children's ages, and nationality. No name or contact info is shown.
- Level 1 — Opt-in sharing: You can choose to make a trip stop public. Only the fields you enable in your visibility settings are shown (name, social links, etc.).
- Level 2 — Connections: When two families mutually connect via invite code, they can see each other's full profiles.
5. Third-Party Services
We use a small number of external services. We do not share your personal data for advertising or profiling.
| Service | What is sent | Why | Their privacy policy |
|---|---|---|---|
| Resend (email delivery) | Your email address, family name | Sending verification and password reset emails | resend.com/legal/privacy-policy |
| Hetzner (hosting) | All data (server hosting) | Server infrastructure, located in Germany | hetzner.com/legal/privacy-policy |
| OpenStreetMap / Nominatim | Your search query, your IP address (browser request) | Location search (geocoding) | osmfoundation.org/wiki/Privacy_Policy |
| CARTO (map tiles) | Map viewport coordinates, your IP address (browser request) | Rendering the map | carto.com/privacy |
| BTC Map | Map viewport coordinates, your IP address (browser request) | Showing Bitcoin-accepting merchants | btcmap.org/about |
Note: Google Fonts (Inter, Comfortaa) are self-hosted — no requests are made to Google servers.
6. Legal Basis (GDPR Art. 6)
| Processing | Legal basis |
|---|---|
| Account, trips, connections | Contract performance (Art. 6.1.b) — necessary to provide the service you signed up for |
| Bot protection, rate limiting | Legitimate interest (Art. 6.1.f) — security of the service |
| Sharing trips publicly, connecting with families | Consent (Art. 6.1.a) — you explicitly choose to share |
| Email verification | Legitimate interest (Art. 6.1.f) — preventing abuse |
7. Data Retention & Deletion
- Your data is stored as long as your account exists.
- You can delete your account at any time from your profile settings. This permanently deletes all your data: account, family profile, trips, connections, and feedback.
- We do not retain backups of deleted accounts beyond our regular server backup cycle (up to 7 days).
- Rate limiting data (IP addresses) is stored in memory only and cleared automatically after 1 hour or on server restart.
8. Your Rights (GDPR Art. 15–22)
You have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16) — you can edit your profile at any time
- Delete your data (Art. 17) — via account deletion in settings
- Restrict processing (Art. 18)
- Data portability (Art. 20) — request an export of your data
- Object to processing (Art. 21)
To exercise any of these rights, email [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with a supervisory authority. If you believe your data is being processed in connection with our German-hosted server, you may contact the relevant German data protection authority.
9. Security
- Passwords are securely hashed using industry-standard algorithms — we never store or see your password
- All connections use HTTPS/TLS
- Session cookies are httpOnly and secure — not accessible to JavaScript
- Bot protection via honeypot fields, timing checks, and rate limiting
- No sensitive data in URLs, logs, or error messages
10. Data Sources & Open Data Attribution
Nomad Forecast uses the following open data sources. We are grateful to these projects and communities:
| Source | Data | License |
|---|---|---|
| OpenStreetMap | Map data, geocoding | ODbL 1.0 |
| CARTO | Map tiles | Free tier, uses OpenStreetMap data (ODbL) |
| Leaflet | Map rendering library | BSD-2-Clause |
| BTC Map | Bitcoin-accepting merchant locations | Open data |
| FBCE | Bitcoin circular economy communities | Public data from fbce.io |
| Meteostat | Historical climate normals | CC BY-NC-SA 4.0 |
| World Bank CCKP | Climate data (fallback) | CC BY 4.0 |
| OurAirports | Airport locations & IATA codes | Public domain |
| Passport Index Dataset | Visa requirements | MIT |
11. Changes to This Policy
We may update this policy to reflect changes in our practices or for legal reasons. We will note the date of the last update at the top. For significant changes, we will notify registered users by email.
12. Contact
For any questions about this privacy policy or your data:
[email protected]