Privacy Policy

Last updated: 26 June 2026

This Privacy Policy explains how World Price Atlas ("we", "us") collects, uses and protects personal data when you use our website and API (the "Service"). We act as the data controller for the personal data described here.

Template notice: this document is a good-faith starting point. Before public launch, have it reviewed by qualified counsel and insert your registered legal entity name, address and Data Protection contact.

1. Data we collect

  • Account data — when you sign in with Google: your name, email address and profile picture. We do not receive your Google password.
  • Contributions — prices you submit (amount, currency, country, city, category, date, optional note).
  • Billing data — if you purchase a plan, payments are processed by Stripe. We store a Stripe customer ID and your plan; we never store card numbers.
  • API usage — request counts associated with your API keys, for quota enforcement.
  • Technical data — standard server logs (IP address, user-agent, timestamps) and essential cookies (session, theme, currency/unit preferences).

2. Why we use it (lawful bases)

  • To provide the Service and your account — performance of a contract.
  • To process payments and prevent fraud — contract / legal obligation / legitimate interests.
  • To maintain security, prevent abuse and debug — legitimate interests.
  • To comply with law — legal obligation.

3. Sharing & processors

We share data only with service providers acting on our instructions:

  • Google — authentication (OAuth).
  • Stripe — payment processing.
  • Vercel — hosting and serverless functions.
  • Neon — managed PostgreSQL database.

We also load public assets (map geometry, flag images) and exchange rates (Yahoo Finance) from third-party sources; your browser may contact those providers when rendering pages. We do not sell your personal data.

4. International transfers

Our processors may process data outside your country (e.g. the EU/EEA and the US). Where required, transfers rely on appropriate safeguards such as the EU Standard Contractual Clauses.

5. Retention

Account and billing data are kept while your account is active and as required by law. Submitted prices are retained as part of the public dataset; if you delete your account, your prices are anonymized rather than removed, to preserve dataset integrity.

6. Your rights

Subject to applicable law (including the GDPR), you have the right to access, rectify and erase your personal data, to restrict or object to its processing, to data portability, and to withdraw consent. You can export your data and delete your account at any time from your account page. You may also lodge a complaint with your local data protection authority.

7. Security

We use encryption in transit (HTTPS), hashed API keys, secure authentication cookies, security headers and the principle of least privilege. No system is perfectly secure; we work continuously to protect your data. See our security overview in the repository.

8. Children

The Service is not directed to children under 16, and we do not knowingly collect their data.

9. Changes & contact

We may update this policy and will revise the date above. Questions or requests: trossini.02@icloud.com.