Privacy Policy

Last updated: March 3, 2026

Overview

Heimdallr is a real-time natural disaster monitoring application that displays publicly available data about earthquakes, volcanic activity, tsunamis, wildfires, cyclones, severe weather alerts, ISS tracking, and tectonic plate boundaries on an interactive map. This privacy policy explains how the app handles your data.

In short: Heimdallr does not collect personal data itself. Your settings and cached data stay on your device. Some third-party services used by the app (Cloudflare, MapTiler) may process limited metadata as described below.

Data We Do NOT Collect

No personal information (name, email, phone number, address)
No account or login credentials
No device identifiers or advertising IDs
No location data collected or transmitted to us (if you use the map's geolocation button, your browser handles the location request locally and the coordinates are never sent to our servers)
No crash reports or diagnostics collected by us (Cloudflare may collect request-level error data through its infrastructure — see CORS Proxy section below)
No first-party cookies or cross-site tracking

Data Stored Locally on Your Device

Heimdallr stores the following data exclusively on your device using your browser's local storage. This data never leaves your device and is not accessible to us or any third party:

User preferences — Map settings, filter selections, notification thresholds, language preference, module order, enabled/pinned module state, and other configuration choices
UI state — Collapsed panel sections and layout preferences for a consistent experience across sessions
Event cache — Temporarily cached natural disaster data to reduce unnecessary network requests
Notification tracking — IDs of previously seen events to avoid duplicate notifications (maximum 5,000 IDs per domain)
Geocode cache — Cached location names from reverse geocoding to reduce API calls (coordinates rounded to ~1 km precision, maximum 5,000 entries)

All locally stored data is deleted when you uninstall the app or clear the app's data through your device settings.

Third-Party Services

Heimdallr fetches publicly available data from the following government and scientific sources. These requests are read-only (the app only downloads data, it does not upload any information):

Source	Data	Provider
USGS Earthquake Hazards	Earthquake data	U.S. Geological Survey
USGS Volcano Hazards	Volcano alert data	U.S. Geological Survey
INGV	Italian seismic data	Istituto Nazionale di Geofisica e Vulcanologia
EMSC	European seismic data	Euro-Mediterranean Seismological Centre
NWS	Tsunami alerts (US)	National Weather Service (NOAA)
NOAA NWS	Severe weather alerts (US)	National Oceanic and Atmospheric Administration
GDACS	Volcanic eruptions, tsunami alerts	Global Disaster Alerting Coordination System (UN/EC)
NASA FIRMS	Satellite fire hotspots	NASA
NIFC	US fire perimeters	National Interagency Fire Center
Smithsonian GVP	Global volcano catalog	Smithsonian Institution
WMO SWIC	Severe weather alerts	World Meteorological Organization
EUMETNET MeteoAlarm	European severe weather warnings	EUMETNET (Network of European Meteorological Services)
EUMETNET E-SOH	European surface observations (temperature, wind, humidity, pressure)	EUMETNET MeteoGate
Esri Active Hurricanes	Tropical cyclone tracking	NHC/JTWC via Esri ArcGIS
Where the ISS at?	ISS position	Open community API

MapTiler

Heimdallr uses MapTiler for map rendering, weather overlays, location search (forward geocoding), and reverse geocoding of map coordinates (for wildfire hotspots and the "What's here?" context menu feature). When the app loads map tiles, performs a location search, or resolves coordinates to a place name, your device sends requests to MapTiler's servers that include the geographic coordinates or search query. MapTiler's handling of this data is governed by their privacy policy.

Third-Party Cookies

Heimdallr itself does not set any cookies. However, MapTiler's servers set two third-party cookies on the api.maptiler.com domain:

_hjSessionUser — Used by Hotjar, MapTiler's analytics provider
_cfuvid — Used by Cloudflare, MapTiler's CDN provider

These cookies are set by MapTiler's infrastructure, not by Heimdallr, and we have no control over them. Third-party cookies may be blocked by your browser depending on your privacy settings.

Cloudflare Web Analytics

The web version of Heimdallr uses Cloudflare Web Analytics to collect anonymous, aggregate page view metrics (e.g. page loads, referrers, country). This service does not use cookies, does not collect personal data, and does not track individual users across sites. Cloudflare's handling of this data is governed by their privacy policy. The Android app does not include any analytics.

CORS Proxy

On the web version only, some API requests are routed through a self-hosted Cloudflare Worker that acts as a CORS proxy to work around browser security restrictions. This worker forwards requests to public data sources and returns the responses — the worker code itself does not store or inspect any request data, but Cloudflare's infrastructure may collect standard request metadata (such as IP addresses, URLs, and response status codes) as part of its Workers Observability service, which we use to monitor errors and performance. This data is retained by Cloudflare according to their privacy policy. The worker's source code is part of this project. On the Android app, all requests go directly to the data sources via the native HTTP layer and no proxy is used.

Legal Basis for Processing

Heimdallr does not collect personal data itself. However, third-party services used by the app (Cloudflare, MapTiler) may process limited technical data such as IP addresses as part of delivering their services. Under the EU General Data Protection Regulation (GDPR), the UK GDPR, Switzerland's Federal Act on Data Protection (nFADP), and Brazil's Lei Geral de Proteção de Dados (LGPD), we rely on legitimate interest as the legal basis for this processing:

Infrastructure delivery (EU GDPR Article 6(1)(f) / UK GDPR Article 6(1)(f) / nFADP Article 31 / LGPD Article 7(IX)) — Cloudflare provides hosting, CDN, and CORS proxy infrastructure essential for the app to function. MapTiler provides map rendering and geocoding essential for the app's core features. The limited metadata processed by these services (IP addresses, request URLs) is necessary for service delivery and does not override your rights or freedoms, as no personal profiles are built and no data is used for marketing or tracking.
Anonymous analytics (EU GDPR Article 6(1)(f) / UK GDPR Article 6(1)(f) / LGPD Article 7(IX)) — Cloudflare Web Analytics collects anonymous, aggregate page view metrics without cookies or personal identifiers. This helps us understand overall usage patterns to maintain and improve the service.

Local Storage and the ePrivacy Directive

Heimdallr stores data on your device using the browser's localStorage API. Under the EU ePrivacy Directive (2002/58/EC, Article 5(3)) and its national implementations, storing information on a user's device requires either consent or a "strictly necessary" exemption. All data Heimdallr stores locally (user preferences, event caches, notification tracking, geocode cache, UI state) is strictly necessary for the service you have requested — the app cannot function without remembering your settings and caching data to reduce network requests. No consent is required for this storage. This data never leaves your device and is not accessible to us or any third party.

International Data Transfers

Cloudflare and MapTiler process data globally through their infrastructure networks. When your browser makes requests to these services, technical data (such as your IP address) may be processed outside the European Economic Area (EEA), the United Kingdom, Switzerland, or Brazil. Both providers maintain appropriate safeguards for international data transfers:

Cloudflare — Relies on the EU Standard Contractual Clauses (SCCs) for EEA transfers, the UK Addendum to the EU SCCs for UK transfers, and has been certified under the EU-US Data Privacy Framework. Switzerland benefits from an adequacy decision under both EU GDPR and UK GDPR, and Cloudflare applies the same contractual safeguards for Swiss data transfers. For transfers involving Brazilian users, Cloudflare maintains appropriate contractual safeguards under the LGPD framework.
MapTiler — MapTiler AG is headquartered in Switzerland, which benefits from adequacy decisions under both EU GDPR and UK GDPR, permitting unrestricted data transfers from the EEA and the UK. MapTiler processes data in accordance with their privacy policy.

Public data source APIs (USGS, EMSC, WMO, etc.) are operated by government and scientific institutions. On the web version, most requests to these sources are routed through the Cloudflare CORS proxy, so only the proxy's IP address reaches the upstream server. On Android, requests go directly to each source.

Data Retention

Heimdallr does not retain any data on its own servers. For third-party services:

Cloudflare Web Analytics — Aggregate metrics are retained by Cloudflare for the duration configured in their dashboard (no personal data is stored).
Cloudflare Workers / CDN logs — Standard request metadata is retained by Cloudflare according to their data retention policies.
MapTiler — API access logs are retained according to MapTiler's privacy policy.
Local device storage — Data persists on your device until you clear it manually or uninstall the app. Some caches (volcanic data, geocode results) expire automatically.

Notifications

Heimdallr can send local notifications to alert you about new natural disaster events. These notifications are generated entirely on your device based on data already fetched from public sources. No notification data is sent to any server. You can disable notifications at any time in the app's settings or through your device's notification settings.

Background Activity

On Android, Heimdallr can optionally run a background monitoring service to continue checking for new events while the app is not in the foreground. This service runs entirely on your device and does not transmit any data to us. You can enable or disable this feature in the app's settings.

Children's Privacy

Heimdallr does not knowingly collect any personal information from anyone, including children under 13 (or the applicable age of digital consent in your jurisdiction, such as 16 under the EU GDPR). The app displays publicly available scientific data and does not contain advertising, in-app purchases, or social features. If a parent or guardian believes their child has provided any information through the app, they may contact us at worldviewheimdall@gmail.com and we will promptly delete any such information.

Data Security

All network communication uses HTTPS encryption. The app enforces a strict Content Security Policy and does not allow cleartext (unencrypted) traffic.

Your Rights

Because Heimdallr does not collect or store personal data on its servers, most data subject rights apply to the third-party processors (Cloudflare, MapTiler) rather than to us directly. Nonetheless, we respect and facilitate the rights granted to you by your applicable data protection law, including the EU GDPR, UK GDPR, Switzerland's nFADP, Brazil's LGPD, India's DPDPA, Japan's APPI, South Korea's PIPA, and other regulations described below.

EU/EEA and UK Residents (GDPR)

Under the EU General Data Protection Regulation and the UK GDPR, you have the following rights:

Right of access — You may request confirmation of whether your personal data is being processed and obtain a copy. Since we do not hold personal data ourselves, requests concerning data processed by Cloudflare or MapTiler should be directed to those providers.
Right to rectification — You may request correction of inaccurate personal data.
Right to erasure — You may request deletion of your personal data. All data stored locally on your device can be cleared by clearing the app's data in your device settings or uninstalling the app.
Right to restriction of processing — You may request that processing of your data be restricted in certain circumstances.
Right to data portability — You may request your data in a structured, machine-readable format. Local storage data is already on your device in standard browser-accessible formats.
Right to object — You may object to processing based on legitimate interest. If you object to Cloudflare Web Analytics, you can block the static.cloudflareinsights.com domain using a browser content blocker.

To exercise these rights, contact us at worldviewheimdall@gmail.com. We will respond within 30 days.

Brazilian Residents (LGPD)

Under Brazil's Lei Geral de Proteção de Dados (LGPD), you have rights that include:

Right to confirmation and access — You may confirm that your data is being processed and request access to it.
Right to correction — You may request correction of incomplete, inaccurate, or outdated data.
Right to anonymization, blocking, or deletion — You may request anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data.
Right to information on sharing — You may request information about the public and private entities with which your data has been shared. See the Third-Party Services section above for a complete list.
Right to data portability — You may request your data in a structured format.
Right to deletion — You may request deletion of personal data processed with your consent. All data stored locally on your device can be cleared by clearing the app's data in your device settings or uninstalling the app.

To exercise these rights, contact us at worldviewheimdall@gmail.com. This email also serves as our LGPD communication channel. We will respond within 15 days as required by LGPD.

California Residents (CCPA/CPRA)

Heimdallr is a free, non-commercial project that does not meet the applicability thresholds of the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) — it has no revenue, does not sell or share personal information, and does not process data of 100,000 or more California consumers. No "Do Not Sell or Share" mechanism is required. California residents may contact us at worldviewheimdall@gmail.com with any privacy questions.

Swiss Residents (nFADP)

Under Switzerland's revised Federal Act on Data Protection (nFADP, effective September 1, 2023), you have rights including access, rectification, erasure, data portability, and the right to object to processing. This is particularly relevant as MapTiler AG, one of the third-party services used by this app, is headquartered in Switzerland. MapTiler processes map tile requests and geocoding queries in accordance with Swiss data protection law and their privacy policy. To exercise your rights under the nFADP, contact us at worldviewheimdall@gmail.com. The supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC).

Indian Residents (DPDPA)

Under India's Digital Personal Data Protection Act (DPDPA, 2023), you have rights as a data principal including:

Right to access — You may request a summary of your personal data being processed and the processing activities.
Right to correction and erasure — You may request correction of inaccurate or misleading data and erasure of data no longer necessary for its purpose.
Right to grievance redressal — You may raise grievances about data processing.
Right to nominate — You may nominate another individual to exercise your rights on your behalf.

Since Heimdallr does not collect personal data itself, these rights primarily concern the limited technical metadata processed by third-party services. To exercise these rights or raise a grievance, contact us at worldviewheimdall@gmail.com.

Japanese Residents (APPI)

Under Japan's Act on the Protection of Personal Information (APPI), you have the right to request disclosure, correction, cessation of use, and deletion of your personal information held by a business operator. Heimdallr does not hold personal information itself. Third-party API requests made by the app transmit only your IP address as an inherent part of HTTP communication. Japan and the EU maintain a mutual adequacy arrangement for cross-border data transfers. To exercise your rights, contact us at worldviewheimdall@gmail.com.

South Korean Residents (PIPA)

Under South Korea's Personal Information Protection Act (PIPA, as amended September 2023), you have rights including access, correction, deletion, and suspension of processing of your personal information. South Korea holds an EU adequacy decision (December 2023), facilitating cross-border data transfers under appropriate safeguards. Since Heimdallr does not collect personal information, these rights primarily concern the limited technical metadata processed by third-party services. To exercise your rights, contact us at worldviewheimdall@gmail.com. The supervisory authority is the Personal Information Protection Commission (PIPC).

Users in Other Jurisdictions

If you are located in a jurisdiction with applicable data protection laws, you may have similar rights regarding your personal data. Since Heimdallr does not collect personal data itself, your rights primarily concern the limited technical metadata processed by third-party services (Cloudflare, MapTiler) as described above. Applicable laws include but are not limited to:

Canada — Personal Information Protection and Electronic Documents Act (PIPEDA)
South Africa — Protection of Personal Information Act (POPIA)
Singapore — Personal Data Protection Act (PDPA)
Thailand — Personal Data Protection Act (PDPA, B.E. 2562)
Australia — Privacy Act 1988 and the Australian Privacy Principles (APPs)
New Zealand — Privacy Act 2020
Indonesia — Personal Data Protection Law (UU PDP, Law No. 27 of 2022)
China — Personal Information Protection Law (PIPL)
Nigeria — Nigeria Data Protection Act (NDPA, 2023)
Philippines — Data Privacy Act (Republic Act 10173)
Turkey — Personal Data Protection Law (KVKK, Law No. 6698)
Argentina — Personal Data Protection Act (PDPA, Law 25.326)
Colombia — Habeas Data Law (Law 1581 of 2012)
Mexico — Federal Law on Protection of Personal Data (LFPDPPP)
Chile — Personal Data Protection Law (Law 19.628, as reformed)

Under these and any other applicable data protection laws, you generally have the right to access, correct, and delete your personal data, as well as to object to or restrict certain types of processing. All data stored locally on your device can be cleared by clearing the app's data in your device settings or uninstalling the app. Contact us at worldviewheimdall@gmail.com to exercise any applicable rights.

Supervisory Authorities

You have the right to lodge a complaint with your local data protection supervisory authority if you believe your data protection rights have been violated. Key authorities include:

EU/EEA — Your national data protection authority (e.g., CNIL in France, Garante in Italy)
United Kingdom — Information Commissioner's Office (ICO)
Switzerland — Federal Data Protection and Information Commissioner (FDPIC)
Brazil — Autoridade Nacional de Proteção de Dados (ANPD)
India — Ministry of Electronics and Information Technology (MeitY)
Japan — Personal Information Protection Commission (PPC)
South Korea — Personal Information Protection Commission (PIPC)
Canada — Office of the Privacy Commissioner of Canada (OPC)
South Africa — Information Regulator
Australia — Office of the Australian Information Commissioner (OAIC)
New Zealand — Office of the Privacy Commissioner
Singapore — Personal Data Protection Commission (PDPC)
Thailand — Personal Data Protection Committee (PDPC)

Data Controller

The data controller for Heimdallr is Luca Brunelli Lovera, based in the European Union. You can contact the data controller at worldviewheimdall@gmail.com.

Changes to This Policy

We may update this privacy policy from time to time. Any changes will be reflected in the "Last updated" date at the top of this page.

Contact

If you have questions about this privacy policy, you can reach us at worldviewheimdall@gmail.com.