topologis

Privacy Policy

Last updated: April 15, 2026

This Privacy Policy describes how Topologis VCC ("Topologis," "we," "us," or "our") collects, uses, and protects your personal information when you use the Topologis platform at topologis.com (the "Service").

Topologis is operated by Topologis VCC, registered in Bulgaria. Our data infrastructure is hosted in Germany (Hetzner).

If you have questions about this policy, contact us at contact@topologis.com.

1. Information we collect

Information you provide

  • Account information : name, email address, and avatar when you create an account.
  • Payment information : when you subscribe to a paid plan, payment is processed by Stripe. We store your Stripe customer ID and invoice records (amounts and status). We do not store credit card numbers or bank details — Stripe handles that directly.
  • Geodata you upload : files you import (CSV, GeoJSON, Shapefile, GeoPackage) and data from connected Google Sheets. This data is stored in our database and is used solely to provide the Service to you.
  • Workspace and collaboration data : workspace names, project names, editor invitations (email addresses of invitees), and layer configurations.
  • Contact form submissions : your name, email, and message when you reach out through our contact form.

Information collected automatically

  • Session data : IP address, user agent (browser/device information), session tokens, and session expiration times. This is used for authentication and security.
  • Usage logs : anonymized usage events stored in a time-series database on our infrastructure to help us understand how the Service is used and to identify issues. These logs do not contain geodata content.
  • Analytics : we use Plausible Analytics, which is a privacy-friendly analytics tool that does not use cookies and does not collect personal data. Plausible collects aggregate page views, referral sources, and browser/device information without identifying individual users.

Information from third parties

  • Google OAuth : if you sign in with Google, we receive your name, email address, and profile picture from Google. We do not access any other Google data unless you explicitly connect a Google Sheet, in which case we store a refresh token to maintain that connection.

2. Lawful basis for processing

Under the General Data Protection Regulation (GDPR), we process your personal data on the following legal bases:

Processing activityLawful basis
Providing the Service (authentication, data storage, map rendering, sharing, embedding)Performance of a contract (Art. 6(1)(b))
Processing payments and managing subscriptionsPerformance of a contract (Art. 6(1)(b))
Sending transactional emails (verification, password resets, product updates)Performance of a contract (Art. 6(1)(b))
Security, fraud detection, abuse prevention, session managementLegitimate interest (Art. 6(1)(f))
Anonymized usage logs and privacy-friendly analyticsLegitimate interest (Art. 6(1)(f))
Google Sheets integration (storing refresh tokens)Consent (Art. 6(1)(a))
Responding to contact form submissionsLegitimate interest (Art. 6(1)(f))
Retaining invoice records for tax complianceLegal obligation (Art. 6(1)(c))

3. How we use your information

We use your information to:

  • Provide and operate the Service (authentication, data storage, map rendering, sharing, and embedding).
  • Process payments and manage subscriptions via Stripe.
  • Send transactional emails (email verification, password resets). We may also send occasional product updates to active users, who can opt out at any time. We do not send unsolicited marketing emails.
  • Maintain security (fraud detection, abuse prevention, session management).
  • Understand usage patterns through anonymized logs and privacy-friendly analytics to improve the Service.
  • Respond to your contact form submissions.

We do not sell your personal information. We do not use your geodata for any purpose other than providing the Service to you.

4. How we share your information

We share personal information only with the following third-party subprocessors, and only to the extent necessary to operate the Service. We have data processing agreements in place with each subprocessor.

SubprocessorPurposeData sharedLocation
StripePayment processingEmail, name, Stripe customer ID, payment amountsUnited States
GoogleOAuth sign-in and Sheets integrationOAuth tokens; name and email received from Google during sign-inUnited States
HetznerInfrastructure hostingAll data is hosted on Hetzner servers in GermanyGermany (EU)
Plausible AnalyticsPrivacy-friendly website analyticsNo personal data (aggregate pageview data only)Germany (EU)

We may also disclose information if required by law or to protect the rights, safety, or property of Topologis, our users, or the public.

We do not share, sell, or provide your geodata to any third party.

Business transfers

If Topologis is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you by email and/or by a prominent notice on our website before your personal data becomes subject to a different privacy policy.

5. Data storage and security

  • All data is stored on servers located in Germany (Hetzner), within the European Union.
  • Passwords are hashed and never stored in plain text.
  • OAuth tokens are stored securely and used only for their intended purpose (authentication, Google Sheets access).
  • All traffic to and from Topologis is encrypted via TLS/HTTPS.
  • Sessions expire automatically and can be invalidated by logging out.

While we take reasonable measures to protect your data, no method of transmission or storage is 100% secure. If you become aware of a security issue, please contact us immediately at contact@topologis.com.

Data breach notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected users without undue delay, as required by GDPR Article 34.

6. Cookies

Topologis uses only essential session cookies for authentication. These cookies are necessary for the Service to function and cannot be disabled.

We do not use advertising cookies, tracking cookies, or third-party cookies. Plausible Analytics is cookie-free.

7. Your rights

Under the General Data Protection Regulation (GDPR) and other applicable laws, you have the right to:

  • Access your personal data.
  • Correct inaccurate personal data.
  • Delete your account and associated personal data.
  • Export your data (data portability).
  • Object to or restrict certain processing of your data.
  • Withdraw consent where processing is based on consent (for example, disconnecting a Google Sheets integration).

To exercise any of these rights, contact us at contact@topologis.com. We will respond within 30 days.

When you delete your account, we delete your personal data, including your geodata, workspaces, projects, and layers, within 30 days. Some data may be retained where required by law (for example, invoice records for tax purposes).

8. Data retention

  • Account data : retained as long as your account is active. Deleted within 30 days when you delete your account.
  • Geodata : retained as long as your account is active. Deleted within 30 days when you delete your account or the relevant project/layer.
  • Invoice records : retained for up to 10 years after creation as required by tax law.
  • Usage logs : retained for up to 12 months, then automatically deleted.
  • Session data : automatically expires and is cleaned up periodically.

9. International data transfers

All data is stored and processed within the European Union (Germany). If you access the Service from outside the EU, your data will be transferred to and stored in the EU.

We share limited data with Stripe (headquartered in the United States) and Google (headquartered in the United States) for payment processing and authentication respectively. Both are certified under the EU-U.S. Data Privacy Framework, which provides a legal mechanism for transferring personal data from the EU to the United States in compliance with GDPR. See Stripe's privacy policy and Google's privacy policy for full details.

10. Data Processing Agreement

If you require a Data Processing Agreement (DPA) for your organization's compliance needs, please contact us at contact@topologis.com and we will provide one.

11. Data protection officer

Given the nature and scale of our data processing activities, we have not appointed a Data Protection Officer (DPO) at this time. For any data protection inquiries, contact us at contact@topologis.com.

12. Children

Topologis is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us and we will delete it.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email.

Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

14. Contact

If you have questions or concerns about this Privacy Policy or our data practices, contact us at:

Email : contact@topologis.com

Topologis VCC
Bulgaria