Privacy Policy
Last updated: February 20, 2026
We take the protection of your personal data very seriously. This privacy policy informs you about the nature, scope, and purpose of the processing of personal data within the mobile app Iceland Explorer (hereinafter "App") and the website icelandexplorer.app (hereinafter "Website").
This privacy policy is based on the Swiss Federal Act on Data Protection (FADP/nFADP) and the EU General Data Protection Regulation (GDPR), insofar as it applies to our data processing activities.
1. Controller
Markus Leiter
Fichtenstrasse 8
9230 Flawil, Switzerland
Email: info@icelandexplorer.app
Website: icelandexplorer.app
If you have any questions about data protection, you can contact us at any time by email.
2. Overview of Data Processing
| Data Category | Where | Storage Location | Shared |
|---|---|---|---|
| Location data (GPS) | App | Only on your device | No |
| Favorites (POI IDs) | App | Only on your device | No |
| App settings | App | Only on your device | No |
| Email address | Website | Google Sheets (Google LLC) | Yes (Google) |
| Server log data | Website | Netlify Inc. | Yes (Netlify) |
| Purchase data (in-app purchase) | App | RevenueCat, Inc. (USA) | Yes (RevenueCat, Apple) |
| Firebase (Google) | App | Anonymous device ID, GPS coordinates for sighting reports | Yes (Google, EU) |
| YouTube video (after click) | Website | IP address, device data at Google | Yes (Google) |
3. Data Processing in the App
3.1 Location Data
The App uses GPS location data for the following features:
- Displaying your position on the map
- Calculating the distance to points of interest (POIs)
- Travel companion mode: navigation to route stops, arrival detection, and ETA calculation
Important: Your location data is processed exclusively on your device. It is not transmitted to our servers or to third parties.
Permission: The App requests the "Location While Using" permission. You can revoke this at any time in your device's system settings. The App works without location access – location-based features will simply not be available.
Legal basis: Your consent (Art. 6(1)(a) GDPR; Art. 31(1) FADP).
3.2 Favorites and Settings
When you save points of interest as favorites or change app settings (e.g., language), this data is stored locally on your device (AsyncStorage).
- Only technical IDs are stored (no personal data)
- There is no transmission to servers or third parties
- You can delete this data at any time by uninstalling the App or clearing App data in system settings
Legal basis: Legitimate interest in the functionality of the App (Art. 6(1)(f) GDPR).
3.3 Images from External Sources
The App and the Website load images from external servers. When loading these images, your IP address is technically transmitted to the respective server.
- Pexels (Pexels GmbH, Germany): Privacy Policy
- Unsplash (Unsplash Inc., Canada): Privacy Policy
- Wikimedia Commons (Wikimedia Foundation, USA): Privacy Policy
Legal basis: Legitimate interest in displaying image content (Art. 6(1)(f) GDPR).
3.4 External Navigation
The travel companion mode offers the option to hand off turn-by-turn navigation to Apple Maps or Google Maps. This opens the respective external app. The privacy policies of Apple and Google apply to data processing in those apps.
3.5 No Tracking or Analytics Services
The App uses no tracking, analytics, or advertising services. No user profiles are created, no crash reports are automatically sent, and no data is shared with third parties for advertising purposes.
3.6 In-App Purchases (RevenueCat)
For processing in-app purchases (one-time "Premium" purchase), we use the service RevenueCat, Inc. (San Francisco, USA). The following data is processed:
- Encrypted purchase receipts (Apple App Store Receipt)
- Anonymous user ID (device-specific, no account)
- App version, operating system, and device type
- Entitlement status (Premium active/inactive)
Provider: RevenueCat, Inc., San Francisco, USA. Privacy Policy: revenuecat.com/privacy.
Data transfer to the USA: RevenueCat is based in the USA. The data transfer is based on the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR).
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR; Art. 31(2)(a) FADP) – the processing is necessary for the execution of the purchase contract.
3.7 Aurora Sightings (Firebase)
For the "Community Sightings" feature in the Aurora section (Premium), we use Firebase by Google:
- Firebase Anonymous Authentication: When you first open the Aurora screen, an anonymous device ID is automatically created. No personal data (name, email, phone number) is collected. The anonymous ID is used solely for attributing sighting reports and rate limiting (max. 1 report per hour).
- Cloud Firestore: When you report an aurora sighting, the following data is stored: GPS coordinates of the reporting location, sighting intensity (weak/visible/spectacular), timestamp. This data is automatically deleted after 1 hour (TTL policy). The coordinates indicate the observation location, not your home address.
- Data processing: Google Cloud, region europe-west1 (Belgium, EU). Google acts as a data processor pursuant to Art. 28 GDPR.
Legal basis: Performance of contract (Art. 6(1)(b) GDPR; Art. 31(2)(a) Swiss FADP) — this feature is part of the Premium subscription.
4. Data Processing on the Website
4.1 Hosting (Netlify)
Our website is hosted by Netlify Inc. (San Francisco, USA). When you visit the website, technical data is automatically recorded in server log files:
- IP address
- Date and time of access
- Page requested (URL)
- Browser type and version
- Operating system
- Referrer URL
This data is necessary for the technical operation of the website and is processed by Netlify in accordance with their Privacy Policy.
Data transfer to the USA: Netlify is based in the USA. The data transfer is based on the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) and the adequate level of data protection as assessed by the Swiss Federal Data Protection and Information Commissioner (FDPIC).
Legal basis: Legitimate interest in operating the website (Art. 6(1)(f) GDPR).
4.2 Email Notification
On our website, you can leave your email address to be notified about the App launch. We use a double opt-in procedure for this:
- You enter your email address and submit the form.
- You receive a confirmation email with a link.
- Only after clicking the confirmation link is your email address stored.
Processing: Your email address is processed via Google Apps Script and stored in a Google Sheet. The following data is collected:
- Email address
- Time of registration
- Confirmation status (double opt-in)
- Selected language
- User agent (browser identifier) – for technical analysis and abuse prevention
Data transfer to the USA: Google LLC is based in the USA. The data transfer is based on the EU Standard Contractual Clauses and certification under the EU-U.S. Data Privacy Framework. Google Privacy Policy: policies.google.com/privacy.
Withdrawal: You can revoke your consent at any time by sending an email to info@icelandexplorer.app. We will then delete your email address without delay.
Legal basis: Your consent (Art. 6(1)(a) GDPR; Art. 31(1) FADP).
4.3 No Cookies
Our website uses no cookies and no local tracking. Neither first-party nor third-party cookies are set. A cookie banner is therefore not required.
4.4 Self-Hosted Fonts
We use the "Inter" font, which is loaded directly from our server (self-hosting). No connection is made to Google Fonts or other external font services.
4.5 Embedded Videos (YouTube)
We embed an app trailer video on our website. We use YouTube's enhanced privacy mode (domain: youtube-nocookie.com). The following applies:
- Before playback: Only a thumbnail image is loaded from
img.youtube.com. In this mode, YouTube sets no cookies and receives no personal data. - After clicking "Play": An iframe from
youtube-nocookie.comis loaded. From this point, Google's Privacy Policy applies. YouTube may then process technical data (IP address, browser type, device information).
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, USA). Data transfers to the USA are based on EU Standard Contractual Clauses.
Legal basis: Legitimate interest in the appealing presentation of our offering (Art. 6(1)(f) GDPR).
5. Sharing with Third Parties
We do not share your personal data with third parties, except:
- As explicitly described in this privacy policy (Netlify hosting, Google Apps Script, image sources)
- You have given your explicit consent
- There is a legal obligation to do so
There is no sale of data and no sharing for advertising purposes.
6. Data Security
We take appropriate technical and organizational measures to protect your data:
- The website is served exclusively via HTTPS (TLS encryption)
- App data is stored in the operating system's protected sandbox
- Location data does not leave your device
- No storage of passwords (the App has no login)
7. Retention Period
| Data | Retention Period |
|---|---|
| Location data (App) | Only during active use, not persistent |
| Favorites / Settings (App) | Until uninstallation or manual deletion |
| Email address (notification) | Until withdrawal or sending of the launch notification, then immediate deletion |
| Server log data (Netlify) | According to Netlify policies (max. 30 days) |
| Purchase data (in-app purchase) | According to RevenueCat policies; Premium status stored locally until uninstallation |
| Firebase sighting data (GPS, intensity, timestamp) | 1 hour (automatic deletion via TTL policy) |
8. Your Rights
Under the Swiss Federal Act on Data Protection (FADP/nFADP)
- Right of access (Art. 25 FADP): You may request information about whether and what data we process about you.
- Right to rectification (Art. 32(1) FADP): You may request the correction of inaccurate data.
- Right to erasure (Art. 32(2)(c) FADP): You may request the deletion of your data.
- Right to data portability (Art. 28 FADP): You may request the transfer of your data in a common electronic format.
Under the EU General Data Protection Regulation (GDPR)
If the GDPR applies, you additionally have the following rights:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to withdraw consent (Art. 7(3) GDPR)
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
To exercise your rights, please contact: info@icelandexplorer.app
9. Supervisory Authorities
Switzerland:
Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1, 3003 Bern
www.edoeb.admin.ch
EU:
You have the right to lodge a complaint with your competent data protection supervisory authority. An overview can be found at: edpb.europa.eu
10. Children's Privacy
Our App and Website are not directed at children under 16 years of age. We do not knowingly collect personal data from children. If we inadvertently receive data from a child, we will delete it without delay.
11. Changes to This Privacy Policy
We reserve the right to update this privacy policy as necessary to reflect changes in legal requirements or changes to the App or Website. The current version is always available on this page. In the event of significant changes, we will notify you via the App or the Website.