Legal

Privacy Policy

Last updated · 02 May 2026

Plain English

We collect the bare minimum needed to run the service: the addresses you check, your account email if you sign up, payment references, and rate-limit counters. No advertising trackers. Email us and we'll delete your account and your data on request.

1. What we collect

Our data collection is tiered — we collect less from anonymous visitors and more only when you choose to sign up or pay. Specifically:

  • Anonymous visitors — addresses you query, the resulting hazard scores, and your IP address, kept briefly for rate limiting. No account, no email, no identity from any provider.
  • Signed-in users — everything above, plus your account email, optional display name, and (only if you used Sign in with Google or Sign in with Facebook) the basic profile fields described below.
  • Paying users — everything above, plus a payment reference returned by Paymongo (no card or wallet credentials).

The full list of fields, by source:

  • Addresses and coordinates you query. Whatever you type into the address bar, plus the latitude and longitude returned by the Google Maps Platform Geocoding API. (This is a server-to-server call from CheckHazard to Google’s API; it doesn’t involve your Google account.)
  • The generated hazard score and report. Cached so the same address returns the same result without re-running the heavy spatial queries.
  • Account information, if you sign up. Email address (for sign-in and receipts) and an optional display name. Passwords, when you set one, are hashed by Supabase Auth — we never see them in plaintext.
  • Google user data, if you choose “Sign in with Google”. We receive the OpenID Connect claims returned by the openid, email, and profile scopes (your email address, name, locale, and profile picture URL) from your Google account. That’s it. See § 2a for what we do with it.
  • Facebook user data, if you choose “Sign in with Facebook”. We receive the same set of basic-profile fields via the email and public_profile scopes. See § 2a for what we do with it.
  • Your IP address, briefly. Used by our rate limiter (Upstash Redis) to stop abuse. Stored for short rolling windows, not tied to your queries.
  • Payment data, via Paymongo. When you pay ₱99, our payment processor (Paymongo) handles the GCash or Maya transaction. We see a payment reference, status, and amount — not your card or wallet credentials.
  • Basic analytics. Vercel Analytics and Plausible collect aggregate page views and referrers. Neither uses tracking cookies or follows you across sites.

2. What we don’t collect

  • No advertising or cross-site tracking layer. The analytics we run (Vercel Analytics, Plausible) are cookieless and aggregate-only — they don’t set identifying cookies, don’t build a profile of you, and don’t follow you across other sites.
  • No location data from your device — only the address you type.
  • From Google or Facebook sign-in, we request only the standard basic-profile scopes (Google: openid, email, profile; Facebook: email, public_profile). We don’t request friends lists, contacts, posts, photos, page or business management, ads, mailboxes, calendars, or any sensitive or restricted scope.

2a. Sign in with Google or Facebook

Both options are routed through Supabase Auth’s OAuth integration. When you choose either provider:

  • What scopes we request: Google — openid, email, and profile (returns your email address, name, locale, and profile picture URL). Facebook — email and public_profile (returns the same set of fields). We do not request any sensitive or restricted scopes from either provider, and we don’t add new scopes without updating this policy first.
  • What we use it for: creating or signing you into your CheckHazard account, displaying your name and avatar in the dashboard, and sending purchase receipts. We never post on your behalf, message anyone, read your friends/contacts/photos/posts, or use the data to enrich a marketing profile.
  • What we will not do with it. We do not sell, license, transfer, or rent your provider data to anyone. We do not use it to train any artificial-intelligence or machine-learning model (including the Anthropic narrative described in § 8a — the LLM never sees your email, name, or identity). We do not use it for advertising, retargeting, profiling, or analytics beyond the cookieless aggregate analytics in § 1.
  • What the provider learns about you: Google and Meta each know that you signed into an app called “CheckHazard” using your account. The provider’s own privacy policy applies to that interaction (see Google Privacy Policy and Meta Privacy Policy).
  • Disconnecting: you can revoke CheckHazard’s access from your Google account’s Apps with access to your account page, or from Facebook’s Apps and Websites settings, at any time. Revoking provider access does not by itself delete your CheckHazard account — email us if you also want the corresponding CheckHazard account and any associated data deleted (see § 7).

3. Where it lives (international data transfer)

Cached scores, reports, and account data are stored in Supabase Postgres in the Singapore (ap-southeast-1) region. Operational logs and rate-limit counters live in Upstash Redis. We use Vercel for hosting and Sentry for error monitoring; both may briefly process request metadata to deliver pages and surface errors.

Because our infrastructure is hosted outside the Philippines, your data is transferred internationally to Singapore (Supabase, Upstash) and the United States (Vercel, Sentry, Anthropic). Each provider operates under its own data-processing agreement and standard contractual clauses; we do not transfer your data anywhere outside these documented processors.

3a. Security

We protect your data with industry-standard safeguards: TLS 1.2+ encryption in transit on every request, encryption at rest on Supabase Postgres and Upstash Redis, and bcrypt-hashed passwords managed by Supabase Auth (we never see plaintext passwords). Administrative access to production is limited to a small set of named operators, scoped to specific roles, and logged. If a security incident affecting your personal data occurs, we will notify the Philippine National Privacy Commission and affected users within 72 hours of discovery, as required under RA 10173.

4. Why we keep it

The cached address-to-score table exists for two reasons:

  1. So a paid report stays accessible at its shareable URL after you close the tab.
  2. So we don't re-run expensive PostGIS queries every time someone checks the same address.

5. Sharing

We don't sell your data, and we don't share it with marketers. The only third parties that touch any part of it are the ones strictly required to run the service:

  • Google Maps Platform (Places API + Geocoding API) — to autocomplete and convert your address into coordinates. This is a server-to-server call from us to Google; no Google account data is involved.
  • Google Identity (Sign in with Google) — only when you click “Continue with Google”. We receive the OpenID Connect openid + email + profile claims and use them as described in § 2a.
  • Meta (Facebook Login) only when you click “Continue with Facebook”. We receive the email + public_profile claims as described in § 2a.
  • MapTiler / OpenStreetMap — to serve base map tiles on the report.
  • Paymongo — to process the ₱99 payment.
  • Brevo — to send transactional email (purchase receipts, password resets, signup confirmations).
  • Anthropic — to draft the narrative summary on the report page. Only the queried address and the structured hazard score are sent to the model; we never send your email, name, profile picture URL, or any data received from Google or Facebook sign-in.
  • Supabase (Auth + Postgres) / Upstash / Vercel / Sentry — infrastructure providers under standard data-processing agreements.

We may disclose data if required by Philippine law, a valid court order, or to protect the safety of users.

What we will never do with Google or Facebook user data. We do not sell, rent, license, or transfer Google user data or Facebook user data to data brokers, advertising networks, marketing affiliates, or any third party. We do not use it for advertising, retargeting, ad personalization, or to build a marketing profile of you. We do not use it to train, fine-tune, or evaluate any artificial-intelligence or machine-learning model. We only retain Google or Facebook user data for as long as your CheckHazard account exists; if you delete your account (see § 7), the provider-derived fields are deleted with it.

Compliance with provider policies. Our use of data received from Google’s OAuth APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Our use of data received from Meta’s APIs adheres to the Meta Platform Terms and Developer Policies, including its analogous Limited Use requirements.

6. Cookies & local storage

We only set cookies and local-storage keys that the service needs to function. None of them track you across other sites, and we don’t use any advertising or marketing cookies.

  • Session cookies (Supabase Auth). When you sign in, Supabase Auth sets HTTP-only session cookies (typically named sb-<project>-auth-token and related) so we can recognise you across pages and refreshes. These are scoped to checkhazard.com and expire on sign-out or after the session lifetime ends.
  • OAuth state / PKCE. During the “Sign in with Google” or “Sign in with Facebook” flow, Supabase Auth briefly sets a state and PKCE-verifier cookie to protect against CSRF attacks. These are deleted as soon as the callback completes.
  • Cloudflare Turnstile (signup). The captcha challenge on signup uses Cloudflare-issued cookies for the duration of the verification. They expire on completion.
  • UI preference keys (local storage). Small on-device keys for things like “you’ve dismissed this banner” or “you prefer the Classic tab.” They never leave your browser.
  • Analytics. Vercel Analytics and Plausible are cookieless — no identifier is stored on your device for analytics purposes.

7. Your rights & data deletion

Under the Philippine Data Privacy Act of 2012 (RA 10173) you can ask us to:

  • Tell you what data we have on you, your account, your queried addresses, or your payment references.
  • Correct anything that’s wrong.
  • Delete your account, your queried addresses, your payment references, or all of the above.

How to delete your CheckHazard account and all associated data, including any data received from Sign in with Google or Sign in with Facebook:

  1. Email checkhazardofficial@gmail.com from the address tied to your account (or quote a payment reference if you don’t have an account) with the subject line “Delete my account”.
  2. We confirm receipt within 48 hours and complete the deletion within 14 days.
  3. Deletion removes your profile row, severs the link between your Google or Facebook identity and CheckHazard (the OpenID Connect claims we received are erased), detaches your queried addresses from your account, and removes you from any saved-report links you created.
  4. We may retain anonymised payment records for at least five years to satisfy Bureau of Internal Revenue (BIR) record-keeping (see § 8). These records carry the Paymongo reference and amount; they no longer link to your account or identity after deletion.

You can also revoke CheckHazard’s OAuth access from the provider side at any time (Google: Apps with access to your account; Facebook: Apps and Websites). Revoking provider access stops future sign-ins but does not by itself delete the data we’ve already received — for that, follow the steps above.

8. Retention

Cached scores and the address-to-coordinate lookups behind them stay until deletion is requested or until we retire the cache (whichever comes first). The geocode cache is an internal performance store — it spares us from re-billing Google for an address someone already looked up — and is never re-displayed publicly or shared with third parties. Payment records are kept for at least five years to satisfy BIR record-keeping. Rate-limit counters expire within minutes.

Inactive accounts. If an account hasn’t been signed into for 24 months and has no associated payment records, we may close it and delete the associated profile data (we’ll email a 30-day warning first if email contact is still working). Paid users retain access to their purchased reports regardless of sign-in activity.

8a. AI-drafted narratives

The plain-English Summary section of each report is drafted by a large language model (currently Anthropic’s Claude). The model receives only the queried address and the structured hazard score we computed for it. It does not receive your email, name, profile picture URL, payment data, IP address, Google user data, Facebook user data, or any other personal identifier. We do not use the LLM provider, or any model output, to derive insights about you as a user. The narrative is cached per address so we don’t re-bill the model on repeat views; you can flag a narrative that reads as wrong or misleading via the contact email below and we’ll review and re-generate it on request.

9. Children

CheckHazard isn't aimed at children. We don't knowingly collect data from anyone under 18.

10. Changes

If we change this policy materially, we'll update the "Last updated" date and post a notice on the homepage.

11. Contact

Privacy questions, data requests, or to flag something that looks wrong: email checkhazardofficial@gmail.com. We aim to respond within 48 hours on business days. Data-deletion requests follow the timeline in § 7.