Skip to main content
Legal · Privacy

Privacy Policy

How we collect, use, and protect your information. Written in plain language where possible.

Effective Date · April 26, 2026

CaveFinder (cavefinder.app) is operated by Buzzy LLC, a New Mexico limited liability company. This Privacy Policy describes how we collect, use, and protect your information when you use our terrain analysis service.

Contact us: help@cavefinder.app

1. Information We Collect

Account Data

When you create an account, we collect:

  • Email address — used for account authentication, password resets, and service notifications
  • Display name — shown in the application interface
  • Password — stored only as a bcrypt hash; we never store or have access to your plaintext password

Usage Data

When you use CaveFinder, we automatically collect:

  • IP address — used for rate limiting and abuse prevention
  • Browser session ID — a random identifier for analytics
  • Search locations — the geographic bounding boxes you analyze (latitude/longitude coordinates defining the area)
  • Analysis parameters — data source selections, filter settings, and feature usage
  • Timestamps — when actions occur

Payment Data

Payment processing is handled entirely by Stripe. We never receive, process, or store your credit card number, bank account details, or other payment instrument data. We store only your Stripe customer ID to link your account to your subscription.

2. How We Use Your Data

  • Provide the service — process your terrain analysis requests and deliver results
  • Enforce subscription tier limits — track usage against your plan allowances
  • Prevent abuse — rate limiting, fraud detection, and enforcing acceptable use
  • Improve detection accuracy — we analyze aggregate usage patterns (such as which data sources and regions are most popular) to improve the service. We never use individual location data to train or improve our proprietary analysis methods.
  • Communicate with you — service announcements, security notices, and responses to support requests

3. Cookies

CaveFinder uses a minimal number of cookies, all essential to the operation of the service:

Cookie Purpose Duration Type
cavefinder_session Session tracking and authentication. Identifies your browser session for analytics and maintaining login state. 30 days Essential, HttpOnly, Secure (production)
cf_tier Stores your current subscription tier (Free or Pro) so the application can display the correct features and limits. 1 year Essential, HttpOnly, Secure (production)

Both cookies are set with the HttpOnly flag (inaccessible to JavaScript) and the Secure flag in production (transmitted only over HTTPS). We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

4. Third-Party Service Providers

We share data with the following third-party processors only as necessary to operate the service:

  • Stripe (stripe.com) — payment processing. See Stripe's Privacy Policy.
  • OpenTopography (opentopography.org) — digital elevation model data downloads. Your requested geographic coordinates are sent to retrieve terrain data.
  • USGS (usgs.gov) — digital elevation model data from the 3D Elevation Program. Your requested geographic coordinates are sent to retrieve terrain data.
  • Cloudflare (cloudflare.com) — CDN, DDoS protection, and SSL/TLS. See Cloudflare's Privacy Policy.
  • OpenStreetMap / Overpass API (openstreetmap.org) — public cave location data. Geographic coordinates are sent to query publicly available cave data.

5. Data Retention

  • Analytics data (usage events, session logs) — retained for 90 days, then deleted
  • Analysis job results (candidate lists, overlays) — purged after 24 hours or on server restart, whichever comes first. Results are not permanently stored.
  • Account data (email, display name, hashed password) — retained until you request account deletion
  • Payment records (Stripe customer ID, subscription status) — retained as long as your account is active or as required for billing/legal purposes

6. Your Rights

Depending on your jurisdiction (including under the GDPR and CCPA), you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you
  • Correction — request correction of inaccurate personal data
  • Deletion — request deletion of your account and associated data. You can delete your account directly within the application, or contact us.
  • Data portability — request your data in a structured, machine-readable format
  • Opt-out of analytics — contact us to opt out of non-essential usage data collection
  • Do Not Sell (CCPA) — we do not sell your personal information to third parties

To exercise any of these rights, contact us at help@cavefinder.app or use the account deletion feature within the application. We will respond within 30 days.

7. Data Security

We protect your data through:

  • Passwords stored using bcrypt hashing (never in plaintext)
  • HTTPS encryption for all data in transit (enforced via HSTS in production)
  • HttpOnly and Secure cookie flags to prevent client-side access
  • Rate limiting to prevent brute-force attacks
  • Security headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy)

8. Children's Privacy

CaveFinder is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at help@cavefinder.app and we will promptly delete it.

9. International Data Transfers

CaveFinder is operated from the United States. If you access the service from outside the US, your data will be transferred to and processed in the United States. By using the service, you consent to this transfer.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify registered users by email before the changes take effect. The “Effective Date” at the top of this page indicates when the policy was last revised.