Last Updated: December 28, 2025
This Privacy Policy describes how the OSM Notes API ("we", "our", or "the Service") collects, uses, and protects information when you use our service.
When you access the Service, we automatically collect:
Request Information:
- IP address
- User-Agent string (as required by the Service)
- Request timestamp
- Requested endpoint/URL
- HTTP method
- Response status code
- Response time
Technical Information:
- Request headers (User-Agent, Accept, etc.)
- Referrer (if provided)
- Request size and response size
User-Agent Header:
- The Service requires a User-Agent header in the format:
AppName/Version (contact@example.com) - This email address is logged for contact purposes
- You are responsible for ensuring the email address is valid and you have permission to use it
Optional Information:
- OAuth tokens (when authentication is implemented)
- API keys (if provided)
We do NOT collect:
- Personal identification information beyond what is in the User-Agent
- Payment information (Service is free)
- Location data beyond what is in API requests
- Cookies or tracking technologies
- Third-party analytics data
We use collected information to:
- Provide and maintain the Service
- Process API requests
- Monitor service performance
- Detect and prevent abuse
- Debug issues and improve the Service
Purpose:
- Security monitoring
- Abuse prevention
- Performance optimization
- Troubleshooting
Retention: Logs are retained for a limited period (typically 30-90 days) and then deleted.
IP addresses and User-Agents are used to enforce rate limiting and prevent abuse.
Aggregated, anonymized data may be used for:
- Service usage statistics
- Performance metrics
- Capacity planning
Logs:
- Stored securely on our servers
- Encrypted at rest (where possible)
- Access restricted to authorized personnel
Database:
- Contains only OpenStreetMap notes data (public data)
- No personal user data stored
- Backed up according to our backup strategy
We implement security measures to protect your information:
- Secure server infrastructure
- Access controls and authentication
- Regular security updates
- Monitoring and intrusion detection
- Rate limiting and abuse prevention
However, no method of transmission over the Internet is 100% secure.
We do NOT sell, trade, or rent your information to third parties.
We may share information only in the following circumstances:
Legal Requirements:
- To comply with legal obligations
- To respond to lawful requests from authorities
- To protect our rights and safety
Service Providers:
- With trusted service providers who assist in operating the Service
- These providers are bound by confidentiality agreements
Public Data:
- OpenStreetMap notes data is public and may be shared as part of the Service
- This is inherent to the Service's purpose
We may share aggregated, anonymized statistics that do not identify individuals.
- Request Logs: Retained for 30-90 days
- Error Logs: Retained for 90 days
- Security Logs: Retained for 1 year
- Prometheus Metrics: Retained for 200 hours (8.3 days)
- Aggregated Statistics: Retained indefinitely (anonymized)
- No Personal Data Stored: The Service does not store personal user accounts or profiles
- User-Agent Information: Retained in logs per retention policy above
You have the right to:
- Request information about what data we have about you
- Request a copy of your data (if applicable)
How to Request:
- Open a GitHub issue: https://github.com/OSM-Notes/OSM-Notes-API/issues
- Provide your IP address and User-Agent for identification
You may request deletion of your data:
- Request log deletion (subject to retention policies)
- Note: Aggregated, anonymized data cannot be deleted
You may request correction of inaccurate data:
- Contact us via GitHub Issues
- Provide details of the inaccuracy
You may object to processing of your data:
- Stop using the Service
- Contact us if you have concerns
If you are located in the European Union, you have additional rights under the General Data Protection Regulation (GDPR):
We process your data based on:
- Legitimate Interest: Service operation, security, abuse prevention
- Legal Obligation: Compliance with applicable laws
- Right to access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object
- Right to withdraw consent (where applicable)
For GDPR-related inquiries, contact us via GitHub Issues.
The Service is not intended for children under 13 years of age. We do not knowingly collect information from children. If you believe we have collected information from a child, please contact us immediately.
The Service provides access to OpenStreetMap data. Your use of this data is subject to OpenStreetMap's terms and licenses.
We use hosting providers to operate the Service. These providers may have access to technical information necessary for service operation.
We use monitoring services (Prometheus, Grafana) for service operation. These services collect technical metrics.
Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws.
By using the Service, you consent to the transfer of your information to these countries.
We may update this Privacy Policy from time to time. Changes will be effective immediately upon posting.
Notification: Significant changes will be announced via:
- GitHub repository updates
- Service status page (if available)
Last Updated: The "Last Updated" date at the top indicates when this policy was last revised.
By using the Service, you consent to:
- This Privacy Policy
- Collection and use of information as described
- Data processing as described
For questions about this Privacy Policy or your data, please contact:
- GitHub Issues: https://github.com/OSM-Notes/OSM-Notes-API/issues
- Repository: https://github.com/OSM-Notes/OSM-Notes-API
Data Controller: OSM Notes Team
Contact: Via GitHub Issues at https://github.com/OSM-Notes/OSM-Notes-API/issues
Note: This is a template Privacy Policy. You should review and customize it according to your specific legal requirements, jurisdiction, and actual data practices. Consider consulting with a legal professional, especially for GDPR compliance, before using this in production.