Last updated: 22 March 2025

Hexmap ("the service") is a service provided by The Artificial Creative BV, a limited private company (besloten vennootschap) of the Netherlands registered in Amsterdam with the KvK number 61953679.

This document (the Privacy Policy) describes what data we collect and how we use it. It also describes the rights and options you have regarding your personal data. By using Hexmap, you agree to the collection and use of information in accordance with this policy, our Terms & Conditions, and the laws of the Netherlands and European Union.

Your rights

We comply with the EU citizen rights of the General Data Protection Regulation, for all users of Hexmap. Additionally, residents of the U.S. state of California have rights under the California Consumer Privacy Act of 2018.

Sale of data

Hexmap does not sell or trade your personal data.

Children

If you are under the age of 16, or under the age of 13 in the United States, you must not create a Hexmap account or otherwise provide us with personal data. If we learn a user is under 16, or under 13 in the United States, we will delete the user's data.

Data security

Privacy guarentees are only as strong as our ability to keep data from leaking unintentionally.

Every reasonable effort has been made to keep your data at Hexmap secure. We use industry-standard Postgresql for data storage, and our server application code is exclusively written in Rust to reduce attack risks. Sensitive data such as passwords are never written to storage unencrypted, and best practices are used to encrypt them. Our servers are exclusively based in the EU where legal defenses for privacy are strongest.

Nonetheless, the only secure data is data that does not exist. While we are proud to take privacy and data security seriously, we are not equipped to defend against or even detect attacks from serious threats like state-sponsored actors. You should not use Hexmap to store sensitive data.

Retention of data

We will retain your personal data as long as we consider your account valid. This includes accounts that are inactive but not deleted. If you request account deletion, we will make every reasonable effort to remove your personal data from our systems within 7 days, in accordance to the the GDPR right of erasure for EU citizens. This should comply with your rights that may apply in other jurisdictions.

Profile data

When you sign up for Hexmap, we ask you to provide an email address. The email address is used to send you messages such as password reset emails, periodic reports, and updates about the service. We may also use it to for customer support purposes, including correlating your email address with your account.

We do not share your email address with third parties. We do not sell your email address. We do not use your email address for marketing purposes.

We also request you provide a username, which is displayed on the Hexmap website and is used to uniquely identify your account.

Visits data

The time and place data you enter, upload, or import from a third party to Hexmap, is used to generate your visits data which represents your visits to map cells per day. By providing your data to Hexmap, you consent to the use of visits data as described in this policy.

Your visits data is stored and used to create your maps. Based on how you configure your Hexmap account, these maps may be sent to you via email or published elswhere. Your visits data is also used along with other Hexmap users to create aggregate maps, which may be published elsewhere.

When you set your profile to private, your maps will no longer be visible to other users on Hexmap. We cannot remove maps that have previously been sent or published elsewhere. Also when your profile is set to private, your data will be removed from the aggregate maps in Hexmap; these maps also may have been published elsewhere and cannot be retracted.

Third-party importing ("sync")

When you connect to a third-party service, such as Strava, we store credential information specific to the service. In most cases, this is in the form of tokens that are meaningful only in the context of our connection to the service, but these credentials may include identifying information. When you disconnect (via Hexmap or if the service informs us you have deauthorized Hexmap), these credentials are permanently deleted.

These services provide Hexmap with records of your location at specific times. We use this information to populate your maps, and may keep more precise details for troubleshooting or future features.

Some of these services bind Hexmap to their data handling terms. For example, Strava requires us to remove the data they have shared with us if you deauthorize Hexmap. As of 22 March 2025, it is not clear whether this must result in the removal of visits data.

Some services provide additional data about you; they may send us identifying details such as gender, birthday, et al. We do not store any of these details.

Hexmap usage

When you use the Hexmap website or one of our applications, we may collect information about which activities you perform and what network resources you request, including via browser cookies. This is used only to tune performance and audit reliability, but may not always be anonymous.

Legal basis for processing

We process your personal data on the following legal grounds: (a) your consent when you connect third-party services; (b) performance of our contract with you to provide the Hexmap service; (c) our legitimate interests in maintaining and improving our service; and (d) compliance with legal obligations where applicable.

International data transfers

Your data is stored on servers located in the European Union. We do not transfer your personal data outside the EU except where necessary to fulfill our obligations to you or where we have appropriate safeguards in place as required by GDPR.

Automated decision-making

Hexmap does not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.

Other data disclosures

We may disclose personal data about you to others: (a) if we have your valid consent to do so; (b) to comply with a valid subpoena, legal order, court order, legal process, or other legal obligation; (c) to enforce any of our terms and conditions or policies; or (d) as necessary to pursue available legal remedies or defend legal claims. We may also transfer your personal data to an affiliate, a subsidiary or a third party in the event of any reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock, including, without limitation, in connection with any bankruptcy or similar proceeding, provided that any such entity that we transfer personal data to will not be permitted to process your personal data other than as described in this Privacy Policy without providing you notice and, if required by applicable laws, obtaining your consent.

Changes to this policy

Circumstances may require we update this Privacy Policy. Changes will apply immediately upon publication. The "last updated" note on this page will indicate when changes have been made. If the changes are material, we will provide notice to users via email. When required by law, we will obtain consent before such changes apply.

Data Protection Officer

To contact our Data Protection Officer, please email hans@theartificial.nl.