Privacy Policy

1. Who We Are

Touge Atlas ("we", "us", "our") is a mobile application that helps drivers discover touge roads, circuits, and car-related locations in Japan.

For the purposes of the EU General Data Protection Regulation ("GDPR"), we are the controller of the personal data processed through the app.

Data Controller: Chris Lamb
Email: info@tougeatlas.com

2. What Data We Process

We designed Touge Atlas to minimize personal data collection. While the app requires sign-in to access full features, we collect only the minimum data needed to operate the service.

2.1 Account and Authentication Data

To use Touge Atlas, you sign in using Apple Sign In (on iOS) or Google Sign In (on Android). When you sign in, we receive and store the following data from your authentication provider:

• Your email address (as provided by Apple or Google).
• A unique user identifier (UUID) generated by our authentication system.
• Your authentication provider (Apple or Google).
• Sign-in timestamps (account creation date, last sign-in).

We do not receive or store:

• Your Apple or Google account password.
• Your contacts, photos, or other data from your Apple or Google account.
• Payment information (handled entirely by Apple or Google — see Section 2.9).

If you sign in with Apple and choose to hide your email, we receive only the private relay address that Apple generates. We have no way to discover your real email address.

Your account data is stored securely by our database provider (see Section 5.4). A session token is stored securely on your device and is used to authenticate API requests. This token is never shared with third parties.

2.2 Driving Records (Check-in Data)

When you use the Logbook feature to log a location visit, we store a check-in record in our database. Each record contains:

• Your user ID (UUID).
• The identifier of the location you checked in at (a text slug, not GPS coordinates).
• The timestamp of the check-in.

We do not store your GPS coordinates server-side. Location proximity is verified on your device only. However, because a check-in record links your account to a known location at a specific time, this constitutes location data linked to your identity.

Legal basis: Art. 6(1)(b) GDPR — performance of a contract. Driving records are the core function of the Logbook feature you have chosen to use.

2.3 Location Data (On-Device Only)

If you enable location access in the app and grant permission, we read your device's current location.

We use this location only on your device to:

• Calculate approximate distance to routes and points of interest.
• Sort or filter lists by distance.
• Center the map around your position and show a "you are here" indicator.

We do not:

• Send your precise location coordinates to our servers.
• Store your location long-term.
• Use location for advertising, profiling, or cross-app tracking.

2.4 App Usage and Performance Data (Optional Analytics)

If you choose to enable analytics, we collect certain information about how you use the app, such as:

• Which screens you open (Map, List, Events, Settings, route detail pages).
• Search terms and filter types you apply (for example category, prefecture, vehicle type).
• Non-identifying performance metrics (for example loading times and Web Vitals such as LCP, INP, CLS).
• Technical information from your device (for example OS version, device model, app version, approximate region via IP).

We do not intentionally send to analytics:

• Your precise GPS coordinates.
• Driving behaviour (for example speed, exact path driven).
• Names, email addresses, or free-text user content.

2.5 Technical Data and Logs (Necessary)

When you use the app or our backend API, we necessarily process:

• Standard HTTP request data: IP address, user-agent, requested URL, timestamp.
• Route and filter parameters: for example limit, offset, category, prefecture.

This is used strictly to deliver content, keep our service secure and reliable, and apply simple rate limiting to prevent abuse.

2.6 Local Preferences on Your Device

We store certain preferences in your browser or WebView storage (for example localStorage) so the app behaves consistently between sessions:

• Interface language (English or Japanese).
• Distance unit (km or miles).
• Whether you have completed the onboarding tutorial (touge-onboarding-completed).
• Whether you have enabled location access inside the app (separate from OS permissions).
• The set of locations you have "favorited".
• Whether you have enabled analytics.
• Technical cache data for performance optimization (last API fetch timestamps, schema versions, cache timestamps).

This information is stored locally on your device only. We do not read or sync it to our own servers.

2.7 Session Storage (Temporary UI State)

We use browser session storage (which automatically clears when you close the browser/app) to preserve temporary UI state within a single session:

• Map view position and zoom level.
• Active filters and search terms (categories, course-only, road-only filters).
• List view scroll position and filter selections (search terms, prefecture filters).
• Events view state.

This data is automatically cleared when you close the app and is never sent to our servers. It is used solely to improve user experience by maintaining your view state during a single session.

2.8 Website Contact and Submissions (Optional)

If you use our website forms to submit a spot, photo, or business inquiry, we collect the information you provide, including:

• Contact details (name, email, company/website if provided).
• Submission content (location name, description, coordinates, links).
• Photos you upload and the license consent you grant.

This information is used to review submissions, update the map, and respond to you.

2.9 User Submissions (Photo Contributions, Location Suggestions)

When you submit content via the app (e.g. Contribute Photos or Suggest a Location) or via our website and provide your name, handle, or email for credit or contact, you voluntarily provide personal data. We process it only to attribute your content, to process your submission, and to reply if needed. We do not use it for marketing or share it with third parties.

You can ask us to remove your credit or delete this data at any time by contacting info@tougeatlas.com.

2.10 Push Notifications (Optional)

If you enable push notifications, we store a device token (push notification service token) in our database. This token is encrypted at rest (AES-256-GCM) before storage. We also store:

• Your user ID (UUID).
• The platform (iOS or Android).
• Your preferred language (for localized notifications).

Push tokens are used solely to deliver notifications you have opted into (for example, event reminders or parking area status updates). You can disable push notifications at any time in your device settings or by revoking notification permissions.

Legal basis: Art. 6(1)(a) GDPR — consent. You explicitly grant permission for push notifications through your device's notification dialog.

2.11 PA Live Community Reports

When you submit a parking area status report through PA Live, we store:

• Your user ID (UUID).
• The parking area identifier.
• The status you reported (for example, crowded, closed, or open).
• The timestamp of the report.

Reports are used to provide real-time crowd information to other users. We do not store your GPS coordinates with PA reports.

Legal basis: Art. 6(1)(b) GDPR — performance of a contract (providing the community feature you chose to use).

2.12 Subscription Feedback (Cancel Survey)

If you initiate the subscription cancellation flow in the app, we may ask you to complete an optional exit survey. If you respond, we store:

• Your user ID (UUID).
• The reason you selected.
• Any optional free-text feedback you provide.
• Your subscription type and platform.

This data is used to improve the product. It is not shared with third parties.

Legal basis: Art. 6(1)(f) GDPR — legitimate interests (understanding why subscribers cancel, to improve the service).

2.13 Service Usage Metadata

To maintain service quality and detect inactive accounts for operational purposes, we record when authenticated users last interacted with the service. This includes:

• Your user ID (UUID).
• The date and time of your most recent authenticated request.
• A session count (how many times the app has been opened).
• Your platform (iOS, Android, or web).

This is not behavioral analytics. It does not track which screens you visit, what you search for, or how you use the app. It records only that you used the app, not what you did in it. This data is collected regardless of your analytics consent setting, as it is operational data necessary for service delivery.

Legal basis: Art. 6(1)(f) GDPR — legitimate interests (maintaining service health and managing inactive accounts).

2.14 Purchases and Subscriptions

Touge Atlas offers optional paid features: Atlas Pass (a subscription with monthly, annual, or lifetime options) and Trip Plans (one-time purchases). All payments are processed entirely by Apple (via the App Store) or Google (via Google Play). We never receive or store your payment card details, bank account information, or billing address.

To manage subscriptions and restore purchases across devices, we use our subscription management provider. They receive:

• An anonymous app user ID (linked to your account for purchase restoration).
• Purchase and subscription status (which products you own, subscription expiry dates).
• Platform (iOS or Android) and app version.

Our subscription management provider does not receive your email address, name, location, or any other personal information. For details on how our subscription management provider handles data, see their privacy policy.

3. Purposes and Legal Bases

Under GDPR we must have a lawful basis for each purpose of processing. The following bases refer to Article 6 GDPR.

3.1 Providing the App and Core Features (Contract / Legitimate Interests)

Purpose:

• Serve maps, lists of routes and events.
• Apply search, filters, and sorting.
• Load our static datasets and call our Touge Atlas API.

Data involved: technical data (IP, user-agent, request parameters), local UI preferences.

Legal basis: Art. 6(1)(b) — performance of a contract (providing the app you choose to use) and Art. 6(1)(f) — legitimate interests (operating and securing the service). These operations are strictly necessary to provide the service you request.

3.2 User Account and Authentication (Contract)

Purpose:

• Authenticate you and maintain your session across the app.
• Restore your purchases and subscription status across devices.
• Deliver authenticated API responses and protected content.

Data involved: email address, user ID, authentication provider, session tokens, sign-in timestamps.

Legal basis: Art. 6(1)(b) — performance of a contract (providing the service you signed up for). Account creation is necessary to deliver the app's core functionality and to manage purchases.

3.3 Purchases and Subscription Management (Contract)

Purpose:

• Verify your purchase and subscription status.
• Unlock premium features (Atlas Pass, Trip Plans).
• Enable purchase restoration across devices.

Data involved: anonymous app user ID, purchase records, subscription status.

Legal basis: Art. 6(1)(b) — performance of a contract (fulfilling your purchase).

3.4 Optional Geolocation for Distances and Map Centering (Consent)

Purpose:

• Show distances to locations from your current position.
• Sort and filter lists by distance.
• Center the map around your approximate location.

Data involved: your current location, processed on-device only.

Legal basis: Art. 6(1)(a) — consent. You grant or deny permission through your system or browser location dialog, and you can also turn location on or off in the app Settings.

3.5 Optional Usage and Performance Analytics (Consent)

Purpose:

• Understand which screens and filters are used, to prioritise improvements.
• Measure performance and reliability (for example loading speed, layout stability).

Data involved: screen views, searches, filters, performance metrics, and technical identifiers from our analytics service.

Legal basis: under the ePrivacy Directive (Article 5(3)), analytics SDKs such as our analytics service are considered "cookies or similar technologies" that are not strictly necessary and therefore require prior consent. Under GDPR we rely on Art. 6(1)(a) — your consent before enabling analytics.

Analytics are disabled by default. You can enable or disable Analytics & Performance in the app Settings or via the optional choice on the final onboarding step. No analytics events are sent unless and until you opt in, and you can withdraw consent at any time.

3.6 Security and Anti-Abuse (Legitimate Interests / Legal Obligations)

Purpose:

• Protect our service from abuse and attacks.
• Monitor API health and error rates.

Data involved: limited logs from our API (IP address, timestamps, error messages/traces).

Legal basis: Art. 6(1)(f) — legitimate interests and, where applicable, Art. 6(1)(c) — legal obligations (for example responding to lawful requests).

3.7 Handling Submissions and Inquiries (Consent / Legitimate Interests)

Purpose:

• Review user-submitted locations and photos.
• Update our database and showcase approved content in the app.
• Respond to business inquiries.

Data involved: contact details, submission content, and uploaded photos.

Legal basis: Art. 6(1)(a) — consent (for your submission and photo license) and Art. 6(1)(f) — legitimate interests (running and improving the service).

4. Data Storage Locations

Your data is stored in the following locations:

• On your device: Preferences, favorites, cache data, and your authentication session token are stored locally on your device.
• Database provider: Your account data (email, user ID, auth provider, sign-in timestamps) is stored by our database provider (servers in Tokyo, Japan). See Section 5.4.
• Subscription management: Your anonymous app user ID and purchase/subscription status are stored by our subscription management provider. See Section 5.5.
• Infrastructure/CDN (API and submissions): Technical API logs and any submissions you make (photos, location suggestions) are stored in our infrastructure provider's systems.

We do not store your GPS coordinates, driving behavior, favorites, or app preferences on our servers. These remain on your device only.

5. How and Where Your Data is Processed

5.1 Backend API (Infrastructure Provider)

Our API is hosted on our infrastructure provider and accessed over HTTPS. Requests include non-personal parameters (limits, categories, prefectures) and standard HTTP metadata (IP address, user-agent). Our infrastructure provider acts as our processor and CDN provider and may process limited traffic data for security and performance in line with its own privacy policy.

5.2 Weather Data (WeatherAPI.com)

When you view weather information for a location, the app requests weather data via our API from WeatherAPI.com. WeatherAPI.com receives the latitude and longitude of the location you are viewing (not your personal location) and standard HTTP request metadata. See their privacy policy.

5.3 Analytics Service (Only if You Opt In)

If you enable analytics, we send usage events to our analytics service. Our analytics service processes app usage data and certain device identifiers as an independent or joint controller under their terms and privacy policy.

Data may be stored on servers outside the EEA (for example in the United States). We rely on our analytics provider's use of Standard Contractual Clauses and other safeguards as provided in their data protection terms.

5.4 Database Provider (Authentication and Database)

We use our database provider to manage user authentication and as our backend database. Our database provider stores your account data (email, user ID, auth provider, timestamps) and acts as our data processor under GDPR.

Our database provider's servers for this project are located in Tokyo, Japan. For details on how our database provider handles data, see their privacy policy and Data Processing Agreement.

5.5 Subscription Management Provider

We use our subscription management provider to manage in-app purchases and subscriptions. They receive an anonymous app user ID and purchase transaction data from Apple or Google to verify and manage your subscription status. Our subscription management provider acts as our data processor under GDPR. Data may be stored in the United States.

For details, see their privacy policy and Data Processing Agreement.

5.6 Local Storage on Your Device

Preferences, favorites, and cache data are stored locally on your device. Persistent data (preferences, favorites) remains until you clear app data or uninstall. Temporary data (map position, filters) clears automatically when you close the app.

Deleting the app or clearing your app data removes all locally stored entries.

6. Data Retention

• Account data (email, user ID, auth provider) is retained for as long as your account exists. When you delete your account, this data is permanently deleted within 30 days.
• Driving records (check-in history) are stored for as long as your account exists. They are permanently deleted when you delete your account, within 30 days.
• Push notification tokens are stored (encrypted) for as long as your account exists or until you disable notifications. They are deleted when you delete your account.
• PA Live reports are stored for as long as your account exists. They are deleted when you delete your account.
• Cancel survey responses are retained indefinitely in anonymized aggregate form for product improvement. The association with your user ID is deleted when you delete your account.
• Service usage metadata (last active date, session count) is stored for as long as your account exists. It is deleted when you delete your account.
• Purchase and subscription data is retained by our subscription management provider for as long as your account exists, and by Apple/Google as part of your purchase history with them.
• Local preferences (language, units, favorites, location/analytics toggles, cache data) remain on your device until you clear app data or uninstall.
• Session storage (map position, filters, search terms) is automatically cleared when you close the app.
• Backend logs (API access logs, error logs) are kept for limited periods needed for security and troubleshooting (typically 30-90 days), after which they are deleted or irreversibly anonymised.
• Analytics data retained by our analytics service is subject to retention settings in our analytics project and to our analytics provider's own policies. We configure retention to the shortest period consistent with meaningful aggregate statistics (typically 14 months).

7. Your Rights

If you are in the EU/EEA, UK or Switzerland, you have the following rights under data protection law, subject to conditions and exceptions:

• Right of access (Art. 15 GDPR) — ask us to confirm whether we process your personal data and receive a copy.
• Right to rectification (Art. 16 GDPR) — ask us to correct inaccurate or incomplete data.
• Right to erasure (Art. 17 GDPR) — ask us to delete your personal data where there is no longer a lawful basis to keep it.
• Right to restriction (Art. 18 GDPR) — ask us to restrict processing in certain circumstances.
• Right to data portability (Art. 20 GDPR) — where processing is based on consent or contract and carried out by automated means, request a copy of your data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21 GDPR) — object to processing based on our legitimate interests.
• Right to withdraw consent (Art. 7(3) GDPR) — where we process data based on your consent (location, analytics), withdraw that consent at any time.

Withdrawing consent does not affect the lawfulness of processing that took place before withdrawal. To exercise your rights, contact us at info@tougeatlas.com. We may need to reasonably verify your identity before responding.

You also have the right to lodge a complaint with your local data protection authority (for example, in the EU the supervisory authority of your habitual residence or place of work). A list of EU supervisory authorities can be found at https://edpb.europa.eu/about-edpb/board/members_en.

Japan APPI Rights

Under Japan's Act on the Protection of Personal Information (APPI), all users whose data is handled by Touge Atlas have the following rights:

• Right to disclosure (Art. 33): Request disclosure of your retained personal data. We will respond without delay.
• Right to correction (Art. 34): Request correction, addition, or deletion of inaccurate personal data.
• Right to cessation of use (Art. 35): Request that we stop using or erase your personal data if it was processed beyond the stated purpose or obtained improperly.
• Right to cessation of third-party provision (Art. 35): Request that we stop providing your personal data to third parties.
• Right to receive data electronically (Art. 33(2)): Request a copy of your personal data in electronic format.

To exercise any of these rights, contact us at info@tougeatlas.com. We will respond without undue delay.

Obligation to Provide Data

Creating an account (via Apple Sign In or Google Sign In) is required to use the app. Without an account, you cannot access the app's features. This is a contractual requirement, not a statutory one.

8. Children's Data

Touge Atlas is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

9. International Data Transfers

Where data is transferred outside the EEA, the UK or Switzerland (for example, by our analytics service, our infrastructure provider, our database provider, or our subscription management provider), we rely on appropriate safeguards under GDPR, such as Standard Contractual Clauses (Art. 46 GDPR), or transfers to countries for which the European Commission has issued an adequacy decision (including Japan, which has an adequacy decision from the European Commission). Further details are available in the respective provider's data protection documentation, and we can provide more information upon request.

Cross-Border Transfer Details (APPI Art. 28)

Under Japan's APPI, the following countries receive personal data from Touge Atlas:

• Japan: Our database provider (database hosting, Tokyo region). Domestic processing, no cross-border transfer.
• United States: Our infrastructure/CDN provider (CDN, API proxy), our subscription management provider, our analytics service (opt-in analytics). The United States does not have a personal data protection system recognized by Japan's Personal Information Protection Commission (PPC) as equivalent to APPI. We ensure these providers maintain organizational and contractual safeguards that meet APPI standards, including encryption of data in transit and at rest, access controls, and data processing agreements.

Japan and the EU have mutual adequacy recognition. For transfers from the EU to Japan, Japan's supplementary rules under the adequacy framework apply.

10. External Transmission of User Information

In accordance with Article 27-12 of Japan's Telecommunications Business Act, we disclose the following information about data transmitted to third parties when you use the Touge Atlas app or website.

For details on how each service handles your data, please refer to their respective privacy policies linked in Section 5 above.

11. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit and at rest.
• Secure hosting infrastructure.
• Secure token storage on device.
• Token-based authentication with expiry and refresh.
• Regular security assessments and updates.
• Limited access controls to personal data.

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority without undue delay, in accordance with Art. 33-34 GDPR.

13. Automated Decision-Making

We do not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you.

14. How to Delete Your Data or Stop Processing

Delete Your Account

You can delete your account and all associated server-side data at any time by going to Settings > Account > Delete Account in the app. This permanently deletes:

• Your authentication record (email, user ID, sign-in history) from our database provider.
• Your driving records (check-in history, locations visited and timestamps) from our database provider.
• Your push notification tokens from our database provider.
• Your PA Live reports and PA subscriptions from our database provider.
• Your cancel survey responses from our database provider.
• Your service usage metadata (last active date, session count) from our database provider.
• Your anonymous user ID and subscription data from our subscription management provider.
• Any submission credits linked to your account.

Account deletion is processed within 30 days. Active subscriptions should be cancelled through the App Store or Google Play before deleting your account, as we cannot process refunds after account deletion.

Delete Local Data

Preferences, favorites, and cached data are stored only on your device. To delete this data:

• Uninstall the app from your device; or
• Clear app data in your device settings.

Withdraw Consent for Analytics

Turn off Analytics & Performance in the app Settings. This stops future analytics events. If you ask us to delete data and we can reasonably identify data relating to your device in a third-party service, we will delete or anonymise it to the extent technically possible.

Request Data Export

You can request a copy of all personal data we hold about you by contacting info@tougeatlas.com. We will provide your data in a structured, machine-readable format within 30 days.

For more information, see our Data Deletion Request page.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date below and, where appropriate, show a notice in the app. Please review this policy periodically.

16. Contact

If you have questions about this policy or how we handle your data, or if you want to exercise your rights, you can contact:

Data Controller: Chris Lamb
Email: info@tougeatlas.com