// LEGAL

Privacy Policy

Effective date: 21 May 2026  ·  GeoEdge AI (ABN 000 000 000)

1. Overview

GeoEdge AI ("we", "our", or "the Service") is a geospatial AI assistant embedded in QGIS. This policy explains what data we collect, why we collect it, how we use it, and your rights as a user. We are committed to handling your data responsibly and transparently.

By using the GeoEdge AI plugin or the app.geoedge.com.au web application, you agree to the practices described in this policy.

2. Data We Collect

We collect only what is necessary to provide and improve the Service:

  • Account data — email address, display name, and (for OAuth sign-in) a provider-issued identifier.
  • Authentication tokens — short-lived JWTs and hashed refresh tokens used to maintain your session.
  • Usage data — token counts per session and per billing period, used for quota enforcement and billing.
  • Billing data — subscription plan and payment status, processed via Stripe. We do not store raw card numbers.
  • Plugin telemetry — anonymous error reports and feature-usage signals to improve reliability. No QGIS project data, layer contents, or file paths are transmitted.
  • AI session data — the text prompts you send to the agent during an active session, processed to generate responses. Sessions are not stored beyond the active turn unless you explicitly save them.

3. How We Use Your Data

  • Authenticate you and maintain your session across devices.
  • Enforce your subscription quota and generate billing records.
  • Deliver AI-generated geospatial analysis in response to your prompts.
  • Send transactional emails (account verification, password reset, receipts).
  • Detect abuse and enforce our Terms of Service.
  • Improve the reliability and accuracy of the Service through aggregated, anonymised analytics.

We do not sell your personal data, use it for advertising, or share it with third parties for their own marketing purposes.

4. Google User Data

GeoEdge AI offers "Sign in with Google" as an optional authentication method. This section fully discloses how we interact with Google user data in compliance with the Google API Services User Data Policy and the Limited Use requirements.

4.1 — OAuth scopes requested

When you choose "Sign in with Google", we initiate a standard OAuth 2.0 authorisation code flow and request only the following three identity scopes:

  • openid — confirms your identity with Google and returns a unique subject identifier (sub).
  • email — returns your primary Google account email address and whether it has been verified by Google.
  • profile — returns your Google display name.

We do not request access to Gmail, Google Drive, Google Calendar, Google Contacts, Google Photos, or any other Google service. No Google Refresh Token is requested or stored.

4.2 — Specific data accessed and collected

At the conclusion of the OAuth flow, our server makes a single HTTPS request to the Google userinfo endpoint (https://www.googleapis.com/oauth2/v3/userinfo) using the short-lived access token provided by Google. We receive and store only the following three fields:

| Google field | Scope | Stored in our database as | Why we need it |
|---|---|---|---|
| email | email | email — plain text, used as the account's primary identifier | Uniquely identifies your account; used for login matching, transactional emails (receipts, password reset), and billing records |
| name | profile | display_name — plain text | Displayed in the GeoEdge AI interface and in Stripe billing records so invoices are addressed correctly |
| sub | openid | oauth_provider_id — plain text | Stably links your Google identity to your GeoEdge account so that subsequent sign-ins with Google are matched to the correct account even if your email address changes |

No other fields from the Google userinfo response (such as picture, locale, or hd) are read, stored, or processed. The Google OAuth access token is used for this single userinfo request and is immediately discarded — it is never written to disk, logged, cached, or transmitted to any other service.

4.3 — How Google user data is used

The three fields retrieved from Google are used solely to provide the GeoEdge AI authentication service. Specifically:

  • Account creation (first sign-in). If no GeoEdge account exists for your email address, we create one using your email, display name, and Google subject identifier. A free Starter subscription tier is automatically activated. No additional data is requested from you at this step.
  • Account login (returning users). We look up your existing GeoEdge account by matching your Google sub (or email as a fallback) and sign you in. No new data is written to your account record during a normal login.
  • Session token issuance. Your email address is embedded in a short-lived, server-signed JWT (2-hour TTL) that is returned to your browser. This token is used to authenticate subsequent API requests to the GeoEdge backend. The JWT is not sent to Google or any other external service.
  • Billing customer record. Your email address and display name are transmitted to Stripe Inc. to create or retrieve a billing customer record. This is required to issue invoices and process subscription payments. Stripe's use of this data is governed by the Stripe Privacy Policy.
  • Transactional communications. Your email address may be used to send account-related emails (e.g., payment receipts, service notices) via our transactional email provider, Resend. It is not used for marketing without your separate consent.

Google user data is not used for any AI model training, geospatial analysis, product analytics, advertising, re-identification, or any purpose beyond the five uses described above.

4.4 — How Google user data is stored

  • The three fields are stored in our production database (PostgreSQL, Railway-hosted infrastructure) in the users table. Database connections use TLS in transit; storage at rest is encrypted by the infrastructure provider.
  • Application logs do not record the values of these fields — only anonymised event identifiers (e.g., "oauth_login_success") are logged for debugging.
  • No copy of any Google user data is held by the QGIS plugin on the user's device. The plugin receives only the GeoEdge-issued JWT, which does not contain the Google subject identifier.

4.5 — Sharing of Google user data

We share Google user data with the following parties and no others:

  • Stripe — email and display name only, for billing customer creation (see §4.3 above).
  • Resend — email address only, for transactional email delivery.

We do not sell, rent, broker, or otherwise transfer Google user data to any other third party. We do not allow any third party to use Google user data for their own independent purposes.

4.6 — Retention and deletion of Google user data

Google user data (email, display name, and Google subject identifier) is retained for as long as your GeoEdge account remains active. When you delete your account, these fields are deleted or irreversibly anonymised within 30 days, subject to legal retention obligations (see §6). To request deletion, contact privacy@geoedge.com.au.

4.7 — Google API Limited Use compliance

GeoEdge AI's use of data received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We use Google user data only to provide and improve the user-facing GeoEdge AI authentication and account management features explicitly described in this policy.
  • We do not use Google user data to develop, train, or improve generalised AI or machine-learning models.
  • We do not use Google user data for advertising or for building advertising profiles.
  • We do not allow humans to read Google user data except where you have given us explicit permission, or where it is necessary for security investigation or legal compliance, and only to the minimum extent necessary.
  • We do not transfer Google user data to third parties except as described in §4.5, and only to the extent necessary to provide the service.

5. Third-Party Services

  • Stripe — payment processing. Your email and name are shared to create a billing customer. Stripe's privacy policy applies to data they hold.
  • Anthropic — the AI model provider that processes your text prompts. Prompts are transmitted to Anthropic's API under their data processing terms.
  • Resend — transactional email delivery (account verification, receipts). Your email address is shared only for delivery purposes.

6. Data Retention

Account data is retained for as long as your account is active. If you delete your account, we delete or anonymise your personal data within 30 days, except where retention is required by law (e.g., financial records for tax purposes, which we retain for 7 years).

AI session data is not stored beyond the active session unless you explicitly save a conversation. Anonymised, aggregated usage statistics may be retained indefinitely.

7. Security

We use industry-standard controls including HTTPS in transit, bcrypt-hashed passwords, hashed refresh tokens, short-lived access tokens, and server-side integrity verification of the distributed plugin. We do not store raw payment card data.

Despite these measures, no system is perfectly secure. We will notify affected users and relevant authorities in the event of a breach as required by the Privacy Act 1988 (Cth) Notifiable Data Breaches scheme.

8. Your Rights

Under the Australian Privacy Act 1988 (Cth) you have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your account and associated personal data.
  • Opt out of non-essential communications.

To exercise any of these rights, contact us at privacy@geoedge.com.au. We will respond within 30 days.

9. Cookies and Local Storage

The web application uses browser local storage to persist your authentication session client-side. We do not use third-party tracking cookies or advertising pixels.

10. Policy Updates

We may update this policy from time to time. Material changes will be communicated by email or by a prominent notice in the application at least 14 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

11. Contact

For privacy-related questions or complaints, contact us at privacy@geoedge.com.au. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.