Last updated 2026-06-04

Privacy policy

Who we are

Viewpoint is built and operated by Marcos Barbero, an independent software developer based in the Netherlands. There is no company behind the app — just one person.

Contact for any privacy question, request, or complaint: marcos@marcosbarbero.com.

The short version

If you use Viewpoint without signing in, we store nothing about you on our servers. Your spots, photos, and notes stay on your device, and your subscription is handled entirely by Apple — you can capture, browse, and plan as a guest and we never see any of it. Signing in is optional; you do it only when you want to sync your content to your other devices and receive condition alerts.

Once you sign in, Viewpoint collects what it needs to do that job (your account, your spots, your photos, your subscription state) and nothing else. Analytics is opt-in, behavior-only, and never includes your photos, GPS coordinates, names of spots, or anything else personally identifying. We don’t sell data, we don’t run ad networks, and we don’t share with third parties beyond Apple (for sign-in + payments + push) and the named infrastructure providers below.

What we store about you

Only if you sign in. Everything in this section applies once you create an account by signing in. As a guest (not signed in) none of it leaves your device: there is no account, and your spots, photos, maps, plans, and watches live only in the app’s local database on your phone. Weather lookups still work as a guest — they send only the latitude/longitude you’re checking, never an identity (see Backend providers → Open-Meteo) — and your subscription is verified directly with Apple, so we don’t see it either.

Your account — email address, and the opaque identifier returned by Sign in with Apple or Sign in with Google if you sign in that way.
Your spots, photos, maps, plans, and watches — the data you create in the app. Captured photos are uploaded to Cloudflare R2 (object storage); the rest lives in a PostgreSQL database hosted on Neon, EU region.
Publicly-shared spots — if you explicitly publish a spot, its location, name, photos, composition notes, and access info become visible to other Viewpoint users via the public-spots surface. Private notes and per-account state (favorites, sync timestamps) never become public, regardless of the spot’s sharing state. Publishing is opt-in, friction-bearing (a confirmation sheet spells out what gets exposed before you confirm), and reversible — see Sharing a spot publicly for the full mechanics + the wildlife-protection safeguard.
Subscription state — whether you’re on the free trial or a paid subscription, and which product (monthly or yearly). The actual payment is handled by Apple’s StoreKit; we never see your card details.
Push notification token — Apple’s opaque APNs identifier so we can deliver condition alerts. Invalidated server-side immediately when you sign out (the device stops receiving alerts for the signed-out account immediately).
Analytics events (only if you turn analytics on) — see the next section.
Crash reports — when the app crashes or hangs, Apple’s own on-device MetricKit framework produces a diagnostic (stack trace, exception/signal codes, device model + OS version, app version). Crashes are visible to us through Apple’s standard developer crash reporting (App Store Connect), and a summary is also sent to a Viewpoint server so we get a timely heads-up — no third-party crash-reporting service is involved. Never your photos, GPS, notes, email, real name, or spot / map / plan content. Default is on (legitimate interest under GDPR Art. 6(1)(f) — knowing the app crashes is necessary to keep it working for you).

How location is used

Location is requested and used only in the context of the Map and capture features, to place and find spots. Persistent background location tracking is not used.

Analytics — opt-in, no PII

Analytics is OFF by default. Turn it on from Settings → Privacy → Share usage analytics. When it’s on:

We forward behavioral events (e.g., “user viewed map tab”, “user captured a spot”, “trial converted to paid”) to Mixpanel via an EU-resident ingest endpoint (api-eu.mixpanel.com).
Each event carries your user UUID (the same one in our database) and a fixed set of allow-listed properties — closed enums or booleans, never free-text from your spots, maps, or photos.
Personally identifiable info — name, email, GPS coordinates, EXIF, your spot/map/plan names, anything you typed — is never included in analytics. The backend enforces this with a closed allow-list on the event-ingest path; events that try to carry disallowed properties are rejected at the edge.
You can turn analytics off any time. The pipeline stops immediately. Deleting your account also queues a deletion request to Mixpanel that purges your historical events.

Full breakdown: How analytics work.

Backend providers

Viewpoint’s backend runs on the following providers. None of them have access to your unencrypted account or data beyond what their service requires:

Fly.io — the API server, hosted in Amsterdam.
Neon — PostgreSQL database, EU region.
Cloudflare R2 — object storage for captured photos.
Apple — Sign in with Apple, StoreKit (payments), APNs (push notifications), and crash reporting (App Store Connect + the on-device MetricKit framework). No separate crash-reporting third party is used.
Google — Sign in with Google (only if you choose that sign-in method; not used otherwise).
Mixpanel — analytics (only if you opt in; EU-resident endpoint).
Open-Meteo — weather forecasts. Calls go through our backend; your account identity is never sent to Open-Meteo, only the latitude/longitude of the location you’re checking.
Slack — when you tap Talk to Marcos in Settings, your message lands in a private Slack channel Marcos reads. Your account UUID is included; no other PII is.

What we don’t do

No advertising — no banners, no interstitials, no ad SDKs.
No cross-app tracking — no IDFA, no fingerprinting.
No data sale — your data isn’t a revenue stream and never will be.

Viewpoint launches in the EU; the EU General Data Protection Regulation applies.

The right to erasure (Article 17). Settings includes a Delete my account & data action. Triggering it permanently deletes your profile and every record that depends on it — spots, photos, maps, plans, watches, device tokens, sessions, subscriptions, audit rows. Captured photos in Cloudflare R2 are scrubbed by a background job within minutes. Mixpanel events (if you ever opted in) are queued for deletion via Mixpanel’s GDPR-erasure endpoint.
Access and portability. Self-service export isn’t built yet. Email marcos@marcosbarbero.com and we’ll send a JSON dump of everything tied to your account.
Withdrawing consent. For analytics, toggle Settings → Privacy → Share usage analytics. The change is immediate — the next event your phone would have sent is the first one suppressed. See How analytics work for the full picture.
Objection, rectification, restriction. Email marcos@marcosbarbero.com for any GDPR rights request not covered by the in-app surfaces above. We will respond within 30 days.
Cancel your subscription via Apple’s standard flow (Settings → Apple ID → Subscriptions). Cancellation is independent of account deletion — if you cancel without deleting your account, your data stays; if you delete your account without cancelling, the subscription keeps billing until you cancel it in Apple Settings.

Changes to this policy

If we change this policy in a way that affects you, the Last updated date at the top of this page reflects when. Material changes (new sub-processors, broader data collection, change in operating entity) will be announced in-app and via the email associated with your account before they take effect.

Contact

For any privacy question, request, or complaint: marcos@marcosbarbero.com.