Privacy Policy

Last Updated: January 2025

Version: 1.0

1. Introduction

FindYourFivePM is committed to protecting your privacy. This Privacy Policy explains our minimal data collection practices and how we comply with the General Data Protection Regulation (GDPR).

🔒 Key Point: We use Umami Analytics, which is GDPR-compliant by default. It does not use cookies, does not collect personal data, and anonymizes all visitor information. No consent is required for our analytics because they are privacy-focused by design.

2. Data Controller

The data controller responsible for your personal data is:

123cloud.st
Email: will@123cloud.st
Website: https://123cloud.st

For any questions about this Privacy Policy or to exercise your data protection rights, please contact us at the email address above.

3. Data We Collect

3.1 Analytics Data (Anonymized - No Consent Required)

We use Umami Analytics, a privacy-focused service that:

  • ✅ Does NOT use cookies
  • ✅ Does NOT collect personal data
  • ✅ Anonymizes all visitor data
  • ✅ Is GDPR-compliant by default
  • ✅ Does NOT track users across websites

Umami collects only anonymized information:

  • Page views (which pages you visit)
  • Referrer (where you came from)
  • Browser type and version
  • Device type and screen size
  • Country-level location (IP address anonymized immediately)

Why no consent required: Under GDPR Article 6(1)(f), consent is not required for analytics that do not use cookies and do not collect personal data. Umami meets these criteria by design, making it a legitimate interest for improving our service.

Learn more: Umami Privacy Policy

3.2 Browser Storage (Essential - No Consent Required)

We store minimal preferences in your browser to enhance your experience:

localStorage (Persistent)

  • mapStyle - Your map preference (Standard or Hybrid view)
  • fyf5pm_privacy_notice_dismissed - Whether you've dismissed the privacy notice

sessionStorage (Temporary - Deleted When Browser Closes)

  • fyf5pm_tour_completed - Tour completion status
  • fyf5pm_tour_skipped - Tour skip status
  • rikiteaMessageShown - Special Easter egg message status

Why no consent required: Under GDPR, these are considered "strictly necessary" storage items because they are essential for the website to function and remember your preferences. They contain no personal data and cannot be used to identify you.

How to clear browser storage: You can clear all stored preferences at any time through your browser settings:

  • Chrome: Settings → Privacy and security → Clear browsing data → Cookies and other site data
  • Firefox: Settings → Privacy & Security → Cookies and Site Data → Clear Data
  • Safari: Preferences → Privacy → Manage Website Data → Remove All
  • Edge: Settings → Privacy, search, and services → Clear browsing data

3.3 Server Logs (Operational - Legitimate Interest)

Our servers automatically log technical information for security and operational purposes:

  • IP address (anonymized after 7 days)
  • Request timestamp
  • Requested URL
  • HTTP status code
  • User agent string (browser information)

Legal basis: Legitimate interest under GDPR Article 6(1)(f) for security monitoring, service operation, and debugging.

3.4 Data We Do NOT Collect

We are committed to data minimization. We do NOT collect:

  • ❌ Names, email addresses, or contact information (unless you contact us)
  • ❌ User accounts or login credentials
  • ❌ Payment information
  • ❌ Precise geolocation data
  • ❌ Social media profiles
  • ❌ Tracking cookies or advertising cookies
  • ❌ Cross-site tracking data
  • ❌ Behavioral profiles

4. Third-Party Services

We use the following third-party services to provide and improve our service:

4.1 Umami Analytics

Purpose: Website analytics and usage statistics

Data Shared: Anonymized page views, browser information, country-level location

Privacy Policy: https://umami.is/privacy

GDPR Compliance: Compliant by default (no cookies, no personal data, full anonymization)

Data Location: Cloud-hosted (specific region not disclosed by Umami)

4.2 Amazon Web Services (AWS)

Purpose: Website hosting, API infrastructure, and data storage

Services Used: CloudFront (CDN), S3 (storage), Lambda (serverless functions), API Gateway, DynamoDB (database), Route53 (DNS), CloudWatch (monitoring)

Privacy Policy: https://aws.amazon.com/privacy/

Data Location: Multiple AWS regions (see Section 7)

GDPR Compliance: AWS is GDPR-compliant and provides Standard Contractual Clauses (SCCs)

4.3 GeoNames

Purpose: City and timezone data source

Data Shared: None (we use their public dataset)

License: CC BY 4.0

Website: https://www.geonames.org/

4.4 Wikipedia

Purpose: City information and articles

Data Shared: API requests for article content (no personal data)

Privacy Policy: Wikimedia Privacy Policy

Website: https://www.wikipedia.org/

Important: We do not sell, rent, or share your data with third parties for marketing purposes. All third-party services listed above are used solely to provide and improve our service.

5. Data Retention

We retain different types of data for varying periods based on their purpose:

Data TypeRetention PeriodReasonLegal Basis
Browser localStorageUntil you clear itPreserve your preferencesLegitimate interest (GDPR Art. 6(1)(f))
Browser sessionStorageUntil browser session endsTemporary session stateLegitimate interest (GDPR Art. 6(1)(f))
Umami Analytics (anonymized)365 daysHistorical trend analysisLegitimate interest (GDPR Art. 6(1)(f))
CloudWatch logs30 daysOperational monitoring and debuggingLegitimate interest (GDPR Art. 6(1)(f))
CloudTrail logs90 daysSecurity auditing and complianceLegal obligation (GDPR Art. 6(1)(c))

After the retention period expires, data is automatically deleted or anonymized beyond recovery.

6. Your Rights Under GDPR

Under the General Data Protection Regulation (GDPR), you have the following rights:

6.1 Right to Access (Article 15)

You have the right to request a copy of the personal data we hold about you. Given our minimal data collection, this typically includes only server logs (if within retention period).

6.2 Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data. Since we don't collect personal profiles, this right is limited in scope.

6.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data. You can immediately:

  • Clear browser storage through your browser settings (see Section 3.2)
  • Request deletion of server logs by contacting us

Note: Umami Analytics data is already anonymized and cannot be linked back to you.

6.4 Right to Restrict Processing (Article 18)

You have the right to request that we limit how we process your data while we verify accuracy or assess your objection to processing.

6.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format. Given our minimal data collection, this typically applies only to browser storage preferences, which you can export through your browser's developer tools.

6.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests. You can:

  • Use browser privacy features to block analytics
  • Clear browser storage to remove preferences
  • Contact us to object to server log retention

6.7 Right to Lodge a Complaint

You have the right to file a complaint with your local data protection authority if you believe we have not complied with GDPR. In the EU, you can find your local authority at:

European Data Protection Board - National Authorities

How to Exercise Your Rights

Contact us: will@123cloud.st

Response time: We will respond to your request within 30 days as required by GDPR.

Verification: We may ask for verification of your identity to protect your privacy.

No fee: Exercising your rights is free of charge unless requests are manifestly unfounded or excessive.

7. International Data Transfers

Our service uses AWS infrastructure across multiple regions worldwide. Your data may be processed in the following AWS regions:

7.1 AWS Regions

  • United States: us-east-1 (N. Virginia), us-east-2 (Ohio), us-west-2 (Oregon)
  • European Union: eu-central-1 (Frankfurt), eu-west-1 (Ireland), eu-west-2 (London), eu-south-2 (Spain), eu-north-1 (Stockholm)
  • Asia Pacific: ap-south-1 (Mumbai), ap-southeast-1 (Singapore), ap-southeast-2 (Sydney), ap-southeast-5 (Malaysia), ap-northeast-1 (Tokyo)
  • Canada: ca-central-1 (Montreal)
  • South America: sa-east-1 (São Paulo)

7.2 Legal Safeguards for International Transfers

For data transfers outside the European Economic Area (EEA), we rely on:

  • AWS Standard Contractual Clauses (SCCs): AWS has implemented EU-approved Standard Contractual Clauses for international data transfers.
  • Adequacy Decisions: Some regions (e.g., Canada) have adequacy decisions from the European Commission.
  • Data Minimization: We minimize data collection to reduce transfer risks.

Learn more about AWS GDPR compliance: AWS GDPR Center

7.3 Umami Analytics Data Location

Umami Analytics processes anonymized data in their cloud infrastructure. Since all data is anonymized and contains no personal information, GDPR transfer restrictions do not apply.

8. Data Security

We implement appropriate technical and organizational measures to protect your data:

8.1 Technical Measures

  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS 1.2 or higher.
  • Encryption at Rest: Data stored in AWS services (S3, DynamoDB) is encrypted using AWS-managed encryption keys.
  • Access Controls: Strict access controls limit who can access production systems and data.
  • Security Monitoring: CloudWatch and CloudTrail monitor for security events and unauthorized access attempts.
  • Regular Updates: We keep all systems and dependencies up to date with security patches.

8.2 Organizational Measures

  • Data Minimization: We collect only the minimum data necessary to provide our service.
  • Privacy by Design: Privacy considerations are built into our architecture from the ground up.
  • Incident Response: We have procedures in place to detect, respond to, and report data breaches (see Section 8.3).
  • Vendor Management: We carefully select third-party services that comply with GDPR.

8.3 Data Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms:

  • We will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33.
  • If the breach poses a high risk to your rights and freedoms, we will notify affected individuals without undue delay as required by GDPR Article 34.
  • We maintain records of all data breaches including facts, effects, and remedial actions taken.

Note: Given our minimal data collection and anonymization practices, the risk of a meaningful data breach affecting individuals is extremely low.

9. Children's Privacy

Our service is not directed at children under 16 years of age. We do not knowingly collect personal information from children under 16.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at will@123cloud.st. We will promptly delete such information from our systems.

We do not use age verification mechanisms because:

  • Our service is not targeted at children
  • We do not collect personal data that would require age verification
  • Age verification itself would require collecting more personal data

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

When we make significant changes, we will:

  • Update the "Last Updated" date at the top of this policy
  • Increment the version number
  • Display a notice on our website for 30 days
  • For material changes affecting your rights, we may use additional notification methods

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your privacy.

11. Contact Us

If you have any questions about this Privacy Policy, want to exercise your data protection rights, or have concerns about how we handle your data, please contact us:

Data Controller: 123cloud.st

Email: will@123cloud.st

Website: https://findyourfivepm.com

Response Time: Within 30 days as required by GDPR

When contacting us about data protection matters, please include:

  • Your name and contact information
  • A clear description of your request or concern
  • Any relevant details that will help us respond effectively

Supervisory Authority: If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. Find your authority at: EDPB Member List

📋 Privacy Policy Summary

  • ✅ We use GDPR-compliant analytics (Umami) that doesn't use cookies or collect personal data
  • ✅ We store only essential preferences in your browser
  • ✅ We don't collect names, emails, or personal information
  • ✅ You can clear browser storage anytime through your browser settings
  • ✅ You have full GDPR rights including access, erasure, and portability
  • ✅ We use AWS infrastructure with GDPR-compliant safeguards
  • ✅ We don't sell or share your data with third parties for marketing
  • ✅ Contact us at will@123cloud.st for any questions