Privacy notice

Your land data should remain understandable and removable.

Effective June 5, 2026

Local analysis first

Terrain calculations run in your browser. Drawing a boundary does not by itself create an account. Browser-only projects and interface preferences stay in your browser storage until you remove them or clear that storage.

A location submitted from the homepage is held once in storage scoped to the current browser tab, removed before the app submits the search and not added to the app navigation URL. Submitted location searches still use the search providers and short-lived cache described below.

Saved projects and uploaded terrain

When configured Cloudflare storage is available and you save a project, TopoDesigner stores the project JSON in D1. If you select a GeoTIFF, the file is analyzed locally first and may also be stored in R2 so an authorized shared view can reproduce the analysis. R2 stores the file under an opaque identifier with only a hash of its upload capability. The saved project JSON and revisions retain the matching capability so authorized project views can retrieve the file; public/read-only responses and account exports redact it.

Sharing choices

Private editor and viewer links contain separate unguessable capabilities. Treat those links as secrets. An editor can optionally add a separate private-viewer password; TopoDesigner stores only a salted password hash and does not place the password in the viewer URL, saved project JSON, browser fallback cache or export. A public project can be opened by anyone with its URL, and viewers can retrieve a referenced uploaded DEM through the project. The upload capability itself is not returned to public or read-only viewers.

Operational counters and external sources

A configured deployment stores expiring, hashed-client quota counters in KV to limit abusive use of upstream services and storage. The same KV stores location-search text and results for up to 24 hours, ArcGIS suggestion text and results for up to 1 hour, and rounded point-preview coordinates and results for up to 30 days. Esri imagery requests go directly from your browser. Terrain, location-search and point-preview elevation upstream requests use TopoDesigner server routes. Those providers apply their own terms and privacy practices.

Accounts and billing

The prepared example does not require an account. If you request a sign-in link, TopoDesigner stores your email address, expiring login token and session records in D1 and sends a transactional message through Cloudflare Email Sending. Signed-in sessions can continue a selected custom site and reopen account-owned results across devices without placing an editor capability in the dashboard URL. Stripe processes payment details and TopoDesigner stores customer, purchase, subscription and entitlement status identifiers in D1.

Optional communication preferences

A signed-in user can separately and explicitly choose optional product updates, research invitations or Pro product updates and a frequency. Those choices are not required for analysis, saving or account access. TopoDesigner records the selected categories, frequency, source, timestamp, privacy/copy version and broad request country when available. Withdrawal, marketing-profile deletion and account deletion leave a one-way email hash and minimal suppression record so marketing stays off. Any future approved marketing message can use a signed one-click unsubscribe link that records the opt-out without requiring sign-in. Exact sites, project content and terrain findings are never marketing-profile fields.

Professional research requests

A Professional workflow research request is separate from account data and optional marketing preferences. TopoDesigner stores the email address, optional company name and volunteered broad workflow answers in D1, sends one requested transactional confirmation and may reply only about that research request. It is not a purchase, sales sequence or marketing subscription.

The confirmation contains a private manage link whose raw capability stays in the URL fragment and browser; D1 stores only its hash. The link can review, update or delete the request without an account. Do not include exact sites, private project details or client information in the request.

Analytics collection

The reference application includes a strict first-party funnel event contract and an anonymous deletion capability, but production collection is disabled until its purpose, retention period and jurisdictional consent behavior are approved. It does not use a third-party analytics beacon, join analytics to an account or email, or collect exact sites, project content, capabilities, raw searches or free text.

Delete your data

An editor can delete a saved project from the workspace. TopoDesigner verifies editor authority, removes any legitimately owned stored GeoTIFF, removes the D1 project row and forgets the browser copy. You can clear browser-only projects by deleting them in the workspace or clearing browser storage. A signed-in Free or canceled account can also be deleted from the account page; TopoDesigner removes its account-owned projects and verified stored uploads, live optional marketing profile and outstanding sign-in links. The account page also provides an account-data export and separate marketing-profile deletion. Minimal consent/suppression evidence contains no raw email address and remains so a withdrawn or deleted user is not marketed to again. Cancel an active subscription in the billing portal first.

Contact

Questions about a hosted TopoDesigner deployment should be directed to its operator. For the reference deployment, contact hello@hello.topodesigner.com.