Privacy is not a feature.
It's our architecture.
Built for companies that take data sovereignty seriously. EU-only infrastructure, zero tracking, verifiable open-source engine.
GDPR Compliance — By Design
Not an afterthought. Not a checkbox. Built into the architecture from day one.
100% European Infrastructure
All servers, all databases, all processing happens within EU jurisdiction. Zero data transfers to the United States or any third country. Your routing requests never leave European soil.
Zero Third-Party Trackers
No Google Analytics. No Facebook pixels. No advertising cookies. No marketing trackers of any kind. Our APIs don't plant cookies and don't share location data with ad networks. Ever.
IP Address Scrubbing
End-user IP addresses are used transiently for rate-limiting only and are never written to disk. After the HTTP response is sent, the IP is purged from memory. We cannot reconstruct who made which request.
Data Processing Agreement
DPA available on request for enterprise customers. Compliant with GDPR Articles 25 (Privacy by Design), 28 (Processor obligations), and 32 (Security of processing). Contact [email protected].
What happens to your data
A transparent, step-by-step view of every API request lifecycle.
Request arrives
Your app sends coordinates to our API over HTTPS.
IP address: logged transiently for rate-limiting only
Route computed
Georavity Engine calculates the optimal path in-memory.
Coordinates: never written to disk, never stored in database
Response returned
JSON result sent back to your app. Connection closed.
After response: all request data is purged from memory
Counter incremented
Only an anonymous counter (+1) is persisted for billing.
We retain: request count per key. We never retain: coordinates, routes, IPs
ODbL Licensing — Simplified
Companies worry about OpenStreetMap's share-alike clause. Here's the clear rule: your business data overlaid on our maps stays 100% yours.
Safe — Your data stays private
Using our maps as a background layer for your own business data. No share-alike obligation applies.
- ✓ Plotting your store locations on our map
- ✓ Routing fleet vehicles through our API
- ✓ Displaying delivery routes in your app
- ✓ Building isochrone analysis for site selection
- ✓ Using geocoded addresses in your CRM
Share-alike required
Only applies if you modify the underlying road geometry or merge your data to create a new dataset derived from OSM data.
- ! Editing road shapes in the map data itself
- ! Building a new routing algorithm from OSM raw data
- ! Merging OSM geometry with proprietary road networks
- ! Redistributing modified OSM extracts
TL;DR: If you use Georavity APIs to power your app — your data is 100% yours. Share-alike only kicks in if you modify the raw map data itself. Read the full ODbL license →
Security Architecture
Defense-in-depth from network edge to database row.
SHA-256 Key Hashing
API keys are stored as irreversible SHA-256 hashes. Even we cannot recover your raw key after creation.
TLS Everywhere
All API traffic encrypted over HTTPS. Internal services communicate through encrypted WireGuard tunnels.
Per-Key Rate Limiting
Token-bucket rate limiting per API key. Protects your account from abuse and our infra from overload.
Origin Restrictions
Lock API keys to specific domains or IPs. Stolen keys cannot be used from unauthorized origins.
Scope-Based Access
Restrict keys to specific endpoint groups (routing, geocoding, matrix). Principle of least privilege.
Usage Transparency
Real-time usage counters per key. Know exactly how many calls you've made — no opaque billing surprises.
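The key controls listed above (hashed storage, origin and scope restrictions, per-key token bucket, usage counter) combined in one authorization check. This is an added example, not Georavity's code; `KeyStore`, its record fields, the return strings and the rate and burst values are assumptions.

```python
import hashlib
import secrets
import time


def _digest(raw_key: str) -> str:
    return hashlib.sha256(raw_key.encode()).hexdigest()


class KeyStore:
    """Hypothetical store: holds SHA-256 digests only, never raw keys."""

    def __init__(self, rate: float = 5.0, burst: int = 10):
        self.rate, self.burst = rate, burst   # tokens/second, bucket size
        self.records = {}                     # digest -> per-key record

    def issue(self, scopes, origins) -> str:
        # Plain SHA-256 is only acceptable because the key is 256 random
        # bits; a low-entropy secret would need a slow password hash.
        raw = secrets.token_urlsafe(32)
        self.records[_digest(raw)] = {
            "scopes": set(scopes), "origins": set(origins),
            "tokens": float(self.burst), "last": None, "count": 0,
        }
        return raw  # shown to the caller once, then unrecoverable

    def authorize(self, raw, scope, origin, now=None) -> str:
        now = time.monotonic() if now is None else now
        rec = self.records.get(_digest(raw))
        if rec is None:
            return "invalid_key"
        if origin not in rec["origins"]:
            return "origin_denied"
        if scope not in rec["scopes"]:
            return "scope_denied"
        # Token bucket: refill by elapsed time, cap at burst, spend one.
        elapsed = 0.0 if rec["last"] is None else now - rec["last"]
        rec["tokens"] = min(self.burst, rec["tokens"] + elapsed * self.rate)
        rec["last"] = now
        if rec["tokens"] < 1.0:
            return "rate_limited"
        rec["tokens"] -= 1.0
        rec["count"] += 1  # the only per-request state kept: a counter
        return "ok"
```

An origin check of this kind relies on a value the client sends, so it constrains browser use of a key; an IP allowlist is the stronger of the two restrictions the page mentions.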
Open Source & Transparency
Routing Engine: Georavity is powered by our proprietary geospatial engine, built on open-source technology and licensed under MIT. You can inspect every algorithm that processes your routes.
Map Data: We use OpenStreetMap data under the Open Data Commons ODbL. Updated regularly with global coverage. Community-maintained, freely available.
Your Output: Routes, isochrones, matrices, and geocoding results generated by the API are yours. We make zero claims on API output. Your request patterns, user data, and application logic remain your intellectual property.
Have security questions, need a DPA, or want to discuss compliance requirements?