Privacy Policy

Last updated: April 2026

Rochester Art is a community project that helps people discover public art in Rochester, Minnesota. This policy explains, in plain English, what information we collect, why we collect it, and what you can do about it.

The short version

  • We collect the minimum needed to run the app.
  • We do not sell your data. Ever.
  • We do not run ads or use advertising trackers.
  • Your GPS location is used on your device to show nearby art. It is not sent to our servers.
  • You can delete your account and all associated data by emailing support@rochestermnart.org.

1. Who we are

Rochester Art (operating as "Rochester Art" at rochestermnart.org and through the Rochester Art iOS and Android apps) is a personal project run by an individual developer. It is not incorporated as a company. It is maintained as a community resource for the Rochester, Minnesota area.

For any privacy questions, data requests, or complaints, contact us at support@rochestermnart.org.

2. What we collect

Here is everything we actually collect. If something is not on this list, we do not collect it.

Account information

When you create an account, we store your email address, a display name you choose, and your password. Your password is hashed using bcrypt before it hits our database. We never see or store your plain-text password.

Google Sign-In

If you sign in with Google, we receive a Google ID token, verify it with Google, and save two things: your Google user ID (a stable identifier) and your email address. We do not receive or store your Google password, your Google contacts, or any other Google account data.

Location (GPS)

The mobile apps ask for permission to access your location so we can show you nearby artworks and provide walking or driving directions. Your precise GPS coordinates stay on your device. We do not upload your location history to our servers, and we do not track your movements over time. You can say no when asked for location access; the app still works, it just will not be able to center the map on you.

Photo submissions

If you submit photos of artworks, we store a reference to your photo so it can be reviewed by an admin before it shows up publicly. Approved photos appear on the artwork's detail page. You can request deletion of any photo you submitted at any time.

Usage analytics

We record basic events like "someone viewed this artwork," "someone clicked directions," or "someone started this tour." This helps us understand which artworks and tours are popular so we can improve the app. If you are signed in, these events are linked to your account. If you are not signed in, they are anonymous. We do not use third-party analytics products like Google Analytics or Mixpanel.

API tokens

When you log in from the mobile apps, we issue an API token that lets the app make requests on your behalf. The token itself is SHA-256 hashed before it is stored in our database, and it expires after 24 hours. You can log out to invalidate it immediately.

Standard server logs

Like almost every website, our servers keep short-term logs that may include IP addresses, browser or device type, and request timestamps. These are kept briefly for troubleshooting and abuse prevention, and are not linked to your profile.

3. What we don't collect

To be explicit, Rochester Art does not collect or use any of the following:

  • Advertising identifiers (IDFA, AAID)
  • Third-party advertising trackers or ad network SDKs
  • Cross-app or cross-site tracking
  • Biometric data
  • Health or financial data
  • Your contacts, calendar, microphone, or camera roll (beyond photos you explicitly choose to submit)
  • Any data from children under 13 (we do not knowingly collect it)

4. How we use your information

We use the information above to:

  • Let you log in and manage your account
  • Show artworks and tours, including ones near you
  • Process and display photo submissions after admin review
  • Understand which artworks and tours people care about
  • Respond to your questions, reports, and support requests
  • Keep the service secure and investigate abuse

That's it. We do not use your data for advertising, profiling for third parties, or any purpose you haven't reasonably consented to by using the app.

5. Third-party services we use

Running an app means relying on a few companies for infrastructure. Here is the complete list of third parties involved, and what each one touches:

Service Purpose What they see
Railway.app Hosts our backend server All stored account and app data (as infrastructure provider)
PostgreSQL (on Railway) Database Everything we store in the database
Google Sign-In Lets you log in with your Google account Only triggered if you choose Google login; Google handles auth itself
Apple MapKit (iOS) Displays the map on iPhone Apple handles map tiles and directions on-device
Google Maps SDK (Android) Displays the map on Android Google serves map tiles; subject to Google's privacy policy

We do not share your account data with these services for marketing purposes. They are used only for the technical functions listed above.

6. How we store and secure your data

Your data lives in a PostgreSQL database hosted on Railway.app servers located in the United States. Connections between the app and our server are encrypted with HTTPS/TLS. Passwords are hashed with bcrypt. API tokens are hashed with SHA-256 and expire after 24 hours.

No system is 100% secure, and we cannot promise absolute protection. But we follow standard practices to keep your data safe, and we collect so little that the blast radius of any breach is limited.

7. How long we keep your data

  • Account data: until you delete your account
  • Photo submissions: until you ask us to remove them, or you delete your account
  • Analytics events: retained indefinitely in anonymized or account-linked form while the app is active
  • API tokens: expire automatically after 24 hours
  • Server logs: kept briefly (typically days to weeks) for troubleshooting, then deleted

8. Your rights

No matter where you live, you can do all of the following by emailing us at support@rochestermnart.org:

  • See what data we have about you
  • Correct anything that is wrong
  • Delete your account and everything associated with it
  • Export your data in a machine-readable format

We will respond within 30 days. We do not charge a fee for any of these requests.

For users in the European Union and UK (GDPR)

If you are in the EU, EEA, or UK, the GDPR gives you additional rights including the right to object to processing, the right to data portability, and the right to lodge a complaint with your local supervisory authority. Our legal bases for processing your data are: your consent (when you sign up), contract performance (running the app), and our legitimate interests (basic analytics and security).

Since Rochester Art is a small personal project, the easiest and fastest way to exercise any of these rights is to email support@rochestermnart.org.

For California residents (CCPA / CPRA)

California residents have the right to know what personal information we collect, to delete it, and to opt out of its "sale" or "sharing." Rochester Art does not sell or share your personal information for behavioral advertising, so there is nothing to opt out of. You can still exercise your right to know and right to delete by emailing us.

We will not discriminate against you (for example, by blocking your account or charging different prices) for exercising any privacy rights.

9. Children's privacy

Rochester Art is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has given us personal information, please email support@rochestermnart.org and we will delete it.

10. International users

Our servers are located in the United States. If you use Rochester Art from outside the US, your information will be transferred to and processed in the US. By using the app, you understand and accept that.

11. Changes to this policy

If we make significant changes to this policy, we will update the "Last updated" date at the top and, for material changes, notify you by email or in the app before the new version takes effect. Continued use of Rochester Art after a change means you accept the updated policy.

12. Contact

Questions, concerns, or data requests:

Email: support@rochestermnart.org
Website: https://rochestermnart.org

App Store and Play Store disclosures

For Apple App Store and Google Play Store privacy label purposes, Rochester Art collects the following data types, all used solely for app functionality and not for tracking or advertising:

  • Contact info: email address (linked to you)
  • User content: photos you submit (linked to you)
  • Identifiers: user ID, Google ID if you use Google Sign-In (linked to you)
  • Usage data: product interaction events (linked to you)
  • Location: precise location used on-device only, not collected by us
  • Diagnostics: crash and performance logs (not linked to you)

None of this data is used for third-party advertising, analytics, or tracking across apps and websites owned by other companies.