Privacy & Telemetry

Geobridge is designed around “no raw query persistence.” Telemetry is scoped to operational signals while omitting customer payloads and secrets.

What we collect

• Structured logs: event name, trace ID, component metadata, anonymized account/key IDs, error summaries. Request bodies and raw geocoding queries are never logged.
• Metrics: bounded tags (route, outcome, cache status, job hash) and numeric counters for edge requests, bulk processing, and webhooks. Tag values are truncated to avoid free-form payloads.
• Alert telemetry: aggregated counts/ratios for webhook failures, bulk errors, cache misses. No customer identifiers beyond hashed job IDs.

Retention

Logs: 14 days. Workers Analytics Engine metrics: 90 days. Durable Object alert telemetry: 30 days, rotated per window. Bulk results TTLs follow job settings (defaults documented in the Bulk reference).

Controls

• Data minimisation: telemetry helpers drop null/undefined fields and refuse to serialize request bodies or webhook payloads.
• Access: Workers AE datasets are limited to the SRE group; alerts redact customer identifiers.
• Redaction tests: automated tests assert no raw query strings enter logs; webhook retry auditing avoids payload storage.
• Webhooks: signed with HMAC SHA-256 using caller-provided secrets; failures are retried with backoff and summarized in job status.

Customer responsibilities

• Use distinct webhook secrets per integration.
• Avoid embedding sensitive data in job record IDs or texts; they may appear in NDJSON outputs you store.
• Configure retention-appropriate TTLs when submitting bulk jobs if you need shorter windows.

Related links

• Architecture — data flow and storage surfaces.
• Bulk Jobs reference — TTL options and webhook behavior.
• Attribution — licensing and data source notices.