Privacy Policy

Last updated: 12 June 2026

1. Who we are

Frisson Map is a non-commercial fan project for the community around Tarja Turunen. We run it as a private hobby — no profit, no ads, and no third-party tracking. It was created independently and is not affiliated with Tarja, her management, or her label.

Operator: Petra (a private individual, Czech Republic).
Contact for privacy questions: info@frissonmap.com

2. What data we collect

2.1 When you leave an Echo (anonymously or signed in)

• The nickname you type (3–20 characters) — or, if you're signed in, your public account nickname (you don't type it again).
• An avatar — anonymous users pick one from a fixed gallery while writing the Echo; for signed-in users, the Echo uses the avatar set in your profile.
• A comment (required, max 500 characters) — an Echo can't be submitted without one.
• An optional song tag — you can link an Echo to a specific album song. Signed-in users can rate the song with stars right while writing the Echo (how ratings are handled: see §2.2).
• A place name — when you pick a public place as your Echo's point (e.g. "Eiffel Tower"), we save the name as the geocoder returned it (trimmed to 80 characters). You don't type any name yourself — there's no manual field for it in the app.
• The creation time — we record the moment of submission automatically on the server. You don't fill in any date.
• For registered users only: an optional grouping of Echoes into a "Journal" and its name (max 40 characters, no links). A Journal links several of your Echoes under a single marker on the map — from the same area or with the same song. It's an internal matter of your account; only you can change it. When you open a Journal to others (it becomes a "Gathering"), the name is required — the form pre-fills a suggestion you can overwrite — and it shows publicly once someone opens that marker. And if, as the founder of a Gathering, you remove and block someone, we keep an internal record of it (your account ↔ the blocked account) so the block works — you'll find it in your data export too.
• Coordinates of the place where you put the Echo. How precise they are depends on how you enter the place — and you're in control. When you use "Find my location" (GPS), your real location is fuzzed already in the browser and never leaves your device — only a random point at the chosen level goes to the database. When you instead click directly on the map or pick a specific place or address from search, we take that as your explicit choice and save the point exactly where you pointed. What this means and how to control precision is in §2.8.
• Structured place text — country code, country, city, district, and, depending on precision, a street name. House and building numbers are never stored, even when the geocoder returns them.
• For anonymous Echoes only: an optional self-stated nationality (one ISO country code, e.g. "CZ", "FI"). After you pick a place, the form pre-fills it with that place's country — you can change it or set it back to "Skip" and state nothing. If you keep it, it's saved with that Echo and shown as a small flag in its popup, labeled "self-stated by the author, anonymously" (so it's clear it isn't the verified flag of a registered user). It is never linked to your IP address or anything else that could identify you, and it isn't used in the by-country fan statistics.
• Standard browser request metadata (user-agent, language) is present in incoming requests, but we don't store it in our application logs (for what the AWS infrastructure itself may log briefly, see §5).

What's good to know about anonymous Echoes:

• Anonymous Echoes are public — everyone can see them, including search engines.
• Comments are public. Don't share sensitive personal data about yourself or others in them.
• Once you've submitted an anonymous Echo, you can't change or delete it — because we have no way to verify you're its author. The only way to have it removed is the Report button (§8), after which a moderator reviews it.
• Want control over your posts (editing, deleting, seeing your history)? Create an account — registered users have a profile linked to their Echoes.
• We don't track anonymous users. Spam protection runs in four short-lived layers, and none of them stores your IP address permanently:
  • Cloudflare Turnstile CAPTCHA on every anonymous Echo or report.
  • AWS WAF at the network edge catches bursts of abuse — when one IP sends an unreasonable number of requests within a few minutes, it drops them before they reach us.
  • A daily limit on anonymous Echoes and reports is tracked by a short-lived table keyed to your IP. It holds only the IP, a counter, and a timestamp — nothing more — and deletes itself within about a day. The daily limit for AI-assisted search works the same way, but it's keyed to your account ID, not your IP.
  • Other actions (reports, profile edits) are tracked by a counter that lives only briefly in the server's memory, is never written anywhere, and disappears on its own.
  • Amazon Cognito also rate-limits sign-up and sign-in attempts.

2.2 When you create an account (registered users)

• Your email address — for signing in, password recovery, and notices about material changes to the terms or about the service shutting down.
• A cryptographic hash of your password — managed by Amazon Cognito; we never see the password itself.
• Your chosen nickname.
• The time you accepted these terms.
• Echoes, edits, and other content you create while signed in.
• Which Echoes and events you've liked and which places you've saved. Only registered users can like and save. The number of likes is public as an aggregate, but who liked is shown to no one; saved places are visible only to you. Likes and saves are deleted with your account; an Echo's or event's likes are deleted when that Echo/event is deleted.
• Links you add to events or to the community space — we store the URL, its title, and your account as the author, so links can be managed and moderated.
• Operational timestamps — for content you create (Echoes, likes, ratings, event attendance) we keep the creation and last-edit times. You'll find them in your data export too (§7).
• Star ratings of songs and, with each rating, a snapshot of a country code (one two-letter code, e.g. "CZ"). What it's for and how the code is determined:

  The snapshot is used only for aggregate "where this song is loved" flags on the public leaderboard. A country only appears once enough fans from there have rated it — individual data is never shown.

  The country code is determined in this order:

  1. your stated nationality, if you've set it;
  2. otherwise the country of the place your Echo refers to (when you rate directly in the Echo form);
  3. otherwise the country of your internet connection.

  In the third case, our CDN (Amazon CloudFront) derives the country from your IP address right at the network edge and passes us only that two-letter code — the IP itself never reaches our database (legal basis: legitimate interest in non-identifying country-level statistics).

  The code is stored with the rating, never in your profile. If you later set a nationality in your profile, it takes priority for all your ratings, and you can change or delete it anytime. Ratings (including snapshots) are deleted when you delete your account.

In your profile settings you can additionally provide these optional details:

• Your nationality (one ISO country code). Used only for the worldwide by-country fan statistics. If you skip it, it stays empty.
• Your default Echo location — a city or place from the search menu. It pre-fills the "+ Leave an Echo" button when you haven't picked a point on the map yet. It's stored privately, just for you (it's in your profile and export, not on your public profile) as the place you picked from search — we don't keep your exact GPS location here. When it's then used to pre-fill an Echo, the point is scattered within the city or district, and the Echo itself still follows the rules in §2.8.
• Your Echo precision level — one of five (Country / City / District / Street / Exact place). For what each means, see §2.8.
• Up to five social media links — each a platform and its handle or URL. They show on your public profile so other fans can contact you. The specific handle is visible only to signed-in visitors; anonymous visitors see only the platform names. You can change or delete them anytime.

2.3 When you sign in with Google

Frisson Map offers "Continue with Google" as an alternative to email and password. When you use it:

• Google learns that you signed in to Frisson Map with your Google account. The sign-in itself is, at that moment, processed by Google (a US company) under its own policy.
• From Google we receive only your verified email address and an account ID (an opaque identifier). We don't get your contacts, photos, calendar, or anything else.
• The OAuth exchange is handled by Amazon Cognito; we never see your Google password.

You can revoke Frisson Map's access to your Google account anytime in your Google account permissions.

2.4 Events and attendance (registered users)

Signed-in users can suggest online events (livestreams, listening parties, Q&As) as well as concerts and tour dates — for concerts a source URL is required (an official tour page, festival announcement, etc.). Every fan suggestion is published only after a moderator approves it; moderators and admins can add events directly. At any event you can then mark your attendance.

• For each event suggestion we store the title, description (including a flag for whether it was created with AI help), category (frisson_tour or online), an optional subcategory, the planned date and length, an optional URL, an optional place name and location (Frisson Tour), the source URL (for concerts), optional links to discussions and streams, an optional cover photo (with required attribution and license), and the account that created the suggestion. In listings, the account's public nickname is shown with the event; the email never.
• For an attendance confirmation we store the event ID, your account, the attendance type, and the time.
• When you suggest an edit or deletion of an existing event, we store your suggestion, your reasoning, and the moderator's decision.
• When you delete your account, your attendance confirmations and likes go with it. Approved events you suggested stay in the listings with anonymized authorship — once an event is published and others have confirmed attendance, it's no longer your personal content. Suggestions awaiting approval (or rejected) are deleted with your account.

One thing about location: a concert's venue is a public place (a hall, a festival), so it's stored exactly — the location fuzzing from §2.8 doesn't apply to events.

2.5 Moderation records (audit log)

When a moderator or admin acts against content or an account (deletes an Echo, dismisses a report, issues or lifts a ban), we write to an internal audit log:

• the acting moderator's ID,
• what the action targeted (Echo / report / user),
• the time,
• and the written reason the moderator gave.

Only admins can see the audit log — it's there to oversee moderators. Rows stay even if the affected Echo or user is later deleted, as a record that the action happened.

2.6 When your account is banned

If a moderator bans your account for breaking the Terms of Use, we keep a ban record (who issued it, how long it lasts, the written reason) for as long as your account exists — as part of the moderation history. When you delete your account, this ban record goes with it; an anonymized note of the action remains only in the moderation audit log (§2.5). While banned you can still sign in, read the reason, and delete your account; you just can't add new content during the ban. The full ban rules are in the Terms of Use.

2.7 Automated content filter

Echo nicknames, comments, Journal names, and report texts pass through simple automated filters before being stored:

• A banned-words filter compares the text against a static list of slurs and strong profanity.
• A link filter rejects comments and Journal names that contain a URL — it's anti-spam; fans share thoughts and stories, not external links.
• A contact-info filter rejects comments and reports that look like they contain an email or phone number — this protects you and others from publishing someone's contact details.

None of these filters is AI and none profiles you; we store nothing about rejected attempts beyond ordinary server logs (§5). Whatever passes is stored unchanged.

2.8 Location privacy for Echoes

How precisely an Echo lands on the map depends on how you enter the place — and you decide.

When you use "Find my location" (GPS), your real location is fuzzed already in the browser, and only a random point at the level you chose goes to the database — your exact GPS location never leaves your device. The structured text (country / city / district / street) is trimmed to the same level. There are five levels:

• 1. Country — "France": a random point within the country's rough outline. Shows only the country.
• 2. City (default) — "Paris": a random point within the city limits. Shows country + city. This is what new accounts have set.
• 3. District — "Paris — 7th arrondissement": a random point within the district. Shows country + city + district.
• 4. Street — "Paris — Avenue de la Bourdonnais": a random point along the street. Shows country + city + district + street. House and building numbers are not stored.
• 5. Exact place (POI) — "Paris — Eiffel Tower": for notable places and other public points of interest, the Echo lands on the public coordinates of the place itself.

You can change the level anytime in your profile. The change applies only to future Echoes — the ones already placed keep the level they were created at (an Echo posted under "City" won't get more precise if you later switch to "Street").

When you pick a place another way — clicking directly on the map ("Pick on the map") or choosing a specific place or address from search — we take it as your explicit choice and save the point exactly where you pointed (for an address, without the house number; we never store that). In this case the coordinates are not trimmed to your profile level. So, one practical warning: don't place an Echo by clicking your home or an exact address you don't want shown publicly. For such a place, use GPS at a coarser level, or pick the nearest public place (a hall, a landmark).

2.9 Author credit for "notable places"

Notable places (festivals, concert halls, and other locations meaningful to Tarja's fandom) are added either directly by an admin or by registered users via "Suggest a place." Fan suggestions are reviewed by a moderator before the place appears publicly — until then no one else sees it.

When you suggest a place (or are listed as its source), your public nickname is recorded with it — in the place's popup you appear as "Suggested by @your nickname". Only the nickname is shown; your email or other personal data never.

When you delete your account, the credit line is automatically anonymized: the place stays, but "Suggested by" either disappears or shows "(deleted user)". The place itself isn't removed — it's not your personal content, only the credit was.

3. Why we collect it

We collect only what the map needs to work. Here's each purpose and the legal reason behind it:

• Echoes, nicknames, avatars, comments — to show them on the public map (the whole point of the app). Basis: your consent when you post.
• Email + password hash — to sign registered users in, let them manage their own Echoes, and send them important service notices (material changes to the terms, shutdown). Basis: necessary to provide the service you asked for.
• Time of consent — to have a record that you accepted these terms. Basis: our legal obligation to be accountable under GDPR.
• Country-level statistics (which songs are loved where) — always shown only in aggregate as flags, never per individual. Basis: legitimate interest in showing the community where the music resonates.
• Spam and abuse protection (limits, CAPTCHA) — to keep the map usable for everyone. Basis: legitimate interest in protecting the service.
• Reports, the moderation audit log, and ban records — to keep the community safe and allow oversight of moderators. Basis: legitimate interest in protecting the service and its users.

We don't use your data for advertising, profiling, analytics, or selling to third parties. We don't send marketing emails.

4. Where your data lives

All your primary data — account, Echoes, audit logs, application logs — sits on Amazon Web Services in the eu-central-1 (Frankfurt, Germany) region. AWS acts as our data processor under the standard GDPR data processing addendum.

A few words about data that leaves the EU. Some helper services we use to look up place names and their descriptions run partly or fully outside the EU (typically in the US) — specifically Tavily, the AI models in Amazon Bedrock, Stadia Maps, and link previews. Let's be upfront: the only thing sent to them is a place or venue name, a point's map coordinates, or a public link you entered yourself — never your account, email, or IP address. These calls go from our server, not your browser.

Two clarifications about data outside the EU: when you sign in with Google, the sign-in itself is processed by Google in the US (see §2.3). And the services your browser loads directly (map tiles, spam protection, our CDN) see your IP address like any website — see §6.

Here's the full list of third-party services we call for these purposes:

• Stadia Maps — our primary geocoding service (since May 2026), hosted at api.stadiamaps.com by Stadia Maps, Inc.; per Stadia, it runs on servers in the US and the EU. We call it for two things:
  • Reverse geocoding — turning the coordinates where you place an Echo into a readable place name (country, city, district, street).
  • Search — when you type into the location search box, your query is sent to Stadia to find matching places.
  Stadia operates under its own privacy policy and terms of service. The data it processes on our behalf is limited to the coordinates or the text of a single query; we don't send your account, IP, or any other identifier (the calls go from our backend, not your browser). We keep responses in memory for five minutes so we don't ask twice unnecessarily.
• Photon by Komoot — a free open-source geocoder at photon.komoot.io from Komoot GmbH (Berlin, Germany), our fallback (since May 2026) when Stadia is overloaded or unavailable. Same data handling: only coordinates or query text, no account, no IP. It operates under its own privacy policy.
• Openverse — an open search engine for Creative Commons photos (WordPress Foundation, api.openverse.org). When you search for a cover photo in the "Suggest an event" form, your query (a place name, city, or topic) is sent to Openverse to return a grid of CC photos. From our backend, without account or IP; we don't log queries beyond error traces.
• Wikipedia and Wikidata (en.wikipedia.org, wikidata.org, Wikimedia Foundation). When you click "Find info about a place/tour," the name you typed is sent to Wikipedia's public API (and to Wikidata to look up the right entity or coordinates) to get a short description for pre-filling. From our backend, without account or IP; we don't log queries.
• Tarja Turunen's official site (tarjaturunen.com, run by her management). "Find info about a tour" also queries its public search endpoint alongside Wikipedia (tour names are most accurate there). It isn't used for places. Only the text of the name you typed is sent, from our backend.
• Tavily AI Search (api.tavily.com, Tavily Inc., US). For places it's a last resort when Wikipedia isn't enough; for tours it adds broader web snippets. We send only the text of the search query (a place or tour name) — no identifiers, no account, no IP. Tavily operates under its own privacy policy.
• Amazon Bedrock (AI models) — AWS. We use it for two different things:
  • Pre-filling descriptions of places, concerts, and tours (us-east-1, US region): the public snippets from the sources above (Wikipedia, Tarja's site, Tavily) plus the name you typed are sent to the model to summarize into a short paragraph — none of your personal data, just public snippets and the name. We don't store the output beyond the editable description field.
  • Machine translation of an Echo (eu-central-1, EU region): when you click "translate" on an Echo, its text is sent to the model to be translated into your language. Unlike the descriptions, this may involve personal data — an Echo's text is whatever its author wrote into it. We keep the translation in a cache in our database, and it's deleted together with the Echo.
  Under the Bedrock terms, AWS doesn't use inputs to train its models (this applies to both uses).
• Reddit (reddit.com, Reddit, Inc.). When looking up info about a notable place, we also search fan subreddits (e.g. r/TarjaTurunen, r/Nightwish) for a useful description. Only the place name is sent, from our backend — no account or IP.
• Link previews (oEmbed) — YouTube, Spotify, Reddit. When you add a link to an event or the community space, the backend asks that platform's public oEmbed API for a title, so a readable name shows instead of a bare address. Only the URL is sent, from our backend — no account or IP.
• Resend (resend.com, eu-west-1, Ireland region) sends our transactional emails (verification codes, password recovery, email-change confirmations). For each one it gets only the recipient address, subject, body, and ordinary delivery metadata. It may collect minimal deliverability data (sent/bounced/complaint); we don't enable open or click tracking. It's engaged under its standard DPA.
• ImprovMX (improvmx.com, EU) receives mail to info@frissonmap.com and forwards it to the operator's personal mailbox. It deletes its short forwarding logs within about seven days.

5. How long we keep data

• Anonymous Echoes we keep with no time limit as part of the public map. Because they came in without an account, we have no way to verify a deletion request from the author — that's by design. The only way to have one removed is the Report button (§8).
• Registered users' data we keep until you delete your account. On deletion you choose whether your Echoes are deleted with you or stay on the map anonymized.
• Application logs (CloudWatch) contain only technical operational data — request IDs, durations, error traces, and audit messages about moderator actions (§2.5). No IP addresses or user-agents. They're deleted automatically after 30 days.
• Frontend error logs capture JavaScript runtime errors so we can fix them. Each entry has the error text, the page path (e.g. /index.html), the source line and column, an optional stack trace, and a random identifier we generate per browser tab to group related errors. That identifier lives in your browser's sessionStorage and disappears as soon as you close the tab — it's not a fingerprint, isn't shared across sites, and isn't linked to your account. We never send your email, password, token, IP, user-agent, or any request body into it. Retention is again 30 days.
• AWS infrastructure logs are managed by AWS on our behalf and may briefly hold technical identifiers (including IP addresses) needed to run the platform — the Cognito sign-in audit, CloudTrail, WAF abuse counters. Retention is governed by AWS defaults (on the order of up to 90 days). We only reach for them when investigating a specific abuse incident; we don't export, analyze, profile, or share them.
• Moderation audit log records (§2.5) we keep for as long as the project runs, so admin oversight of moderators stays possible. The personal identifiers in a row are set to NULL once the referenced account is deleted.

6. Cookies and browser storage

No tracking, analytics, or advertising cookies — none at all. What we do store is just a few essential things right in your browser so the app works:

• Login tokens (for signed-in users) — in localStorage. The short-lived access token lasts about 60 minutes; the refresh token that keeps you signed in, up to 90 days. Signing out deletes them.
• A cookie-bar flag — remembers that you closed the bar.
• Small functional preferences — whether you've seen the welcome card, your last location search, and (testers only) a "test mode" flag. These never leave your browser.

One third-party note: the Cloudflare Turnstile CAPTCHA (shown when an anonymous visitor posts an Echo or report) may set its own cookie to verify you're not a robot. That's controlled by Cloudflare, not us, and it's only there to tell humans from bots.

And that's the whole list. No analytics cookies, no tracking pixels, no advertising.

What your browser loads from elsewhere. Like almost every website, some parts of the map load straight from the services that provide them — the map tiles (CARTO), cover photos (from their original home, e.g. Wikimedia or Flickr), spam protection (Cloudflare), and the app itself, delivered by our CDN (Amazon CloudFront — which at the network edge derives at most a two-letter country code from your IP, see §2.2; the IP itself doesn't reach us). When your browser fetches these, the provider sees the same basic connection details as any website you visit — and some have servers outside the EU (typically in the US). None of it tracks you here.

7. Your GDPR rights

You have the right:

• To access the personal data we hold about you.
• To export your data in a machine-readable format — a JSON download is available right now in your profile under Your data.
• To rectify inaccurate data (edit it in your profile, or write to us).
• To erasure of your account and your data (the right to be forgotten). On deletion you choose whether your Echoes are deleted with you or stay on the map anonymized.
• To restrict processing — to ask us to pause what we do with your data until any question about it is resolved.
• To object to processing we base on legitimate interest.
• To withdraw consent anytime — for a single post, just delete it; for everything at once, delete your account (Profile → Your data). Withdrawal doesn't affect anything we lawfully did beforehand.
• To lodge a complaint with a data protection authority. In the Czech Republic that's the Office for Personal Data Protection (ÚOOÚ) — uoou.gov.cz.

If you want to exercise any of these rights, write to info@frissonmap.com. We try to respond within 30 days.

8. Reporting inappropriate content

Every Echo has a Report button. Reports go to admins for manual review. Echoes stay visible until they're reviewed; clearly unacceptable content is removed quickly.

When a moderator removes an Echo, it disappears from the public map right away, but for some time it stays internally in the database with a record of the time and reason for removal. If you're the signed-in author, you'll find it among your deleted Echoes until you dismiss it for good.

If you send a report while signed in, we also store your account ID internally. It's not shown to moderators — they review reports anonymously — and it's only there in case the Report button is abused. For anonymous reports, no identity is stored.

Found a bug or have an idea? You can open an issue in our public feedback repo on GitHub: github.com/petaSk98/FrissonMap-Feedback. But note — GitHub issues are public, so anything with personal data (yours or others') or reporting a specific user or post is better handled by email: info@frissonmap.com.

9. Age limit

You confirm that you're at least 16 years old every time you add content — both when creating an account and when leaving an anonymous Echo (with a checkbox right in the form) — in line with Article 8 of GDPR. An anonymous Echo doesn't require an account, but it does require this age confirmation. Simply browsing the map has no age requirement.

10. Changes to this policy

We judge what counts as a material change in good faith — when it affects your rights or how we handle your data, we update the "Last updated" date at the top and send registered users a notice to their registered email. We'll likewise notify you by email if we ever shut the project down.

11. Contact

Privacy questions, GDPR requests, or anything else: info@frissonmap.com.

← Back to map