Read this quick summary first
If you do not want to start with the full legal text, begin here. This section explains in simpler language how MapSpoto handles location, chat, public profile details, and account safety.
By default, we only use IP-based approximate location. Precise location is requested only when truly needed and only with your permission. No background tracking. No sharing of precise location with other users.
You can report, block, mute, leave groups, and delete your account yourself.
MapSpoto uses PostgreSQL Row Level Security (RLS) to restrict access. Regular clients can read only data they are permitted to see and cannot freely access other users' non-public information.
Name, region, and contact details entered in your profile may be visible to other users. If not necessary, do not enter sensitive information.
AI is used only to assist development and improve product features. It does not connect to the backend database to read or analyze private chats or similar sensitive data.
The client is built with Expo / React Native and the backend uses Supabase. Data access relies on PostgreSQL permissions and RLS rules, and storage access rules are reviewed and tightened regularly.
MapSpoto runs inside the iOS / Android app sandbox and can access only the permissions that you grant.
We use professional tools to review common security risks, including Yarn Audit, gitleaks, Semgrep, and MobSF, and we keep rechecking them over time.
Formal Privacy Policy
This Privacy Policy explains how MapSpoto collects, uses, shares, and protects information when you use the MapSpoto mobile application (the “App”), and the choices and rights available to you.
If you do not agree with this Privacy Policy, please do not use the App.
1. Controller and Contact
For the purposes of the EU General Data Protection Regulation (“GDPR”), the data controller is:
We have not appointed a Data Protection Officer (DPO). If you have questions or requests, contact us via the email above.
2. Information We Process
We process the following categories of information (depending on how you use the App):
2.1 Account and Profile
- Email address and account identifiers (e.g., user ID), authentication tokens, and sign-in metadata.
- Profile details you provide, such as username and avatar.
2.2 Location Data
- Approximate location derived from IP-based geolocation when you use location-based features without granting GPS permission. This may involve sending your IP address and device/network headers (e.g., User-Agent) to an IP geolocation provider.
- Precise location (OS/GPS) when you grant location permission in your device settings and use features that require it.
We use location data to provide location-based features for the user, such as determining the user's own position and showing relevant nearby activities. We do not share the user's real-time or precise physical location with other users.
2.3 User Content and Interactions
- Activities and event data you create, edit, join, or interact with (e.g., titles, descriptions, time, location, registrations).
- Messages and communications (private and group chats), including timestamps and conversation relationships.
- Media you choose to upload or send, such as avatar images, activity posters, comment images, chat images, and voice messages.
Important: Some media may be made accessible via public URLs for display purposes (e.g., avatars/posters). Do not upload information you do not want others to access or share.
2.4 Device, App, and Diagnostic Data
- Basic device and app information such as OS and app version.
- Crash reports and diagnostic logs (e.g., error messages and stack traces) where enabled.
2.5 Push Notifications Data
If you grant notification permission, we may:
- Obtain an Expo push token (Expo Push Token).
- Generate and store a locally generated device identifier on your device (a random identifier stored in local storage) to associate the push token with a specific device.
3. Purposes and Legal Bases (GDPR)
We process personal data for the purposes below and rely on the following legal bases under GDPR:
3.1 Provide the App and Core Features (Art. 6(1)(b) GDPR – contract)
- Create and manage accounts; provide activities, messaging, map features, and related functionality.
3.2 Location-Based Features (Art. 6(1)(b) and/or Art. 6(1)(a) GDPR)
- Approximate location via IP geolocation to show nearby content or provide baseline location experiences.
- Precise location via OS/GPS when you grant permission. You can withdraw permission at any time via system settings.
3.3 Notifications (Art. 6(1)(a) GDPR – consent)
- Send message/activity notifications if you opt in. You can disable notifications in system settings.
3.4 Security, Abuse Prevention, and Enforcement (Art. 6(1)(f) GDPR – legitimate interests)
- Prevent fraud and abuse, maintain security, troubleshoot issues, and enforce rules.
3.5 Reliability and Improvement (Art. 6(1)(f) GDPR – legitimate interests)
- Monitor performance, fix bugs, and improve user experience (e.g., via diagnostics).
4. Sharing and Service Providers
We do not sell your personal data.
We may share limited personal data with service providers (“processors”) that help us operate the App, such as:
- Supabase: authentication, database, file storage, and realtime functionality.
- Expo Notifications: push notification services (token handling).
- IP geolocation provider (ipapi.co): approximate location via IP (may receive IP address and request headers).
- Map providers (e.g., Google Maps, depending on platform/configuration): map rendering and interactions (may process device/network signals and location-related data as part of the map experience).
- Error monitoring providers (e.g., Sentry, if enabled): crash reports and diagnostics.
We may also disclose information where required by law, or to protect our rights, users, or the public.
5. International Data Transfers
Some service providers may process data outside the European Economic Area (“EEA”). Where personal data is transferred outside the EEA, we use appropriate safeguards as required by GDPR, such as Standard Contractual Clauses (SCCs) and, where appropriate, supplementary measures. Contact us if you would like more information about the safeguards used.
6. Data Retention
We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, including:
- Account data: for as long as your account is active; upon deletion, we delete or anonymize it unless retention is required by law or needed for legitimate purposes (e.g., security, dispute resolution).
- User content (messages, media, activities): retained until you delete it or delete your account, subject to operational backups and legal requirements.
- Diagnostics and logs: typically retained for a limited period necessary for troubleshooting and security (unless a longer period is required for investigations).
7. Your Rights (GDPR)
If you are in the EEA/UK, you may have the right to:
- Access your personal data, and obtain a copy.
- Rectify inaccurate or incomplete data.
- Erase your data (“right to be forgotten”), in certain circumstances.
- Restrict or object to certain processing.
- Data portability, where applicable.
- Withdraw consent at any time (for processing based on consent), without affecting processing that occurred before withdrawal.
You also have the right to lodge a complaint with a supervisory authority in your EU Member State (in particular where you live, work, or where an alleged infringement took place).
To exercise rights, contact support@mapspoto.com. We may need to verify your identity before fulfilling requests.
8. Security
We implement reasonable technical and organizational measures designed to protect personal data. However, no method of transmission or storage is 100% secure.
9. Children
The App is not intended for children. Do not use the App if you are under the age required to consent to data processing under applicable law.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will update the “Last updated” date and may provide additional notice in the App where appropriate.