MapSur

Privacy Policy

PRIVACY POLICY — MapSur
Last updated: March 31, 2026 — Version 2.0

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

1. WHO ARE WE?

MapSur is a community mobile application for travelers. It allows you to browse travel reviews filtered by profile, safety scores, and plan trips with confidence.

Publisher: Merta, micro-enterprise (France)
SIRET: 103 063 657 00011
Privacy contact: privacy@mapsur.com

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

2. PURPOSE OF THIS POLICY

This privacy policy informs you about:
• What personal data we collect
• Why we collect it (purposes)
• Our legal basis
• How long we keep it
• Who can access it
• Your rights and how to exercise them

It complies with the General Data Protection Regulation (GDPR), Articles 12, 13, and 14.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

3. WHAT DATA DO WE COLLECT?

3.1 Account data (registration)
• Email address (required)
• Username (required)
• Password (required, never stored in clear text — bcrypt hashing)
• Unique UUID identifier (automatic)

3.2 Traveler profile (optional — sensitive data, GDPR Art. 9)
If you choose to fill in your traveler profile, we may collect:
• Gender (man, woman, non-binary)
• Ethnic origin (Black, Arab, Asian, Latino, etc.)
• Sexual orientation (heterosexual, gay, lesbian, bisexual)
• Religion (Muslim, Jewish, Christian, Hindu, Buddhist, no religion)
• Disability status (yes/no)
• Age range
• Travel style (solo, couple, family, group)

IMPORTANT: This is sensitive data under GDPR Article 9. It is only collected with your explicit consent. You can modify or delete it at any time (Profile > My traveler profile).

3.3 Activity data
• Travel reviews (title, text, ratings, tips, specific location)
• "Helpful" votes on other users' reviews
• Reports of abusive reviews
• Travel searches (destination + dates) — only if opted in
• Saved destinations

Reviews are visible to other users. Your traveler profile is only shown if you authorized it ("Show my profile" option).

3.4 Computed data
• Trust score (0 to 1): reflects the reliability of your contributions
• Safety scores: calculated from official data
• AI estimates (Google Gemini): score and tips, clearly labeled

3.5 Data we DO NOT collect
• Real name, date of birth
• Phone contacts
• Photos or multimedia
• Banking or payment data
• Background location
• Advertising identifiers
• Social media data

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

4. WHY DO WE COLLECT THIS DATA?

4.1 Account management
• Account creation: legal basis = contract performance (Art. 6(1)(b) GDPR)
• Authentication: contract performance
• Trust score: legitimate interest (Art. 6(1)(f))

4.2 Traveler profile
• Legal basis: explicit consent (Art. 9(2)(a) GDPR) — sensitive data
• Purpose: enable review filtering by profile (e.g., see reviews from Black travelers, LGBT+, solo women, etc.)
• You can withdraw your consent at any time by deleting your traveler profile

4.3 Travel reviews
• Legal basis: contract performance (publishing reviews is part of the service)
• Reviews remain published even after account deletion (anonymized)

4.4 Safety scores and planning
• Safety score calculation: legitimate interest
• AI estimates: legitimate interest

4.5 Travel planning
• Personal history: contract performance
• Anonymous sharing (B2B analytics): consent, explicit opt-in, disabled by default

4.6 Artificial intelligence
• Sent to Google Gemini: place name, coordinates, dates. No user identifiers transmitted.
• Shared cache (2 km radius, 30 days)
• Legal basis: legitimate interest

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

5. HOW LONG DO WE KEEP YOUR DATA?

• User account: as long as the account is active, deleted within 30 days upon request
• Traveler profile: until deleted by user or account deletion
• Travel reviews: kept indefinitely (anonymized if account is deleted)
• Travel searches: 12 months (history), 24 months if analytics opt-in (anonymized)
• Saved destinations: until deleted by user
• AI estimates: 30 days (cache)
• Local data (AsyncStorage): until logout or app uninstall

After account deletion: all personal data is deleted within 30 days. Published reviews are anonymized (username removed).

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

6. WHO HAS ACCESS TO YOUR DATA?

6.1 Technical subprocessors
• Supabase Inc.: database hosting, authentication, server functions — servers in the EU (Ireland)
• Google LLC (Gemini API): AI estimates — United States (see section 7)

6.2 Third-party services (no personal data transfer)
• Photon / OpenStreetMap: geocoding. No user identifiers transmitted.

6.3 Other users
Visible: your reviews (title, text, ratings, tips, location), your username, and your traveler profile if authorized.
Not visible: your email, saved destinations, travel searches, trust score.

6.4 Authorities
Disclosure possible in response to a legal request (court order).

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

7. TRANSFERS OUTSIDE THE EU

Most of your data is hosted in the EU (Ireland).

Transfers to the United States:
• Google (Gemini API): protected by the Data Privacy Framework (DPF), EU adequacy decision of July 10, 2023. Only place name, coordinates, and dates are transmitted.
• Supabase: no transfer, data in eu-west-1 region (Ireland).

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

8. ARTIFICIAL INTELLIGENCE

MapSur uses Google Gemini 2.5 Flash to estimate safety levels when local data is insufficient.

How it works:
1. You search for a location without sufficient local data
2. MapSur sends to the AI: place name, coordinates, dates
3. The AI generates a score (1-10), a level, a summary, and tips
4. The result is displayed with the label "AI Estimate"

What the AI does NOT do:
• It makes no decisions about you
• It does not access your profile or personal data
• It does not constitute an official safety advisory

Transparency: in compliance with the AI Act (Regulation 2024/1689, Article 50), each AI estimate is clearly labeled.

Limitations: the AI may contain geographic biases or outdated information. Always check official travel advisories.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

9. YOUR RIGHTS (GDPR, Articles 15 to 22)

• Right of access (Art. 15): know what data we hold
• Right to rectification (Art. 16): correct inaccurate information
• Right to erasure (Art. 17): delete your account and data
• Right to restriction (Art. 18): temporarily freeze use of your data
• Right to portability (Art. 20): receive your data in a structured format
• Right to object (Art. 21): object to processing based on legitimate interest
• Withdrawal of consent (Art. 7(3)): at any time, without affecting prior processing
• Right not to be subject to automated decision-making (Art. 22): MapSur does not use automated decisions with legal effects

How to withdraw consent:
• Traveler profile: Profile > Delete my traveler profile
• Analytics sharing: Settings > Privacy Center

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

10. HOW TO EXERCISE YOUR RIGHTS

Send your request to: privacy@mapsur.com
Include: your username, email, and which right you wish to exercise.
Response time: 30 days maximum (extendable by 60 days if complex).
Exercising your rights is free.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

11. DATA SECURITY

Technical measures:
• Encryption in transit (HTTPS/TLS)
• Encryption at rest (Supabase managed)
• Row Level Security (RLS): each user can only access their own data
• Password hashing (bcrypt)
• Time-limited JWT tokens
• Limited-privilege API key ("anon" key)
• Sensitive traveler profile data protected by specific RLS

In case of data breach:
• Notification to CNIL (French Data Protection Authority) within 72 hours (Art. 33 GDPR)
• User notification if high risk (Art. 34)

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

12. LOCAL STORAGE (AsyncStorage)

Data stored locally on your phone:
• Authentication token (maintain session)
• User preferences (theme, filters)
• Onboarding flag (welcome screens already seen)
• GDPR consents (analytics sharing)

MapSur does not use any cookies, advertising trackers, or tracking SDKs. This storage is strictly necessary (ePrivacy Directive, Article 5(3)).

Deletion: log out, uninstall the app, or clear data in your phone settings.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

13. PUBLIC DATA (OPEN DATA)

MapSur uses official public data to calculate safety scores. These are not personal data.

Sources: SSMSI, Dans Ma Rue, ONISR, UK Police, NYC Open Data, Chicago, Los Angeles, San Francisco, Eurostat, World Bank, US State Dept, UK FCDO, Equaldex, OpenStreetMap.

Attribution notices are available in the app (Profile > Settings > Data Sources).

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

14. PROTECTION OF MINORS

MapSur is intended for persons aged 16 and over (GDPR Art. 8). During registration, the user confirms being at least 16 years old. If we learn that data from a minor under 16 has been collected, we will delete it promptly.

Contact: privacy@mapsur.com

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

15. CHANGES TO THIS POLICY

• Minor changes: updated date modified.
• Substantial changes: notification in the app and/or by email at least 15 days in advance.
• If new consent is required, it will be explicitly requested.

History:
• Version 1.0 — March 18, 2026 (initial version)
• Version 2.0 — March 31, 2026 (added traveler profile, community reviews, updated legal notices)

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

16. CONTACT AND COMPLAINTS

Contact: privacy@mapsur.com

File a complaint with CNIL (French Data Protection Authority):
• Website: https://www.cnil.fr
• File a complaint: https://www.cnil.fr/fr/plaintes
• Address: CNIL, 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
• Phone: +33 (0)1 53 73 22 22

If you reside in another EU country, contact your national data protection authority.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

17. LEGAL NOTICES

Publisher: Merta, micro-enterprise (France)
SIRET: 103 063 657 00011
Publication director: Karis Gwet
Host: Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992
Contact: contact@mapsur.com
Domain: mapsur.com

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

This policy applies to MapSur version 2.0. In accordance with GDPR Article 12, it is accessible in the app (Profile > Privacy Policy).