PRIVACY POLICY: MapSur
Last updated: May 11, 2026, Version 2.5
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. WHO ARE WE?
MapSur is a community mobile application for travelers. It lets you browse travel reviews filtered by profile, check safety scores, and plan trips with confidence.
Publisher: Merta, micro-enterprise (France)
SIRET: 103 063 657 00011
Privacy contact: privacy@mapsur.com
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
2. PURPOSE OF THIS POLICY
This privacy policy informs you about:
• What personal data we collect
• Why we collect it (purposes)
• Our legal basis
• How long we keep it
• Who can access it
• Your rights and how to exercise them
It complies with the General Data Protection Regulation (GDPR), Articles 12, 13, and 14.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
3. WHAT DATA DO WE COLLECT?
3.1 Account data (registration)
• Email address (required)
• Username (required)
• Password (required, never stored in clear text, bcrypt hashing)
• Unique UUID identifier (automatic)
3.2 Traveler profile (optional, sensitive data, GDPR Art. 9)
If you choose to fill in your traveler profile, we may collect:
• Gender (man, woman, non-binary)
• Ethnic origin (Black, Arab, Asian, Latino, etc.)
• Sexual orientation (heterosexual, gay, lesbian, bisexual)
• Religion (Muslim, Jewish, Christian, Hindu, Buddhist, no religion)
• Disability status (yes/no)
• Age range
• Travel style (solo, couple, family, group)
IMPORTANT: This is sensitive data under GDPR Article 9. It is only collected with your explicit consent. You can modify or delete it at any time (Profile > My traveler profile).
3.3 Activity data
• Travel reviews (title, text, ratings, tips, specific location)
• "Helpful" votes on other users' reviews
• Reports of abusive reviews
• Travel searches (destination + dates), only if opted in
• Saved destinations
Reviews are visible to other users. Your traveler profile is only shown if you authorized it ("Show my profile" option).
3.4 Computed data
• Trust score (0 to 1): reflects the reliability of your contributions
• Safety scores: calculated from official data
• AI estimates (Google Gemini): score and tips, clearly labeled
3.5 Data we DO NOT collect
• Real name, date of birth
• Phone contacts
• Photos or multimedia
• Banking or payment data
• Background location
• Advertising identifiers
• Social media data
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
4. WHY DO WE COLLECT THIS DATA?
4.1 Account management
• Account creation: legal basis = contract performance (Art. 6(1)(b) GDPR)
• Authentication: contract performance
• Trust score: legitimate interest (Art. 6(1)(f))
4.2 Traveler profile
• Legal basis: consent (Art. 6(1)(a) GDPR) and explicit consent for special categories of data (Art. 9(2)(a) GDPR)
• Purpose: enable review filtering by profile (e.g., see reviews from Black travelers, LGBT+, solo women, etc.)
• Traveler profile information is collected only if you voluntarily fill it in; you can withdraw your consent at any time by deleting your traveler profile (Art. 7(3) GDPR)
4.3 Travel reviews
• Legal basis: contract performance (publishing reviews is part of the service)
• Reviews remain published even after account deletion (anonymized)
• "Places of interest" derivative processing: if you ticked "Show my traveler profile" on the review and your overall rating is ≥ 4/5, MapSur may reuse short excerpts from the text to populate a public database of venue recommendations sorted by traveler identity profile (neighborhoods, restaurants, nightlife, cultural spots). Legal basis: distinct consent expressed by ticking "Show my profile" (Art. 6(1)(a) GDPR) combined with the Art. 9(2)(a) consent already given for your traveler profile. This processing uses no AI generation whatsoever: only exact excerpts from your reviews may appear. Withdrawal at any time: delete or edit the review, uncheck "Show my profile", or delete your account. See Article 5.5 of the Terms of Use.
4.4 Safety scores and planning
• Safety score calculation: legitimate interest
• AI estimates: legitimate interest
4.5 Travel planning
• Personal history: contract performance
• Anonymous sharing (B2B analytics): consent, explicit opt-in, disabled by default
4.6 Artificial intelligence
• Sent to Google Gemini: place name, coordinates, dates and, if you select them for this search, traveler profiles used to personalize the estimate. No user identifier, email address, or account UUID is transmitted.
• Shared cache (2 km radius, 30 days) only for non-profiled estimates. Profile-personalized estimates are not stored in the shared cache.
• Legal basis: legitimate interest for safety estimation; explicit consent (GDPR Art. 9(2)(a)) for the voluntary use of sensitive profiles in a personalized estimate.
4.7 Product analytics (usage measurement)
We record certain interactions with the website (product events) to understand how MapSur is used and prioritize improvements.
• Purpose: continuous service improvement, bug detection, audience measurement.
• Legal basis: legitimate interest (Art. 6(1)(f) GDPR). Balancing test performed: the processing is necessary for product improvement, proportionate (no personal identifier on sensitive events), and respectful of individuals' rights (easy objection via privacy@mapsur.com).
• Data collected: event name (search, filter applied, review viewed, etc.), technical properties (searched destination, selected date window, active profile filters on a personalized search, destination slug, filter type, platform, version, language), timestamp, anonymous session identifier rotating every 30 days. Never email, name, or review text.
• Enhanced anonymity on identity filters and profile-personalized searches (gender, ethnicity, religion, orientation, disability): the user identifier is stripped at the database level before recording. Use of these filters or profiles cannot be tied to a named account.
• Recipients: Supabase Inc. only (EU host, Ireland). No third-party tool (Google Analytics, Mixpanel, Meta Pixel) is used.
• Retention: 13 months, then automatic deletion.
• Transfers outside the EU: none.
• No cookie or fingerprint: the session identifier is stored only in your browser (localStorage) and does not allow cross-site tracking.
• Your rights: right to object (Art. 21), right of access (Art. 15), right to erasure (Art. 17). Email privacy@mapsur.com. Upon account deletion, all events tied to your account are also deleted.
4.8 Affiliate links
MapSur includes affiliate links to third-party travel partners (hotels, activities, insurance) on destination pages and the trip planner page (/explore). These links are clearly identified as "Sponsored links" / "Liens partenaires" in immediate proximity. When you click an affiliate link and subsequently make a booking with the partner, MapSur may earn a commission, at no extra cost to you. This helps keep the app free for individual travelers.
Data shared with partners:
• No personal data (name, email, traveler profile, searches) is transmitted to the partner at the time of the click. Only commercial tracking parameters are embedded in the URL: a MapSur affiliate identifier ("aid" or "partner_id"), a campaign label including the clicked city name, and UTM parameters (utm_source=mapsur, utm_medium=destination or organic).
• The partner may, independently of MapSur, place cookies on your browser via their own website once you arrive there. This processing is under the partner's sole responsibility and governed by their own privacy policies.
Partners used (as of May 1, 2026):
• Booking.com, hotels, Booking.com B.V., Netherlands, policy: https://www.booking.com/content/privacy.html
• GetYourGuide, activities and tours, GetYourGuide AG, Switzerland, policy: https://www.getyourguide.com/privacy/
• SafetyWing, travel insurance, SafetyWing Inc., USA, policy: https://safetywing.com/privacy
On the MapSur side, the "affiliate_clicked" event is tracked in our product analytics (see section 4.7) with properties { program, destination, surface }, without any personal data attached to the user account.
How to opt out:
• Do not click links identified as "Sponsored links" / "Liens partenaires".
• On the partner side (after arriving on their website), configure your browser cookie settings or the partner's privacy options.
Legal basis: legitimate interest (Art. 6(1)(f) GDPR) for anonymous click tracking on the MapSur product analytics side, balanced against your right to privacy. No personal data is processed by MapSur on this event. Any subsequent processing by the partner after you arrive on their site is governed exclusively by the partner.
4.9 Cookies and trackers on mapsur.com
4.9.1 What is a cookie?
A cookie is a small file placed on your device by the website you visit. It allows information to be stored for site operation, audience measurement, or advertising.
4.9.2 Cookies used on mapsur.com
We use two categories of cookies subject to your consent:
a) Audience measurement (Google Analytics 4)
• Purpose: understand site traffic, most viewed pages, and traffic sources.
• Legal basis: your consent (Art. 6(1)(a) GDPR + Art. 82 of the French Data Protection Act).
• Processor: Google Ireland Limited (EU-based) with possible recourse to Google LLC (United States).
• Transfer framework: Data Privacy Framework (DPF), Google LLC certified since July 2023.
• Anonymization: your IP address is truncated before storage (last two octets masked).
• Retention: 14 months (GA4 data) and 13 months (cookies).
• Tracking exclusions: URLs containing identity-related profile filters (e.g. /destination/marrakech?filter=muslim) are excluded from GA4 so that sensitive data within the meaning of Art. 9 GDPR is not indirectly transmitted.
b) Advertising effectiveness measurement (Google Ads)
• Purpose: measure which advertising campaigns lead to account creation, review publication, or a click toward an affiliate partner.
• Legal basis: your consent (Art. 6(1)(a) GDPR + Art. 82 of the French Data Protection Act).
• Processor: Google Ireland Limited with possible recourse to Google LLC (United States), DPF framework.
• Retention: 13 months maximum.
We also use Vercel Analytics for technical site performance measurement (load times, errors). This tool does not place any cookie or identifier and is not subject to consent.
4.9.3 How to manage your consent
On your first visit, a banner allows you to accept, refuse, or customize your choices by purpose (audience measurement and/or advertising). The three choices are presented in a visually equivalent manner, in line with the CNIL recommendation of 17 September 2020.
You can change or withdraw your consent at any time by clicking the "Cookie preferences" link at the bottom of each page. Withdrawal of consent does not affect the lawfulness of processing based on consent before such withdrawal (Art. 7(3) GDPR).
Consent collection and management is handled by tarteaucitron.js, a French open-source library (BSD-3 license, Amnet project, used by many French administrations). The code runs entirely in your browser: your choice is stored locally (technical cookie "tarteaucitron_mapsur" and browser localStorage), and is never transmitted to a third party. There is therefore no processor within the meaning of Art. 28 GDPR for this purpose.
4.9.4 If you refuse cookies
If you refuse all or some of the cookies, you can still fully use the site. Only the corresponding measurement functions are disabled. In accordance with the CNIL opinion of 16 May 2024 on "Consent Mode", Google may receive an anonymized signal without cookies ("ping") indicating that consent was refused, solely for global statistical estimation purposes. No cookie is placed and no individual data about you is transmitted.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
5. HOW LONG DO WE KEEP YOUR DATA?
• User account: as long as the account is active, deleted within 30 days upon request
• Traveler profile: until deleted by user or account deletion
• Travel reviews: kept indefinitely (anonymized if account is deleted)
• Travel searches: 12 months (history), 24 months if analytics opt-in (anonymized)
• Saved destinations: until deleted by user
• AI estimates: 30 days for the non-profiled cache; no shared cache for profile-personalized estimates
• Product analytics events: 13 months
• Local data (AsyncStorage): until logout or app uninstall
After account deletion: all personal data is deleted within 30 days. Published reviews are anonymized (username removed).
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
6. WHO HAS ACCESS TO YOUR DATA?
6.1 Technical subprocessors
• Supabase Inc.: database hosting, authentication, server functions, servers in the EU (Ireland)
• Google LLC (Gemini API): AI estimates, United States (see section 7)
6.2 Third-party geocoding services
• Photon / OpenStreetMap: location search and coordinates. No MapSur account identifier is transmitted. However, the search term you type (e.g. "Paris, 11th arrondissement") and the coordinates required to make the call are transmitted to the geocoding service so it can respond.
6.3 Other users
Visible: your reviews (title, text, ratings, tips, location), your username, and your traveler profile if authorized.
Not visible: your email, saved destinations, travel searches, trust score.
6.4 Authorities
Disclosure possible in response to a legal request (court order).
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
7. TRANSFERS OUTSIDE THE EU
MapSur prioritizes hosting and processing in the EU region whenever available. Most of your data is hosted in the EU (Ireland). Some providers may nevertheless involve a transfer or access outside the EU, in which case appropriate safeguards apply (DPA, Standard Contractual Clauses, or adequacy decisions such as the Data Privacy Framework when relevant).
Transfers currently identified to the United States:
• Google LLC (Gemini API): covered by the Data Privacy Framework (DPF), EU adequacy decision of July 10, 2023, when the specific service used is covered by Google's DPF commitments. Place name, coordinates, and dates are transmitted; selected traveler profiles may also be transmitted only if you request a personalized estimate.
• Resend Inc. (transactional emails): covered by standard DPA plus DPF certification when applicable, or otherwise by the EU Commission's Standard Contractual Clauses.
• Supabase Inc.: no transfer identified, data in eu-west-1 region (Ireland).
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
8. ARTIFICIAL INTELLIGENCE
MapSur uses Google Gemini to estimate safety levels when local data is insufficient.
How it works:
1. You search for a location without sufficient local data
2. MapSur sends to the AI: place name, coordinates, dates and, if selected, traveler profiles needed for personalization
3. The AI generates a score (1-10), a level, a summary, and tips
4. The result is displayed with the label "AI Estimate"
What the AI does NOT do:
• It makes no decisions about you
• It does not access your account, email, reviews, history, or saved profile; it only receives the profiles selected in the current search
• It does not constitute an official safety advisory
Transparency: MapSur applies, in anticipation, the transparency principles set out in Article 50 of Regulation (EU) 2024/1689 (AI Act). Each AI estimate is clearly labeled as such in the interface.
Limitations: the AI may contain geographic biases or outdated information. Always check official travel advisories.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
9. YOUR RIGHTS (GDPR, Articles 15 to 22)
• Right of access (Art. 15): know what data we hold
• Right to rectification (Art. 16): correct inaccurate information
• Right to erasure (Art. 17): delete your account and data
• Right to restriction (Art. 18): temporarily freeze use of your data
• Right to portability (Art. 20): receive your data in a structured format
• Right to object (Art. 21): object to processing based on legitimate interest
• Withdrawal of consent (Art. 7(3)): at any time, without affecting prior processing
• Right not to be subject to automated decision-making (Art. 22): MapSur does not use automated decisions with legal effects
How to withdraw consent:
• Traveler profile: Profile > Delete my traveler profile
• Analytics sharing: Settings > Privacy Center
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
10. HOW TO EXERCISE YOUR RIGHTS
Send your request to: privacy@mapsur.com
Include: your username, email, and which right you wish to exercise.
Response time: 30 days maximum (extendable by 60 days if complex).
Exercising your rights is free.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
11. DATA SECURITY
Technical measures:
• Encryption in transit (HTTPS/TLS)
• Encryption at rest (Supabase managed)
• Row Level Security (RLS): each user can only access their own data
• Password hashing (bcrypt)
• Time-limited JWT tokens
• Limited-privilege API key ("anon" key)
• Sensitive traveler profile data protected by specific RLS
In case of data breach:
• Notification to CNIL (French Data Protection Authority) within 72 hours (Art. 33 GDPR)
• User notification if high risk (Art. 34)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
12. LOCAL STORAGE (AsyncStorage)
Data stored locally on your phone:
• Authentication token (maintain session)
• User preferences (theme, filters)
• Onboarding flag (welcome screens already seen)
• GDPR consents (analytics sharing)
MapSur does not use any cookies, advertising trackers, or tracking SDKs.
This storage is strictly necessary (ePrivacy Directive, Article 5(3)).
Deletion: log out, uninstall the app, or clear data in your phone settings.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
13. PUBLIC DATA (OPEN DATA)
MapSur uses official public data to calculate safety scores and provide mapping services. These are not personal data.
Sources: SSMSI, Dans Ma Rue, ONISR, UK Police, NYC Open Data, Chicago, Los Angeles, San Francisco, Eurostat, World Bank, US State Dept, UK FCDO, Equaldex.
Map data attribution:
© OpenStreetMap contributors. Map data and geocoding (location search, addresses, coordinates) come from OpenStreetMap and are made available under the Open Database License (ODbL 1.0).
https://www.openstreetmap.org/copyright
Places of interest sources and licenses:
• OpenStreetMap (ODbL): venues, addresses, coordinates, tags (e.g. religion, wheelchair, lgbtq). Attribution "© OpenStreetMap contributors" required.
• Wikidata (CC0): notable venues, semantic classes (e.g. LGBT bar, synagogue). No attribution requirement.
• Wikivoyage (CC BY-SA 4.0): name, address, coordinates, and source URL only. Textual descriptions are not reused by MapSur to avoid any "share-alike" contamination of MapSur's editorial content.
• MapSur community reviews: only when the consent conditions described in Section 4.3 of this Policy and in Article 5.5 of the Terms of Use are met (traveler profile visible, overall rating ≥ 4/5).
Complete attribution notices for all sources are listed in our Terms of Use (Article 15), accessible from the website footer.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
14. PROTECTION OF MINORS
MapSur is reserved for persons aged 16 and over. This threshold is a service choice aimed at strengthening user protection. In France, the digital age of consent is set at 15 (GDPR Art. 8 + Article 7-1 of the French Data Protection Act). MapSur voluntarily applies a higher, more protective threshold.
During registration, the user confirms being at least 16 years old. If we learn that data from a minor under 16 has been collected, we will delete it promptly.
Contact: privacy@mapsur.com
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
15. CHANGES TO THIS POLICY
• Minor changes: the "Last updated" date is modified.
• Substantial changes: notification in the app and/or by email at least 15 days in advance.
• If new consent is required, it will be explicitly requested.
History:
• Version 1.0: March 18, 2026 (initial version)
• Version 2.0: March 31, 2026 (added traveler profile, community reviews, updated legal notices)
• Version 2.1: April 16, 2026 (added product analytics §4.7, dual legal basis for sensitive data, removal of obsolete ODR reference, age-threshold clarification, EU-transfer nuance, DSA/LCEN reporting procedure, Safe Places sources)
• Version 2.2: April 27, 2026 (profile-personalized AI estimates, no shared cache for those estimates)
• Version 2.3: May 1, 2026 (rebrand "Safe Places" → "Places of interest" with URL updates and 301 redirects; added §4.8 affiliate links Booking/GetYourGuide/SafetyWing)
• Version 2.4: May 1, 2026 (removal of "by profile" suffix from the feature label; no substantive change, data processing and legal bases remain identical to V2.3)
• Version 2.5: May 11, 2026 (added §4.9 Cookies and trackers on mapsur.com covering Google Analytics 4 and Google Ads, consent management via open-source library tarteaucitron.js (local browser storage, no processor), Consent Mode v2 "default denied", tracking exclusion for URLs containing Art. 9 identity filters)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
16. CONTACT AND COMPLAINTS
Contact: privacy@mapsur.com
File a complaint with CNIL (French Data Protection Authority):
• Website: https://www.cnil.fr
• File a complaint: https://www.cnil.fr/fr/plaintes
• Address: CNIL, 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
• Phone: +33 (0)1 53 73 22 22
If you reside in another EU country, contact your national data protection authority.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
17. LEGAL NOTICES
Publisher: Merta, micro-enterprise (France)
SIRET: 103 063 657 00011
Publication director: Karis Gwet
Host: Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992
Contact: contact@mapsur.com
Domain: mapsur.com
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
This policy applies to MapSur version 2.0.
In accordance with GDPR Article 12, it is accessible in the app (Profile > Privacy Policy).