Privacy

Privacy Policy

This Privacy Policy explains how Mappy collects, uses, stores and protects information when you use the route planning application, create an account, sign in with Google, validate addresses, contact us, or save routes.

Last updated: May 16, 2026

Terms of UseContact

Information we collect

Account data: email address, display name, profile image/avatar if provided by Google, preferred language, selected theme and account status.

Authentication data: secure session identifiers stored in HttpOnly cookies, hashed session tokens, basic security metadata such as hashed IP address and hashed user agent, readable session device labels, approximate country code when available, and login timestamps.

Route data: addresses you import or enter, validation status, coordinates returned by geocoding providers, formatted addresses, saved routes, route zones and route history.

Local alias data: if you explicitly save a confirmed address alias, Mappy stores the label you entered and the address you confirmed in this browser local storage so future validation can try the confirmed address first. In v1 this alias data is not uploaded to Mappy servers.

Contact data: your name, email address and message when you send us a message through the contact form.

Technical data: browser/device information that is normally sent with web requests, rate-limit counters and basic operational logs used to protect and maintain the service.

Google Sign-In data

If you choose “Continue with Google”, Mappy requests only the minimum data needed to sign you in: your Google account identifier, email address, email verification status, name and profile picture. We use this data only to create or access your Mappy account, link your Google identity to your account, display your profile and secure your sessions.

Mappy does not request access to Gmail, Google Drive, Google Calendar, Google Contacts or other Google Workspace data. We do not sell Google user data, use it for advertising, or share it with third parties except as necessary to operate the user-facing account feature or comply with legal obligations.

Address validation and geocoding providers

When you validate addresses, Mappy may send the address text and relevant location hints to third-party geocoding providers so the application can verify addresses, return coordinates, show pins and create route zones. Providers may include HERE, TomTom, OpenStreetMap/Nominatim, MapTiler and, only if enabled in the production configuration, Google Maps Platform.

Mappy uses geocoding results only for the route planning features visible in the application. We do not resell geocoding results as a dataset.

How we use information

We use information to provide account login, saved routes, route history, address validation, delivery workflow, profile settings, support replies, abuse prevention, troubleshooting, security and service improvement.

Storage and retention

Account data is kept while your account is active. If you delete your account, we deactivate the account, revoke active sessions and remove or anonymize personal account fields where possible.

Saved routes remain available to your account until you delete them or delete your account. Operational logs and rate-limit records are kept only as needed for security and reliability.

Confirmed address aliases are stored in your browser local storage until you clear browser or app data. They are not account-synced in v1.

If Google Maps Platform geocoding is enabled, Mappy is configured to avoid long-term storage of Google geocoding latitude/longitude data, to track Google-sourced coordinates separately, and to purge or require revalidation for Google-sourced cached and saved-route coordinates after 30 days.

Data deletion

You can delete saved routes and your account from the profile page. For Google Sign-In accounts, deletion also removes the link between your Mappy account and your Google account from Mappy systems.

If you cannot access your account, contact us through the contact page and include the email address connected to the account so we can verify and process the deletion request.

Security

Mappy uses HTTPS, HttpOnly secure cookies for account sessions, hashed session tokens in the database, rate limiting, CORS restrictions and security headers. No method of transmission or storage is perfect, but we take reasonable steps to protect user data.

Your choices

You can use the core route planner without creating an account. You can update profile preferences, change your password, sign out from sessions, delete saved routes, or delete your account from the profile page.

You can choose not to save address aliases. If you saved aliases locally, you can remove them by clearing browser or app data for Mappy.

Contact

For privacy questions or data deletion requests, contact us through the contact page or by using the email address shown there.