We collect information you provide directly to us — account registration data (email address, name), billing information processed via Stripe, and API usage metadata (query strings, result counts, timestamps). We do not store the raw Google Maps results you extract via our API.
Automatically collected data includes: IP address, browser user-agent, referrer, and page-level analytics via Plausible (a privacy-first, cookieless analytics provider).
We use collected data to:
We do not sell your data to third parties. We do not use your data for advertising targeting.
Account data is retained for the lifetime of your account plus 90 days after deletion. API access logs are retained for 30 days for abuse detection, then purged. Billing records are retained for 7 years as required by law.
We use a small number of sub-processors: Stripe (payments), Postmark (transactional email), Cloudflare (CDN and DDoS protection), and Hetzner / AWS (compute and storage). Each is bound by a DPA.
Under GDPR and CCPA, you have the right to access, correct, export, or delete your personal data. Submit requests to privacy@mapsapi.dev. We respond within 30 days.
We use one first-party cookie: a session token for dashboard authentication. We do not use advertising cookies or third-party tracking pixels. Our analytics provider (Plausible) is cookieless.
Data is encrypted in transit (TLS 1.3) and at rest (AES-256). API keys are stored as salted hashes — we cannot recover a lost key; you must rotate it. Production infrastructure runs in isolated VPCs with no public database endpoints.
We will notify registered users by email at least 14 days before material changes take effect. Continued use of the service after the effective date constitutes acceptance.
Questions about this policy: privacy@mapsapi.dev. Postal address available on request for GDPR Article 27 purposes.