Privacy Policy

Mapinly is a collaborative trip planning platform built to help groups plan travel together. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and what choices you have.

We believe privacy should be explained in plain English, not buried in legal jargon. If something in this policy is unclear, please reach out through our contact page.

By using Mapinly, you also agree to our Terms of Service.

We collect information in three ways:

Information you provide directly.

• Name and email address when you create an account.
• Password (stored as a secure hash — we never see it in plain text).
• Profile photo, if you choose to upload one.
• If you sign in with Google, we receive your name, email, and profile photo from Google.

Content you create. Everything you build inside Mapinly — trip plans, itineraries, idea lists, notes, polls, checklists, votes, budget entries, and files you upload — is stored and associated with your account. When you collaborate on a shared trip, your name, email, and profile photo are visible to the other collaborators on that trip. Your contributions (votes, notes, budget entries, uploaded files) are also visible to everyone on that trip.

Information collected automatically. When you use Mapinly, we and our third-party services automatically collect:

• Your IP address and approximate location (country/city level).
• Browser type, operating system, and device type.
• Pages visited, features used, and time spent on Mapinly.
• Events like sign-ups, logins, and feature interactions (via Google Analytics).

Operate the service. We use your name, email, and avatar to create your account, identify you, and display you to collaborators on shared trips.

Enable collaboration. When you join or create a trip, we share your profile information (name, email, avatar) with the other members of that trip so your group can plan together. You control who you invite, and the trip owner can remove collaborators at any time.

Process payments. If you subscribe to a Plus plan, we send your email and payment details to Stripe to process billing. Your card number and billing address never touch Mapinly's servers.

Improve the product. We use anonymized, non-identifiable analytics data (for example, popular destinations or which features are used most) to understand how people use Mapinly and make it better. This data cannot be traced back to you.

Communicate with you. We send account-related emails only — email confirmation, password reset, and subscription updates. We do not send marketing emails.

Ensure security. We use IP addresses, device data, and login patterns to detect suspicious activity and protect your account.

We do not sell your personal information. Ever.

Mapinly relies on several third-party services to operate. Here is exactly what each one receives and why:

Supabase — our backend infrastructure provider. All data you create on Mapinly (your account, trips, files, and real-time updates) is stored and processed on Supabase's servers. Supabase acts as our data processor. Supabase Privacy Policy

Google Maps & Places API — powers the map and place search features. When you search for a destination or place, your search queries and the geographic coordinates of your trip are sent to Google. Google Privacy Policy

Stripe — processes subscription payments. When you subscribe to a Plus plan, your email and payment details are sent directly to Stripe. Your card number and billing address never touch Mapinly's servers — we store only your Stripe customer ID to link your account to your subscription. Stripe Privacy Policy

Google Analytics — helps us understand how people use Mapinly. Google Analytics receives data about pages visited, features clicked, and events triggered. No personally identifiable information is included in analytics events. Google Analytics Privacy

Cookies we set. Mapinly sets one cookie: sidebar:state, which remembers whether your sidebar is open or collapsed. It is non-personal and expires after 7 days.

Google Analytics cookies. Google Analytics sets its own cookies to track sessions and distinguish users. These are standard analytics cookies and do not contain personally identifiable information.

We do not use advertising cookies, tracking pixels, or any third-party marketing tags.

Local storage (in your browser).

• Remembered email — if you check "Remember me" on the login page, your email is saved locally so you don't have to retype it. You can clear this by unchecking "Remember me."
• Place detail cache — Google Places API results are cached locally for up to 7 days to reduce load times and API calls.
• Distance cache — travel time and distance results are cached locally for performance.
• Session storage — search results and map filter preferences are stored for the duration of your browser session only and are cleared when you close the tab.

You can clear all local storage at any time through your browser settings.

We take reasonable steps to protect your data:

• All data is encrypted in transit (HTTPS/TLS) and at rest by Supabase.
• Passwords are hashed by Supabase Auth and are never stored or visible in plain text.
• Row Level Security (RLS) is enforced at the database level — you can only access your own data and trips you are a member of.
• Uploaded files are accessed via signed URLs that expire after 1 hour.
• Payment data is handled entirely by Stripe, which is PCI-DSS compliant. We never see or store your card details.

No system is completely immune to security incidents. We cannot guarantee that data will never be accessed, disclosed, or lost due to factors beyond our control. If a security breach occurs that affects your personal data, we will notify you as required by applicable law.

While your account is active. We retain your account data and all content you create for as long as your account exists.

Free plan archiving. Trips on the Free plan are automatically archived 7 days after the trip end date. Archived trips become read-only — your data is not deleted.

Deleting a trip. When you delete a trip, it is immediately removed from your dashboard and from all collaborators' views. The underlying data is retained for a limited period so our support team can help with accidental deletions. After this retention window, the data is permanently purged.

Deleting your account. You can permanently delete your account from your profile settings at any time. Deletion is immediate and irreversible. It removes:

• Your authentication record and profile.
• Trips you created with no collaborators — permanently deleted, including all their content.
• Trips you created with active collaborators — ownership transfers to the earliest collaborator. The trip and its content remain accessible to the group.

Content on shared trips you collaborated on. If you contributed content (notes, votes, budget entries, items) to a trip owned by someone else, that content remains visible to the remaining trip members after you delete your account, but will no longer be attributed to you.

Your collaborator identity. Your name and email may remain visible to members of trips you collaborated on, even after your account is deleted. This allows trip owners to retain a record of who contributed to the trip.

Backups. Supabase maintains database backups for disaster recovery purposes. Deleted data may persist in backups for a limited period before being permanently purged.

PDF itinerary export. You can export a day-by-day itinerary for any trip as a PDF directly from the itinerary view. This PDF is generated in your browser and is never sent to our servers.

You have the following controls over your data:

• Access & update. Edit your name and profile photo anytime from your profile settings.
• Delete your account. Permanently remove your account and all associated data from your profile settings.
• Control collaboration. Manage who has access to your trips by choosing who you invite.
• Clear remembered email. Uncheck "Remember me" on the login page to remove your saved email from local storage.
• Opt out of Google Analytics. You can opt out by installing the Google Analytics Opt-out Browser Add-on or by using your browser's built-in privacy settings.

For any requests you cannot handle through self-service, please reach out through our contact page.

Additional rights. If you are located in the EU, UK, or California, you may have additional rights under GDPR, UK GDPR, or CCPA — including the right to data portability, the right to restrict processing, and the right to object to certain uses of your data. To exercise these rights, contact us through our contact page.

Mapinly is not intended for anyone under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that a user is under 16, we will delete their account and associated data promptly.

If you believe a child under 16 has created an account, please contact us through our contact page.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through an in-app notice. The "Last updated" date at the top of this page will always reflect when the policy was last revised.

Your continued use of Mapinly after changes take effect means you accept the updated policy.

If you have questions or concerns about this Privacy Policy, please reach out through our contact page.