This Privacy Policy explains how mapree.dev ("we") collects, uses, stores, and shares personal data when you use SDK Factory ("Service"). We comply with the Brazilian General Data Protection Law (LGPD, Law 13.709/2018) and, where applicable, the EU General Data Protection Regulation (GDPR).
1. Data we collect
- Account data: email address. Used to authenticate you via magic link and to send operational notifications.
- Billing data: Stripe customer ID, subscription status, billing period timestamps. Card numbers and payment methods are stored by Stripe; we never receive them.
- App configuration: package name, OpenAPI schema URL, optional request headers, registry token (encrypted at rest with AES-256-GCM).
- Operational data: OpenAPI schema content polled from URLs you provide, generated SDK source, build artifacts (tarballs), publish logs, and timestamps.
- Session data: short-lived session tokens stored as hashes in our database; plaintext in your browser as mapree_access and mapree_refresh cookies.
- IP address and user-agent for rate-limiting and abuse prevention. Retained for up to 30 days.
2. How we use your data
We process your data only to (a) provide and maintain the Service; (b) process payments through Stripe; (c) send operational notices (build failures, payment events, deletion warnings) by email; (d) enforce our Terms of Service; (e) comply with legal obligations.
We do not sell your personal data. We do not use your data for advertising.
3. Legal basis for processing (GDPR)
- Contract: to provide the Service you signed up for.
- Legitimate interest: rate-limiting, abuse prevention, fraud detection.
- Legal obligation: tax records, regulatory requests.
- Consent: optional features you opt into (notification preferences configurable in Settings).
4. Third-party processors (sub-processors)
We share data only with the following processors, each contractually bound to handle it under equivalent or stricter terms:
- Stripe, Inc. — payment processing and card storage.
- Resend — transactional email delivery.
- Trigger.dev — background job orchestration (crawls, builds, publishes).
- S3-compatible storage providers — object storage for build artifacts (currently Backblaze B2).
- Cloud hosting provider — runtime infrastructure.
5. Data retention
- Account email: retained while your account is active. Soft-deleted for 365 days after account deletion, then permanently removed from our database and from Stripe.
- Apps and associated data (schemas, builds, publishes): retained while the App is active. Soft-deleted for 180 days after the App is deleted or after 90 days of non-payment, then permanently removed.
- Subscription history: retained indefinitely for audit and tax purposes while your account exists; purged with the account after the 365-day window.
- Webhook error logs: retained up to 1 year.
6. Your rights
Under LGPD and GDPR you have the right to access, correct, export, delete, and restrict processing of your data. You may exercise most rights directly from the Settings page. For anything else, contact privacy@mapree.dev. We will respond within 15 days.
You may also lodge a complaint with the Brazilian data protection authority (ANPD) or your local supervisory authority.
7. Security
Registry tokens and other sensitive fields are encrypted at rest (AES-256-GCM). Sessions use HMAC-hashed tokens; cookies are HttpOnly, SameSite, and set Secure in production. All traffic is over TLS. We never log secrets in plaintext.
8. International data transfers
Our infrastructure and processors may be located outside Brazil. Where data is transferred internationally, we rely on adequacy decisions, Standard Contractual Clauses, or equivalent mechanisms permitted by the LGPD and GDPR.
9. Cookies
We use only first-party, strictly-necessary cookies for authentication (mapree_access, mapree_refresh). We do not use analytics, advertising, or third-party tracking cookies.
10. Children
The Service is not directed to anyone under 18. We do not knowingly collect data from minors. If you believe a minor has provided us data, contact us and we will delete it.
11. Changes
Material changes to this Policy will be announced by email at least 15 days before taking effect. The current version and effective date are shown at the top of this page.
12. Contact
Data Protection Officer: privacy@mapree.dev.