Privacy Policy

Last updated: 2026-05-09

This document is provided in English. The English version is the legally binding version.

1. Who We Are

Maptero is operated by Maptero, registered in Europe. For privacy inquiries, contact us at legal@maptero.com.

2. Data We Collect

Account Data

  • Email address (required for authentication)
  • Display name (optional, set by you)

Content You Create

  • Tasks (title, type, status, deadline, effort level, recurrence rules)
  • Projects (name, description)
  • Contacts (first name, last name, company, job title) — see "Third-Party Personal Data" below
  • Task relationships (blockers, contact assignments)

Voice Data

  • Audio recordings are sent to OpenAI for transcription and are not stored by Maptero
  • Text transcriptions of your voice commands are stored for 90 days for debugging, then automatically deleted

Usage & Account Data

  • API usage logs (AI model used, cost per request) for billing and rate limiting
  • Account settings (usage tier, monthly cap)
  • Invite code redemption records (during early access)

Tutorial & Onboarding Data

  • Tutorial progress (which steps you have completed)

Security Monitoring Data

  • Active session count (how many browser tabs are open, tracked ephemerally for abuse prevention)
  • Security alerts (pseudonymized records of unusual activity, retained for 30 days)

Technical Data

  • Authentication session cookies (strictly necessary)
  • Language preference cookie (strictly necessary)
  • Timezone preference cookie (strictly necessary) — stores your device's time zone so dates display in your local time
  • UI state preferences stored in your browser's local storage
  • Error diagnostics (stack traces, browser/OS metadata, anonymized request paths) sent to our error-monitoring sub-processor for service reliability and security, on a legitimate-interest basis (Art. 6(1)(f)). IP addresses, cookies, request bodies, and authorization headers are scrubbed before sending. You can opt out of client-side error reporting in Account settings.

For details about cookies and local storage, see our Cookie Policy.

3. Legal Basis for Processing

Data | Legal Basis (GDPR)
Account data, tasks, projects, contacts | Contract performance — Art. 6(1)(b)
Third-party contact data (names, companies) | Legitimate interest (task management) — Art. 6(1)(f)
API usage logs, account settings | Contract performance — Art. 6(1)(b)
Voice transcription logs | Legitimate interest (debugging) — Art. 6(1)(f)
Security monitoring & abuse prevention | Legitimate interest (protecting the service) — Art. 6(1)(f)
Error & performance diagnostics (Sentry) | Legitimate interest (service reliability & security) — Art. 6(1)(f); you can opt out in Account settings
Authentication, locale & timezone cookies | Strictly necessary — ePrivacy Directive exemption

4. AI Processing

Maptero uses artificial intelligence to interpret your voice commands and manage tasks. When you use voice features:

  • Your audio is sent to OpenAI's Whisper service for speech-to-text transcription
  • The transcribed text, along with your task context (task titles, project names, contact names), is sent to OpenAI's GPT models (GPT-4o-mini, GPT-4o, and the Realtime API) for interpretation
  • OpenAI processes this data under a Data Processing Agreement (DPA) and does not use it to train their models
  • AI interpretations may be inaccurate — you are always shown a confirmation before any action is taken
  • Data processed by our sub-processors is subject to their own data retention policies, as governed by their respective terms and, where applicable, Data Processing Agreements

5. Third-Party Personal Data (Contacts)

Maptero allows you to store contact information about other individuals (first name, last name, company, job title) for task management purposes. This constitutes third-party personal data.

  • How it's used: Contact names are stored in our database and included in AI processing requests to enable voice-based task assignment, filtering, and contact resolution
  • Legal basis: Legitimate interest of the user for professional task management (Art. 6(1)(f) GDPR)
  • Your responsibility: As the person entering contact data, you act as data controller for this information. You should ensure you have a lawful basis to store it and avoid entering sensitive personal data
  • Retention: Contact data is retained while your account is active and deleted when you delete your account or remove the contact
  • Sub-processor access: Contact names are shared with OpenAI during voice processing (see AI Processing above) and stored in Supabase (see Sub-Processors below)

6. Sub-Processors

We use the following third-party services to operate Maptero:

Service | Purpose | Location | DPA
Supabase Inc. | Database hosting, authentication, realtime subscriptions | EU (AWS eu-west-1, Ireland) | Yes
OpenAI Inc. | Voice transcription (Whisper), task interpretation (GPT-4o, GPT-4o-mini), Realtime API (GPT-4o-realtime) | USA | Yes
Vercel Inc. | Application hosting, edge network, serverless functions | USA (edge nodes in EU) | Yes
Upstash | Rate limiting and session tracking (ephemeral data, max 300s TTL) | USA/EU | Yes
Telegram | Admin security alerts (pseudonymized identifiers only) | UAE/UK | No
Sentry (Functional Software, Inc.) | Error monitoring and exception aggregation | EU (Frankfurt, Germany) | Yes
Cloudflare, Inc. | Bot detection / CAPTCHA (Turnstile) on the login form | USA (global edge network) | Yes

7. Data Retention

  • Account data, tasks, projects, contacts: Retained while your account is active
  • Voice transcription logs: Automatically deleted after 90 days
  • API usage logs: Automatically deleted after 180 days
  • Security alerts: Automatically deleted after 30 days
  • Deleted accounts: When you request account deletion, your data is retained for 30 days (so you can cancel), then permanently deleted
  • Deleted-account operational archive: A copy of your account data, protected by the same infrastructure-level encryption-at-rest as the rest of our database, is retained for 7 days after the hard-delete strictly for system error recovery (in case the deletion job mis-fires). After 7 days the archive entry is itself deleted automatically. Service operators have no routine access to this archive; it exists only to recover from an operational error within the first week.

8. Data Security

We take the protection of your data seriously:

  • Encryption at rest: All data is encrypted at rest using AES-256 at the infrastructure (database-provider) level — including database storage and write-ahead logs. We do not currently apply additional application-level (per-field) encryption on top of this.
  • Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS (HTTPS).
  • Access control: Database access is restricted through row-level security policies. Each user can only access their own data. Service administrators may access user email addresses and account settings for operational, support, and abuse prevention purposes.
  • Authentication: User sessions are managed through industry-standard secure authentication protocols.

9. Your Rights

Under the GDPR, you have the following rights:

  • Access: Request a copy of all your data (use "Export my data" in Account settings)
  • Rectification: Correct inaccurate data (edit your tasks, contacts, and profile directly)
  • Erasure: Request deletion of your account and all data (use "Delete my account" in Account settings)
  • Portability: Download your data in JSON format (use "Export my data" in Account settings)
  • Restriction: Request restricted processing by contacting legal@maptero.com
  • Objection: Object to processing based on legitimate interest (Art. 21) by contacting legal@maptero.com. Upon receiving a valid objection, we will cease the specific processing unless we demonstrate compelling legitimate grounds. For voice transcription logs, we will delete your existing logs upon request.
  • Complaint: Lodge a complaint with your local EU data protection authority

10. International Data Transfers

Our sub-processors are located in the United States and the EU (see the Sub-Processors table above for each provider's location). Transfers to the United States are protected by the EU-US Data Privacy Framework and/or Standard Contractual Clauses (SCCs) as appropriate. Most sub-processors operate under Data Processing Agreements; where one does not (currently Telegram, used only for internal pseudonymized security alerts), we share only pseudonymized identifiers and document the residual risk in our records.

11. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and notify affected users via email without undue delay, in accordance with GDPR Articles 33 and 34.

12. Changes to This Policy

We may update this policy from time to time. For material changes, we will notify you via email at least 30 days before they take effect. The "last updated" date at the top of this page reflects the most recent revision.

13. Contact

Maptero
Europe
Email: contact@maptero.com
Privacy contact: legal@maptero.com