Privacy Policy

We are committed to maintaining the accuracy, confidentiality, and security of our users' personal information. This Privacy Policy describes the personal information that we collect from or about our users, how we use that information, the third parties we share it with, and how long we keep it.

This Policy is intended to explain how we collect, use, disclose, and protect personal data in connection with the Services, including where applicable under the GDPR, UK GDPR, CCPA, and other relevant privacy laws.

This Policy takes effect on the date set out at the top of this page and replaces any prior privacy statements relating to Maponim. We may update this Policy from time to time as described in Section XV (Amendments).

This Policy applies to all individuals and entities that visit the Maponim website, register for an account, subscribe to a paid plan, purchase a Custom Domain, or otherwise interact with the Services, including users who access Maponim from locations outside the United States.

If you use Maponim on behalf of a business or other legal entity, this Policy applies to your personal data, and you are responsible for ensuring that any other people whose personal data you submit (for example, WHOIS contact details for a domain registered on behalf of a business) are aware of and consent to the processing described here, to the extent required by applicable law.

For the purposes of this Policy:

• "Personal Data" means information that relates to an identified or identifiable natural person.
• "Processing" means any operation performed on personal data, whether by automated means or not, including collection, recording, organization, storage, use, disclosure, transfer, or deletion.
• "User" or "You" means any individual or legal entity using Maponim.
• "Services" or "Maponim" means the software-as-a-service platform operated by ALM NOVA INC at maponim.com and related subdomains.
• "Sub-processor" means a third party engaged by us to process personal data on our behalf in connection with the Services.
• "Custom Domain" means a domain name registered through our registrar partner Vercel on your behalf and connected to a site you create with Maponim.

We only collect information that is necessary to operate, secure, and improve the Services, to comply with our legal obligations, or to support the legitimate interests described in this Policy. Depending on how you use Maponim, the information we collect may include:

• Account identification data received from Google when you sign in through Google OAuth, including your Google account identifier, email address, and (where you choose to share it) your display name and profile picture. Google OAuth is the sole authentication method for Maponim; we do not store passwords ourselves.
• Subscription and billing information, including the Stripe customer identifier associated with your account, your active subscription status and plan, billing period dates, and a record of past payments. We do not store full payment card numbers; this information is handled directly by Stripe under their own privacy policy.
• Business profile information that you submit or that we retrieve from public Google sources when you connect a business to Maponim, including business name, category, address, city, country, phone number, website URL, social media URLs, hours, and Google Place identifier.
• Custom Domain registration data that you submit only when purchasing a Custom Domain, including the WHOIS contact information required by ICANN for domain registration: first name, last name, email address, telephone number (in international E.164 format), and postal address (street, city, state or region, postal code, country).
• Generated and edited site content, including AI-generated copy produced by Maponim from Google reviews and business profile data, your edits to that content, and photos imported from the Google Places API and stored on our infrastructure for display.
• Technical and usage data, including IP address, browser type and version, operating system, device identifiers, language settings, approximate location derived from IP, pages visited within the Services, session timestamps, and authentication cookies.
• Rate-limit counters keyed by user identifier and stored in our caching layer (Upstash Redis) to enforce per-plan limits on site builds and Google Places resolutions and to detect abuse.
• Communications you send to us, including support requests, bug reports, feature suggestions, and any other emails or messages addressed to contact@maponim.com.

We do not claim ownership of the business content you submit to Maponim or of the generated website that Maponim produces from your inputs. We process the materials you provide only as necessary to operate the Services, generate, edit, and host your site, manage your subscription and any Custom Domain, and otherwise deliver the functionality you have requested.

We do not collect sensitive categories of personal data (such as racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic or biometric data, health data, or data concerning a person's sex life or sexual orientation) and you should not submit such data to Maponim.

We do not knowingly collect personal data from children under the age of eighteen (18). If you believe a minor has submitted personal data to the Services, please contact us at contact@maponim.com and we will take reasonable steps to delete it.

We do not, and will not, sell your personal information to third parties. We share personal data only with the categories of recipients listed below, and only to the extent necessary for the purposes set out next to each recipient.

• Google: when you connect a business to Maponim, we query the Google Places API with the Google Maps link or place identifier you submit, and we receive the corresponding public business profile and reviews. Google OAuth also receives authentication requests when you sign in. Google processes this data under Google's own terms and privacy policy.
• Stripe: subscription and Custom Domain payments are processed by Stripe, Inc. We share with Stripe the information required to create a customer record (email address, user identifier in our system) and to charge the applicable fees. Card data is collected by Stripe directly through Stripe's hosted checkout and is never stored on our infrastructure.
• Vercel: Vercel, Inc. provides hosting for Maponim and acts as our registrar partner for Custom Domain purchases. For Custom Domain registrations we share with Vercel the WHOIS contact information you provide so the domain can be registered in your name with the appropriate registry.
• Anthropic: when generating site content, we send the business profile data, the public Google review excerpts, and your generation preferences (such as language and theme) to Anthropic's Claude AI model for processing. Anthropic acts as a sub-processor and processes this data under Anthropic's terms.
• Supabase: Supabase provides our database, authentication infrastructure, and object storage for site photos. Personal data stored about your account, sites, and reviews resides on Supabase-managed infrastructure.
• Upstash: Upstash provides the Redis-based rate-limiting layer that protects expensive endpoints from abuse. The data shared with Upstash is limited to per-user usage counters keyed by your user identifier; no business content is sent.
• Vercel Web Analytics and Speed Insights: in addition to hosting our infrastructure, Vercel provides cookieless, privacy-friendly first-party analytics that we use to measure aggregate site traffic (page views, top pages, referrers, country-level breakdowns) and Core Web Vitals (loading speed, interactivity, layout stability). These services do not set cookies, do not track individual users, and do not collect personal data. They are used solely to help us understand and improve the Service.
• Professional advisors and law enforcement: where required by law, court order, valid legal process, or to protect our rights, property, or the safety of any person, we may disclose personal data to our legal advisors, accountants, regulators, or law enforcement authorities.
• Acquirers: in the event of a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, or similar transaction, personal data may be transferred as part of the transaction, subject to the recipient honoring the commitments made in this Policy or providing equivalent protections.

We enter into written agreements with our sub-processors that require them to safeguard personal data, process it only for the purposes we instruct, and comply with applicable data protection laws.

ALM NOVA INC is based in the United States, and most of our sub-processors (including Stripe, Vercel, Anthropic, Supabase, and Upstash) operate primarily from infrastructure in the United States. By using Maponim, you acknowledge that your personal data may be transferred to, stored in, and processed in the United States or other countries that may have data protection laws different from those in your country of residence.

Where personal data of users located in the European Economic Area, the United Kingdom, or Switzerland is transferred to the United States or another country that is not subject to an adequacy decision under applicable data protection law, we take steps designed to ensure that appropriate safeguards are in place, including, where applicable, the Standard Contractual Clauses approved by the European Commission and supplementary measures.

If you have questions about international data transfers or would like a copy of the relevant safeguards, please contact us at contact@maponim.com.

We process your personal data for the purposes described below.

A. General Use

• To create, authenticate, and maintain your Maponim account, including verifying your Google OAuth identity at sign-in.
• To create and maintain your Stripe customer record, process subscription payments and Custom Domain purchases, manage renewals, and issue refunds where required.
• To send service-related emails and in-product notifications, including subscription confirmations, payment receipts, billing failures, site build completion, plan-limit notifications, security alerts, and updates to this Policy or our Terms.
• To respond to your support requests, feature suggestions, bug reports, and other communications sent to contact@maponim.com.
• To operate, maintain, secure, monitor, and improve the Services and the underlying infrastructure, including diagnosing technical issues, preventing abuse, detecting fraud, and enforcing our Terms and Conditions.
• To measure aggregate, anonymous usage of the Services (such as page views, top pages, referrers, and Core Web Vitals) through cookieless first-party analytics provided by Vercel, so we can understand how Maponim is used and where to invest in improvements.
• To comply with our legal obligations, respond to lawful requests from authorities, defend legal claims, and exercise or defend our legal rights.

B. Business-Specific Use

• To process the Google Maps URL or business listing you submit, retrieve the corresponding public business profile and review data from the Google Places API, and store that data on your behalf so it can be displayed on your generated site.
• To send the business profile, review excerpts, and your generation preferences (such as language and theme) to Anthropic's Claude model in order to generate the structured site content (hero copy, why-people-love-us items, atmosphere descriptions, signature experiences, FAQ, and similar sections).
• To deliver the generated website to your dashboard, allow you to edit any section, regenerate content where supported, and publish it under your Maponim subdomain or a connected Custom Domain.
• To register and manage Custom Domains on your behalf with Vercel, pass the WHOIS contact information you provided to the registrar, configure DNS and HTTPS, and bill renewals annually through Stripe.
• To enforce per-plan limits and rate limits via Upstash counters keyed by your user identifier, to protect expensive AI and third-party API endpoints from abuse.

C. Aggregated and De-identified Use

We may use aggregated, anonymized, or de-identified data derived from your use of the Services for internal analytics, model evaluation, security research, abuse prevention, capacity planning, and product improvement. This data does not identify you or any individual user.

Where applicable under data protection law, we process personal data on one or more of the following legal bases:

• Performance of a contract: processing is necessary to provide the Services to you, maintain your account, process subscription and Custom Domain payments, deliver generated websites, host published sites, manage Custom Domains, and respond to your support requests.
• Legitimate interests: processing is necessary for our legitimate interests in operating, securing, maintaining, improving, troubleshooting, and administering the Services, preventing fraud and abuse, enforcing our Terms, communicating with users about service-related matters, and pursuing analytics and product-improvement research that does not identify individuals. Where we rely on legitimate interests, we balance them against your rights and freedoms.
• Compliance with legal obligations: processing is necessary to comply with applicable laws, tax obligations, anti-money-laundering rules, lawful requests from authorities, and other legal duties to which ALM NOVA INC is subject.
• Consent: where required by applicable law, we rely on your consent, for example before adding non-essential cookies in the future or sending marketing communications. You may withdraw your consent at any time by contacting us at contact@maponim.com or by using the relevant in-product control once it is offered.

We retain personal data only for as long as is necessary to fulfill the purposes for which it was collected, to provide the Services, to comply with our legal, tax, accounting, and audit obligations, to resolve disputes, and to enforce our Terms.

• Account data is retained for as long as your account remains active. When you close your account or we terminate it under the Terms, your sites and User Content are retained for thirty (30) days after termination (see Section 5 of the Terms) so you have a window to request an export, after which they may be permanently deleted, except for backup or audit copies retained in the ordinary course of business or as required by law.
• Subscription and billing records are retained for as long as required by Stripe's records-management practices and by applicable tax and accounting laws (typically up to seven years in the United States).
• Custom Domain WHOIS contact information is retained for as long as the domain is registered through our registrar partner, plus any additional period required by ICANN or applicable registry policy.
• Server logs, security event logs, and rate-limit counters are typically retained for between thirty (30) and ninety (90) days, after which they are deleted or anonymized, except where a longer period is necessary to investigate a specific incident.
• Aggregated, anonymized, or de-identified data may be retained indefinitely, as it no longer identifies any individual.

Where you exercise a right of erasure (see Section XI), we will delete or anonymize personal data within a reasonable time, subject to the exceptions described above.

We take reasonable technical and organizational measures designed to protect personal data against accidental loss, unauthorized access, alteration, disclosure, and destruction. These measures include:

• Encryption of data in transit using TLS (HTTPS) across the Services, including the public site renderer, the dashboard, all API endpoints, and webhook traffic.
• Encryption of data at rest as provided by our sub-processors (Supabase for database and storage, Stripe for payment data, Vercel for hosted assets).
• Google OAuth for authentication, so we never handle or store user passwords ourselves.
• Use of Stripe-hosted checkout for all card data, so card numbers and CVCs are never transmitted to or stored on Maponim infrastructure.
• Role-based access controls on our internal infrastructure, with privileged operations performed through Supabase service-role keys held only in secured environment variables.
• Webhook signature verification on Stripe events to prevent forged billing or subscription updates.
• Rate limiting via Upstash to mitigate brute-force and abuse scenarios on expensive endpoints.

No security measures are ever perfect. While we strive to use commercially reasonable safeguards, we cannot guarantee absolute security, and you use the Services at your own risk. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authorities as required by applicable law.

Depending on where you live and which laws apply to you, you may have the following rights in respect of your personal data:

• Right of access: to obtain confirmation as to whether we process personal data about you and, where we do, to receive a copy of that data.
• Right to rectification: to have inaccurate or incomplete personal data corrected.
• Right to erasure ("right to be forgotten"): to have your personal data deleted in certain circumstances, including where it is no longer necessary for the purposes for which it was collected, or where you withdraw your consent and there is no other legal basis for processing.
• Right to restriction of processing: to have processing restricted in certain circumstances, for example while we verify a request you have made.
• Right to object: to object to processing based on our legitimate interests on grounds relating to your particular situation, and to object at any time to processing for direct marketing purposes.
• Right to data portability: to receive personal data you have provided to us in a structured, commonly used, machine-readable format, and to have it transmitted to another controller where technically feasible.
• Right to withdraw consent: where we rely on consent, to withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
• Right to lodge a complaint: with a supervisory authority in your country of residence, place of work, or place of the alleged infringement, if you believe our processing of your personal data infringes applicable data protection law.

If you are a resident of California, you may also have the following rights under the CCPA and its amendments (CPRA): the right to know what personal information we collect, use, disclose, and share; the right to delete personal information we collect from you; the right to correct inaccurate personal information; the right to opt out of the sale or sharing of personal information (note: we do not sell personal information); and the right not to be discriminated against for exercising your privacy rights.

To exercise any of these rights, please contact us at contact@maponim.com. We may request information necessary to verify your identity before processing your request. We will respond within the period required by applicable law. There is no fee for exercising your rights, unless your request is manifestly unfounded or excessive.

You can delete most of your data from within the Services. You can delete individual sites (and all attached reviews, generated content, and photos) from the dashboard using the kebab menu on each site card. You can cancel your subscription through the "Manage subscription" portal, which will revert your account to the Free plan at the end of the current billing period.

To request deletion of your entire account, including your profile, all sites, all stored content, your Stripe customer record (subject to retention rules described in Section IX), and any associated data, please contact us at contact@maponim.com from the email address associated with your account.

Personal data deletion may result in cancellation of active subscriptions, loss of access to any sites you have published, loss of access to any Custom Domain managed through Maponim (although you remain the legal owner of the domain), and loss of any editable content. Some data may be retained as required by applicable law, for the resolution of disputes, the enforcement of our Terms, or in backup or audit copies maintained in the ordinary course of business.

Maponim uses a small number of cookies and similar technologies, limited to what is strictly necessary to operate the Services securely. As of the effective date of this Policy, we use only the following essential cookies:

• Authentication session cookies set by our authentication provider (Supabase). These cookies are required to keep you signed in across pages and to authorize API requests. Without them, the Services cannot function.
• Stripe cookies set on Stripe-hosted checkout pages during a subscription or Custom Domain purchase. These cookies are required for fraud prevention and to complete the payment flow.

We do not currently use any analytics, advertising, tracking, or other non-essential cookies. If we add such cookies in the future, we will request your consent through a clearly visible cookie banner before they are set on your device, in accordance with applicable law.

Most browsers allow you to refuse or delete cookies through their settings. If you do so, some features of the Services (such as remaining signed in) will not function correctly.

ALM NOVA INC has not appointed a formal Data Protection Officer, as we are not required to do so under applicable law given the nature and scale of our processing. If you have any questions, concerns, or complaints regarding this Policy, your personal data, our processing activities, or how to exercise your rights, please contact us at contact@maponim.com. We will respond within a reasonable time.

We may update this Policy from time to time to reflect changes in our practices, our sub-processors, the features of the Services, or applicable law. The latest version is always available at maponim.com/privacy, and the effective date at the top of this page will be updated each time we make a change.

If we make material changes that affect your rights or the way we process your personal data, we will notify you in advance by email to the address associated with your account, by an in-product notification, or by a prominent notice on the Services. Your continued use of Maponim after the effective date of an updated Policy constitutes your acceptance of the changes, unless applicable law requires us to obtain your fresh consent.

If you have any questions, comments, complaints, or requests regarding this Privacy Policy, your personal data, or our processing activities, please contact us at:

• Company: ALM NOVA INC
• Product: Maponim
• Email: contact@maponim.com
• Registered Address: 79 SW 12th St PH0308, Miami, FL 33130, United States

For privacy-specific requests (access, deletion, rectification, objection, complaint), please include the word "PRIVACY" in your subject line so we can route your request promptly.