Privacy Policy
Last updated: June 7, 2026
1. Who We Are
MapLeads (themapleads.com) is a data discovery platform that helps businesses find publicly available business information.
This Privacy Policy explains:
- What personal data we collect from YOU (our users)
- How we use and protect that data
- Your rights regarding your data
2. Data We Collect
2.1 Account Data (when you register)
- Full name
- Email address
- Password (encrypted with bcrypt, never stored in plain text)
- Account creation date and IP address
2.2 Subscription Data
- Plan type (Free/Pro/Agency)
- Subscription status
- Payment reference numbers (NOT full card details - handled by our payment processor)
2.3 Usage Data
- Search queries you enter (business type + location)
- Contacts you save to your account
- Email templates you create
- Campaign names and statistics (emails sent/opened counts only)
- Feature usage patterns
- Login history and IP addresses
2.4 Technical Data
- Browser type and version
- Device type and operating system
- Referral source (how you found us)
- Session duration and page views
2.5 What We Do NOT Collect
- Full payment card details
- Government ID or identity documents
- Biometric data of any kind
- Location tracking data
- Contents of emails you send
3. How We Use Your Data
We use your data ONLY to:
- Provide and maintain the MapLeads service
- Process your subscription payments
- Send essential account notifications (password reset, plan changes, invoices)
- Respond to your support requests
- Detect and prevent platform abuse
- Improve our search accuracy and features
- Send product updates (you can opt out)
We NEVER:
- Sell your personal data to any third party
- Share your search history or saved contacts
- Use your data for advertising targeting
- Share your email with marketing companies
- Build profiles to sell to data brokers
4. Legal Basis for Processing
For users in the European Union (GDPR), our legal bases for processing are:
Contract Performance
Processing necessary to provide the service you signed up for.
Legitimate Interests
Security monitoring, fraud prevention, and service improvement.
Consent
Marketing emails (you can withdraw consent at any time).
5. Third-Party Services
Google Places API
Purpose: Retrieve business search results
Data shared: Search queries and locations (NOT your personal details)
Privacy: policies.google.com/privacy
Payment Processor
Purpose: Payment processing (merchant of record)
Data shared: Email, billing details - we receive only transaction references
Privacy: Provided at checkout
Supabase
Purpose: Database and authentication (SOC 2 Type II certified)
Data shared: All account and usage data
Privacy: supabase.com/privacy
Anthropic Claude API
Purpose: AI email generation (optional feature)
Data shared: Business contact data you choose to generate emails for
Privacy: anthropic.com/privacy
Vercel
Purpose: Website hosting and CDN
Data shared: Server access logs, IP addresses
Privacy: vercel.com/legal/privacy-policy
6. Data Retention
- Active accounts: data retained for duration of account
- Deleted accounts: personal data permanently deleted within 30 days. Anonymized usage statistics may be retained.
- Payment records: retained 7 years for tax/legal compliance
7. Data Security
We protect your data using:
- AES-256 encryption at rest
- TLS 1.3 encryption in transit
- HTTPS enforced on all connections
- SMTP passwords encrypted before storage
- Row-level security on all database tables
- Regular security audits
- Principle of least privilege access
If we experience a data breach affecting your personal data, we will notify you within 72 hours as required by applicable law.
8. Your Rights
All users
- Access - Request a copy of your data
- Correction - Fix inaccurate information
- Deletion - Delete your account and data
- Export - Download your saved contacts as CSV
- Opt-out - Unsubscribe from marketing emails
EU/UK users (GDPR/UK GDPR)
- Erasure - Right to be forgotten
- Restriction - Limit how we use your data
- Portability - Receive data in machine-readable format
- Object - Object to processing
- Automated decisions - Not subject to solely automated decision-making
9. Cookies
Essential (cannot be disabled)
- auth-session - Keeps you logged in
- csrf-token - Security protection
Preference
- dismissed_banners - UI state
We do NOT use advertising cookies or tracking pixels (except those you explicitly add via our Analytics settings in your account).
10. International Transfers
Your data may be processed in:
- United States (Supabase, Vercel, Anthropic)
- European Union (various)
We ensure appropriate safeguards are in place for all international transfers, including Standard Contractual Clauses where required by GDPR.
11. Children's Privacy
MapLeads is not directed at children under 16 years of age. We do not knowingly collect data from minors. Contact us immediately if you believe a minor has registered.
12. Changes
We will notify you of significant changes via email with 14 days' advance notice. Minor changes may be made without notice. Always check the "Last updated" date.
13. Chrome Extension & LinkedIn Data
MapLeads offers an optional Chrome extension ("MapLeads LinkedIn Email Finder") that operates on LinkedIn pages. This section explains what data the extension accesses and how it is used.
What the extension reads
When you use the extension on LinkedIn, it reads publicly visible information from LinkedIn profile pages and search results, including: full name, job title, company name, location, LinkedIn profile URL, and profile photo URL. The extension only reads data that is already visible to you on screen.
What is sent to MapLeads servers
To find an email address, the extension sends the following to our servers: name, company name, and LinkedIn profile URL. This data is used solely to perform the email lookup and is not stored permanently on our servers beyond the duration of the lookup request.
Email addresses found
Email addresses discovered through the extension are stored in your MapLeads account and associated with the corresponding lead record. You control this data and can delete it at any time from your dashboard.
Local storage
The extension uses chrome.storage.local to temporarily store your selected profiles during an active LinkedIn session. This data is stored locally on your device and is cleared when you save your selection or manually clear it. Your MapLeads API key is also stored locally to authenticate requests.
LinkedIn compliance
The extension reads only publicly visible data that is rendered in your browser. It does not bypass any LinkedIn authentication or access data you would not otherwise see. The extension never performs automated actions on your behalf - it does not send connection requests, follow profiles, send messages, or interact with LinkedIn in any way other than reading visible page content.
Data retention
Profile data temporarily processed during email lookups is not retained on our servers. Email addresses found and saved to your account are retained until you delete them.
14. Contact
Privacy questions: privacy@themapleads.com
Response time: within 30 business days. For EU users: we aim to respond within the GDPR-required 30-day period.