Privacy Policy
LetsMap ("LetsMap", "we", "us", "our") operates the LetsMap application and website (the "Service"). This policy explains what we collect, why, how we safeguard it, and the rights you have over it. We intentionally collect as little as possible to run the product and describe below exactly what is stored.
1. Who we are (data controller)
The data controller for information collected through the Service is LetsMap. You can reach us at support@letsmap.me. For privacy-specific requests (access, correction, deletion, opt-out, complaints), email support@letsmap.me.
2. Information we collect and store
This section describes the fields we actually keep in our user record. If we add or remove fields, we will update this section.
Provided by you at sign-up or in settings
- Account identifiers: display name, email address, a bcrypt-hashed password (we never store your plaintext password), account creation timestamp, and a per-account random identifier.
- Plan & billing reference: your current plan (Free / Plus / Pro / Beta), plan source, and a Stripe customer ID if you subscribed. Stripe holds your card data; we do not.
- Preferences: theme (light / dark), accent color, email preferences (outcome reminders, re-engagement nudges, weekly digest, master unsubscribe flag, and a dated record of when each preference was last changed).
- Invite & referral metadata: if you signed up through an invite code, we record which code you used so the code owner can see redemption counts; we do not expose your identity to them.
Generated by you while using the product
- Expectation records: the text of the outcomes you predict, confidence rating (1–5), category, target resolve date, actual outcome (yes / no / partial), and any notes you attach.
- Calibration metrics: derived statistics (calibration score, streaks, accuracy by category). These are computed from your expectations and stored for display speed.
- Reminder metadata: when a reminder or nudge email is sent to you, whether you clicked the one-click “resolve” link in that email (which carries a signed short-lived token so you can record an outcome without logging in), and the resolution timestamp.
Collected automatically for security and abuse prevention
We store these fields on your account record to investigate abuse, prevent duplicate-account fraud, and honor unsubscribe requests. We do not use them for advertising or analytics.
- IP address at signup and most recent IP address when you log in.
- A rolling history of the last five distinct IP addresses you have used with the account, each with a timestamp.
- The User-Agent string (browser / device identifier your browser sends us) at signup and on most recent use, truncated to 255 characters. This identifies your browser family and OS family; we do not fingerprint beyond this.
- Last-active timestamp (for showing “X days since last visit” internally and for dormant-account email gating).
- Unsubscribe audit log: if you opt out of an email channel, we keep a dated record of the unsubscribe so we can prove we honored your request (required by CAN-SPAM § 7704(a)(4) and by good GDPR accountability practice).
- Server access logs of HTTPS requests (URL, timestamp, response code). These are retained for up to 30 days unless a security incident requires longer.
- Administrative notes: if we have a support or abuse-investigation reason to annotate your account (e.g., a note about a refund), we may add an internal admin note. You can request a copy at any time.
Cookies
- A session cookie to keep you logged in (essential).
- A preference cookie to remember your theme / accent choice (essential).
- A CSRF token cookie to protect form submissions (essential).
That is the complete list. We use no advertising cookies and no third-party analytics cookies.
3. Why we use this information (legal bases under GDPR)
| Purpose | Legal basis |
|---|---|
| Provide calibration tracking; store and display your expectations and outcomes | Performance of a contract (Art. 6(1)(b)) |
| Send transactional service emails (outcome reminders you scheduled, password resets, receipts) | Performance of a contract (Art. 6(1)(b)) |
| Send re-engagement nudges and the weekly digest | Your consent — on by default with one-click opt-out in every message (Art. 6(1)(a) / CAN-SPAM). You can also disable each channel individually at Settings → Email notifications. |
| Record IP address, User-Agent, and IP history to prevent abuse, duplicate accounts, credential stuffing, and to defend legal claims | Legitimate interest (Art. 6(1)(f)) |
| Retain unsubscribe records and billing records as long as applicable law requires | Legal obligation (Art. 6(1)(c)) |
4. We do not sell or share your data for advertising
We do not sell personal information. We do not “share” personal information for cross-context behavioral advertising (as defined by California law). We do not run ad networks on LetsMap. The only parties who see your data are the service providers listed below, acting on our instructions under contract.
5. Service providers (processors)
| Provider | Role | Data they see |
|---|---|---|
| Our hosting provider | Application & file storage | Everything we store |
| Stripe, Inc. | Payment processing (paid plans only) | Name, email, payment method (held by Stripe, not us) |
| Our SMTP / email provider | Deliver transactional and opt-in emails | Email address, email subject & body |
Each processor is bound by a data-processing contract requiring them to process data only on our instructions and to maintain appropriate security.
6. International transfers
Our servers are located in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US. Where required by law (e.g. for EU / EEA / UK residents), we rely on appropriate safeguards such as Standard Contractual Clauses with our service providers.
7. Data retention
- Account and expectation data: kept until you delete your account.
- IP / User-Agent / IP history: kept while the account is active; the rolling history keeps the five most recent addresses and replaces older entries automatically.
- Server access logs: up to 30 days, then rotated out.
- Unsubscribe records: retained indefinitely so we can prove we honored your opt-out.
- Billing records: retained for at least 7 years to comply with US tax law.
- Deleted-account backup: when you delete your account, your user record and expectations are removed from the live system immediately. A dated backup copy is retained for up to 30 days so we can honor chargeback or abuse-investigation obligations and so that an accidental deletion can be reversed on written request. After 30 days the backup is purged permanently.
8. Your rights
Regardless of where you live, you may:
- Access and download your data (Settings → Data Export — available in either JSON or CSV format).
- Correct inaccurate data (Settings → Profile).
- Delete your account and all associated data (Settings → Delete Account). See § 7 for the 30-day post-deletion backup window.
- Opt out of any non-essential email in one click via the link in every such message, or at Settings → Email notifications, where you can toggle outcome reminders, nudges, and the weekly digest independently.
- Request a copy of any administrative note we have added to your account.
If you are in the EU / EEA, UK, or Switzerland, GDPR also gives you rights to restrict or object to processing, to data portability, and to lodge a complaint with your supervisory authority.
If you are a California resident, the CCPA / CPRA gives you the right to know what personal information we collect, the right to delete it, the right to correct it, the right to limit our use of sensitive personal information, and the right to opt out of “sale” or “sharing” (we do neither). We do not discriminate against you for exercising these rights.
To exercise any right, email support@letsmap.me. We verify requests using the email on file for your account. We respond within 30 days (GDPR) or 45 days (CCPA), whichever is shorter.
9. Children's privacy
LetsMap is not directed at children under 13, and we do not knowingly collect personal information from children under 13. Users between 13 and 16 in the EU / EEA should have parental permission. If you believe a child has provided us information, email support@letsmap.me and we will delete it.
10. Security
Passwords are salted and hashed using bcrypt. Session cookies are HTTP-only. Data is transmitted over HTTPS. Administrative access is limited to the operator. No system is perfectly secure; if we become aware of a breach affecting your data, we will notify you without undue delay as required by applicable law.
11. Do Not Track
Because we do not track you across the web, we treat Do-Not-Track signals as unnecessary. We do not track you whether or not your browser sends the signal.
12. Changes
We may update this policy. Material changes will be highlighted on this page and, where legally required, emailed to you. Continued use after the effective date constitutes acceptance.
13. Contact
Email: support@letsmap.me
Privacy / data requests: support@letsmap.me
Support: hello@letsmap.me