Privacy Policy
LetsMap ("LetsMap", "we", "us", "our") operates the LetsMap application and website (the "Service"). This policy explains what we collect, why, how we safeguard it, and the rights you have over it. We intentionally collect as little as possible to run the product and describe below exactly what is stored.
1. Who we are (data controller)
The data controller for information collected through the Service is LetsMap. You can reach us at support@letsmap.me. For privacy-specific requests (access, correction, deletion, opt-out, complaints), email support@letsmap.me.
2. Information we collect and store
This section describes the fields we actually keep in our user record. If we add or remove fields, we will update this section.
Provided by you at sign-up or in settings
- Account identifiers: display name, email address, a bcrypt-hashed password (we never store your plaintext password), account creation timestamp, and a per-account random identifier.
- Plan & billing reference: your current plan (Free / Plus / Pro / Beta), plan source, and a Stripe customer ID if you subscribed. Stripe holds your card data; we do not.
- Preferences: theme (light / dark), accent color, your local timezone (used to deliver scheduled emails at your local clock time and to format dates throughout the dashboard in your local time; auto-detected from your browser via the standard Intl.DateTimeFormat API and overridable in Settings; we do not use it to fingerprint or geolocate you beyond these display / scheduling purposes), email preferences (outcome reminders, re-engagement nudges, weekly digest, and a master unsubscribe flag — with a timestamp recording the moment you click “unsubscribe from all”).
- Invite & referral metadata: if you signed up through an invite code, we record which code you used so the code owner can see redemption counts; we do not expose your identity to them.
Generated by you while using the product
- Expectation records: the text of what you expect to happen, your confidence rating (1–5 scale), category (auto-detected from your text; you can override at any time), an optional target review date or scheduled reminder, and the outcome you record (1–5 rating plus an optional written note). Edits overwrite the record in place; we do not retain a per-edit version history.
- Calibration metrics: derived statistics (calibration rate, streaks, accuracy by category). These are computed live from your expectations on each page view; we do not pre-store the aggregates separately on your account record.
- Reminder metadata: when a reminder or nudge email is sent to you (timestamp and a sent flag), the signed short-lived token associated with the one-click “resolve” link in that email so you can record an outcome without logging in, the resolution timestamp once you record an outcome, and any snooze / cancel / reschedule actions you take on the reminder.
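The one-click “resolve” link above depends on a signed, short-lived token that stands in for a login. The following is an added illustration of how such a token is typically built and checked; it is not LetsMap's code, and the secret, claim names, TTL and in-memory outcome store are assumptions for the example. It shows the three checks a practitioner expects on this kind of link: a constant-time signature comparison, an expiry check, and single-use enforcement so a forwarded or replayed email cannot overwrite an outcome.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed server-side secret. The page does not document how LetsMap manages
# its signing key; a real deployment loads this from a secrets store.
SERVER_SECRET = b"example-signing-secret-replace-me"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_resolve_token(user_id: int, expectation_id: int, ttl_seconds: int,
                       now: Optional[float] = None) -> str:
    """Build payload.signature for a one-click resolve link (claim names assumed)."""
    issued = int(time.time() if now is None else now)
    claims = {"uid": user_id, "eid": expectation_id, "exp": issued + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_resolve_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    # Constant-time comparison: never compare MACs with ==.
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    current = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= current:
        return None
    return claims


def resolve_via_link(token: str, rating: int, outcomes: dict,
                     now: Optional[float] = None) -> bool:
    """Record a 1-5 outcome from the emailed link. Single-use: a second click is rejected."""
    claims = verify_resolve_token(token, now)
    if claims is None or not 1 <= rating <= 5:
        return False
    key = (claims["uid"], claims["eid"])
    if key in outcomes:  # already resolved; replaying the link changes nothing
        return False
    outcomes[key] = {"rating": rating,
                     "resolved_at": int(time.time() if now is None else now)}
    return True


if __name__ == "__main__":
    store = {}
    tok = mint_resolve_token(user_id=7, expectation_id=42, ttl_seconds=3600, now=1_000)
    print(resolve_via_link(tok, 4, store, now=1_500))  # True
    print(resolve_via_link(tok, 4, store, now=1_600))  # False: already resolved
```

Because the outcome record itself (the “resolution timestamp” the policy mentions) doubles as the replay guard, no separate list of consumed tokens has to be kept, and an expired token fails closed even if the signature is valid.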
Collected automatically for security and abuse prevention
We may record the following information for fraud, abuse, and security purposes. We do not use it for advertising or analytics.
- Server access logs of HTTPS requests (IP address, URL, timestamp, response code, User-Agent string). These are produced by the web server, not stored on your account record, and are retained for up to 30 days unless a security incident requires longer.
- Signup IP & most recent login IP: we record the IP address you used to create your account (set once at signup) and the IP address of your most recent login (updated each time you sign in). Used solely for fraud prevention and duplicate-account detection. Retained until you delete your account.
- Operator-toggled per-user IP audit (off by default): if the operator enables the “Track IPs” admin setting, a separate audit file at storage/ip_tracking.json retains up to ten distinct IP addresses per account for fraud and duplicate-account investigation. While the toggle is off (default), no per-user IP audit is produced.
- Last-active timestamp (for showing “X days since last visit” internally and for dormant-account email gating).
- Unsubscribe audit log: if you opt out of an email channel, we keep a dated record of the unsubscribe so we can prove we honored your request (required by CAN-SPAM, 15 U.S.C. § 7704(a)(4), and good practice under GDPR's accountability principle).
- Account-deletion audit log: when an account is deleted (self-initiated via Settings or admin-initiated for abuse/fraud), we record the deletion timestamp, the internal account identifier, the requesting IP address, and the source (self / admin / data-subject request). This is the audit counterpart to the 30-day recovery backup described in § 7 — the audit entry lets us prove a deletion happened even after the recoverable backup is purged. We do not record your name, email, or any decision content in this log.
- Administrative notes: if we have a support or abuse-investigation reason to annotate your account (e.g., a note about a refund), we may add an internal admin note. You can request a copy at any time.
Anonymous aggregate analytics
We keep simple aggregate counters on our own server so we can see things like how many people visited a page or finished the demo — for example, “42 demo completions today.” To avoid double-counting the same person, your user ID (or, if you are signed-out, your session ID) is one-way hashed with a server-side salt before being written; the original value is never stored. No IP addresses, page contents, prediction text, or device fingerprints are recorded for analytics, no cookies record any of this aggregate data (the optional opt-out cookie disclosed below only suppresses analytics), and no third-party analytics service is used.
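The double-counting guard above works only if the “server-side salt” is actually secret: user IDs are typically small sequential integers, so a hash whose salt is known can be reversed by simply enumerating the ID space. The block below is an added example, not LetsMap's analytics code, showing a keyed (HMAC) pseudonym feeding a distinct-visitor counter, alongside the brute-force that recovers an ID from an unkeyed hash. The secret, the event names and the per-day key derivation are this example's assumptions; scoping pseudonyms to a day goes one step beyond what the policy commits to, and is called out in the code.

```python
import hashlib
import hmac
from collections import defaultdict

# Assumed: a secret held only on the server. The page says "server-side salt"
# but does not document its size, storage or rotation.
SERVER_SALT = b"example-server-side-salt-replace-me"


def pseudonym(subject_id: str, day: str, key: bytes = SERVER_SALT) -> str:
    """Keyed one-way hash of a user or session ID, scoped to one day.

    Deriving a per-day key means the same person yields a different
    pseudonym tomorrow, so counters cannot be joined across days into a
    behavioural profile. (Per-day scoping is this example's choice; the
    page only commits to a salted one-way hash.)
    """
    day_key = hmac.new(key, day.encode(), hashlib.sha256).digest()
    return hmac.new(day_key, subject_id.encode(), hashlib.sha256).hexdigest()


class AggregateCounters:
    """Counts distinct subjects per (day, event) without storing raw IDs."""

    def __init__(self):
        self._seen = defaultdict(set)  # (day, event) -> set of pseudonyms

    def record(self, day: str, event: str, subject_id: str) -> bool:
        p = pseudonym(subject_id, day)
        bucket = self._seen[(day, event)]
        if p in bucket:
            return False  # same person, same day: not double-counted
        bucket.add(p)
        return True

    def count(self, day: str, event: str) -> int:
        return len(self._seen[(day, event)])

    def close_day(self, day: str) -> dict:
        """Roll the day's dedup sets down to bare integers and drop the pseudonyms."""
        totals = {event: len(s) for (d, event), s in self._seen.items() if d == day}
        for k in [k for k in self._seen if k[0] == day]:
            del self._seen[k]
        return totals


# --- Why the salt must be secret -------------------------------------------
def unkeyed_pseudonym(subject_id: str, public_salt: bytes) -> str:
    """A salted hash where the salt is known to the attacker (e.g. leaked config)."""
    return hashlib.sha256(public_salt + subject_id.encode()).hexdigest()


def reverse_unkeyed(target: str, public_salt: bytes, max_id: int = 100_000):
    """Sequential user IDs form a tiny space: enumerate it and recover the ID."""
    for candidate in range(1, max_id + 1):
        if unkeyed_pseudonym(str(candidate), public_salt) == target:
            return str(candidate)
    return None


if __name__ == "__main__":
    c = AggregateCounters()
    for uid in ["42", "42", "77"]:
        c.record("2024-06-01", "demo_complete", uid)
    print(c.count("2024-06-01", "demo_complete"))  # 2
    leaked = unkeyed_pseudonym("1234", b"salt-in-the-repo")
    print(reverse_unkeyed(leaked, b"salt-in-the-repo"))  # 1234
```

Two practical consequences follow: the salt has to be handled like a key (not committed to the repository or written into the audit file), and the dedup sets are themselves pseudonymous personal data until they are collapsed to a number, which is what close_day does at the end of each day.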
Cookies
- A session cookie to keep you logged in (essential).
- A preference cookie to remember your theme / accent choice (essential).
- A CSRF token cookie to protect form submissions (essential).
- An optional opt-out cookie (lm_no_track) — set only when you explicitly opt out using the button below (or by visiting /?test=lm-opt-out). While the cookie is present, no analytics events fire for your browser. It lasts one year. Clear it by clicking “Opt back in”, visiting /?test=off, or deleting cookies in your browser settings. This cookie is never set unless you explicitly opt out.
That is the complete list. We use no advertising cookies, no third-party analytics cookies, and no fingerprinting in lieu of cookies.
Opt out of analytics
Status: Anonymous aggregate analytics are enabled for your browser, as described above. Clicking below sets the lm_no_track cookie and disables all analytics for this browser.
3. Why we use this information (legal bases under GDPR)
| Purpose | Legal basis |
|---|---|
| Provide calibration tracking; store and display your expectations and outcomes | Performance of a contract (Art. 6(1)(b)) |
| Send transactional service emails (outcome reminders you scheduled, password resets, receipts) | Performance of a contract (Art. 6(1)(b)) |
| Send re-engagement nudges and the weekly digest | Your consent — on by default with one-click opt-out in every message (Art. 6(1)(a) / CAN-SPAM). You can also disable each channel individually at Settings → Email notifications. |
| Maintain server access logs (IP, URL, timestamp, response code, User-Agent), capture the signup IP and most-recent login IP on your account record, and — if enabled by the operator — a per-account IP audit, to prevent abuse, duplicate accounts, credential stuffing, and to defend legal claims | Legitimate interest (Art. 6(1)(f)) |
| Retain unsubscribe records and billing records as long as applicable law requires | Legal obligation (Art. 6(1)(c)) |
4. We do not sell or share your data for advertising
We do not sell personal information. We do not “share” personal information for cross-context behavioral advertising (as defined by California law). We do not run ad networks on LetsMap. The only parties who see your data are the service providers listed below, acting on our instructions under contract.
5. Service providers (processors)
| Provider | Role | Data they see |
|---|---|---|
| Our hosting provider | Application & file storage | Everything we store |
| Stripe, Inc. | Payment processing (paid plans only) | Name, email, payment method (held by Stripe, not us) |
| Our SMTP / email provider | Deliver transactional and notification emails (the opt-out ones described in § 3) | Email address, email subject & body |
Each processor is bound by a data-processing contract requiring them to process data only on our instructions and to maintain appropriate security.
6. International transfers
Our servers are located in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US. Where required by law (e.g. for EU / EEA / UK residents), we rely on appropriate safeguards such as Standard Contractual Clauses with our service providers.
7. Data retention
- Account and expectation data: kept until you delete your account.
- Server access logs: IP, URL, timestamp, response code, and User-Agent — retained for up to 30 days by the web server, then rotated out by cleanup cron. Used solely for security; not used for advertising or analytics.
- Per-account IP audit (only if operator-enabled): when the “Track IPs” admin setting is on, up to ten distinct IP addresses you used to access the Service are retained in a separate audit file while the account is active. Off by default.
- Signup IP / login IP on user record: kept while the account is active. Removed when you delete your account; persists for up to 30 days in the deletion backup, then purged permanently.
- Unsubscribe records: retained indefinitely so we can prove we honored your opt-out.
- Billing records: retained for at least 7 years to comply with US tax law.
- Deleted-account backup: when you delete your account, your user record and expectations are removed from the live system immediately. A dated backup copy is retained for up to 30 days so we can honor chargeback or abuse-investigation obligations and so that an accidental deletion can be reversed on written request. After 30 days the backup is purged permanently.
- Deleted-expectation buffer (24 hours): when you delete an individual expectation (not your whole account), the record disappears from your dashboard, history, insights, and calibration math immediately. We retain the record on the server for up to 24 hours afterwards so the rolling per-day quota counter remains accurate (preventing “hit limit, delete one, add another” abuse). After the 24-hour window passes, the record is permanently hard-purged by our cleanup cron. The retained record is not visible to you or to anyone else during this buffer; it is used solely for quota integrity.
8. Your rights
Regardless of where you live, you may:
- Access and download your data (Settings → Data Export — available in either JSON or CSV format).
- Correct inaccurate data (Settings → Profile).
- Delete your account and all associated data (Settings → Delete Account). See § 7 for the 30-day post-deletion backup window.
- Opt out of any non-essential email in one click via the link in every such message, or at Settings → Email notifications, where you can toggle outcome reminders, nudges, and the weekly digest independently.
- Request a copy of any administrative note we have added to your account.
If you are in the EU / EEA, UK, or Switzerland, GDPR also gives you rights to restrict or object to processing, to data portability, and to lodge a complaint with your supervisory authority.
If you are a California resident, the CCPA / CPRA gives you the right to know what personal information we collect, the right to delete it, the right to correct it, the right to limit our use of sensitive personal information, and the right to opt out of “sale” or “sharing” (we do neither). We do not discriminate against you for exercising these rights.
To exercise any right, email support@letsmap.me. We verify requests using the email on file for your account. We respond within 30 days (GDPR) or 45 days (CCPA), whichever regime applies to you.
9. Children's privacy
LetsMap is not directed at children under 13, and we do not knowingly collect personal information from children under 13. Users between 13 and 16 in the EU / EEA should have parental permission. If you believe a child has provided us information, email support@letsmap.me and we will delete it.
10. Security
Passwords are salted and hashed using bcrypt. Session cookies are HTTP-only. Data is transmitted over HTTPS. Administrative access is limited to the operator. No system is perfectly secure; if we become aware of a breach affecting your data, we will notify you without undue delay as required by applicable law.
11. Do Not Track
Because we do not track you across the web, we do not change our behavior in response to Do-Not-Track signals: there is nothing for the signal to switch off, as we do not track you either way.
12. Changes
We may update this policy as the Service evolves. During our open beta, the policy may be refined to reflect product changes; these refinements are noted by updating the "Last updated" date above, which we encourage you to check periodically. Once we exit beta (public launch), we will notify all existing users by email of the launch-effective policy, and any subsequent material changes will be highlighted on this page and, where legally required, emailed to you. Continued use after the effective date constitutes acceptance.
13. Contact
Email: support@letsmap.me