Privacy Policy

1. Introduction

This Privacy Policy explains how we process personal data when you use Mappu, the main purposes of processing, who we may share data with, and the rights you can exercise.

2. Information We Collect

We collect the data needed to provide the service and, in some cases, additional data when you enable optional features:

• Account and profile data: email, display name, and profile preferences you choose to save.
• Purchase and billing data: payment references, purchase status, refunds, reversals, and credit balance; full card details are handled by the payment provider.
• Notification data: push tokens or browser subscriptions, platform, and notification preferences if you enable these features.
• Travel and interaction data: travel preferences, itineraries, prompts, chats, guide history, and generated content associated with your account or session.
• Sensitive data entered voluntarily: Mappu is a general travel-planning service and does not normally require data relating to health, allergies, accessibility, religion, or other special-category data. We ask you not to enter them in free-text fields unless a feature clearly requires them. If they are entered voluntarily, we process them only to the extent needed to technically handle the request, assist you, protect the service, or proceed with deletion. Unless a different legal basis or separate explicit consent applies, we do not use them for dedicated sensitive personalization.
• Location data: precise device location when you enable Walk Mode, nearby search, or other location-based guide features, including, on supported native devices, the continuation of an active guide session in background or pocket mode if you enable it.
• Media and shared content: optionally uploaded images, invites, collaborator roles, invite messages, and recipient details you provide for sharing.
• Support, feedback, and notification data: support requests, reports, feedback, data connected to notifications, and related settings.
• Technical and security data: browser or app type, IP address, session identifiers, short-lived transfer codes, and data needed to prevent abuse or protect the service.
• Clickout and referral data, where applicable: limited records of the opening of some external offers for reconciliation, audit, and fraud prevention.

Depending on the feature used, we may receive data from these sources:

• Directly from you when you create an account, plan trips, upload content, share itineraries, or contact support.
• From other users when they invite you to collaborate or enter your email address to send you an invitation.
• From your device, browser, or app when you use the service, enable notifications, or use location-based features.
• From payment providers, app stores, security providers, and technical providers that confirm purchases, help protect the service, or provide data needed for the requested feature.
• From map, location, and public or partner sources when needed to generate the results you requested.

3. How We Use Your Information

We use the information collected to:

• Create and manage your account and provide the requested service.
• Manage payments, credit packs, refunds, reversals, and related accounting records.
• Generate itineraries, guide responses, and other travel content based on your inputs and preferences.
• Provide location-based features such as Walk Mode, nearby search, and guide content linked to the area you are in.
• Manage sharing, collaboration, support, feedback, and assistance requests.
• Process optionally uploaded images for multimodal follow-up when you choose to use that feature.
• Send notifications and service communications when needed or when you choose to receive them.
• Protect the service, prevent abuse, and improve reliability, quality, and security.
• Run optional diagnostics and measure errors and performance only when the relevant preference is active.
• Comply with legal obligations and defend our rights.
• Measure, reconcile, and verify the opening of some external offers or referrals, where applicable, also for audit and fraud-prevention purposes.

We process data under different legal bases depending on the feature you use:

• Contract or pre-contract steps: to create and manage the account, generate the requested itineraries, complete credit purchases, provide the main features of the service, and send necessary service communications. Providing the data needed for these purposes is necessary; if you do not provide it, some or all main features may not work. Optional data remains optional.
• Consent: for cookies and optional tools, optional diagnostics, optional notifications when you choose to enable them, and, if introduced in the future, specific features requiring separate explicit consent. You can withdraw consent at any time, without affecting processing carried out before withdrawal.
• Legitimate interests: to protect the service, prevent fraud and abuse, enforce usage limits, diagnose reliability issues, and defend our rights.
• Legal obligations: to keep accounting records, respond to lawful requests, and manage privacy requests.

4. How We Protect Your Data

We adopt appropriate technical and organizational measures to protect personal data.

5. Third-Party Services

We use trusted external providers to deliver the service:

• Infrastructure, authentication, hosting, storage, email, and technical-delivery providers such as AWS.
• Payment providers and app stores such as Stripe, Apple, and Google for purchases, refunds, and related checks.
• AI, maps, location, authentication, and other platform-service providers such as Google and, where needed, OpenAI for backup AI functions.
• Security and anti-abuse providers such as Cloudflare Turnstile.
• Optional diagnostics providers such as Sentry when the relevant preference is active.
• Notification and technical-communication providers when you enable those features.
• Travel, clickout, and external services you voluntarily choose to open from Mappu.
• Public and open-data sources useful for geocoding, geospatial context, or destination information.

We share data only to the extent necessary to provide the service, comply with legal obligations, protect the platform, or manage features you request.

When you open, book, or purchase an external offer or destination site (for example a hotel, flight, marketplace, experience, or eSIM provider), the relevant provider becomes independently responsible for its own processing under its own privacy notice and terms.

7. Your Rights and Choices

You have control over your personal information:

• Access: Request a copy of your personal data
• Correction: Update or correct your information
• Deletion: Request deletion of your account and associated data
• Portability: Export your itineraries, travel data, and eligible uploaded files
• Restriction: Ask us to limit certain processing while we assess a request, dispute, or objection
• Objection: Refuse certain data-processing activities
• Withdrawal of Consent: Change your privacy preferences at any time

To exercise any of these rights, contact us at [email protected]

If you live in the EEA, the UK, or another jurisdiction with similar rights, you may also lodge a complaint with your local data protection authority.

Mappu does not rely on solely automated decisions producing legal or similarly significant effects on you without meaningful human or user involvement. AI outputs are supportive travel suggestions, not decisions on eligibility for credit, employment, insurance, housing, healthcare, or similar rights.

8. Children's Privacy

Mappu is not intended for minors who may not use the service under applicable law. In Italy, online consent for information-society services is generally valid from age 14; below that age, authorization from a parent or guardian is required. If you believe a minor has provided us with data in breach of applicable law, please contact us.

9. Data Retention

We keep personal data for as long as needed to provide the service, comply with legal obligations, handle disputes, prevent abuse, and defend our rights. In general, account and itinerary data remain linked to the user relationship until deletion or account closure, unless the law requires longer retention; payment and accounting data are kept for the periods required by applicable law; security and anti-abuse logs are kept for limited and proportionate periods; guest sessions and transfer codes have short durations; saved guide history may be kept for up to one year; consent records may be retained for compliance purposes; and clickout or referral records, where present, may be kept for up to 12 months for audit, reconciliation, and fraud prevention.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your own, including by providers operating globally or from the United States and other jurisdictions. Where required, we rely on an adequacy decision or on appropriate safeguards such as the European Commission's Standard Contractual Clauses, supplemented where necessary. You can contact us at [email protected] for more information about the relevant transfer mechanism or safeguards.

11. Changes to This Policy

We may update this Privacy Policy from time to time. The updated version will be published on this page.

12. Contact Us

If you have questions about this Privacy Policy, our practices, or your rights, please contact us:

Andrea Fenu, impresa individuale, operating as Mappu / mappu.ai, acts as controller for the processing described in this notice. For privacy matters, you can contact us at [email protected].