Mapyx — Legal & Compliance Documents

Operator (Individual Developer): [FULL_NAME]
Country of Residence: [COUNTRY]
Contact Email: [EMAIL]
Effective Date: [EFFECTIVE_DATE]
Last Updated: [LAST_UPDATED]
Document Version: [VERSION]

Important. Mapyx is operated by an individual developer ([FULL_NAME]), not a company. References below to "we", "us", or "the developer" refer to that individual. This document covers all legal disclosures required by Apple App Store, Google Play, the EU General Data Protection Regulation (GDPR), the UK GDPR, and the Brazilian LGPD.

1. Privacy Policy

1.1 Who is the data controller

The data controller responsible for the processing of personal data within Mapyx is [FULL_NAME], an individual developer based in [COUNTRY]. Contact: [EMAIL].

Because Mapyx is operated by a single individual and is not a company, no Data Protection Officer (DPO) is formally appointed. Where a DPO is required by law (for example, under LGPD Art. 41), the contact above acts as the privacy point of contact (Encarregado de Proteção de Dados).

1.2 Scope

This Privacy Policy applies to the Mapyx mobile application distributed on the Apple App Store and Google Play, and to the marketing website at https://mapyx.app. It does not apply to third-party services that the user may access through the app (see Third Parties).

1.3 Categories of data processed

| Category | Data | Source | Retention |
|---|---|---|---|
| Approximate location | Coarse device location used once at startup to suggest a country | Operating system (with user permission via expo-location) | Not stored; held in memory for the duration of the session |
| App usage state | List of country IDs the user has explored or saved | User actions inside the app | Stored locally on the device (AsyncStorage) until the user clears data or uninstalls |
| Preferences | Per-country timezone preference | User selection | Stored locally on the device (SecureStore) until the user clears data or uninstalls |
| Search queries | Free-text place searches typed by the user | User input | Sent to the OpenStreetMap Nominatim service; not stored by Mapyx |
| Network metadata | IP address and standard request headers when fetching map tiles or images | HTTPS requests sent from the device | Held by the relevant third-party service per its own policy; not stored by Mapyx |
| Diagnostic data (optional) | Crash reports and basic performance metrics, only if enabled | Device, with user consent | Per the diagnostic provider's retention policy |

Mapyx does not require an account, does not collect names, email addresses, phone numbers, payment data, contacts, photos, microphone, health, or biometric data, and does not sell personal data.

1.4 Purposes and legal bases

| Purpose | GDPR/UK GDPR Legal Basis | LGPD Legal Basis |
|---|---|---|
| Provide the core functionality of the app (display country information, maps, images) | Art. 6(1)(b) — performance of a contract with the user | Art. 7, V — execution of a contract |
| Detect approximate location to suggest a country | Art. 6(1)(a) — consent (OS permission prompt) | Art. 7, I — consent |
| Store explored/saved countries and timezone preferences locally | Art. 6(1)(b) — necessary for the requested feature | Art. 7, V — execution of contract |
| Diagnose crashes and improve stability (if enabled) | Art. 6(1)(a) — consent | Art. 7, I — consent |
| Comply with legal obligations and respond to user rights requests | Art. 6(1)(c) — legal obligation | Art. 7, II — legal obligation |

1.5 Third-party services and data sharing

Mapyx sends limited data to the following processors strictly to render the app:

  • OpenStreetMap Foundation (Nominatim) — receives the user's free-text search query and the device IP address to return geographic results. Privacy policy: osmfoundation.org/wiki/Privacy_Policy.
  • CARTO (CartoDB basemaps) — receives standard tile requests including the device IP. Privacy policy: carto.com/privacy.
  • Unsplash (via the developer's backend at [BACKEND_URL]) — country names are sent to a server-side proxy (GET /api/images) which queries Unsplash and returns image URLs. The Unsplash API key is held server-side. Unsplash privacy policy: unsplash.com/privacy.
  • GitHub (raw GeoJSON) — public country boundary files are fetched over HTTPS; standard request metadata applies. Privacy policy: docs.github.com.
  • Apple and Google — distribute the app and may collect their own diagnostic data per their store policies.

Mapyx does not share personal data with advertising networks, data brokers, or for any cross-context behavioural advertising purpose.

1.6 International transfers

Some of the third parties above are located outside the European Economic Area, the United Kingdom, or Brazil. Where data is transferred internationally, the developer relies on (i) Standard Contractual Clauses published by the relevant providers, (ii) adequacy decisions where applicable, or (iii) the user's explicit consent for a specific feature, in compliance with GDPR Chapter V and LGPD Art. 33.

1.7 Retention

Data stored on the device (explored countries, saved countries, timezone preferences) remains until the user uses the in-app "Delete All Data" function or uninstalls the app. Data sent to third-party processors is retained per their own policies. The developer keeps no server-side database of user activity.

1.8 User rights

Subject to applicable law, the user may exercise the following rights free of charge:

  • Right of access — request a copy of personal data processed.
  • Right of rectification — correct inaccurate data.
  • Right of erasure ("right to be forgotten") — delete personal data, including via the in-app "Delete All Data" button.
  • Right of portability — receive a copy of data in a structured, commonly used, machine-readable format (JSON), available via the in-app "Export My Data" function.
  • Right to restriction and right to object to processing.
  • Right to withdraw consent at any time, without affecting the lawfulness of prior processing.
  • Right to lodge a complaint with a supervisory authority — in the EU, the local Data Protection Authority; in the UK, the Information Commissioner's Office (ico.org.uk); in Brazil, the ANPD (gov.br/anpd).

To exercise any of these rights, contact [EMAIL]. Responses are provided within 30 days (GDPR) or 15 days (LGPD).

1.9 Children

Mapyx is rated suitable for ages 4+ and does not knowingly collect personal data from children under 13 (or under 16 in jurisdictions that apply that threshold). The app does not include account creation, social features, or behavioural advertising. If the developer becomes aware that data from a child has been collected without verifiable parental consent, that data will be deleted promptly.

1.10 Security

All network communication uses HTTPS/TLS. Sensitive preferences are stored using expo-secure-store, which uses the iOS Keychain and the Android Keystore. The Unsplash API key is not embedded in the client; it is held server-side at [BACKEND_URL]. The developer takes reasonable technical and organizational measures to protect data, but no system is perfectly secure.

1.11 EU and UK representatives

Where required under GDPR Art. 27 and the UK GDPR, the developer has appointed:

  • EU representative: [EU_REPRESENTATIVE_NAME_AND_CONTACT]
  • UK representative: [UK_REPRESENTATIVE_NAME_AND_CONTACT]

If no representative is currently appointed, this section will be updated before the app is offered to users in the relevant jurisdiction.

1.12 Updates to this policy

Material changes will be announced through the app, the website, or the relevant store listing at least 14 days before they take effect. The "Last Updated" date at the top of this document always reflects the current version.

2. Terms of Service

2.1 Acceptance

By downloading, installing, or using Mapyx, the user agrees to these Terms of Service and to the Privacy Policy above. If the user does not agree, the app must not be used.

2.2 The service

Mapyx is a free-to-use country exploration app providing maps, statistics, and informational content about countries. The service is provided "as is" and "as available", without warranties of any kind, except where such warranties cannot be excluded by mandatory consumer protection law.

2.3 License

The developer grants the user a personal, non-exclusive, non-transferable, revocable license to install and use Mapyx on devices owned or controlled by the user, solely for personal, non-commercial purposes and in accordance with the Apple Media Services Terms and the Google Play Terms of Service.

2.4 Acceptable use

The user agrees not to:

  • Reverse engineer, decompile, or attempt to extract the source code, except as permitted by law.
  • Use the app to violate any applicable law or third-party right.
  • Bypass rate limits, abuse the developer's backend ([BACKEND_URL]), or interfere with the service's normal operation.
  • Distribute malware or use the app as a vector for any malicious activity.

2.5 Intellectual property

The app, its source code, design, and original content are the intellectual property of [FULL_NAME]. Country statistics are derived from public sources. Map tiles are provided by CARTO and OpenStreetMap contributors under their respective licenses. Country images are provided by Unsplash photographers under the Unsplash License.

2.6 Third-party content

Some content is supplied by third parties (OpenStreetMap, CARTO, Unsplash). The developer is not responsible for the accuracy, legality, or availability of third-party content.

2.7 In-app purchases and payments

Mapyx is currently free of charge and contains no in-app purchases, subscriptions, or advertising. If paid features are introduced in the future, billing will be handled exclusively by Apple or Google through their standard in-app purchase systems, and updated terms (including refund policies) will be presented before purchase, in accordance with Apple Guideline 3.1 and Google Play Payments policy.

2.8 Disclaimer

Country information presented in the app is for informational purposes only and may contain inaccuracies. It must not be relied upon for legal, financial, immigration, travel, or safety decisions. The developer disclaims liability for decisions made based on the content of the app, to the maximum extent permitted by law.

2.9 Limitation of liability

To the maximum extent permitted by applicable law, the developer's total liability arising out of or related to the app shall not exceed the amount the user has paid for the app in the twelve (12) months preceding the event giving rise to liability, or fifty euros (€50), whichever is greater. Nothing in these Terms limits liability for fraud, gross negligence, death or personal injury caused by negligence, or any liability that cannot be excluded under applicable consumer law.

2.10 Termination

The user may stop using the app at any time and uninstall it. The developer may suspend or terminate access if these Terms are violated, or to comply with law.

2.11 Governing law and jurisdiction

These Terms are governed by the laws of [COUNTRY], without regard to its conflict-of-laws rules. Any dispute arising from these Terms shall be brought before the competent courts of [COUNTRY], except where mandatory consumer protection law grants the user the right to bring proceedings in the user's country of residence.

2.12 EU consumer dispute resolution

Consumers resident in the European Union may use the European Commission's Online Dispute Resolution platform: ec.europa.eu/consumers/odr. The developer is not currently obliged to participate in arbitration before a consumer arbitration board.

3. Data Handling & Storage Policy

3.1 Storage architecture

  • AsyncStorage (on-device, plaintext): non-sensitive app state — explored country IDs (@mapyx/explored_ids), recently explored (@mapyx/recently_explored), saved country IDs (@mapyx/saved_ids).
  • SecureStore (on-device, OS-encrypted): per-country timezone preferences, keyed by country ID; consent flags.
  • In-memory only: approximate device location returned by the OS; never persisted.
  • Server-side (developer's backend at [BACKEND_URL]): Unsplash API key only. The backend is a stateless image proxy and does not log personal data beyond what is required for abuse prevention; logs are retained for no more than [BACKEND_LOG_RETENTION_DAYS] days.

3.2 Encryption

Data in transit is protected by HTTPS/TLS 1.2 or higher. Data at rest in SecureStore is protected by the platform-provided Keychain (iOS) or Keystore (Android). AsyncStorage data is protected by the OS's standard sandboxing; it is not additionally encrypted because it does not contain sensitive personal data.

3.3 Deletion

The user may delete all locally stored data at any time from Settings → "Delete All Data". This action clears all keys under @mapyx/* in AsyncStorage and all timezone-related keys in SecureStore. The action is irreversible.

3.4 Export

From Settings → "Export My Data", the user may export all locally stored data as a JSON file via the standard share sheet, satisfying GDPR Art. 20 and LGPD Art. 18, V.

3.5 Backups

Locally stored data may be included in OS-level backups (iCloud Backup, Google Drive backup) at the user's discretion and per the OS settings. The developer has no access to those backups.

4. Tracking & Analytics Disclosure

Mapyx does not use the Apple Identifier for Advertisers (IDFA), the Google Advertising ID (GAID), the Apple App_TransactionID, fingerprinting, SDK-based behavioural analytics, advertising SDKs, or any cross-app/cross-website tracking. As a result, the App Tracking Transparency prompt (Apple) is not presented and Google Play "tracking" disclosures are answered "No".

If diagnostic crash reporting is added in the future (for example, Firebase Crashlytics or Sentry), it will be:

  1. Disclosed in this document before deployment.
  2. Off by default and enabled only with explicit user consent.
  3. Configured to scrub IP addresses and personally identifiable strings.
  4. Reflected in the Apple Privacy Nutrition Label and Google Play Data Safety form.

5. GDPR & UK GDPR Rights

This section is provided to satisfy Articles 13 and 14 of the GDPR and the equivalent UK GDPR provisions.

| Right | How to exercise |
|---|---|
| Access (Art. 15) | Use "Export My Data" in Settings, or email [EMAIL]. |
| Rectification (Art. 16) | Email [EMAIL]. |
| Erasure (Art. 17) | Use "Delete All Data" in Settings, or email [EMAIL]. |
| Restriction (Art. 18) | Email [EMAIL]. |
| Portability (Art. 20) | Use "Export My Data" in Settings. |
| Object (Art. 21) | Email [EMAIL]. |
| Withdraw consent (Art. 7) | Toggle off in Settings; revoke OS permissions for location. |
| Lodge complaint | Contact your national supervisory authority. UK: ico.org.uk. |

No automated decision-making with legal or similarly significant effects is performed. No profiling occurs.

6. Apple App Store Compliance

This section discloses information required by Apple's Privacy and App Review guidelines, including App Privacy Details (Nutrition Label), Guideline 5.1.1 (Data Collection and Storage), and Guideline 5.1.1(v) (Account Deletion).

6.1 Privacy Nutrition Label (App Privacy Details)

| Data Category | Type | Linked to user? | Used for tracking? | Purpose |
|---|---|---|---|---|
| Location | Coarse Location | No | No | App Functionality (suggest a starting country) |
| Identifiers | None collected | | | |
| Usage Data | Other Usage Data (count of explored countries, locally only) | No | No | App Functionality |
| Diagnostics | Crash Data, Performance Data (only if user opts in) | No | No | App Functionality |
| Contact Info, Health, Financial, Messages, Browsing History, Search History, Photos, Audio, Contacts, User Content, Sensitive Info | None | | | |

The "Data Used to Track You" section is empty. The "Data Linked to You" section is empty. The "Data Not Linked to You" section contains Coarse Location, Other Usage Data, and Diagnostics (if enabled).

6.2 Account deletion (Guideline 5.1.1(v))

Mapyx does not require account creation. The "Delete All Data" feature in Settings removes all locally stored personal data and satisfies Apple's account-deletion requirement for apps that store user-generated state on the device.

6.3 Sign in with Apple

Not applicable: Mapyx does not implement third-party login.

6.4 EU Digital Services Act — Trader status

Under the EU Digital Services Act, the developer is registered as a [TRADER_OR_NON_TRADER]. Verified contact details are filed with App Store Connect and are also reproduced here for transparency:

  • Name: [FULL_NAME]
  • Address: [POSTAL_ADDRESS]
  • Email: [EMAIL]
  • Phone: [PHONE]

6.5 Children's category

The app is not submitted to the Kids category; it does not contain advertising, third-party analytics, or external links targeted at children.

7. Google Play Data Safety

This section mirrors the Data Safety form in Google Play Console.

7.1 Data collection & sharing

| Data type | Collected? | Shared? | Optional? | Purpose |
|---|---|---|---|---|
| Approximate location | Yes (in-memory only, not transmitted to the developer's servers) | No | Yes (OS permission) | App functionality |
| App activity (in-app actions: country selections) | Stored on-device only | No | No | App functionality |
| App preferences (timezone) | Stored on-device only | No | No | App functionality |
| Diagnostics (crash logs) | Only if opted in | Sent to [CRASH_PROVIDER] if enabled | Yes | App functionality / analytics |
| Personal info, financial info, contacts, messages, photos, audio, files, calendar, health, web browsing, device IDs, ad ID | No | No | | |

7.2 Security practices

  • Data encrypted in transit: Yes (HTTPS/TLS).
  • Data deletion mechanism: Yes (in-app "Delete All Data").
  • Independent security review: [SECURITY_REVIEW_STATUS].
  • Family-friendly: app does not target children, but does not include content unsuitable for general audiences.

7.3 Account deletion (Google Play policy)

No account is created. The on-device "Delete All Data" function is disclosed on the store listing as required by the Google Play Account Deletion policy.

8. Contact & Requests

For privacy requests, legal notices, security disclosures, or general support, contact:

  • Operator: [FULL_NAME]
  • Email: [EMAIL]
  • Postal address: [POSTAL_ADDRESS]
  • Country: [COUNTRY]

Brazilian users may also contact the privacy point of contact (Encarregado) at the same email address. EU and UK users may, where appointed, contact the local representative listed in Section 1.11.

9. Changes to These Documents

Whenever the app's data handling, third-party services, or store disclosures change in a material way, this document is updated and the "Last Updated" field at the top is bumped. A summary of changes is kept in compliance_audit_protocol.md in the project repository. Continued use of the app after a material change constitutes acceptance of the updated documents.

© 2026 [FULL_NAME]. All rights reserved. Mapyx is an independent project; it is not affiliated with Apple Inc., Google LLC, OpenStreetMap, CARTO, or Unsplash.

Document version: [VERSION] · Effective: [EFFECTIVE_DATE] · Last updated: [LAST_UPDATED].
