Privacy Policy
Last updated: April 26, 2026
MapMeal is a personal map for restaurants you discover in social-media videos. This page explains what data we collect, why we collect it, and who we share it with. If anything here is unclear, email us — contact details at the bottom.
What MapMeal does
When you paste a TikTok, Instagram, or YouTube link, we extract the restaurant being featured and save it as a pin on your map. You can add notes, mark places as visited, and organize your collection. The data is yours; we store it so you can access it across devices.
What we collect
Email address — used to sign you in. We receive it from Google (if you sign in with Google) or from you directly (if you use the magic-link option). We don't use your email for marketing or share it with third parties.
Your name and avatar — if you sign in with Google, we receive and display your Google display name and profile picture. These are only shown in your own session (profile screen, avatar icon). If you sign in with email magic-link, we don't collect a name until you choose to add one.
Google account identifier (sub claim) — an opaque identifier Google gives us when you sign in. We use it to map your Google account to a user record. It's never displayed or shared.
Anonymous device cookie — if you save places before signing in, we set a mapmeal_device_id cookie so you can come back to those saves later. It's a SHA-256 hash of a random UUID, set only after you actively use the site. It carries no identifying information and is cleared when you clear cookies.
Saved places — the restaurants you save, your notes, favorite flags, visited dates. Visible only to you.
Payment info — if you subscribe to Pro, billing is handled entirely by Stripe. We receive a customer reference and subscription status; we never see your card details.
What we don't collect
- Location data — the Map tab asks for your location permission to center the map on where you are. Your coordinates are used locally by the map library and never sent to our servers.
- Personal analytics — we don't link analytics data to your account, email, or device identifier. No session replay.
- Cross-site tracking pixels — no Facebook Pixel, no IDFA / GAID collection, no retargeting trackers.
- Content from videos — we read the respective platform's public metadata (Open Graph tags, oEmbed) to pull the caption and restaurant name. We don't download or store the video itself.
Aggregated analytics
We use Vercel Web Analytics and Vercel Speed Insights to understand which pages people visit and how fast those pages load. Both are:
- Cookieless — no cookies or browser storage are set for analytics.
- Aggregated — counts and trends, never tied to your account or device.
- First-party via our hosting provider — data stays within the Vercel infrastructure that already serves the site.
What's collected: pageview counts, referring domain, device class (desktop / mobile), and Core Web Vitals (load timing, interaction responsiveness). What's not: your identity, your saved places, your search terms, the contents of any page, or anything that could be used to identify you individually.
Third-party services
- Supabase — authentication and database. Privacy policy
- Google Places — restaurant details, hours, photos, reviews. Privacy policy
- Stripe — payment processing for the Pro plan. Privacy policy
- Vercel — application hosting. Privacy policy
- OpenAI — used only inside the extraction pipeline to identify the restaurant name from a video's caption. We send the caption text and the URL of the video; we don't send your identity. Privacy policy
- Google AdSense — see "Advertising" below. Used only for free-tier accounts on the Saved and place-detail screens, and only after you grant consent.
Advertising
Free MapMeal accounts may see one Google AdSense display unit on the Saved screen and on individual place-detail pages. Pro subscribers and signed-out visitors never see ads. Ads do not appear on the map, the save workflow, the profile screen, or anywhere on the marketing/editorial pages.
What Google receives. When an ad serves, Google AdSense receives the standard signals every display ad receives: your IP address, your user agent, a general (city-level) location derived from IP, the URL of the page the ad rendered on, and interaction events (impression, click). MapMeal does not pass your account email, name, or any saved-place data to Google.
Consent Mode v2. We run Google's Consent Mode v2. When ads are enabled, the page initializes with ad_storage, ad_user_data, ad_personalization, and analytics_storage all set to denied by default. You see a consent banner (Google's "Privacy & messaging" / Funding Choices banner) and Google only personalizes ads — and only sets ad cookies — if you affirmatively grant consent. Deny means non-personalized ads only, with no advertising cookies set; we honor that signal globally, not just in regulated regions.
Manage your ad preferences. You can review and adjust how Google personalizes ads to you at Google Ad Settings and read Google's overview at How Google uses information from sites or apps that use our services. To stop seeing MapMeal's ads entirely, upgrade to Pro — Pro turns the entire ad surface off for your account.
ads.txt. Per IAB convention, /ads.txt lists Google as the only authorized direct seller of MapMeal ad inventory.
Cookies
The app sets one strictly-necessary cookie, mapmeal_device_id, used for anonymous-save functionality (no consent banner required under EU ePrivacy rules). Our analytics (Vercel Web Analytics and Speed Insights) are cookieless.
Advertising cookies are only set when (a) ads are enabled for your account (free, signed-in users), and (b) you have granted ad consent in the Funding Choices banner. If you deny consent or are a Pro subscriber, no advertising cookies are set.
Your rights
You can:
- Export your data — email us and we'll send a JSON export of your saved places.
- Delete your account — email us and we'll cascade-delete all your rows from Supabase and cancel any active Pro subscription via Stripe. Deletion is irreversible.
- Correct or update your data — use the in-app editing controls (notes, favorites, visited dates) or email us if something's off that we haven't exposed in the app.
Data retention
Your saved places and profile live in our database until you delete your account. The anonymous device-ID cookie has a one-year expiry. Supabase runtime logs follow Supabase's retention policy (a few days by default).
International users
We serve users globally. If you're in the EU or UK, we rely on our third-party providers' standard data-processing agreements for the transfer of data outside the EEA. We do not currently have an EU representative under GDPR Article 27; we'll add one if our EU user count grows to the threshold where it's required.
Changes to this policy
We'll update the "Last updated" date at the top whenever we make changes. For material changes (new third-party services, new data categories), we'll also show a notice in-app the next time you sign in.
Contact
For anything in this policy, email taylor@baremetalcloud.com. Replies typically land within 1–2 business days.