
Privacy Policy

Last Updated: 30 June 2025

MappedUP is operated by STRETCH EOOD (Bulgarian UIC 205132463). Throughout this document, “MappedUP”, “we”, “us” or “our” refers to STRETCH EOOD acting under that trade name.

Key Facts at a Glance (GDPR Art 12)

1 Scope
This Policy explains how we collect, use, share and safeguard Personal Data when you visit our marketing site or use our SaaS dashboard to manage Google Business Profiles (“GBP”). It complies with EU GDPR, UK GDPR, CCPA/CPRA, LGPD and Google API Services User Data Policy (“Limited Use”). MappedUP is independent of Google LLC.

2 What Data We Collect & Why (details → Appendix A)

  • Account Data — e-mail, name, workspace ID · contract
  • OAuth Data — Google UID, encrypted refresh-token, scopes · contract & consent
  • GBP Metadata — location IDs, listing data, KPIs · contract · cached ≤ 30 d
  • Logs & Security — IP, device, audit trail · legitimate interests · 90 d
  • Analytics — GA4 consent-mode ID + events · consent (opt-in)
  • Comms / Support — e-mails, tickets · contract · 24 m
  • AI Processing — short review text and review‑metadata sent to OpenAI API for (i) drafting suggested replies and (ii) generating aggregate sentiment scores; no Google OAuth tokens or full personal data are transmitted

We do not collect special-category data, children’s data (< 16) or sell personal data. Legitimate-interest balancing test available on request.

3 How We Use Data

  • Provide, maintain & improve dashboard, alerts, AI review drafts.
  • Display/update GBP strictly on your actions via Google APIs.
  • Security, fraud-prevention, encrypted backups.
  • Service e-mails; marketing e-mails only with opt-in consent.
  • Aggregate, IP-anonymised analytics to enhance UX.
  • Generate AI‑powered reply drafts and sentiment analytics through the OpenAI API, always on your explicit in‑app request.

4 Google API Services Compliance (Limited Use)

  • Scope business.manage only.
  • No ads, selling or cross-service profiling.
  • No human access unless you request support, security is at risk, or required by law (access logged).
  • Cached GBP data purged ≤ 30 d.
  • Tokens encrypted in transit (TLS 1.3) and at rest (AES-256) and erased ≤ 7 d after revocation.
  • We never request, transmit or store your Google password.
  • If you revoke access in your Google account, all related refresh tokens and any cached GBP resource data will automatically be deleted within seven (7) days.
  • A CSV of all user‑initiated GBP changes is downloadable from the Activity Log at any time.

Our use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including its Limited Use requirements.

5 Cookies & Similar Technologies
Essential cookies always active. GA4 analytics cookies load after explicit opt-in. Consent remembered 12 months; banner can be reopened via the floating “Cookie Preferences” consent button (always present in the left corner of the page). Do-Not-Track/GPC signals respected where feasible.
See the full Cookie policy.

6 Sharing & Sub-Processors
We share data with each sub‑processor only to the minimum extent necessary to operate the relevant feature.

| Provider | Role | Region | Safeguards |
|---|---|---|---|
| Xano | Backend DB & auth | EU-Central | SCC + ISO 27001 |
| WeWeb | Front-end hosting | EU-West | SCC |
| Google Cloud Platform | Cloud infrastructure | EU-West | SCC · EU-only region |
| Mailgun (Sinch) | E-mail | US | SCC · EU–US DPF |
| CookieYes | CMP | EU | SCC |
| Google Analytics 4* | Analytics (opt-in) | EU | Consent-Mode, IP-anon |
| OpenAI | Natural-language generation & sentiment scoring | US | SCC · EU–US DPF · No model training on your data |


Data‑Processing Addendum — Our standard GDPR Art 28 DPA is available on request by emailing privacy@mappedup.io.

*GA4 disabled until cookies accepted. Workspace owners are notified 30 days before a new sub-processor is added.

7 International Transfers
Standard Contractual Clauses (2021/914) plus encryption (industry‑standard encryption in transit and at rest). Copies available on request.

8 Retention, Deletion & Portability
Tokens/cache deleted ≤ 7 days after revocation. Users can export account & GBP data (JSON/CSV) in-app or by e-mail.

9 Your Rights
Access · Rectify · Erase · Port · Restrict · Object · Withdraw consent · Complain to CPDP. We respond within 30 days.
MappedUP will not discriminate or retaliate against you for exercising any of these rights.

10 Automated Decision-Making
MappedUP does not engage in automated decision-making or profiling that produces legal or similarly significant effects.

11 Security Measures
TLS 1.3 · AES-256-GCM at rest · MFA for admins · role-based access · quarterly penetration tests · intrusion detection · 72-hour breach-notification commitment.

12 Changes & Contact
Material changes announced 15 days in advance by e-mail and in-app notice. Archived versions are available via email.

Business transfers. If we are involved in a merger, acquisition or asset sale, we will not transfer any Google API‑derived personal data to the new owner without obtaining your explicit consent.


© 2025 MappedUP · legal@mappedup.io · ul. “Bratya Tedeski” 7, 9000 Varna, Bulgaria

Appendix A — Data-Processing