Privacy Policy
Last updated July 10, 2026. This policy explains what MapCrates collects, how it is used, how it is shared, how it is protected, and what choices you have. It also includes a data-safety summary for the MapCrates website, account services, desktop software, beta access, licensing, downloads, support, and future billing.
Local-first commitment
MapCrates is designed so your GIS datasets, drone imagery, attachments, generated `.mapcrate` packages, and exported HTML map exhibits stay on your machine. The online services are for identity, beta access, licensing, download entitlement, security, support, admin workflows, and future billing. MapCrates does not intentionally collect or store your customer map project data online unless you choose to send it to us, such as for support.
1. Scope
This policy applies to MapCrates websites, account pages, admin pages, APIs, desktop licensing services, installer downloads, beta signup, support interactions, and related communications. It does not apply to third-party websites, services, basemap providers, payment processors, email providers, or hosting providers that have their own privacy policies.
2. Information we collect
We collect the following categories of information, depending on how you use MapCrates:
- Account information, such as email address, password hash, company name, optional profile details, account status, role, email verification status, and password reset status.
- Authentication and security information, such as session tokens, token hashes, IP address hashes, user-agent hashes, audit events, verification attempts, login times, and password reset events.
- Desktop license information, such as hashed device fingerprint, device display name, operating system, app version, license session status, lease IDs, entitlement state, and last-seen timestamps.
- Download information, such as the app version downloaded, download entitlement, timestamp, IP address hash, and user-agent hash.
- Billing information, when paid plans are enabled, such as Stripe customer IDs, subscription IDs, plan IDs, subscription status, trial dates, renewal dates, cancellation status, and webhook event hashes. Full card numbers are handled by Stripe and are not stored by MapCrates.
- Communications and support information, such as email messages, support requests, feedback, bug reports, screenshots, diagnostics, or files that you choose to send us.
- Website and service technical information, such as request metadata, cookie data needed for login sessions, security logs, human verification results, and operational logs.
3. Information the desktop app keeps local
Unless you intentionally send files to MapCrates, the following are intended to remain on your device or systems:
- Shapefiles, FileGDBs, GeoJSON, KML, CSVs, raster imagery, drone imagery, and attachments.
- Map layouts, layer styling, project working files, generated `.mapcrate` packages, and HTML exports.
- Client names, site locations, parcel details, boundaries, measurements, photos, or notes contained in your map data.
If you send support files to MapCrates, those files may contain personal information, geospatial information, or confidential customer information. Do not send regulated, sensitive, or confidential data unless you are authorized to do so and the data is needed for support.
4. How we use information
MapCrates uses information to:
- Create, verify, secure, and manage user accounts.
- Provide beta access, downloads, desktop login, license leases, and entitlement checks.
- Operate one-active-desktop-session licensing and offline grace behavior.
- Send email verification, password reset, account, billing, beta, and support messages.
- Process future subscriptions, trials, renewals, cancellations, and payment status.
- Prevent fraud, abuse, unauthorized access, credential attacks, license bypass, and misuse.
- Debug, maintain, secure, improve, and support MapCrates.
- Comply with legal, tax, accounting, payment, security, and contractual obligations.
5. How we share information
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We share information only as needed for the purposes described in this policy:
- Service providers, such as Railway for hosting/database, Cloudflare for DNS, WAF, Turnstile, and installer delivery, Resend for transactional email, and Stripe for paid billing when enabled.
- Professional advisors, such as lawyers, accountants, security consultants, or insurers, when reasonably necessary.
- Legal and safety reasons, such as complying with law, protecting rights, enforcing terms, investigating abuse, or responding to lawful requests.
- Business transfers, such as a merger, acquisition, financing, restructuring, or sale of assets, subject to appropriate protection of user information.
- With your direction or consent, such as when you ask us to troubleshoot a support file or communicate with someone on your behalf.
6. Cookies and similar technologies
MapCrates uses cookies and similar technologies that are necessary for login sessions, authentication, security, fraud prevention, human verification, and service operation. We do not currently use third-party advertising cookies or cross-site behavioral advertising pixels.
7. Data safety summary
| Data category | Collected by online services? | Purpose | Shared with | Protection and retention |
|---|---|---|---|---|
| Account and profile | Yes | Account creation, email verification, login, support, and admin workflows. | Hosting/database providers, email provider, and support tools as needed. | Passwords are hashed. Account records are kept while the account is active and as needed for legal, security, billing, or audit purposes. |
| Authentication and security logs | Yes | Sessions, password resets, audit logs, abuse prevention, and incident investigation. | Hosting, security, and infrastructure providers as needed. | Session and reset tokens are stored as hashes where practical. Logs are access-controlled and retained as needed for security and operations. |
| Device and license status | Yes | Named-user licensing, one active desktop session, entitlement checks, downloads, and offline grace. | Hosting/database providers and internal support/admin users with a need to know. | Device fingerprints are expected to be hashed before storage. Records are retained while needed to provide licensing, audit, support, and abuse prevention. |
| Billing and subscription status | When paid plans are enabled | Trials, subscriptions, renewals, cancellation, entitlement, tax/accounting, and payment support. | Stripe and hosting/database providers. | MapCrates stores Stripe IDs and subscription state, not full card numbers. Billing records are retained as needed for accounting, tax, dispute, and legal obligations. |
| Installer download records | Yes | Download entitlement, app-version history, audit, security, and support. | Hosting, storage/CDN, and security providers. | IP address and user-agent data may be hashed. Retained as needed for security, entitlement, support, and audit purposes. |
| GIS project data and exports | No, unless you send it to us | Processed locally by the desktop software. Support review only if you choose to provide files. | No routine sharing by MapCrates. Support files may be shared with service providers or advisors if needed to resolve the issue. | Keep your own backups. Support files are access-controlled and should be deleted or returned when no longer needed for support, legal, or security purposes. |
| Human verification data | Yes | Bot prevention, signup/login/reset protection, and abuse prevention. | Cloudflare Turnstile or a MapCrates-managed verification endpoint. | Used to validate requests and reduce abuse. Retention depends on provider logs and MapCrates security needs. |
| Transactional emails | Yes | Email verification, password resets, beta messages, billing notices, and support. | Resend or another transactional email provider. | Email addresses and message metadata are retained as needed for delivery, support, compliance, and abuse prevention. |
8. Security practices
We use administrative, technical, and organizational measures designed to protect personal information. Current and planned protections include HTTPS, password hashing, hashed session and reset tokens, hashed IP and user-agent fields where practical, short-lived access tokens, rotating desktop refresh tokens, license lease signing, role-based admin access, audit logs, human verification, Cloudflare security controls, and limited access to production systems.
No system can be guaranteed perfectly secure. You are responsible for protecting your own devices, credentials, project files, exported deliverables, backups, and customer data. If you believe your MapCrates account or data has been compromised, contact us promptly at security@mapcrates.com.
9. Retention
We keep personal information for as long as needed to provide MapCrates, manage accounts, provide downloads and licenses, operate security controls, support users, resolve disputes, enforce terms, comply with legal obligations, maintain audit records, and operate our business. We may retain limited records after account closure where needed for security, accounting, legal, fraud prevention, backup, or legitimate business purposes.
10. Your choices and rights
You may request access, correction, deletion, or export of personal information by contacting privacy@mapcrates.com. We may need to verify your identity before fulfilling a request. Some information may be retained where allowed or required by law, such as security logs, billing records, audit records, backup data, or records needed to complete transactions and prevent fraud.
We do not sell personal information or share it for cross-context behavioral advertising. If that changes, we will update this policy and provide required opt-out choices. Where applicable privacy laws grant rights to know, access, delete, correct, opt out, limit use of sensitive information, appeal, or avoid discrimination for exercising rights, we will honor those rights as required.
11. California and other U.S. state privacy notices
Depending on where you live and whether MapCrates meets the legal thresholds for a particular privacy law, you may have additional privacy rights. These may include the right to know categories and specific pieces of personal information, the right to delete, correct, opt out of sale or sharing, limit certain uses of sensitive personal information, and not be discriminated against for exercising privacy rights.
We do not knowingly sell personal information, share personal information for cross-context behavioral advertising, or use sensitive personal information for purposes that would require a right to limit under California law. If you submit a privacy request, we will respond within the time required by applicable law or, where not legally required, within a reasonable time.
12. Children's privacy
MapCrates is intended for business and professional users. It is not directed to children, and we do not knowingly collect personal information from children under 13. If you believe a child provided personal information to MapCrates, contact us so we can take appropriate action.
13. International use
MapCrates is operated from the United States. If you use MapCrates from outside the United States, your information may be processed in the United States or other countries where our service providers operate. Those locations may have data protection laws that differ from those in your jurisdiction.
14. Changes to this policy
We may update this policy from time to time. The updated version will be posted with a new "Last updated" date. If a change materially affects your privacy rights or our data practices, we will provide reasonable notice, such as through the website, account area, email, or desktop software.
15. Contact
Privacy requests and questions can be sent to privacy@mapcrates.com. Security concerns can be sent to security@mapcrates.com. General support questions can be sent to support@mapcrates.com. The MapCrates Terms of Service explain the rules for using the software and services.