Data Protection

FriendsMap is committed to protecting your personal data. This page describes our data protection practices, your rights, and how we handle personal information in accordance with applicable data protection laws.

1. Data Controller

FriendsMap acts as the data controller for personal information collected through our app and website. For questions about how we handle your data, contact us at contact@friendsmap.me.

2. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area, we process your personal data under the following legal bases:

• Consent: Location sharing with friends; contact list access; push notifications
• Contract performance: Account creation; providing core app functionality
• Legitimate interests: Security; fraud prevention; service improvement; crash reporting
• Legal obligation: Compliance with applicable laws and regulations

3. Categories of Personal Data

We process the following categories of personal data:

• Identity data: Phone number, display name
• Location data: GPS coordinates (only when sharing is enabled)
• Communication data: In-app messages, AR tag content
• Device data: Device model, OS version, push notification token
• Usage data: Feature interactions, crash reports
• Contact data: Hashed phone numbers from your contacts (for friend discovery)

4. Data Minimization

We follow the principle of data minimization — we only collect data that is necessary for the specific purpose for which it is collected. We do not collect additional data "just in case." For example, we do not store your full contact list; we only use contact numbers for hashed matching to help you find friends.

5. Data Storage and Security

Your data is stored in Firebase (Google Cloud), which employs industry-standard security measures including:

• Encryption at rest (AES-256)
• Encryption in transit (TLS 1.2+)
• Access controls and audit logging
• Physical security at data center facilities

Our Firebase Firestore Security Rules enforce that users can only access data they are authorized to see. No user can read another user's data without explicit authorization.

6. Data Retention

We retain data for only as long as necessary:

• Account data: Retained while your account is active; deleted within 30 days of account deletion request
• Live location: Not stored — transmitted in real time and discarded
• Chat messages: Retained until you delete them
• Crash logs: Retained for 90 days
• Event data: Retained for 2 years after the event date, then purged

7. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data:

• Right of access: Request a copy of your personal data
• Right to rectification: Correct inaccurate or incomplete data
• Right to erasure: Request deletion of your personal data ("right to be forgotten")
• Right to restriction: Request that we limit how we process your data
• Right to portability: Receive your data in a machine-readable format
• Right to object: Object to processing based on legitimate interests
• Right to withdraw consent: Withdraw consent at any time without affecting prior processing

To exercise any of these rights, contact us at contact@friendsmap.me. We will respond within 30 days.

8. International Transfers

Firebase infrastructure is operated by Google and may involve transfers of data to the United States and other countries. These transfers are covered by Google's Standard Contractual Clauses and their compliance with applicable data protection frameworks including the EU-US Data Privacy Framework.

9. Children's Data

We do not knowingly collect personal data from children under 13. For users aged 13–17, our parental consent flow requires a parent or guardian to approve the child's account. Parents may contact us to review or delete their child's data at contact@friendsmap.me.

10. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users and relevant supervisory authorities within 72 hours of becoming aware of the breach, as required by applicable law.

11. Sub-processors

We use the following sub-processors to deliver the Service:

• Google Firebase (Google LLC) – Authentication, database, storage, analytics — Privacy
• HERE Technologies – Map rendering and navigation — Privacy
• Hostinger – Email delivery — Privacy

12. Supervisory Authority

If you are located in the EEA and believe we have not handled your data lawfully, you have the right to lodge a complaint with your local data protection supervisory authority. In Canada, the applicable authority is the Office of the Privacy Commissioner of Canada (priv.gc.ca).

13. Contact Our Data Protection Officer

For data protection inquiries:

Email: contact@friendsmap.me
Subject line: "Data Protection Request"