Get an API key
Legal

Privacy policy

Last updated: 13 July 2026

We run a metered API, not an advertising business. We store what metering, billing and abuse prevention require, and nothing is ever sold.

1. What we store

We keep the minimum needed to run a metered API: your email address (lowercased, as the identity of record for keys, ledger and plan); API keys as cryptographic hashes only, never in plaintext; per-key usage counters (day, endpoint, count); your prepaid ledger and its credit history; your plan quota history; and a record of your terms acceptance, including the timestamp, IP address and user agent of the accepting request.

We do not store route coordinates against your identity for profiling. Request logs used for operations are short-lived and carry a request id, not a behavioural profile.

2. Why we store it

Service operation: issuing and authenticating keys, metering usage against quotas and credit, showing you your own account state, and billing through our payment processor.

Abuse prevention: issuance velocity limits per IP, key caps per identity, and disposable-email rejection all rely on the data above. The acceptance record (timestamp, IP, user agent) exists so that self-serve and agent-made acceptances are evidenced.

The lawful bases are performance of a contract (running the service you signed up for) and legitimate interests (keeping the service secure and abuse-free).

3. Who else touches it

We do not sell personal data, full stop.

We use a small number of processors to run the service: Stripe (card payments and subscriptions; we never see card numbers), Resend or an equivalent transactional email provider (delivery of magic-link verification emails), and our hosting providers (the servers the gateway and website run on). The current processor list is available on request and will be published here as it settles.

4. How long we keep it

Keys and identities persist while your account is active. Revoked keys and their usage counters are retained for up to twenty-four months for billing evidence and abuse forensics, then deleted or anonymised. Ledger and quota history are retained for six years in line with UK accounting requirements. Acceptance records are kept for as long as the agreement could be relevant. IP-based issuance counters expire within days.

5. Your rights

Under the UK GDPR you have the right of access, rectification, erasure, restriction, portability and objection, and the right to complain to the Information Commissioner's Office (ico.org.uk). Email us and we will act on a verified request within one month. Note that erasing your identity necessarily revokes its keys.

6. Contact

Controller: MapMap. For any privacy matter, including subject access requests, contact hello@mapmap.ai. We will update this page as the service evolves; material changes will be dated here.

The contractual side lives in the terms of service. Anything unclear: hello@mapmap.ai.

Template pending solicitor review: this document reflects how the service actually operates, but it has not yet been reviewed by a qualified solicitor.