EN
Privacy

Privacy Policy

Effective date: 24 April 2026

This Privacy Policy explains how MapX (“MapX”, “we”, “us” or “our”) collects, uses, discloses, and protects personal data when you use the MapX platform, websites, and services (collectively, the “Service”).

MapX is a map-based survey platform. We process personal data in two different roles:

  • As a data controller, for information about account holders (“Customers”), visitors to our marketing site, and people who contact us.
  • As a data processor, for survey responses and other personal data that our Customers collect from their respondents through the Service. In that case the Customer is the controller, and you should consult the Customer’s own privacy notice.

1. Who we are

MapX is operated from Sweden. For any privacy-related question or to exercise your rights, contact us at support@mapx.se.

2. Information we collect

2.1 Account information (Customers)

When you create an account we collect your name, email address, password (stored as a hash by Firebase Authentication), profile photo if uploaded, your company name and domain, your role within that company, and your account type. We also store timestamps for account creation, updates, and last login.

2.2 Survey content (Customers)

We store the surveys you create — including titles, descriptions, questions, uploaded images, logic rules, and branding configuration — so we can render and deliver them.

2.3 Response data (Respondents)

When someone answers a survey you have published, we process data on your behalf. Depending on the survey’s configuration, this may include:

  • Answers to questions (text, choices, ratings, dates, map coordinates, drawn lines or polygons, planned routes, etc.)
  • Photos, videos and audio captured through map-media questions
  • Address and location text entered by the respondent
  • Contact fields (full name, email, phone, company, role, address, website) if a contact question is included
  • A geographic position from the respondent’s browser (latitude, longitude, accuracy), if the survey requests it and the respondent grants permission
  • The respondent’s IP address, a session token, start and completion timestamps, and time spent on the survey

As a Customer, you are the controller for this data and you are responsible for providing respondents with an appropriate privacy notice and a lawful basis for the processing.

2.4 Technical and usage data

When you use the Service we automatically receive standard log information — IP address, device type, browser, operating system, referring and exit pages, and timestamps — and product analytics about how you interact with features (for example, which pages you visit and which buttons you click). Product analytics are collected by PostHog on EU infrastructure.

2.5 Cookies and similar technologies

We use a small number of cookies and browser storage mechanisms:

  • Strictly necessary — Firebase Authentication session cookies and App Check tokens used to keep you signed in and to protect against abuse; localStorage entries for your preferred theme and language.
  • Analytics (optional, consent-based) — PostHog identifiers used to understand product usage. We configure PostHog for “identified only” profiles and host it in the EU. These are only set after you opt in through the cookie banner in the MapX app, and you can withdraw consent at any time from the Privacy Policy page in the app.
  • Third-party — Mapbox and Google reCAPTCHA Enterprise may set cookies or collect device signals when you view a map or submit a form.

3. How we use information

  1. To provide, operate and maintain the Service — including authentication, hosting your surveys, delivering responses, rendering dashboards, and exporting results.
  2. To generate AI outputs — when you use our AI Survey Generator, AI Analysis Generator, or chat, we send prompts, document uploads, and the relevant survey data to Anthropic (Claude) for inference. Outputs are streamed back to your workspace.
  3. To provide customer support, respond to enquiries, and operate our support ticketing system.
  4. To secure the Service — detect abuse, spam, fraud and unauthorised access, including through Firebase App Check and IP-based rate limiting.
  5. To improve the Service — analyse usage patterns, diagnose errors, and guide product development.
  6. To comply with legal obligations and enforce our Terms.
  7. To communicate with you — including transactional messages (verification emails, password resets, ticket notifications) and, where permitted, product updates.

4. Legal bases (GDPR)

Where GDPR applies, we rely on the following legal bases:

  • Performance of a contract (Art. 6(1)(b)) — to provide the Service to you.
  • Legitimate interests (Art. 6(1)(f)) — to secure the Service, prevent abuse, analyse usage, and communicate about your account. You may object at any time.
  • Consent (Art. 6(1)(a)) — for analytics cookies (where applicable), optional marketing communications, and any processing that requires consent. You may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, and law-enforcement requests.

For Respondent data, the Customer determines the legal basis in their own privacy notice. We process that data only on the Customer’s documented instructions.

5. Sharing and disclosure

We do not sell personal data and we do not share it for cross-context behavioural advertising.

We share personal data only with:

  • Subprocessors acting on our instructions to help operate the Service (see section 6).
  • Other users within your organisation — members of the same MapX workspace can see shared surveys, dashboards and team information according to role (Owner, Admin, Member, Viewer).
  • Legal and safety — courts, regulators, or other third parties when required by law or to protect our rights, the rights of users, or the safety of any person.
  • Business transfers — in connection with a merger, acquisition, reorganisation or sale of assets, subject to customary safeguards.

6. Subprocessors

ProviderPurposeLocation & safeguards
Google Ireland Ltd. (Firebase)Authentication, Firestore database, Cloud Functions, Cloud Storage, Realtime Database, App Check, HostingEU (Firestore region europe-north2, Functions region europe-west3); some edge services may process data outside the EU under Standard Contractual Clauses.
Anthropic PBCClaude AI inference for AI Survey Generator, AI Analysis Generator, and chat featuresUnited States, under Standard Contractual Clauses. Inputs and outputs are not used to train Anthropic models.
Mapbox Inc.Map tile rendering, geocoding, and routing for map-based questionsUnited States, under Standard Contractual Clauses.
PostHog Inc.Product analytics and error trackingEU (eu.i.posthog.com).
Google reCAPTCHA EnterpriseAbuse protection via Firebase App CheckProcessing by Google.

A current, complete list of subprocessors is available on request at support@mapx.se.

7. International transfers

MapX’s primary infrastructure is located in the European Union. Where a subprocessor is based outside the EEA, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (EU Commission Decision 2021/914) together with supplementary technical and organisational measures.

8. Data retention

  • Customer account data is retained for the life of the account and for a reasonable period after closure to satisfy legal and accounting obligations (typically up to 7 years for financial records).
  • Survey and response data is retained as long as the Customer keeps it in the Service. Customers can delete surveys and responses at any time. On account closure we delete or return the data within a reasonable period.
  • Logs and analytics are retained for up to 24 months.
  • Support tickets are retained for up to 3 years after closure.

9. Security

We apply technical and organisational measures appropriate to the risk, including:

  • TLS encryption in transit and encryption at rest for data stored with Firebase;
  • Role-based access controls within the platform (Owner, Admin, Member, Viewer);
  • Firebase App Check backed by Google reCAPTCHA Enterprise to prevent abuse;
  • Access controls and audit logging for our internal systems;
  • Secure handling of secrets — no credentials are stored in the client or public repositories.

No system is completely secure and we cannot guarantee absolute security of personal data.

10. Your rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you;
  • Have inaccurate data corrected;
  • Have your data erased (the “right to be forgotten”);
  • Restrict or object to processing;
  • Receive your data in a portable format;
  • Withdraw consent where we rely on consent;
  • Lodge a complaint with a supervisory authority. In Sweden this is the Swedish Authority for Privacy Protection (IMY).

If you are a Respondent, please direct rights requests first to the Customer who created the survey — they are the controller of your data. If you cannot identify or reach the Customer, contact us and we will forward your request.

To exercise rights regarding data we control, email support@mapx.se. We will respond within one month and may extend that by up to two further months for complex requests.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified in-product or by email at least 30 days before they take effect. The “Effective date” at the top shows when the current version was published.

12. Contact us

Questions about this policy or our data practices? Email support@mapx.se.