Privacy Policy

When you sign in or use Mapou, we may collect:

• Your name and email address (from Google or Microsoft OAuth)
• Your profile picture (from your OAuth provider)
• Usage data, which pages you visit and actions you take in the platform
• Data from third-party platforms you choose to connect (Shopify, Google Analytics 4, Klaviyo, Meta Ads). For each, see the “Connected integrations” section below for the specific data fields and retention.
• Public Reddit posts that mention your tracked brand or competitors, collected read-only via Reddit's public Data API.

• To authenticate you and provide access to your workspace
• To run AI prompt analysis on your brand and competitors
• To generate reports, summaries, and recommendations within your account
• To compute anonymized network benchmarks (medians and quartiles across all connected workspaces), individual workspace values are never exposed; benchmarks are gated until at least three workspaces share a category
• To send product updates, weekly digests (when opted in), or support messages

We do not sell your data to third parties. We do not use your connected commerce data, AI prompt results, or Reddit signal to train AI models.

When a workspace administrator connects a third-party platform to Mapou, we read specific data subject to that platform's own permissions framework. We never write to or modify any connected account.

Klaviyo

Read-only scopes requested: campaigns:read, flows:read, metrics:read, lists:read.
Data collected: campaign names, status, send times, recipient counts, opens, clicks, conversion value, flow names, status, trigger types, list metadata. Subscriber email addresses, phone numbers, and profile data are not accessed.
Retention: retained while the integration is connected. Cleared within 30 days of disconnect (immediate deletion available via support email).

Meta Ads (Facebook)

Read-only scopes requested: ads_read, business_management.
Data collected: ad account ID, campaign names, status, objectives, start/stop times, last-90-day insights (spend, impressions, clicks, reach, purchases, purchase value, ROAS). Individual user-level data and audience data are not accessed.
Retention: retained while the integration is connected. Cleared within 30 days of disconnect, or immediately on receipt of a Meta data-deletion request via our data-deletion endpoint.

Shopify

Read-only scope requested: read_products.
Data collected: product handles, titles, URLs, structured-data metafields, basic catalog state. Order data, customer data, and PII are not accessed.
Retention: retained while the integration is connected. Cleared within 30 days of disconnect.

Google Analytics 4

Read-only access: session-level metrics by URL.
Data collected: organic sessions, engaged sessions, conversions, and revenue at the page-URL level. Individual user identifiers are never accessed.
Retention: retained while the integration is connected. Cleared within 30 days of disconnect.

Reddit

Authentication: Reddit's OAuth client-credentials flow, read-only access to public posts via the Reddit Data API.
Data collected: public posts that match a search for your brand or tracked competitors, title, selftext (post body), subreddit, score, comment count, public author handle, post timestamp, permalink. We do not access private messages, private subreddits, or any user data not publicly available.
Retention: 90 days, refreshed on each sync. Deletion on disconnect within 30 days.

Mapou engages third parties to process personal data on your behalf, under our instructions. Hosting (Vercel, Neon), payment processing (Stripe), AI model providers (Anthropic, OpenAI, Google, xAI, Perplexity), authentication (Google, Microsoft), and transactional email (Resend) are all listed in our canonical subprocessor list, with the categories of data each one processes and links to their DPAs.

We commit to 30 days' advance notice to workspace admins before adding a new subprocessor. We do not authorise any AI provider to train models on your data.

Subscription payments are processed by Stripe Inc. Mapou never receives or stores card numbers, CVV codes, or full account details, those are held by Stripe under PCI DSS Level 1 compliance. We store only your billing email, your Stripe customer and subscription IDs, and your plan / tier / period boundaries. Card data updates and invoice history live in Stripe's hosted Customer Portal, accessible from your billing settings.

You have the right to access, correct, export, or delete your personal data at any time. To exercise these rights, email support@mapou.ai. We will respond within 30 days (sooner for deletion requests, typically one business day).

Disconnecting an integration: revoke Mapou's access from within the source platform (e.g. Klaviyo Connected Apps, Meta Business Settings, Shopify app permissions). Synced data will be cleared within 30 days, or immediately upon emailed request.

Meta data deletion: per Meta's Platform Terms, we operate a dedicated deletion endpoint at https://app.mapou.ai/api/meta/data-deletion. Meta users can also email us directly.

Deleting your workspace (self-serve): from Billing, scroll to the Danger Zone, type your workspace name to confirm, and we schedule a hard delete in 14 days. During the grace window you can restore. After the grace window, a daily cron permanently erases the workspace and all derived data (cascades through prompts, results, traits, page performance, etc.). Your data export is available at any time from the same surface.

Deleting your account (alternative): email us with the subject “Delete my account” from the address tied to the workspace. We confirm within one business day.