Privacy notice

When you sign in with Google through Firebase Authentication, we receive and store your Firebase user ID, email address, display name, and profile image URL. We do not receive your Google password, and we do not request access to Google Drive, Gmail, Contacts, or other unrelated Google data.

We store account and subscription-related data in Cloud Firestore, including your user role, plan, billing status, Stripe customer ID, Stripe subscription ID, Stripe price ID, billing period dates, account creation date, and update timestamps.

We store project data in Cloud Firestore. This includes the project name, location label, selected map bounding box, camera position, board dimensions, layer and material settings, water settings, selected map style, palette choice, preview summary information, locked preview signature, and, when a preview is locked, a stored preview image for later display.

We also store usage records in Cloud Firestore to enforce plan quotas. These records include the billing-cycle key, the number of created projects in that cycle, a list of project IDs counted in that cycle, and timestamps.

In the current implementation, Cloud Firestore is accessed through server-side application routes rather than direct browser reads and writes. The current Firestore security rules in this project deny direct public client access.

After successful sign-in, Layered Maps creates an HTTP-only server session cookie named layeredmaps_session. In the current implementation, that cookie is set with a maximum lifetime of five days unless you sign out earlier.

The app also uses browser session storage for a small redirect-state flag during Google sign-in. In addition, Firebase Authentication may persist your signed-in browser state locally until you sign out, because the app currently uses the default browser persistence behavior of the Firebase web SDK.

Payments and subscription management are handled through Stripe Checkout, the Stripe customer billing portal, and Stripe webhooks. When you begin checkout, we send Stripe your name, email address, internal Firebase user ID, and the selected plan.

Stripe returns subscription status information to us through webhooks. We store only the Stripe identifiers and subscription status data needed to operate billing inside the app. We do not store full payment card numbers in Layered Maps.

Layered Maps uses Mapbox services to render the interactive map and to retrieve map, satellite, and terrain tiles needed for previews and exports. When you open the map, move it, change styles, lock previews, or generate exports, requests are sent to Mapbox containing at least the requested tile or style information and standard web request metadata.

Generated export ZIP archives are stored in Firebase Cloud Storage under a user-specific path so they can be downloaded again. Cloud Storage is not used here for general user uploads. The current Firebase Storage rules deny all direct public read and write access, and download access is mediated by authenticated server routes.

The site includes Vercel Web Analytics. This may process usage information such as page visits, referrers, device or browser characteristics, and related aggregated traffic metrics so we can understand how the site is used.

In development environments only, the app may also log certain technical events and errors to the server console, such as authentication or session exchange failures.

We use personal data to authenticate users, create and maintain accounts, store and retrieve projects, generate locked previews and export archives, enforce plan and quota limits, process subscriptions, provide billing self-service, secure the app, diagnose failures, and comply with legal obligations.

Where applicable under data protection law, these processing operations are based on the performance of our contract with you, our legitimate interests in operating and securing the service, and legal obligations that apply to billing and recordkeeping.

Account records, project records, preview data, and billing reference data are kept until they are deleted by us or at your request, subject to legal retention obligations and legitimate operational needs.

Export ZIP archives may remain stored in Firebase Cloud Storage while the related project exists so they can be downloaded again. When a project is deleted through the app, the current implementation also deletes the related export archives from Cloud Storage.

If you want your account removed completely, contact hello@strics.at. The current app does not yet provide a self-service account deletion flow.

Depending on how you use the app, personal data may be processed by the following service providers acting as our processors or independent providers: Google Firebase Authentication, Google Cloud Firestore, Google Cloud Storage, Stripe, Mapbox, and Vercel.

If these providers process data outside your country, they may rely on contractual and organizational safeguards offered under their service terms and data processing documentation.