Moe Talaat
8:00AM - 6:00PM
Monday to Saturday
hello@moetalaat.com
Email me directly
+1 (707) 706-0501
Let's talk
HomeServicesPricingBlogAboutSupport

← Back to Mapsy

Privacy Policy

Last updated: July 8, 2026

1. Introduction

Mapsy ("we," "our," or "us") is a US geography learning app for iPhone and Android. This Privacy Policy explains what data we collect, what we don't, and how the small amount we do use flows between your device and a handful of ordinary services.

The most important thing to understand: Mapsy is offline-first. You can install it, learn all 50 states, and use every quiz mode without an account and without a network connection. Your progress lives on your own device. Signing in is optional and exists only to sync that progress across your own phones and tablets. We don't sell ads, we don't track you across other apps, and we don't collect any of the content you might expect a camera or location app to collect, because Mapsy uses neither.

2. How Your Data Flows

Understanding the data flow is the clearest way to understand our privacy model:

  • Device only (the default): Your quiz progress, levels completed, mastered states, hearts, current session, and settings are stored on your device using local storage (AsyncStorage). If you never sign in, this data never leaves your phone and we never see it.
  • Device ↔ Firebase (only if you sign in): If you choose to sign in to sync across devices, your progress and current session are mirrored to a single document at users/{your-user-id} in Google Firestore, readable and writable only by your signed-in account. That is the only data we mirror. Your local settings and profile name stay on-device and are not uploaded.
  • Device ↔ Apple / Google (sign-in): If you sign in with Apple or Google, the provider handles authentication and returns a token to Firebase Auth. We never see your Apple or Google password. If you sign in with email and password, Firebase Authentication stores and verifies those credentials; we never see your password in plain text.
  • Device ↔ RevenueCat ↔ Apple / Google (subscriptions): When you upgrade to Mapsy Pro, the purchase is processed by Apple or Google. RevenueCat sits between the app and the store to tell us whether your Pro entitlement is active. RevenueCat receives an anonymous user ID and the store receipt. We never see your Apple ID, Google account, or payment method.
  • Device ↔ PostHog (product analytics):The app sends anonymous behavioral events to PostHog (for example "level_completed," "paywall_shown," "state_mastered") so we can understand which parts of the app work and which don't. If you're signed in, these are keyed to your Firebase user ID; if not, to an anonymous device identifier. No personal content is sent, because Mapsy has none to send. Session recording and replay are not used.

3. Information We Collect

Account information (only if you sign in)

  • Email address (if you sign up with email, or if your provider relays one)
  • A Firebase Authentication user ID (UID), generated when you sign in
  • The sign-in provider you used (Apple, Google, or email)

Learning progress (created by you)

  • Which modes and levels you've started, passed, or failed
  • Which states you've mastered, and your per-mode progress
  • Your current in-progress session and remaining hearts
  • An optional display name you can set locally

Without an account, this lives only on your device. With an account, the progress and session portions are mirrored to your private Firestore document so a second device can pick up where you left off.

Subscription state

  • Whether your Mapsy Pro entitlement is active (true/false), as reported by RevenueCat and the app store

Product analytics (PostHog, anonymous behavioral events)

  • Event names such as "app_opened," "onboarding_completed," "mode_started," "question_answered," "level_completed," "level_failed," "state_mastered," "paywall_shown," "paywall_action," "state_detail_viewed," "map_opened," "map_state_selected," "sign_in," and "sync_completed"
  • Coarse metadata attached to those events, such as which mode or level, without any personal content

What we do NOT collect

  • No camera or photo access. Mapsy has no camera feature.
  • No location data. Learning where a state is on a map does not use your real-world location.
  • No contacts, calendar, or health data
  • No microphone or audio recording. Mapsy only plays short sound effects.
  • No advertising identifier (no IDFA), no ad networks, no retargeting
  • No cross-app or cross-site tracking of any kind
  • No session recording or screen replay

4. Tracking & Advertising

Mapsy does nottrack you across other companies' apps or websites. We do not participate in ad networks, retargeting, or audience-building of any kind. We do not use Apple's IDFA (Identifier for Advertisers). Accordingly, the App does not present an App Tracking Transparency (ATT) prompt, because no cross-app or cross-site tracking occurs.

5. Third-Party Services

The App relies on the following services, each with their own privacy policies:

  • Google Firebase (Authentication, Firestore, Cloud Functions): used only if you sign in, to store your progress and to run account deletion. Data is stored in Google Cloud in the United States.
  • Apple: handles Sign in with Apple, App Store distribution, and Mapsy Pro in-app purchase billing on iOS.
  • Google: handles Sign in with Google, Play Store distribution, and Mapsy Pro in-app purchase billing on Android.
  • RevenueCat: reports your Mapsy Pro entitlement (active/expired) to the app. RevenueCat receives an anonymous user identifier and the store receipt, and processes data in the United States.
  • PostHog: product analytics. Receives anonymous behavioral events (no personal content). Hosted at us.i.posthog.com (United States). Session recording is not used.

6. Data Retention & Deletion

If you never sign in, there is nothing stored on our servers. Deleting the app removes your on-device progress. There is no server-side copy to delete.

If you have an account, your synced progress lives in your Firestore document until you delete it. You can delete your entire account from the app's Settings. This triggers a Cloud Function that:

  • Deletes your user document (progress and session) in Firestore
  • Deletes your Firebase Auth account, invalidating all sessions
  • Wipes your progress from the device you deleted it on

This is irreversible.

7. Legal Basis for Processing (GDPR)

If you are located in the EEA, United Kingdom, or Switzerland, we process your personal data on the following legal bases:

  • Contractual necessity (Art. 6(1)(b) GDPR): creating an account and syncing your progress across your devices, when you choose to sign in.
  • Legitimate interest (Art. 6(1)(f) GDPR): basic product analytics to improve the app and prevent abuse.

8. International Data Transfers

Firebase, RevenueCat, and PostHog all process data in the United States. If you use Mapsy from outside the U.S. and sign in, your synced data is transferred to and processed in the U.S. These providers offer Standard Contractual Clauses for cross-border transfers.

9. Your Rights

You have the right to:

  • Use the entire app without an account and without sharing any data with us
  • Delete your account and synced progress at any time from Settings
  • Request a copy of your data by emailing us

EEA/UK residents (GDPR): you also have the right to data portability, the right to restrict or object to processing, and the right to lodge a complaint with your local data protection authority.

California residents (CCPA/CPRA):you have the right to know what personal information we collect, the right to delete it, and the right to opt out of "sale" or "sharing" of personal information. We do not sell or share your personal information.

10. Children's Privacy

Mapsy is a learning app suitable for teens and adults, but it is not directed to children under the age of 13 (or 16 in the EEA), and we do not knowingly collect personal information from them. Because the core app works with no account and no data collection, a child can learn from Mapsy without any personal data being gathered. If you believe a child has created an account, contact us and we will delete it.

11. Security

Authentication is handled by Firebase Auth. All traffic between the app, Firebase, RevenueCat, and PostHog uses HTTPS. Firestore security rules restrict every user's synced data to their own UID. No system is perfectly secure, but Mapsy stores almost nothing beyond the progress you make in the app.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced on this page and, if significant, in the app. Continued use of Mapsy after changes constitutes acceptance.

13. Contact

Questions, requests, or anything else, write to support@moetalaat.com.

14. Summary

In short: Mapsy works entirely on your device with no account. If you sign in, we mirror only your quiz progress to your own private Firebase document so it follows you across devices. RevenueCat tells us whether Pro is active. PostHog gets anonymous events about how the app is used, never personal content. There is no camera, no location, no ads, and no cross-app tracking. Delete your account and the synced copy is gone. Delete the app and the local copy is gone too.

Got an app idea?

Let’s ship it.

I take on a couple of client projects at a time alongside my own apps. Tappable prototype in about a week, App Store in weeks not months.

Get in touchSee what I do
MOE TALAAT

Solo builder. iOS, Android, and the small backends that hold them up. Each app gets its own page, real legal copy, and a support inbox that goes to me.

Site

  • Home
  • Services
  • Pricing
  • About
  • Blog
  • Contact
  • Support

Contact

  • hello@moetalaat.com
  • support@moetalaat.com

© 2026 Mohamed Talaat. All rights reserved.

Built solo. Hosted on Vercel.