Privacy Policy

Last updated: May 31, 2026

RatMap ("we", "us", or "our") operates the RatMap mobile application. This Privacy Policy explains how we collect, use, and protect your information when you use our app, and the rights you have over your data.

1. Information We Collect

Account Information: When you create an account, we collect your email address and username. If you sign in with Apple or Google, we receive basic profile information from those services.

Location Data: We collect your device's location when you submit a rat sighting or use the map. Location is used to place sightings on the map and to show nearby activity. We only access location while the app is in use and with your permission. EXIF GPS metadata is stripped from photos before upload.

Photos: Photos you attach to sightings are uploaded to our servers and displayed publicly within the app. We do not access your photo library beyond the images you choose to share.

Push Tokens and Delivery Logs: When you enable notifications, we store an anonymous device push token and a log of notifications we send (for delivery diagnostics and rate limiting).

Crash Reports: If you opt in, we collect anonymous crash data via Sentry to fix bugs. This is off by default and never includes account content.

Consent Records: When you grant or revoke consent for a feature, we record what you accepted and when, so we can prove your consent if asked.

2. Lawful Bases for Processing (EU / UK / Brazil)

For users in jurisdictions that require a lawful basis, the following table maps each data category to its purpose and the legal basis we rely on:

Data | Purpose | Lawful basis
Email, username, auth credentials | Account creation and login | Contract (GDPR Art. 6(1)(b))
GPS at sighting time, photos | Plot sightings on the map | Contract
Friend graph | Social features | Contract
Push tokens, cached device location | Decide whether to send nearby/friend notifications | Consent (Art. 6(1)(a))
Push delivery logs | Deliver notifications, rate limiting | Consent
Crash diagnostics (Sentry) | Improve the app, debug crashes | Consent — off by default

You can withdraw consent at any time in Settings → Notifications / Privacy. Withdrawing consent does not affect the lawfulness of processing before withdrawal.

3. How We Use Your Information

4. Subprocessors

We use the following service providers (subprocessors) to operate the app. We have data processing agreements in place with each:

5. International Data Transfers

Our primary database and storage are hosted by Supabase in the United States (AWS region us-west-2). If you are located in the EU, UK, Switzerland, or another jurisdiction with cross-border transfer rules, your data is transferred to the United States. We rely on Standard Contractual Clauses (and where applicable the EU–US Data Privacy Framework) as the legal mechanism for this transfer.

6. Data Sharing

Your username, sightings, and profile information are visible to other RatMap users — that is the point of the app. We do not sell your personal information to third parties. The only third parties who process your data are the subprocessors listed in Section 4.

7. Data Retention

8. Data Storage & Security

Your data is stored on Supabase, which provides encryption at rest and in transit. We use industry-standard security measures (Row-Level Security on every user-facing table, hashed credentials, scoped storage paths) to protect your information, but no method of transmission over the internet is 100% secure.

9. Your Rights

You have the right to:

You can exercise the access, portability, and deletion rights directly in the app: Settings → "Export My Data" (Art. 15 / Art. 20) and Settings → "Delete Account" (Art. 17). Account deletion is immediate and irreversible. For any other request, email ratmapsupport@gmail.com and we will respond within 30 days.

10. Children's Privacy

RatMap is not intended for children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal data, please contact us so we can remove it.

11. Regional Rights

European Economic Area & United Kingdom

If you are in the EEA or UK, you may lodge a complaint with your national data protection authority. In the absence of an EU-based representative, the lead authority for cross-border issues defaults to the Irish Data Protection Commission (dataprotection.ie). UK residents may complain to the ICO (ico.org.uk).

Australia

If you are in Australia, we handle your personal information in accordance with the Australian Privacy Principles under the Privacy Act 1988. You may complain to the Office of the Australian Information Commissioner (oaic.gov.au).

New Zealand

If you are in New Zealand, your rights are governed by the Privacy Act 2020. You may complain to the Office of the Privacy Commissioner (privacy.org.nz).

Brazil (LGPD)

If you are in Brazil, you have rights under the LGPD including access, correction, anonymization, portability, deletion, information about subprocessors, and revocation of consent. To exercise these rights contact ratmapsupport@gmail.com, or complain to the ANPD (gov.br/anpd).

Singapore (PDPA)

If you are in Singapore, your rights are governed by the Personal Data Protection Act. Our designated Data Protection Officer is reachable at ratmapsupport@gmail.com. You may complain to the Personal Data Protection Commission (pdpc.gov.sg).

Canada (PIPEDA)

If you are in Canada, your rights are governed by PIPEDA (and provincial laws where applicable). You may complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca).

12. Data Protection Contact

For privacy questions, access/deletion/portability requests, or to withdraw consent, contact ratmapsupport@gmail.com. We will respond within 30 days.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes through the app. The "Last updated" date above reflects the current version. Continued use of RatMap after changes constitutes acceptance of the updated policy.