mantle place — legal

Privacy Policy

Last updated: 2026-05-31

0. Data Controller

Mantle Place LLC is the data controller for personal data processed through mantle.place. For privacy questions, data-subject requests, or to contact the controller, email contact@mantle.place. Mantle Place LLC does not currently have an appointed EU representative under GDPR Art. 27; if EU traffic exceeds the Art. 27 threshold (regular processing of EU resident data at scale) we will appoint one and update this section.

1. What We Collect

When you use Mantle Place we collect:
  • Email address — required to deliver bundles and re-access links. Provided by you at checkout or through Supabase Auth.
  • Order details — your AOI bbox, codename, the canonical provider IDs (always the v1 trio: Protomaps, NAIP, Mapterhorn), and the computed price.
  • Payment metadata — Stripe handles card details directly; we store only the resulting PaymentIntent / Customer / Charge IDs and the dispute / refund status returned by Stripe webhooks.
  • Technical signals — IP address (for rate limiting), browser user-agent, request paths, and standard server logs.

2. Subprocessors We Share Data With

Mantle Place is a small operation built on third-party infrastructure. Your data flows through:
  • Stripe — payment processing and refunds.
  • Cloudflare — Workers runtime, KV (rate limit + tile vintage), R2 (bundle storage), CDN.
  • Supabase — Postgres database (orders, users, etl_jobs) and Auth.
  • Google Cloud Platform — Pub/Sub queue and Cloud Batch workers that produce your bundles.
  • Resend — transactional email (bundle-ready, refund, dispute notifications).
  • PostHog — pseudonymous product analytics. Data hosted in the US region; transfers from the EU rely on PostHog Inc.'s EU-US Data Privacy Framework certification.
We don't sell your data, and we don't share it with anyone outside the list above unless required by law.

3. Cookies & Sessions

We use first-party cookies set by Supabase Auth to keep you logged in across pages. Stripe sets its own cookies on checkout pages for fraud detection and payment-method memory. For product analytics we use first-party browser localStorage rather than cookies — see §8 for the events we collect and how to opt out. The first time you visit Mantle Place, a small consent bar appears at the bottom of the page; analytics do not initialize until you click Accept, and Decline (or closing the bar) is honored across sessions.

4. Retention

We retain personal data only as long as needed for the purpose it was collected. Specific retention periods per data category:
  • Order records (orders + etl_jobs rows) — retained for the lifetime of your account so the vault stays permanent; the durable re-access promise depends on it. Deleted on account deletion or at your written request (after tax-recordkeeping obligations have lapsed).
  • Payment metadata (Stripe PaymentIntent / Charge / Customer IDs, last-4) — retained alongside the order record for chargeback and dispute defense, per Stripe's and applicable financial regulations' requirements (typically up to ~6 years for tax / chargeback windows).
  • Billing address from Stripe Elements (for tax) — captured at checkout, retained only as long as needed to satisfy tax-recordkeeping obligations.
  • Email address + auth tokens — retained for the lifetime of your account; tokens rotate on each login.
  • Server logs (Cloudflare Worker logs, including IP and user-agent) — rotated within ~30 days unless an active investigation requires longer retention.
  • Resend transactional email logs — retained per Resend's standard retention policy (delivery + bounce metadata, typically ≤90 days).
  • PostHog product analytics events — retained per PostHog Cloud's standard retention policy for the US region (typically ≤12 months on free tier).
  • Snapshot rows + OG preview images — retained until you hard-delete them at /vault/snapshots.

5. Your Rights

Email contact@mantle.place to exercise any of the rights below. We respond within 30 days; deletion of your account is destructive (it voids your vault), and we'll confirm before acting.

If GDPR applies to you (you are in the EEA, UK, or Switzerland), you have the right to:

  • Access — request a copy of your personal data (Art. 15).
  • Rectification — correct inaccurate or incomplete data (Art. 16).
  • Erasure — request deletion (Art. 17), subject to retention obligations in §4.
  • Restriction — restrict processing in specific cases (Art. 18).
  • Portability — receive your data in a machine-readable format and transmit it elsewhere (Art. 20).
  • Objection — object to processing based on legitimate interests (Art. 21).
  • Withdraw consent — for processing that relies on consent (analytics via the §8 toggle).
  • Lodge a complaint with your local supervisory authority (Art. 77). We hope you'll email us first so we can resolve it, but the right is yours either way.

If you are a California resident, the CCPA / CPRA grants you the right to know, delete, correct, and limit the use of sensitive personal information, plus the right to opt out of any "sale" or "sharing" of personal information for cross-context behavioral advertising. See §9 California Privacy Rights below for our specific disclosures and the opt-out mechanism.

6. Security

Curator credentials and payment access controls are treated as critical trust primitives. We use least-privilege service-role keys server-side, presigned URLs with short TTLs for bundle downloads (re-minted on every visit so the link never stales), and ID-token-based auth for the Supabase backplane. No system is perfectly secure; please report any suspected vulnerability to contact@mantle.place.

7. Public Snapshots

When you click Share on a placed AOI, Mantle Place creates a snapshot — a Felt-style read-only view of your area on a globe at the camera you were looking from. Snapshots are:
  • Private by default. Only you can see a snapshot until you flip Make Public in the Share modal. Public snapshots are visible to anyone with the URL; the URL itself is a 12-character random token so it's not enumerable in practice.
  • Anonymous by default. Public snapshots don't show your name or email unless you opt in via Show me as the sharer.
  • Not indexed by Google. Every snapshot page sets noindex, nofollow so link-sharing works as designed (Slack / Discord / Twitter previews) without your AOI ending up in search results.
  • What we store: the AOI bbox you drew, its area in km², the Cesium camera position at Share-click, your privacy + attribution toggles, and an OG preview image rendered from your viewport. Pricing parameters and personal info are not attached to snapshots.
  • How to revoke: open the snapshot's Share modal and flip Make Public off. The URL keeps resolving for you (the owner) but returns 404 to anyone else.
  • How to hard-delete: visit /vault/snapshots and click delete on any row. The snapshot row and its OG preview image are removed; the URL returns 404 to everyone including you. This is destructive and can't be undone.
  • Per-day cap: 50 snapshots per account per 24 hours, to keep the share surface clean. Email us if you have a legitimate need to lift the cap.

8. Analytics & Telemetry

Mantle Place uses PostHog (data hosted in the US region under the EU-US Data Privacy Framework) to capture pseudonymous product-usage events: cold-page visits, AOI draw and placement actions, checkout starts, payment success, bundle delivery, bundle download, and vault re-access. We do not capture personally identifiable information (PII) through this telemetry — your email and account details are stored in Supabase under a separate access policy.

Telemetry events are tied to a randomly-generated distinct_id stored in your browser's localStorage, never to your email address. If you create an account, that anonymous id is merged into your account's id so we can count returning visitors without re-identifying who you are. We honor the Do Not Track (DNT) browser signal — if your browser sets it, no telemetry fires.

You can opt out of analytics entirely using the toggle below. Opting out writes a flag to your browser's localStorage; we then no-op all event capture until you opt back in.

8.1 Automated Decision-Making

Mantle Place does not make decisions about you based solely on automated processing in a way that produces legal or similarly significant effects (GDPR Art. 22). Pricing is rule-based — a floor plus a per-km² curve from the live pricing_config row, applied to the AOI you draw. Rate limits and fraud signals applied by Cloudflare and Stripe are not used to make eligibility decisions about curators. No machine-learning model affects whether you can place an order, what you pay, or what you receive. If this changes, we will disclose it here before the change ships.

9. California Privacy Rights

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the rights enumerated in §5 plus two additional opt-out rights:

  • Right to Opt Out of Sale or Sharing. Mantle Place does not sell personal information for money. Mantle Place does not share personal information for cross-context behavioral advertising. Our PostHog analytics are first-party product analytics only and do not feed third-party advertising networks. Use the toggle in §8 above to disable analytics if you prefer; it's the same opt-out surface for "sharing" under the CCPA definition.
  • Right to Limit Use of Sensitive Personal Information. Mantle Place does not collect sensitive personal information as defined by CCPA §1798.140(ae) (precise geolocation, racial/ethnic origin, religion, union membership, mail/email contents, genetic data, biometrics, health, sex life). Your drawn AOI is geospatial but is not your geolocation. If we ever collect a category that meets the CCPA sensitive-PI definition, this section will be updated and a limit-use opt-out surfaced here.

We do not knowingly collect personal information from California residents under 16; if you believe we have, email contact@mantle.place and we will delete it. You may also authorize an agent to make a request on your behalf; we will verify their authority before responding.

10. Changes & Contact

We may update this Privacy Policy; the "last updated" date above moves when we do. Material changes will be surfaced in-product. Questions and escalation: contact@mantle.place.