Privacy Policy
Effective date: March 16, 2026 | Last updated: March 16, 2026
Please read this policy carefully. It explains how FriendsMap collects, uses, stores, and protects your personal information, and what rights you have over it.
1. Who we are
FriendsMap ("we", "our", or "us") is a location-sharing application and website operated at friendsmap.me. We are based in Canada. For privacy questions or requests, contact us at contact@friendsmap.me.
2. Our commitment: we do not sell your data
We will never sell, rent, trade, or give away your personal information to any third party for their commercial purposes. We do not use your data for advertising, targeted marketing, or to build advertising profiles. Your data exists only to run the FriendsMap service for you.
We do not retain data longer than necessary. When you delete your account, we delete or irreversibly anonymize your personal data within 30 days, except where we are required by law to retain certain records.
3. How we make money
FriendsMap is funded through voluntary donations and optional paid subscriptions — not by monetizing your data or displaying targeted ads. If we ever introduce paid tiers or new revenue streams, we will update this policy and notify you. Your privacy will never be traded for revenue.
4. Applicable privacy laws
We comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws, including Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25). Where applicable, we also align with the General Data Protection Regulation (GDPR) for users in the European Economic Area, and the California Consumer Privacy Act (CCPA/CPRA) for California residents. If there is a conflict between these laws, the stricter protection applies.
5. Information we collect
We collect only what is necessary to operate the service:
- Account information: Phone number (used for sign-in via SMS verification), display name, and profile photo if you choose to add one.
- Location data: When you enable location sharing, we process your device's GPS coordinates to show your position to the friends or convoy/event participants you have explicitly chosen. Location is only processed in real time according to your in-app settings; we do not build a historical movement log for advertising purposes.
- Age and date of birth: Collected at profile setup to determine whether parental consent is required. For users 15 years old or under, we additionally collect the parent's or guardian's email address and optionally their phone number for account verification.
- Usage data: Information about features you use (e.g. convoys created, events, AR tags) to operate and improve the service.
- Device and technical information: Device type, operating system version, app version, and app crash/diagnostic logs to provide support and ensure compatibility.
- SOS and emergency data: If you use the SOS feature, we temporarily process your current location to build the message or link you send. See Section 11 for details.
We do not collect your contacts list, microphone audio (outside of push-to-talk in convoy mode, which is not recorded or stored), camera content, or any data beyond what is listed above.
6. Legal basis for processing (GDPR / PIPEDA)
We process your personal information on the following legal bases:
- Contractual necessity: Processing your phone number, account information, and real-time location is necessary to provide the core services you signed up for.
- Consent: We rely on your explicit consent for location sharing (which you control at all times) and for any optional features. You may withdraw consent at any time without affecting the lawfulness of prior processing.
- Legitimate interests: We process usage and device data to improve stability, security, and performance of the service, provided this does not override your privacy rights.
- Legal obligation: We may retain certain data (such as age verification records for minors) where required by law.
7. How we use your information
Your information is used exclusively to:
- Provide location sharing, convoy mode, events, AR tagging, and other app features.
- Authenticate your identity (via phone number verification) and manage your account.
- Send push notifications you have opted into (friend requests, event reminders, convoy updates, SOS alerts).
- Verify age and obtain parental consent for users 15 and under.
- Operate, secure, monitor, and improve the app and infrastructure.
- Respond to your support requests.
- Comply with applicable laws and enforce our Terms and Conditions.
We will not use your information for any purpose that is incompatible with the purposes listed above without obtaining your prior consent.
8. Sharing and disclosure
Your personal data is shared only as follows:
- With friends and participants you choose: Your location, display name, and profile photo are shared only with the specific friends, convoy members, or event participants you have selected in the app. You control these permissions.
- With service providers (processors): We engage trusted third-party providers who help us run the infrastructure. They act on our instructions and under strict data processing agreements. See Section 9 for details.
- Legal requirements: We may disclose data if required by a valid court order, search warrant, subpoena, or applicable law. Where permitted, we will notify you of such requests.
- Safety and protection of rights: We may disclose information to prevent imminent harm, protect the safety of any person, or enforce our policies.
- Business transfers: If FriendsMap is acquired or merges with another entity, your data may be transferred as part of that transaction. We will notify you and require the acquiring party to honour this policy or obtain your fresh consent.
We will never sell, share, or disclose your personal data for advertising or commercial data-brokering purposes under any circumstances.
9. Third-party service providers
We use the following third-party services to run FriendsMap. Each has its own privacy policy:
- Google Firebase (Google LLC, USA): authentication, real-time database, cloud storage, push notifications, and crash reporting. Data may be stored on Google's servers, including in the United States. Firebase is covered by Google's Cloud Data Processing Addendum and is certified under multiple international security frameworks. See: Firebase Privacy.
- HERE Technologies (HERE Global B.V., Netherlands): maps, routing, and location services. See: HERE Privacy.
- Apple App Store / Google Play: if you purchase a subscription through the app stores, Apple or Google processes the payment. We do not store your payment card details. See Apple's and Google's privacy policies for how they handle billing data.
We review our third-party providers periodically and will update this list if we add or remove services.
10. International data transfers
Some of our service providers (notably Firebase/Google) are based in or store data in the United States. When your data is transferred outside of Canada, we ensure it is protected through appropriate safeguards, such as contractual clauses consistent with PIPEDA requirements and, where applicable, Standard Contractual Clauses recognized under GDPR. By using FriendsMap, you acknowledge that your data may be transferred to and processed in countries outside your jurisdiction where data protection laws may differ.
11. SOS and emergency data
When you activate the SOS feature (in-app alarm, call 911, call your trusted contact, or send your location via SMS), we temporarily access your current location to build the outbound message or link. This location data is not stored on our servers for SOS events — it is used in real time and discarded. We do not sell or use SOS data for advertising or profiling.
For users 15 and under, the trusted SOS contact is the parent or guardian who verified the account. For adult users, you can optionally set a trusted contact in Settings; we store that contact information only to support the SOS feature and not for any other purpose.
12. Children, age verification, and parental consent
Users who are 15 years old or under are considered minors. We require a parent or guardian to complete identity verification (including government-issued ID) before a minor's account is activated. The app remains blocked for the minor until parental verification is approved by us.
For minor accounts, we collect and store: the minor's date of birth (to determine minor status), the parent's/guardian's name and email address (and optionally phone), and records of the verification process. This information is used only for safety, compliance, and operating the service — never for advertising or marketing.
Parents and guardians may contact us at contact@friendsmap.me to review, correct, or request deletion of a child's data at any time.
We do not knowingly allow children under 13 to create accounts independently. If we discover that we have inadvertently collected data from a child under 13 without verifiable parental consent, we will delete it promptly.
13. Data retention
We retain your personal data for the following periods:
- Account data: Retained while your account is active. Upon account deletion, deleted or anonymized within 30 days, except as required by law.
- Location data: Real-time location is processed in-memory and not stored as a permanent movement history. Short-term caching for convoy/event features may occur for the duration of the session only.
- Age verification records for minors: Retained for as long as the minor's account exists and for a reasonable period thereafter as required by applicable child protection laws.
- Usage and diagnostic logs: Retained for up to 90 days for security and support purposes, then deleted or anonymized.
- Legal hold: We may retain data longer if required by a court order or legal obligation, for the duration of that obligation only.
14. Security
We take the security of your data seriously and implement industry-standard safeguards, including:
- Encryption in transit (TLS/HTTPS) for all communications between your device and our servers.
- Encryption at rest for data stored in Firebase, enforced by Google's infrastructure.
- Access controls and least-privilege principles: only team members who need access to data to perform their roles can access it.
- Regular review of third-party provider security certifications.
- Incident response procedures for data breaches (see Section 15).
No system is completely impenetrable. We cannot guarantee absolute security, but we continuously work to maintain the highest reasonable standard of protection.
15. Data breach notification
In the event of a data breach that poses a real risk of significant harm to you, we will:
- Report the breach to the Office of the Privacy Commissioner of Canada (OPC) as soon as feasible.
- Notify you directly (via in-app notification or email/phone number on file) as soon as reasonably possible after discovery.
- Provide details of what happened, what data was affected, and what steps we are taking.
We maintain a breach record log as required by PIPEDA.
16. Your rights
You have the following rights regarding your personal data. To exercise any of them, contact us at contact@friendsmap.me:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request that we correct inaccurate or incomplete information.
- Deletion: Request that we delete your personal data (subject to legal retention requirements).
- Portability: Request your data in a structured, machine-readable format where technically feasible.
- Withdraw consent: Withdraw consent to any processing based on consent (e.g. location sharing) at any time, without affecting the lawfulness of prior processing.
- Object: Object to processing based on legitimate interests.
- Restrict processing: Request that we limit how we process your data in certain circumstances.
We will respond to verified requests within 30 days (or sooner where required by law). We may need to verify your identity before acting on a request.
If you are a Canadian resident and believe your privacy rights have been violated, you may file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca. Quebec residents may also contact the Commission d'accès à l'information. EU/EEA residents may contact their national data protection authority.
17. Cookies and analytics
Our website (friendsmap.me) uses only technically necessary cookies (e.g. session management). We do not use tracking cookies, advertising cookies, or third-party analytics that identify you personally. If this changes, we will update this policy and add a cookie consent mechanism.
18. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will post the revised policy on this page with a new effective date and notify you via the app or by email/push notification. If you continue using FriendsMap after the effective date of changes, you accept the updated policy. If you do not agree, you may delete your account.
19. Contact us
For any privacy-related questions, concerns, access requests, or complaints, please contact:
FriendsMap – Privacy
Email: contact@friendsmap.me
General contact: contact@friendsmap.me
Website: friendsmap.me
We aim to respond to all privacy requests within 30 days.