Privacy Policy
Effective Date: 1 February 2026 | Last Updated: 1 February 2026
App Name: FriendMapp | Developer: TeapotSoftware | Contact: teapotsoft@outlook.com
1. Introduction
FriendMapp ("the App", "we", "us", or "our") is a personal relationship CRM developed by TeapotSoftware. The App helps you stay in touch with the people who matter by combining contact management, interaction logging, smart reminders, and visual relationship maps.
This Privacy Policy explains what information we collect, how we use it, who we share it with, how we protect it, and what rights you have in relation to it. This policy applies to all users of FriendMapp on iOS and Android platforms.
By creating an account or using the App, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described here, please do not use the App.
2. Information We Collect
2.1 Information You Provide Directly
- Account credentials -- Email address and password, for account creation and authentication.
- Profile information -- Display name and avatar image, for personalisation of your profile.
- Contact information -- Names, phone numbers, email addresses, birthdays, and nicknames of your personal contacts, for core CRM functionality.
- Interaction logs -- Date, type (call, text, in-person, social, email, other), and notes about your interactions with contacts.
- Tags and groups -- User-defined labels such as "Family", "College", "Work".
- Connections -- Relationships between your contacts (e.g., "Alice knows Bob") for Constellation and Cluster visualisation views.
- Notes -- Free-text notes attached to contacts.
- Referral codes -- Codes you generate or redeem for referral programme management.
2.2 Information Collected Automatically
- Device push token -- Expo Push Notification token, for delivering push notifications.
- Subscription status -- Free, trial, premium, or lifetime plan type and billing period.
- App version and platform -- For compatibility, debugging, and feature rollouts.
- Anonymous usage analytics -- Feature usage events, screen views, onboarding completion (via PostHog), for product improvement.
- Crash and error reports -- Stack traces, device model, OS version (via Sentry, with PII scrubbed), for bug fixes.
- Deep link attribution -- Referral source and campaign parameters (via Branch.io).
2.3 Information We Do NOT Collect
- Message or call content. FriendMapp never reads the content of your calls, text messages, emails, or any other communications.
- Location data. FriendMapp does not request or collect GPS, Wi-Fi, or cell-tower location data.
- Contacts without your action. We do not automatically access your device address book. Contact import is initiated manually by you and requires explicit permission.
- Biometric data. We do not collect fingerprint, facial recognition, or other biometric identifiers.
- Advertising identifiers. We do not collect or use IDFA (iOS) or GAID (Android) for advertising or tracking purposes.
- Financial information. Credit card numbers, billing addresses, and payment method details are handled entirely by the Apple App Store or Google Play Store.
3. How We Use Your Information
- Providing the Service. Storing and displaying your contacts, interaction logs, tags, connections, and notes; generating visual relationship maps; calculating reminder schedules and sending push notifications.
- Account Management. Authenticating your identity, managing your profile, and processing password resets.
- Subscription Management. Verifying your subscription tier, processing upgrades and downgrades via the Apple App Store or Google Play Store (through RevenueCat).
- Product Improvement. Analysing anonymous, aggregated usage data to understand which features are used, identify bugs, and guide product development. Analytics events do not contain personally identifiable information.
- Error Resolution. Using crash reports (PII scrubbed) to identify, diagnose, and fix software defects.
- Communications. Sending push notifications for reminders, birthday alerts, and streak milestones.
- Security and Fraud Prevention. Monitoring for abuse and enforcing referral programme caps.
- Legal Compliance. Complying with applicable laws, regulations, legal processes, or government requests.
4. Legal Bases for Processing (GDPR)
For users in the EEA, the United Kingdom, and Switzerland:
- Performance of a contract (Article 6(1)(b)): Account creation, contact storage, interaction logging, reminder delivery, subscription management.
- Legitimate interests (Article 6(1)(f)): Anonymous usage analytics for product improvement; crash reporting for service reliability; fraud prevention and security monitoring.
- Consent (Article 6(1)(a)): Non-essential analytics tracking (PostHog), promotional push notifications. You may withdraw consent at any time via Settings > Privacy or by adjusting device notification preferences.
- Legal obligation (Article 6(1)(c)): Responding to lawful data access requests, tax record retention for subscription transactions.
5. Third-Party Services
FriendMapp integrates with the following third-party services to operate. Each service acts as a data processor on our behalf and is bound by its own privacy policy and, where applicable, a Data Processing Agreement (DPA).
5.1 Neon Inc. (Database)
Cloud database (PostgreSQL 17) for all user data, contacts, interactions, and application state. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). All user data is protected by Row-Level Security (RLS) at the database level. Data location: AWS us-east-1 (Virginia, United States).
5.2 Cloudflare Inc. (API and Storage)
Serverless API hosting (Cloudflare Workers), file storage (R2), and content delivery network (CDN) for contact photos, avatars, and export files. All API traffic uses TLS 1.3+. JWT tokens are signed and verified server-side.
5.3 PostHog (Analytics)
Anonymous product usage analytics, feature flag management, and A/B testing. Configured with ip: false to prevent IP address collection. Autocapture and automatic screen capture are disabled. No contact names, phone numbers, email addresses, or interaction content are ever sent to PostHog. Analytics tracking is opt-in under GDPR.
5.4 Sentry (Error Tracking)
Crash reporting and error monitoring. All personally identifiable information (PII) is scrubbed before transmission. Data retained for 90 days.
5.5 RevenueCat (Subscription Management)
Managing in-app subscriptions and verifying purchase receipts. RevenueCat does not receive your email, name, contacts, or any relationship data.
5.6 Branch.io (Deep Linking)
Deep link routing for referral links and attribution tracking. No contact data, interaction data, or user profile data is shared with Branch.io.
5.7 Expo Push Notifications
Delivering push notifications to your device. Notification payloads may include a contact's first name (e.g., "Time to catch up with Alice"). No phone numbers, email addresses, or sensitive contact details are included.
6. Data Sharing and Disclosure
We Do NOT Sell Your Data
We do not sell, rent, lease, or trade your personal data to any third party for advertising, marketing, data brokerage, or any other commercial purpose.
We share personal data only in the following limited circumstances:
- With third-party service providers listed in Section 5, strictly for the purposes described.
- To comply with legal obligations (court orders, subpoenas, government requests).
- To protect the rights and safety of TeapotSoftware, our users, or others.
- In connection with a business transfer (merger, acquisition, sale of assets) with prior notice to you.
- With your explicit consent.
7. Data Retention and Deletion
We retain your personal data for as long as your account is active. Key retention periods:
- Account, profile, contacts, interactions, tags, connections, notes: Account lifetime.
- Subscription records: Account lifetime plus up to 7 years post-deletion for tax/legal compliance.
- Analytics events (PostHog): 12 months from the date of the event.
- Crash reports (Sentry): 90 days.
Account Deletion
You may delete your account at any time via Settings > Account > Delete Account. Your account enters a 30-day grace period during which you may reactivate by signing back in. After 30 days, all data is permanently and irreversibly deleted from our systems and deletion requests are issued to all third-party processors. We recommend exporting your data before initiating account deletion.
8. Data Security
We implement appropriate technical and organisational measures to protect your personal data:
- Row-Level Security (RLS): All 14 database tables are protected by Neon PostgreSQL RLS policies, ensuring each authenticated user can only access their own records.
- Encryption in transit: All data transmitted between the App and our servers uses TLS 1.3+ via Cloudflare Workers and Neon.
- Encryption at rest: Database storage is encrypted using AES-256 (Neon). Cloudflare R2 storage uses encryption at rest for all uploaded files.
- Authentication: Custom JWT implementation via Cloudflare Workers. Passwords are hashed using bcrypt and never stored in plaintext.
- Input validation: All user inputs are validated using Zod schemas on both client and server side.
- Server-side authorisation: All 21 API routes verify the caller's JWT token before executing database queries.
- Secure credential storage: Sensitive tokens are stored using the device's secure storage (iOS Keychain / Android Keystore) via expo-secure-store.
While we strive to use commercially reasonable means to protect your personal data, no method of electronic storage or transmission over the Internet is 100% secure, and we cannot guarantee absolute security.
9. International Data Transfers
FriendMapp is developed by TeapotSoftware, based in the United Kingdom. Our third-party service providers may process data in jurisdictions outside your country of residence, including the United States. Where personal data is transferred from the EEA, UK, or Switzerland, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement, and EU-US Data Privacy Framework certification where applicable.
10. Your Rights Under the GDPR
If you are located in the EEA, the United Kingdom, or Switzerland, you have the following rights:
- Right of Access (Article 15): Request a copy of your personal data. Export your data via Settings > Data > Export Data in JSON or CSV format.
- Right to Rectification (Article 16): Request correction of inaccurate data. Update your data directly within the App at any time.
- Right to Erasure (Article 17): Request deletion of your personal data via Settings > Account > Delete Account.
- Right to Data Portability (Article 20): Receive your data in a structured, commonly used format (JSON or CSV).
- Right to Restriction of Processing (Article 18): Disable analytics via Settings > Privacy > Analytics and push notifications via Settings > Notifications.
- Right to Object (Article 21): Object to analytics processing by opting out.
- Right to Withdraw Consent (Article 7(3)): Withdraw consent at any time without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint: Contact the Information Commissioner's Office (ICO) at ico.org.uk (UK) or the supervisory authority in your country of residence (EU).
To exercise any of these rights, use the in-app tools or contact us at teapotsoft@outlook.com. We will respond within 30 days.
11. Your Rights Under the CCPA
If you are a California resident, you have the following rights under the CCPA/CPRA:
- Right to Know: Request disclosure of the categories and specific pieces of personal information collected about you.
- Right to Delete: Request deletion of your personal information via the App or by email.
- Right to Opt Out of Sale: We do not sell or share your personal information as defined by the CCPA/CPRA.
- Right to Non-Discrimination: You will receive the same service quality and pricing regardless of your privacy choices.
- Right to Correct: Request correction of inaccurate personal information directly within the App.
To submit a verifiable consumer request, contact us at teapotsoft@outlook.com. We will respond within 45 days.
12. Cookies and Tracking Technologies
FriendMapp is a native mobile application and does not use browser cookies. However, the App uses the following tracking-related technologies:
- PostHog SDK: Anonymous usage events. Does not use cookies. IP address collection is explicitly disabled. Autocapture and automatic screen capture are disabled.
- Sentry SDK: Crash reports. Does not use cookies or persistent identifiers beyond the session.
- Branch.io SDK: Device-level attribution identifiers. On iOS 14.5+, Branch.io will not access the IDFA unless you grant ATT permission.
- Expo Push Notification token: Used solely for delivering push notifications, not for tracking or advertising.
The FriendMapp website (friendmapp.app) may use essential cookies for basic site functionality. See our Cookie Policy for details.
13. Children's Privacy
FriendMapp is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. An age confirmation step is included during account creation. If we become aware that we have collected personal data from a child under 13, we will take steps to delete that information promptly.
14. Third-Party Contacts and Non-User Data
FriendMapp allows you to store information about your personal contacts who have not signed up for the App. This data is accessible only to you, protected by Row-Level Security, and is never used to contact, market to, profile, or build shadow profiles of these individuals. You may delete any contact's data at any time.
15. Push Notifications
Push notifications require your device-level permission and can be revoked at any time. Notification payloads may include a contact's first name but never contain sensitive data such as phone numbers, email addresses, or interaction content. Push notification reminders are a premium feature.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date and notify you via a prominent notice within the App. A copy of this policy is always available at friendmapp.app/privacy.
17. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices:
- Email: teapotsoft@outlook.com
- Website: friendmapp.app
- Developer: TeapotSoftware
For GDPR-related enquiries, TeapotSoftware acts as the data controller for all personal data processed through FriendMapp.
UK Supervisory Authority: Information Commissioner's Office (ICO) -- ico.org.uk -- Telephone: 0303 123 1113
This Privacy Policy is effective as of 1 February 2026.