Privacy Policy

Last updated: April 13, 2026

1. Controller and contact

The data controller within the meaning of the EU General Data Protection Regulation (“GDPR”) and other applicable data-protection laws is:

Dr. Alexander Hoffmann
Lutherstraße 38, 30171 Hannover, Germany
Email: techmapr [at] gmail [dot] com

Techmapr (“we,” “us,” or “our”) provides technology-radar, intelligence research, and decision-support software at techmapr.com.

2. Categories of personal data we collect

a) Account and authentication data

When you sign in or sign up, we process your email address, one-time login verification data, account ID, session identifiers, and profile metadata you provide (role, industry, existing stack). Authentication is managed by Supabase Auth (Supabase, Inc., San Francisco, CA, USA).

b) Product-usage data

We store user-scoped application content in Supabase PostgreSQL, including radar workspace state, shared snapshot metadata and content, feature-request text, intelligence subscriptions (name, interval, signals, email-delivery preference), and generated intelligence reports.

c) AI-processed input and output

When you use AI-powered features (technology-radar research, deep-research reports, intelligence subscription reports, feature-request polishing, or the general AI assistant), the text you submit and the AI-generated results are transmitted to Google Gemini (Google LLC, Mountain View, CA, USA) for processing. For the general AI assistant endpoint, we also store a request summary and model output in our ai_runs table to provide run history and operational continuity.

d) Technical and log data

Our hosting provider Vercel (Vercel, Inc., San Francisco, CA, USA) automatically collects IP addresses, browser type, operating system, referrer URLs, timestamps, and request metadata when you visit or use the service. These logs are used for security, abuse prevention, and performance monitoring.

e) Email data

If you subscribe to intelligence reports delivered by email, your email address is shared with Postmark (ActiveCampaign, LLC, Chicago, IL, USA) solely for transactional delivery of those reports. Message content includes your subscription name, report output, and an account-management unsubscribe/manage link.

f) Payment and subscription billing

If you purchase a paid plan, payment and subscription management are handled by Stripe (Stripe, Inc., San Francisco, CA, USA, and Stripe affiliates as applicable). Stripe processes payment method details and issues invoices according to its terms. We receive and store limited billing metadata in our billing_accounts table (for example Stripe customer ID, subscription ID, price ID, tier, status, and billing period end) so we can grant access to paid features. We do not store full payment card numbers on our own infrastructure.

g) Cookies and similar technologies

We use strictly necessary cookies for session continuity and security. Optional cookies (preferences, analytics, marketing) are disabled by default and only set after you consent. See our Cookie Notice for full details.

3. Purposes of processing and legal bases (GDPR Art. 6)

Purpose | Legal basis
Providing the core service (radar creation, research, intelligence reports, AI assistance) | Performance of contract (Art. 6(1)(b))
Account creation and authentication | Performance of contract (Art. 6(1)(b))
Transmitting user input to Google Gemini for AI processing | Performance of contract (Art. 6(1)(b))
Sending transactional emails (research reports) | Performance of contract (Art. 6(1)(b))
Security, abuse prevention, and infrastructure monitoring | Legitimate interest (Art. 6(1)(f))
Payment processing, subscription lifecycle, and billing support (checkout, portal, and webhook synchronization) | Performance of contract (Art. 6(1)(b)); legal obligation for accounting/tax records (Art. 6(1)(c)); legitimate interest in fraud prevention and service integrity (Art. 6(1)(f))
Optional analytics and preference cookies | Consent (Art. 6(1)(a))
Responding to privacy-rights requests and compliance documentation | Legal obligation (Art. 6(1)(c)) and legitimate interest (Art. 6(1)(f))
Legal compliance (e.g., tax records, law-enforcement requests) | Legal obligation (Art. 6(1)(c))

4. AI-powered processing and automated decision-making

Techmapr uses Google Gemini large-language models to power the following features:

  • Radar research — Your seed topic, role, industry context, and optional existing-stack description are sent to Google Gemini, which returns scored technology keywords and strategic recommendations.
  • Deep research and intelligence reports — Selected signals (topic/theme/signal triples) are sent to Google Gemini to generate structured research briefs.
  • Feature-request polishing — Your feature-request text is sent to Google Gemini for grammar, spelling, and clarity improvements.
  • General AI assistant — Free-form messages you enter are sent to Google Gemini for conversational responses.

What data is sent: Only the specific text input described above and the system prompt required for each feature. Depending on the feature, this may include free-form prompts, role/industry/stack context, signal lists, and subscription names entered by you. We do not intentionally send account credentials to Google Gemini.

Automated decisions (GDPR Art. 22): The AI-generated output (e.g., maturity/impact scores, recommendations, research reports) is informational and advisory. No legally binding or similarly significant decision is made solely on the basis of automated processing. You always retain full control to accept, modify, or discard any AI-generated content.

Google’s data handling: Google processes your data as a data processor under Google’s Cloud Data Processing Addendum and states it does not use Gemini API input or output to train its foundation models. For details, refer to Google’s Gemini API Terms of Service and Google Privacy Policy.

5. Recipients and sub-processors

We share personal data only with the following categories of recipients, each acting as a data processor under a Data Processing Agreement (DPA) or equivalent contractual safeguard:

Provider | Purpose | Location
Google LLC (Gemini API) | AI/LLM processing for radar research, reports, and assistant features | USA
Stripe, Inc. (and applicable Stripe affiliates) | Subscription checkout, billing portal, payment processing, invoicing, tax handling, and subscription webhook events | USA (and other jurisdictions where Stripe affiliates operate)
Supabase, Inc. | Authentication, database storage, and session management (including user metadata) | USA
Vercel, Inc. | Application hosting, serverless functions, CDN, and edge infrastructure | USA (global edge network)
ActiveCampaign, LLC (Postmark) | Transactional email delivery (intelligence reports) | USA

We do not sell, rent, or trade your personal data to third parties. We do not share personal data for cross-context behavioral advertising.

6. International data transfers

Your data is transferred to and processed in the United States by the sub-processors listed above. For transfers from the European Economic Area (EEA), UK, and Switzerland to the USA, we rely on the following safeguards:

  • EU-U.S. Data Privacy Framework (DPF) — Where a sub-processor is certified under the DPF, we may rely on that certification as the transfer mechanism.
  • Standard Contractual Clauses (SCCs) — Where no DPF certification is available or where additional safeguards are needed, we rely on the European Commission’s Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and supplementary technical and organizational measures where appropriate.

You may request a copy of the applicable safeguards by contacting us at the address above.

In practice, this applies to providers such as Google, Supabase, Vercel, Postmark, and Stripe where data may be processed in the United States or other non-EEA jurisdictions.

7. Data retention

  • Account data is retained for as long as your account is active. If you delete your account, we trigger immediate deletion of user-scoped product data and account access (subject to technical processing delays and legal retention obligations).
  • AI request logs (request summaries and results stored in our database) are retained for the lifetime of your account to provide continuity and are deleted when your account is deleted.
  • Intelligence reports are retained for the lifetime of the associated subscription or account and are deleted when you delete the report, the subscription, or your account.
  • Server and access logs (held by Vercel) are retained for up to 30 days for security and debugging purposes, depending on hosting plan and configuration.
  • Billing metadata in billing_accounts is retained while your paid subscription is active and then only as long as needed for contractual support, fraud prevention, and mandatory accounting/tax retention obligations.
  • Legal-hold data may be retained longer where required to comply with legal obligations, resolve disputes, or enforce agreements.

8. Your rights under EU/EEA, UK, and Swiss law

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the GDPR and equivalent national legislation:

  • Access (Art. 15) — Obtain confirmation of whether we process your personal data and request a copy.
  • Rectification (Art. 16) — Correct inaccurate or incomplete personal data.
  • Erasure (Art. 17) — Request deletion of your personal data (“right to be forgotten”).
  • Restriction (Art. 18) — Request restriction of processing in certain circumstances.
  • Data portability (Art. 20) — Receive your data in a structured, commonly used, machine-readable format.
  • Objection (Art. 21) — Object to processing based on legitimate interests, including profiling.
  • Withdraw consent (Art. 7(3)) — Where processing is based on consent, withdraw at any time without affecting prior lawful processing.
  • Automated individual decision-making (Art. 22) — You have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects. As described in Section 4, our AI outputs are advisory only and do not constitute such decisions.

To exercise any right, email us at techmapr [at] gmail [dot] com. We will respond within 30 days (extendable by 60 days for complex requests, with notice). We may verify your identity before fulfilling a request.

Right to lodge a complaint: You have the right to lodge a complaint with your local data-protection supervisory authority. For Germany, this is Die Landesbeauftragte für den Datenschutz Niedersachsen (State Data Protection Authority of Lower Saxony), www.lfd.niedersachsen.de.

9. Your rights under U.S. state privacy laws

Residents of California (CCPA/CPRA), Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and other states with comprehensive privacy legislation may have the following rights, to the extent applicable:

  • Right to know / access — Request the categories and specific pieces of personal information we have collected about you.
  • Right to delete — Request deletion of personal information we hold.
  • Right to correct — Request correction of inaccurate personal information.
  • Right to portability — Obtain your data in a portable format.
  • Right to opt out of sale or sharing — We do not sell personal information and do not share it for cross-context behavioral advertising. No opt-out action is required.
  • Right to opt out of automated decision-making — Our AI features produce advisory output only; no consequential decisions are made solely by automated means.
  • Right to non-discrimination — We will not discriminate against you for exercising any privacy right.

California-specific disclosures (CCPA/CPRA)

Categories collected: Identifiers (email, account ID), internet/electronic-network activity (usage logs, IP address), professional information (role, industry context you provide), commercial information (subscription tier/status and billing metadata), and inferences (AI-generated radar scores and research outputs).

Business purpose: All personal information is collected and processed solely to provide and improve the Techmapr service as described in this policy.

Sensitive personal information: We do not collect categories of sensitive personal information as defined under CPRA (e.g., Social Security numbers, precise geolocation, racial or ethnic origin, or biometric data).

Financial incentives: We do not offer financial incentives in exchange for personal information.

To submit a verifiable consumer request, email techmapr [at] gmail [dot] com. We will verify your identity by matching the request email with your account email. You may also designate an authorized agent; we will require written authorization and identity verification.

If we deny a rights request, you may appeal by replying to our response email with “Privacy Rights Appeal” in the subject line.

10. Children’s privacy

Techmapr is not directed at children under the age of 16 (or under 13 in jurisdictions where COPPA applies). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

11. Security measures

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption in transit (TLS) and at rest for stored data.
  • Authentication via secure session tokens with HttpOnly, Secure, and SameSite cookie attributes.
  • Stripe webhook signature verification and event idempotency checks before billing updates are applied.
  • Role-based access controls and row-level security on our database.
  • Infrastructure isolation via serverless architecture (Vercel) and managed database services (Supabase).

No method of transmission or storage is 100% secure. If you suspect unauthorized access to your account, contact us immediately.

12. Cookies and tracking technologies

We use strictly necessary cookies by default. Optional categories (preferences, analytics, marketing) are enabled only after you give consent via our cookie banner.

As of the date above, our production cookie catalog contains strictly necessary cookies for authentication/session handling and consent-state storage only.

You can update or withdraw cookie consent at any time using the Cookie settings link in the landing-page footer or under Account in the app Profile section.

For a full list of cookies, their providers, purposes, and durations, see our Cookie Notice.

13. Global Privacy Control

We honor the Global Privacy Control (GPC) signal. When we detect a GPC signal from your browser, we treat it as a valid opt-out of the sale or sharing of personal information (where applicable under US state law) and as a rejection of optional marketing cookies.

14. Do Not Track

Some browsers transmit a Do Not Track (DNT) signal. Because there is no universally accepted standard for how to respond to DNT, we do not currently alter our practices in response to DNT signals, but we do honor GPC as described above.

15. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top, and if appropriate, notify you via email or an in-app notice. Your continued use of the service after an update constitutes acceptance of the revised policy.

16. Contact us

For any questions, requests, or complaints about this Privacy Policy or our data practices, contact us at:

Dr. Alexander Hoffmann
Lutherstraße 38, 30171 Hannover, Germany
Email: techmapr [at] gmail [dot] com

We aim to resolve all enquiries within 30 days.

Related documents

Cookie Notice · Impressum
