Back

Privacy Policy

Last updated: April 30, 2026

This policy describes what data LiveMap collects, why we collect it, who we share it with, and what control you have over it. We’ve written it in plain English. If anything is unclear, email us at privacy@livemap.co.

Quick summary

  • Photos and files you upload are public. Profile pictures, post media, chat attachments, vehicle photos — everything you upload — is stored on Google Cloud Storage and served from a public URL. Anyone with the link can open it directly, even without an account, and even after you delete the post. Don’t upload anything you wouldn’t be comfortable being public.
  • Location. We collect live GPS only while sharing is on or you’re in a convoy. Last-known position is cached for up to 24 hours. Only people you mutually follow can see you, and only while sharing is on.
  • Messages. Stored encrypted at rest with AES-256-GCM. Metadata (sender, recipient, timestamp) is not encrypted because we need it to deliver messages.
  • No selling, no ads. We don’t sell personal data, we don’t run third-party advertising on LiveMap, and we don’t share data with data brokers.
  • Payments. Stripe handles web payments and Apple/Google handle mobile in-app purchases. We never see raw card numbers.
  • Deleting your account. Settings → Security → Delete Account on web or mobile. Deactivated immediately, permanently deleted after 30 days.

1. Who we are

LiveMap is operated by LiveMap LLC, 1173 Canton St, Roswell, GA 30075, United States. When this policy says “we,” “us,” or “LiveMap,” it means LiveMap LLC. You can reach us at support@livemap.co.

2. What LiveMap is

LiveMap is a real-time map and community platform for car enthusiasts. It lets you share your live location with friends, organize and join group drives (“convoys”), discover and host events, join communities, post photos and threads, message other users, and find recommended places and roads. It’s available as a website at livemap.co and as a mobile app on iOS and Android.

3. What we collect and why

Account information

  • Email address and password (passwords are hashed with bcrypt — we never store them in plain text).
  • Username, display name, profile and banner image, bio, default city.
  • Optional social links (Instagram, TikTok, X/Twitter, YouTube, website).

Authentication and security

  • If you sign in with Google or Apple, we receive your email and a provider user ID to link your account.
  • If you enable multi-factor authentication, we store your TOTP secret and recovery codes.
  • One-time codes (OTPs) sent by email for sign-up, password reset, and account deletion confirmation.
  • Session tokens (JWTs) valid for up to 7 days.

Location data

  • Live GPS — collected only while the app is open and you have location sharing turned on, or while you’re in an active convoy. On mobile, you can also opt in to background sharing so convoy members can still see you when the app is closed.
  • Last-known location — cached on our servers (in Redis) for up to 24 hours so friends’ positions appear instantly when they open the map.
  • Saved places — home address and favorite places you choose to save in your preferences.
  • Post and event coordinates — latitude/longitude attached to posts, events, and convoy stops you create.

Social and content data

  • Follows, blocks, mutes, community memberships, roles.
  • Posts, comments, reviews, reactions, likes, RSVPs, garage cars, convoy participation.
  • Reports you submit about other users or content.

Messages

Direct messages and community channel messages are stored on our servers and encrypted at rest using AES-256-GCM. Message metadata (sender, recipient, timestamp, channel) is not encrypted because we need it to deliver and route messages. We can technically access stored message content to comply with the law or investigate abuse; we don’t do this routinely.

Synced contacts (optional)

If you choose to find friends from your phone’s address book, we upload phone numbers (and optionally names and emails) to match them against existing LiveMap users. You can disable this in settings, and you can ask us to delete your synced contacts at any time.

Device data

  • Push notification token, push provider (APNS, FCM, Web Push), device type, OS version, app version, locale, and timezone.

Activity logs

  • IP address, user agent, and the API endpoints you hit, used for security, abuse prevention, and debugging.
  • Aggregate community/channel analytics (online counts, message counts) used to power the product.

Payments

We use Stripe for web payments and Apple/Google in-app purchases on mobile. We store a Stripe customer ID, subscription status, transaction IDs, and amounts. We never see or store raw card numbers— that data goes directly to Stripe, Apple, or Google.

4. Photos, videos, and other uploads — please read this

Any photo, video, or file you upload to LiveMap — including profile pictures, banner images, post media, chat attachments, garage car photos, event covers, and community assets — is stored on Google Cloud Storage and served from a publicly accessible URL.

In practical terms: anyone who has the link can open the file directly in a browser, even if they don’t have a LiveMap account, and even after you delete the post or message inside the app. The URLs are long and not easily guessable, but they are not access-controlled and they may be cached by third parties (CDNs, link previews, search engines that have crawled them).

When you delete a post or message, we remove our references to the file and queue the underlying object for deletion from Google Cloud Storage. Copies that other people or services have already downloaded or cached are outside our control.

Don’t upload anything to LiveMap that you wouldn’t be comfortable being public.

5. How location works in detail

  • When we collect it: only while the app is open and you have shareLocation enabled, or while you’re in an active convoy. On mobile you can opt in to background sharing for convoys.
  • Who can see it: only people you mutually follow, and only while sharing is on. Convoy members see each other’s positions for the duration of the convoy. If you turn shareLocation off, your position is hidden from everyone immediately.
  • How long we keep it: last-known location is cached on our servers for up to 24 hours and replaced when you next move. Live convoy positions live in memory only and disappear when the convoy ends or the server restarts. Coordinates attached to posts and events stay until you delete the post or event.
  • What we don’t do: we don’t sell location data, we don’t share it with advertisers, and we don’t build profiles to target ads.

6. How we use your data

  • To run the service: showing the map, delivering messages, routing convoys, sending push notifications, hosting events.
  • To keep the service safe: detecting abuse, spam, fraud, and policy violations.
  • To process payments and manage subscriptions.
  • To send transactional email (sign-up confirmation, password reset, receipts, security alerts).
  • To debug crashes and improve features using aggregated, non-identifying metrics.
  • To comply with legal obligations.

We do not sell your personal data, we do not run third-party advertising on LiveMap, and we do not share your data with data brokers.

7. Service providers we use

These third parties help us operate LiveMap. We share only the data they need to do their job, and they are contractually required to protect it.

  • Google Cloud Storage — stores all uploaded media (publicly accessible URLs, see section 4).
  • Google Cloud Platform — server hosting and logging.
  • Firebase Cloud Messaging (Google) — delivers push notifications to your device.
  • Resend — sends transactional emails from noreply@livemap.co.
  • Stripe — processes web payments, subscriptions, and creator marketplace payouts.
  • Apple App Store / Google Play — process in-app subscription purchases and verify receipts.
  • Mapbox — renders maps and provides geocoding/search; receives the coordinates of the area you’re viewing.
  • Sign in with Google / Sign in with Apple — optional sign-in providers; receive only the standard OAuth handshake.
  • Klipy and Tenor — power GIF search inside chat; receive your search query.
  • OpenAI — powers AI assistance features; receives the text of the prompts you send when you use those features.
  • Google Analytics, Vercel Analytics, Vercel Speed Insights — web only; help us understand traffic and performance using aggregated, anonymized data.

8. Cookies and local storage (web)

  • token — your session cookie, used to keep you signed in.
  • cookie_consent — remembers whether you accepted analytics cookies.
  • Google Analytics cookies — loaded only after you accept analytics cookies.
  • localStorage — stores UI preferences, drafts, cached map state, and similar non-sensitive data on your device.

We don’t use cookies for advertising or cross-site tracking.

9. Mobile permissions we ask for

  • Location (when in use) — to show the map, find nearby events and places, and share your position with friends and convoys.
  • Location (always / background) — only if you opt in, so convoy members can still see you while the app is closed.
  • Camera and Photo Library — to take or pick photos for posts, profile, garage, and chat.
  • Calendar — to add events you RSVP to into your calendar.
  • Notifications — to deliver friend requests, convoy invites, messages, and event updates.

You can grant or revoke any of these in your device’s system settings at any time. Some features won’t work without the corresponding permission.

10. Your controls

  • Location sharing toggle — turn live location off for everyone with one switch.
  • Private profile — require approval for new followers.
  • Block any user to remove them from your DMs, mentions, and visibility.
  • Notification preferences — control what triggers a push, email, or in-app notification.
  • Contact sync — opt in or out at any time; ask us to delete previously synced contacts.
  • Edit or delete any post, comment, or message you’ve created.

11. Account deletion and data retention

You can delete your account at any time from Settings → Security → Delete Account on either the website or the mobile app. The flow is the same on both:

  • Your account is deactivated immediately. Your profile, posts, and content stop being visible to other users.
  • You have a 30-day grace period. If you sign back in within 30 days, your deletion is cancelled and your account is restored.
  • After 30 days, your account is permanently deleted: profile, posts, comments, messages, uploaded media, location history, device tokens, and connections are removed.

Some data is retained longer where required by law or for legitimate business reasons: payment and tax records (kept as long as our finance/tax obligations require), abuse and security logs (kept for a limited investigation window), and aggregated, de-identified analytics (which can’t be tied back to you).

12. Requesting your data

You have the right to request a copy of the personal data we hold about you, to correct inaccurate data, to ask us to delete it, or to restrict how we use it. To make a request, email privacy@livemap.co from the email address on your account. We’ll respond within 30 days. We may need to verify your identity before fulfilling the request.

13. Children

LiveMap is not intended for users under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has created an account, email us at privacy@livemap.co and we’ll remove the account.

14. International users

LiveMap is operated from the United States and your data is processed and stored on servers in the United States. By using LiveMap from outside the US, you consent to the transfer of your data to the US.

15. Security

We protect your data with TLS for everything in transit, AES-256-GCM encryption at rest for chat content, bcrypt password hashing, optional multi-factor authentication, and standard access controls on our infrastructure. No system is perfectly secure, and we can’t guarantee absolute security. If we learn of a breach that affects your data, we’ll notify you and the appropriate authorities as required by law.

16. Purposes and legal bases (EU/UK users)

If GDPR or UK GDPR applies to you, we process your personal data on the following legal bases:

PurposeLegal basis (GDPR Art. 6)
Creating and maintaining your account; delivering the map, social features, convoys, communities, messages, eventsContract necessity (Art. 6(1)(b))
Sharing your live location with friends and convoy membersConsent (Art. 6(1)(a))
Sending push notifications and marketing-style email digestsConsent (Art. 6(1)(a))
Accessing your camera, photo library, and contactsConsent (Art. 6(1)(a))
Processing payments and managing subscriptionsContract necessity (Art. 6(1)(b))
Sending transactional email (sign-up, password reset, receipts, security alerts)Contract necessity (Art. 6(1)(b))
Security, abuse prevention, and fraud detectionLegitimate interests (Art. 6(1)(f))
Aggregated analytics and product improvementLegitimate interests (Art. 6(1)(f))
Complying with legal obligationsLegal obligation (Art. 6(1)(c))

You can withdraw consent at any time (for example, by turning off location sharing or revoking a permission in your device settings). Withdrawing consent doesn’t affect the lawfulness of processing we did before. EU/EEA, UK, and Swiss users also have the right to lodge a complaint with their local data protection authority.

17. Law enforcement and government requests

  • We do not volunteer user data to law enforcement, intelligence agencies, or any other authority.
  • We do not respond to informal requests, voluntary disclosure programs, or non-binding inquiries.
  • We provide user data only when compelled by a legally binding court order issued in a jurisdiction we’re subject to, and only after our review confirms it’s valid.
  • When we’re legally required to disclose data, we provide the minimum amount necessary to comply, and we notify the affected user in advance unless we’re legally prohibited from doing so.
  • We will publicly disclose if we ever receive a national security letter, FISA order, or similar process, to the extent we’re legally permitted.

Law enforcement requests should be sent to privacy@livemap.co with the subject line “Legal Request.”

18. California residents (CCPA / CPRA)

If you’re a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) gives you the following rights, which we honor regardless of whether we currently meet the law’s applicability thresholds:

  • Right to know what personal information we collect, use, and disclose about you.
  • Right to delete personal information we’ve collected from you.
  • Right to correct inaccurate personal information.
  • Right to opt out of the sale or sharing of personal information for cross-context behavioral advertising. We do not sell or share your personal information for these purposes. We honor Global Privacy Control (GPC) signals on the website as an opt-out request.
  • Right to limit the use of sensitive personal information, including precise geolocation. You can do this by turning off location sharing in app settings.
  • Right to non-discrimination for exercising these rights.

To exercise these rights, email privacy@livemap.co with the subject line “California Privacy Request.” We’ll respond within 45 days. We may need to verify your identity before fulfilling the request, and you can authorize an agent to make a request on your behalf with written proof.

19. Other US state privacy rights

Residents of Virginia, Colorado, Connecticut, Utah, Oregon, Texas, Montana, Delaware, Iowa, Tennessee, Indiana, Kentucky, Rhode Island, New Jersey, New Hampshire, Minnesota, Maryland, Nebraska, and Nevada have rights similar to California’s under their state privacy laws — the right to access, delete, correct, port their personal information, and opt out of targeted advertising, the sale of personal information, and certain forms of profiling. We honor these rights on the same basis as California. To exercise them, email privacy@livemap.co.

20. Changes to this policy

We’ll update this policy when our practices change. For material changes, we’ll provide notice by email or an in-app notice at least 15 days before they take effect. Non-material changes (typos, clarifications, reorganization) take effect when posted. The “Last updated” date at the top reflects the most recent revision.

21. Contact us

Privacy questions, data requests, and law-enforcement inquiries can be sent to privacy@livemap.co. For general account or billing support, use support@livemap.co.

LiveMap LLC
1173 Canton St
Roswell, GA 30075
United States

    Privacy Policy - LiveMap