N NapMap
Start publishing
Legal

Privacy Policy

Last updated: May 13, 2026

This policy explains exactly what NapMap ("we", "us", "NapMap") collects when you visit napmap.net, why we collect it, who we share it with, and what choices you have. We aim to keep this readable. If something is unclear, email [email protected] and we'll fix the wording.

The short version

  • We do not sell your personal information to anyone.
  • Reader IP addresses are hashed with SHA-256 the moment we receive them — we never store your raw IP.
  • For country-level CPM and analytics, we read the country code from the Cloudflare CF-IPCountry header — never your precise location.
  • Cookies for analytics and ads only fire after you click Accept all in the consent banner. Essential cookies (login, CSRF, theme) always run.
  • Publishers can export or delete their account data from the dashboard at any time.

1. Who this applies to

This policy covers two audiences:

  • Readers — anyone visiting recommendation pages, articles, or any other public part of the site without an account.
  • Publishers — anyone who registers an account to publish recommendations and earn payouts.

2. What we collect

From readers (no account)

  • Hashed IP address. When you load a recommendation page we compute a one-way SHA-256 hash of your IP. The raw IP is never written to our database. The hash is used to deduplicate clicks within a 24-hour window and to detect abuse patterns (velocity, burst clicks, repeat visits to the same link).
  • Country code only. For CPM payouts and analytics we read the two-letter country code from Cloudflare's CF-IPCountry header. We do not derive city or coordinate-level location.
  • User agent string. Used for bot detection (curl, headless browsers, automation frameworks) and to flag suspicious traffic.
  • Engagement signals. Per click, we measure: how many seconds the page was open, how many seconds it was visible (Page Visibility API), how far you scrolled, and how many times you interacted (mouse moves, key presses, taps — throttled to 1 every 250ms). These are needed to validate publisher earnings and reject bot traffic.
  • Referrer. Where you came from, with UTM parameters stripped.
  • Visitor token (24h). A random UUID stored in a vt cookie used to detect if the same browser visited the same recommendation more than once in 24 hours. Resets on its own.

From publishers (with account)

  • Name, email, hashed password (bcrypt) — required to register.
  • Profile information you choose to add: username, bio, avatar, social links, country, timezone, locale.
  • Tax information you provide for payout purposes (encrypted at rest).
  • Payout method details: PayPal email, UPI ID, bank account, or USDT wallet — encrypted at rest, only used to send your payouts.
  • Two-factor authentication secret and recovery codes — encrypted at rest. We never see them in plaintext after first display.
  • Content you publish: recommendation articles, link metadata, featured images.
  • API tokens you create — stored as SHA-256 hashes; we cannot recover lost tokens.

Aggregate operational data

  • Server logs (request method, path, response status, timing) for debugging and security.
  • Error reports — when a server error occurs we send a stack trace to Sentry. Sentry receives the user ID and email of any logged-in publisher whose request errored, so we can debug. No raw IPs.

3. How we use this information

  • To run the site, show you content, and keep your session alive.
  • To calculate publisher earnings tied to genuine reader engagement (the four counters above).
  • To detect fraud, click farms, bot traffic, and policy violations. A composite risk score combines bot UA detection, per-IP velocity, burst-click patterns, repeat visits, geolocation, engagement counters, and (when configured) third-party IP reputation lookups.
  • To process payouts and respond to support questions.
  • To send transactional email from [email protected]: account verification, password reset, security alerts, withdrawal status, and the optional weekly publisher digest (you can turn this off in your profile).
  • To comply with legal obligations.

4. Cookies and similar storage

NapMap uses three classes of cookies and browser storage. The consent banner you see on first visit lets you choose between essential-only and full consent.

Essential (always on)

  • laravel_session — keeps you logged in.
  • XSRF-TOKEN — prevents cross-site request forgery on form submissions.
  • cookie_consent — remembers your consent choice for one year.
  • vt — 24-hour visitor token for click deduplication.
  • theme — remembers your light / dark / system preference.

Analytics (only after Accept all)

  • Google Analytics 4 (_ga, _ga_*) — aggregate traffic measurement, never linked to identifiable individuals on our side.

Advertising (only after Accept all)

You can withdraw consent at any time by deleting your cookie_consent cookie (the banner returns) or by clicking the appropriate link in your browser's site settings.

5. Third parties we share data with

We share only what is needed for these services to do their job:

  • Hetzner — server hosting (Germany).
  • Cloudflare — CDN, DDoS protection, country geolocation.
  • Zoho Mail — outbound transactional email.
  • Google AdSense — advertising on recommendation pages (requires consent).
  • Google Analytics 4 — aggregate analytics (requires consent).
  • Sentry — error tracking (no raw IPs; user ID + email only on errored requests).
  • IP reputation provider (currently disabled by default; when enabled, IPQualityScore or proxycheck.io receive the visitor's IP for VPN/proxy/datacenter detection — response cached 24h).
  • PayPal / UPI rails / banks / USDT networks — only when you request a payout, only with the destination details you provide.
  • Razorpay — when tipping is enabled, Razorpay processes the tip transaction. We never see the tipper's card details.
  • Backups are stored on Backblaze B2 (US-West), encrypted in transit and at rest.

We may also disclose information when required by law, valid legal process, or to protect the rights, safety, or property of NapMap, our users, or the public.

6. International transfers

Our primary infrastructure is in Germany (Hetzner) and our CDN is global (Cloudflare). If you're in the EEA / UK / Switzerland, your data may be transferred to and processed in countries with different data-protection laws (notably the United States for AdSense, GA4, and Sentry). We rely on Standard Contractual Clauses where required.

7. Data retention

  • Clicks table (engagement signals + hashed IP) — kept for 90 days, then aggregated and individual rows pruned.
  • Fraud-signal records — 12 months for pattern detection.
  • Admin audit log — 24 months.
  • Failed login attempts and CSP violations — 30 days.
  • Account data — kept while your account is active, plus 30 days after deletion to handle chargebacks and final payouts. Tax records held longer if required by law.
  • Email logs — 30 days.
  • Backups — 14 daily snapshots, then rotated.

8. Your rights

You can exercise the following rights from your dashboard or by emailing [email protected]:

  • Access — request a copy of your data. Publishers can self-serve at /profile/export (one ZIP per day, includes account JSON, links, articles, withdrawals, clicks CSV).
  • Correction — fix inaccurate information from your profile page.
  • Erasure — delete your account from the profile page. We remove personal data within 30 days. Aggregate, non-identifiable analytics may persist.
  • Portability — the export above is machine-readable JSON + CSV.
  • Objection / restriction — email us; we'll process within 30 days.
  • Withdrawal of consent — clear cookies or change consent at any time.
  • Complaint — to your local data-protection authority. EEA residents: see your national DPA. UK residents: ICO.

9. California residents (CCPA / CPRA)

We do not sell or share personal information for cross-context behavioral advertising in the CCPA sense. If you'd like a "Do Not Sell or Share" confirmation in writing, email [email protected].

10. Children

NapMap is not intended for anyone under 13. Publishing accounts require you to be at least 18. We do not knowingly collect data from children. If we discover we have, we'll delete it.

11. Security

Passwords are stored as bcrypt hashes. 2FA secrets, recovery codes, payout details, and tax information are encrypted at rest using Laravel's encrypted cast (AES-256-GCM with a key in APP_KEY). Sessions are HTTPS-only. We send Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options: SAMEORIGIN, and a Content-Security-Policy (currently report-only) on every response. We rate-limit login attempts (5 per email+IP per minute, 20 per IP per 15 minutes) and offer optional 2FA on every account. No security is perfect; if you spot a vulnerability, please email [email protected].

12. Changes to this policy

If we make material changes we'll update the date at the top and email registered publishers. Minor wording or clarification edits won't trigger a notice — but the live page is always the canonical version.

13. Contact

Privacy questions, data subject requests, and complaints: [email protected]

We use cookies

Essential cookies keep the site working. With your permission we'd also use analytics + ads cookies to understand readership and pay our publishers — you can change this anytime. Privacy policy.