Privacy Policy

This Privacy Policy applies where ONE STEP BEYOND AI LLC acts as a data controller of your personal data, i.e., where we determine the purposes and means of processing your personal data. This includes situations where we collect information from and about:

• visitors to our Website;
• registered users of Mapiok and their accounts;
• prospective customers and partners contacting us through forms, email, or other channels;
• individuals communicating with our support team.

In all such cases, we are responsible for deciding which personal data is collected, for what purposes it is used, and how it is processed.

You may upload, send, or otherwise process personal data of third parties when you use our APIs or Services (for example, if you process your own customers' or users' data through Mapiok). In these scenarios, you determine the purposes and means of processing such third‑party data, and we process that data on your behalf.

In such cases, we act as a data processor, not a data controller, with respect to that third‑party personal data, and this Privacy Policy does not govern those processing activities. Such activities may be governed by a separate data processing agreement between you and us. You are solely responsible for ensuring that you have all necessary rights, consents, and other legal bases required to process such personal data and to instruct us to process it on your behalf.

This Privacy Policy also does not apply to personal data about current and former employees, contractors, or agents of ONE STEP BEYOND AI LLC, which may be governed by separate internal or contractual documents.

We collect a variety of personal data that you provide directly to us when you interact with the Website or the Services, for example when you:

• create or manage a user account;
• sign in using email/password or OAuth providers;
• contact our support team;
• participate in referral programs;
• communicate with us via email or other channels.

Depending on your use of the Services, this may include, without limitation:

• Account data: name, email address, password (hashed), OAuth identifiers, preferred language, country, profile photo.
• Authentication identifiers: identity provider, provider subject identifier, verified email information.
• Referral data: referral code stored in a cookie and associated metadata.

You may choose not to provide certain personal data; however, if you do so, some features of the Website or Services may not be available or may function with limitations.

When you visit the Website or use the Services, we automatically collect certain information about how you access and use them, including:

• Usage data and request logs: requested URLs, request parameters, response metadata, credits usage, timing information, and technical logs related to the API and other features.
• Security and anti‑fraud data: IP address, device information, browser type and version, user‑agent string, login tokens, and related metadata used to detect abuse and protect the Services.

We use this information to operate, secure, and improve the Website and the Services.

We use cookies and similar technologies to provide and secure the Services and to remember certain choices you make. Cookies are small data files stored on your device that help us recognize your browser and store certain information.

We use strictly necessary cookies for authentication, security, and service settings, including:

• session cookies to support login;
• a referral cookie stored for 30 days to attribute referrals.

For more details about the cookies we use, their purposes, and your choices, please see our Cookie Policy — https://mapiok.com/cookies.

We process your personal data for the purposes and on the legal bases described below, in accordance with applicable data protection laws:

• Providing the Services and operating user accounts (contract) — To create and manage your account, authenticate you, deliver API responses, and provide core functionality of the Website and Services.
• Protecting the Services and preventing abuse (legitimate interests) — To monitor access, detect, prevent, and investigate fraud, abuse, security incidents, and other harmful activity, and to improve reliability and stability of the Services.
• Analytics and service improvement (legitimate interests) — To analyze aggregated usage data, understand how the Services are used, and improve features, performance, and user experience.
• Referrals and basic marketing communications (consent / legitimate interests) — To attribute referrals using the ref_code cookie and, where applicable, to send you marketing or promotional communications, if permitted by law or based on your consent.
• Legal compliance and enforcement (legal obligations / legitimate interests) — To comply with applicable laws and regulations, respond to lawful requests, and establish, exercise, or defend legal claims.

Where required by law (for example, for non‑essential cookies or certain marketing communications), we will rely on your consent and will process such data only if you have given it and until you withdraw it.

We may disclose your personal data:

Service Providers (Processors) — We share personal data with third‑party service providers that process data on our behalf and in accordance with our instructions, for example: hosting providers, email and support tools, analytics providers, payment processors, and similar vendors necessary to provide and support the Services. These providers are bound by contractual obligations to protect your personal data.

Business partners and integrations — Where necessary to provide specific features or integrations you choose to use, we may share limited personal data with partners involved in delivering those features, strictly for the relevant purpose.

Legal and safety reasons — We may access, preserve, and disclose personal data if we believe it is reasonably necessary to: (a) comply with any applicable law, regulation, legal process, or governmental request; (b) enforce agreements with you; (c) protect the rights, property, or safety of Mapiok, our users, or the public; or (d) detect, prevent, or otherwise address fraud, security, or technical issues.

Business transfers — In connection with any merger, sale of company assets, financing, or acquisition of all or a portion of our business, personal data may be transferred as part of the transaction, subject to continued protection consistent with this Privacy Policy.

Otherwise with your consent or at your direction — We may share your personal data with third parties when you expressly consent to or request such sharing.

We keep your personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law.

Typical retention periods currently used in our systems include, for example:

• created files and generated results: generally up to 180 days, unless you delete them earlier or a different retention is configured;
• default storage objects: generally up to 30 days, unless otherwise specified;
• technical metadata related to job or task queues: generally up to 7 days;
• the mandatory referral cookie ref_code: 30 days.

After the applicable retention period expires, we will delete or anonymize the data, unless we are legally required or permitted to keep it longer (for example, for tax, accounting, or dispute‑resolution purposes).

Depending on your location and applicable law, you may have certain rights regarding your personal data, which may include:

• Right of access – to request confirmation as to whether we process your personal data and to obtain a copy of such data.
• Right to rectification – to request correction of inaccurate or incomplete personal data.
• Right to erasure – to request deletion of your personal data in certain circumstances.
• Right to restriction of processing – to request that we limit processing of your personal data under specific conditions.
• Right to data portability – to receive your personal data in a structured, commonly used, machine‑readable format, where legally applicable.
• Right to object – to object to certain types of processing, including processing based on our legitimate interests, where applicable.
• Right to withdraw consent – where processing is based on your consent, you can withdraw it at any time, without affecting the lawfulness of processing before withdrawal.

To exercise your rights or update your personal data, you may contact us at support@mapiok.com. We respond within 45 days (extendable per CCPA).

We may need to verify your identity before responding to your request. Applicable law may also allow us to refuse certain requests (for example, where fulfilling the request would adversely affect the rights of others or our legal obligations); in such cases, we will inform you of the reasons as required by law.

You may also have the right to lodge a complaint with a competent data protection authority in your jurisdiction if you believe that our processing of your personal data violates applicable law.

For email‑based marketing communications (if and when used), you can typically unsubscribe at any time via the link included in such emails.

California residents: Exercise 'Do Not Sell or Share' rights via this opt-out link or Global Privacy Control (GPC). Delaware residents: Withdraw consent for targeted ads/profiling via privacy settings (15 days effect). We do not sell personal information.

The Website and the Services may contain links to third‑party websites, services, or features (for example, embedded content, social media buttons, or integrations). These third parties may collect information such as your IP address and which page you are visiting and may set cookies to enable their features to function properly.

This Privacy Policy does not apply to such third‑party websites or services. Your interactions with them are governed by their own privacy policies and terms. We are not responsible for the privacy or security practices of such third parties, and we provide links and integrations solely for your convenience.

Your personal data may be processed and stored in jurisdictions other than your country of residence. Our service providers and infrastructure may be located in different countries, which may have data protection laws that differ from those in your jurisdiction.

Where required by applicable law, we will implement appropriate safeguards for international transfers of personal data, such as standard contractual clauses or equivalent mechanisms, and will take reasonable steps to ensure that your data remains protected in accordance with this Privacy Policy.

By using the Website or the Services, you acknowledge and agree that your personal data may be transferred to and processed in countries outside of your country of residence, subject to appropriate safeguards where required by law.

We take appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures may include, for example, access controls, encryption in transit or at rest (where appropriate), logging, and internal policies governing how personal data is handled.

Access to personal data is limited to personnel and service providers who need such access to perform their duties and who are bound by confidentiality obligations. While we strive to protect your personal data, no method of transmission over the Internet or method of electronic storage is completely secure, and we cannot guarantee absolute security.

If you believe that the security of your account or interaction with us has been compromised, please contact us immediately using the contact details below.

The Website and the Services are not intended for individuals under the age of 18 (or any higher age required by applicable law in your jurisdiction). We do not knowingly collect personal data from children under this age.

If we become aware that a child under the relevant age has provided us with personal data without verifiable parental consent where required, we will take steps to delete such data as soon as reasonably possible. If you believe that we may have collected personal data from a child, please contact us.

We may update this Privacy Policy from time to time. We will post any changes on this page and update the "Last Updated" date at the top of the Policy.

Your continued use of the Website and the Services after any changes or revisions to this Privacy Policy have been published indicates your agreement to the updated Privacy Policy.

If you have any questions, requests, or concerns about this Privacy Policy or our processing of your personal data, you may contact us at:

Email: support@mapiok.com

Postal address (registered office): ONE STEP BEYOND AI LLC 1201 N. Orange Street, Suite 7587, Wilmington, Delaware 19801, USA

We will do our best to respond to your inquiry within a reasonable time and in accordance with applicable legal requirements.