Maps require direct browser sharing
A live web map cannot appear out of nothing. When a page is allowed to load Google Maps Platform or OpenStreetMap resources, your browser has to request JavaScript, map tiles, style files, or geocoding responses from that provider. That direct request is what makes the map visible on screen.
Because the browser is making that request, the map provider can see the normal web-request data that every site sees for a resource fetch, such as your IP address, browser headers, the time of the request, and usually the referring page or site. For map tiles and place lookups, the provider can also infer the approximate area being viewed from the requested tiles or coordinates.
LocationNotes still does not have a browser-only way to show a live third-party map without that sharing. The alternatives are to keep using that third-party map, or to fall back to LocationNotes-owned hosted tiles at /maps/tiles/{z}/{x}/{y}.png so the browser stays on LocationNotes-owned URLs instead of calling a third-party map service directly.
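The area inference described above can be reproduced from request paths alone. This is an added example, not LocationNotes code: it assumes the standard Web Mercator z/x/y tile scheme used by OpenStreetMap-style servers (the same shape as the hosted path above), and the sample paths are constructed.

```python
import math
import re

# Matches the {z}/{x}/{y}.png tail of a tile request path (assumed URL shape).
TILE_RE = re.compile(r"/(\d+)/(\d+)/(\d+)\.png(?:\?|$)")

def tile_corner(z, x, y):
    """Latitude/longitude of the north-west corner of tile (z, x, y)."""
    n = 2 ** z
    lon = x / n * 360.0 - 180.0
    lat = math.degrees(math.atan(math.sinh(math.pi * (1 - 2 * y / n))))
    return lat, lon

def tile_bounds(z, x, y):
    """(south, west, north, east) covered by one tile."""
    north, west = tile_corner(z, x, y)
    south, east = tile_corner(z, x + 1, y + 1)
    return south, west, north, east

def viewed_area(paths):
    """Union bounding box of the deepest-zoom tiles seen in request paths."""
    tiles = []
    for path in paths:
        m = TILE_RE.search(path)
        if m:
            z, x, y = map(int, m.groups())
            # Ignore coordinates that cannot exist at this zoom level.
            if z <= 22 and x < 2 ** z and y < 2 ** z:
                tiles.append((z, x, y))
    if not tiles:
        return None
    zmax = max(t[0] for t in tiles)
    boxes = [tile_bounds(*t) for t in tiles if t[0] == zmax]
    return {
        "zoom": zmax,
        "south": min(b[0] for b in boxes), "west": min(b[1] for b in boxes),
        "north": max(b[2] for b in boxes), "east": max(b[3] for b in boxes),
    }

# Constructed sample: one zoom-14 tile, four adjacent zoom-15 tiles,
# one out-of-range tile and one non-tile request.
SAMPLE_PATHS = [
    "/maps/tiles/14/8192/8192.png", "/maps/tiles/15/16384/16384.png",
    "/maps/tiles/15/16385/16384.png", "/maps/tiles/15/16384/16385.png",
    "/maps/tiles/15/16385/16385.png", "/maps/tiles/3/9/1.png", "/account",
]
```

At zoom 15 the four sample tiles cover roughly 0.022 degrees on each side, so the deeper the zoom a visitor reaches, the more precisely a tile log narrows down what they were looking at.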
Account preferences and consent-required visits
Signed-in users can save an Experience and privacy mode on the account page. Latest and Greatest is the recommended default and allows browser-side third parties when the current visit permits them. No 3rd Parties is the stricter path: it keeps browser-side third parties off and makes LocationNotes rely on hosted maps only.
Signed-in users can also save a preferred map source. Google Maps first and OpenStreetMap first are preferences, not promises. If the preferred provider is unavailable, the site falls back to the other allowed provider. If the visit needs consent and that consent has not been granted yet, or the request came from a private-network or otherwise unresolved IP, LocationNotes forces the stricter hosted-maps path for that visit.
The visit-level privacy prompt is mainly for signed-out or otherwise unresolved visits. If someone later creates an account after making that visit-level choice, the first account setup can start from it once. After sign-in, the saved account settings become the durable source of truth and signed-in pages use those saved settings instead of reopening the visit prompt every time.
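One way to express the map-source selection described in this section so that every uncertain input fails closed to hosted tiles. This is an added example, not LocationNotes code: the `Visit` fields, the mode and source strings, the order of the checks, and the hosted fallback when no provider is available are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

HOSTED, GOOGLE, OSM = "hosted", "google", "osm"  # hypothetical source names

@dataclass
class Visit:
    client_ip: str             # as reported by the edge; may be empty or malformed
    consent_required: bool     # visit is in a consent-required region
    consent_granted: bool
    mode: str = "latest"       # hypothetical values: "latest" / "no_third_parties"
    preferred: str = GOOGLE    # saved preference, not a promise
    available: frozenset = frozenset({GOOGLE, OSM})

def ip_is_resolved(raw):
    """True only for a parseable, publicly routable address."""
    try:
        ip = ipaddress.ip_address((raw or "").strip())
    except ValueError:
        return False           # empty or malformed counts as unresolved
    return ip.is_global        # rejects private, loopback, link-local, CGNAT

def choose_map_source(v):
    """Return (source, reason) for one request."""
    if v.mode != "latest":     # unknown modes are treated as the strict one
        return HOSTED, "account mode"
    if not ip_is_resolved(v.client_ip):
        return HOSTED, "unresolved ip"
    if v.consent_required and not v.consent_granted:
        return HOSTED, "consent pending"
    other = OSM if v.preferred == GOOGLE else GOOGLE
    for candidate in (v.preferred, other):
        if candidate in v.available:
            return candidate, "preferred" if candidate == v.preferred else "fallback"
    return HOSTED, "no provider available"
```

Returning the reason alongside the source lets a server log why a visit was forced onto hosted tiles without recording anything about the visitor beyond the decision itself.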
What map providers do not automatically receive
A map provider does not automatically receive your private note body, team membership list, or internal permissions just because a map is shown. Those remain in LocationNotes unless a specific workflow intentionally sends a related lookup to the external service.
In practical terms, the provider can usually see that a browser asked for map resources for a certain area, but not the full private record you are editing unless the product explicitly sends that data for a separate feature.
Journey reads expose the saved stop plus currentNotesAtCoordinate. That collection is today's visible note read model for the same coordinate, not proof that the stop permanently owns one note.
Place, history, and access stay separate: the journey stop preserves the snapped coordinate, the note keeps its own editable record, and the note's visibility plus required access scope decides who can open note content.
External sign-in providers work the same way
If you choose Google Identity or Facebook Login sign-in, your browser is redirected to that provider so it can authenticate you. The provider can see that you are trying to sign in to LocationNotes, along with normal browser and network metadata. If you approve the login, the provider sends LocationNotes the account identifier and approved profile data needed to create or link your local account, such as email address, name claims, and the provider subject identifier.
LocationNotes stores the linkage needed to recognize that provider later. The provider also keeps its own record that your account was used to authenticate with this site, subject to that provider's own policies.
Google Analytics and operational infrastructure
LocationNotes currently uses Google Analytics for sanitized website analytics only when the site is configured for analytics and the current visit still allows browser-side analytics. In those cases, the browser loads analytics code from Google and LocationNotes sends sanitized page-view data plus limited workflow events such as sign-in, account creation, provider linking, note creation, location-stop creation, category creation, team creation, trackable creation, trackable activation, and secret-code entry. LocationNotes is designed not to intentionally send note text, secret codes, private scan URLs, exact coordinates, names, or email addresses to Google Analytics.
If the effective experience mode is No 3rd Parties, or the visit is in a consent-required region without granted consent, LocationNotes keeps analytics essential-only and does not load the Google Analytics browser tag for that request.
Separately from analytics, normal hosting and operations still create server-side records. Web servers, reverse proxies, application logs, security logs, and database transaction logs can capture request times, requested paths, status codes, and technical diagnostics so the service can stay secure and support incidents can be investigated.
Email and text delivery providers
LocationNotes currently uses Mailgun for transactional email delivery. That means the recipient email address, delivery headers, message content needed for the delivery, and delivery-status events can be processed by Mailgun so account-security and support-related mail can reach the recipient.
LocationNotes also has Twilio Messaging configuration in place for future text-message delivery. When that feature is enabled, the destination phone number, message content, carrier-routing metadata, and delivery-status events will need to be processed by Twilio to deliver the text and report whether it succeeded.
Deletion does not always erase every log instantly
When you delete an account or a synced record, LocationNotes removes the live product data that the deletion workflow is designed to remove. That does not always mean every copy disappears from every operational system at that same second. Backup sets, database transaction logs, short-term server logs, and incident records can persist until their normal rotation, overwrite, or retention window ends.
That extra retention is operational, not a second public copy of your content. It exists because real systems need disaster recovery, audit trails, fraud review, and security investigation records.
Legal requests are reviewed, not automatic
LocationNotes does not maintain an open feed that automatically hands user data to government agencies or private requesters. If a warrant, subpoena, court order, judgment, or similar lawful demand requires disclosure, the request is reviewed and the response is limited to what the law requires and what the system actually stores.
In practice, that usually means collecting the same underlying account, content, provider-link, support-ticket, and audit records that a user can already request through export workflows, plus any server, security, or backup records that must be preserved for the legal review. A valid legal hold can also delay normal deletion of affected records until the obligation is resolved.
Why this page exists
Privacy and Terms summarize the rule. This page goes deeper because map rendering, hosted-map fallback, third-party login, optional Google Analytics, and operational logging are easy to misunderstand if they are described only in one short sentence.
The same deeper explanation matters for restore and transfer work too. Portable account exports keep the full manifest, while the matching additive import flow is designed to add missing records, skip identical matches, and list conflicting existing data instead of overwriting the target account automatically.