Mapdesk Privacy Annex

This Annex applies to the Mapdesk mobile app for iOS and Android, operated by Stiple Inc. ("Stiple," "we," "us"). It describes what the app accesses on your device, what it streams to Stiple, and what it deliberately does not do.

Mapdesk is a professional field surveying and mapping tool. It is used by surveyors, geomatics professionals, engineers, and field crews to capture high-accuracy positions and observations in the field and stream them to a Stiple account.

Platform parity. Except where a specific platform mechanism is described (for example, the Android foreground-service notification), Mapdesk behaves the same way and discloses the same practices on both iOS and Android. There is no two-track behaviour between the platforms.

2.1 Why Mapdesk Needs Precise Location

Recording accurate geographic positions is the core function of a field survey app. Location is therefore not an optional add-on — it is the purpose of the App. Mapdesk works with precise (high-accuracy) location, including the position reported by your device and, when you connect one, the survey-grade position reported by an external GNSS receiver. An approximate location is not sufficient for surveying.

2.2 Foreground and Background — Gated to an Active Survey

Field surveys are not always done with the app on screen. A long traverse can run for many minutes; a surveyor may lock the screen to save battery, take a call, or switch to another app to check a plan mid-survey. So that your survey keeps recording points reliably through these everyday interruptions, Mapdesk collects location in the background as well as the foreground. This background collection is strictly gated to an active survey session:

• Only during an active survey. Continuous location collection — foreground or background — happens only while you have started a survey session and the App is recording points. When no survey is active (for example, while you are reviewing data, editing attributes, or on the App's settings screen), Mapdesk is not collecting your location.
• It stops when the survey stops. When you end the survey session, background location collection ends. Mapdesk does not continue to collect location after the survey is over.
• Never for tracking. Location is used solely to produce the survey you are creating. It is never used for advertising, analytics, profiling, or to build a history of your movements, and it is never shared for those purposes.

2.3 How Each Platform Handles Background Location

• iOS. Mapdesk uses the iOS location background mode so that an active survey continues to record positions while the App is backgrounded or the screen is locked. iOS shows its standard background-location indicator while this is happening.
• Android. Mapdesk runs a foreground service during an active survey, which displays a persistent notification for as long as the survey is running. This notification is your visible signal that a survey — and its location recording — is active. Ending the survey removes the notification and stops the service.

2.4 You Are in Control

You grant location access through your device's standard permission prompts, and you can change or revoke that permission at any time in your device settings. If you revoke location access, Mapdesk cannot perform surveys, but you can still sign in and review previously synced work. See the permissions table in Section 12.

Mapdesk uses Bluetooth in the foreground and the background, on both iOS and Android, for a single purpose: to connect to and exchange data with an external GNSS receiver — for example, a Septentrio mosaic-X5, a u-blox ZED-F9P, or a SparkFun RTK device. Background Bluetooth is required because the receiver connection must stay live for the duration of a survey, including while the App is backgrounded or the screen is locked (see Section 2).

3.1 What Travels Over the Bluetooth Link

The connection to the receiver is bidirectional:

• From Mapdesk to the receiver: Mapdesk streams RTCM correction data to the receiver so it can compute a corrected, high-accuracy position.
• From the receiver to Mapdesk: the receiver returns the precise position, accuracy estimates, satellite and constellation information, and fix-quality data that Mapdesk records as part of your survey.

The version of Mapdesk submitted for this release does not request camera permission and does not use the camera. There is no camera-based data collection in the launch build.

Until that release ships, treat every statement in this Annex about images and camera use as forward-looking. The launch build collects no images and requests no camera access.

Mapdesk uses WorkOS as its identity provider. WorkOS is the only personal-data flow in Mapdesk that leaves Canada; see Section 10.

5.1 Sign-In Happens in the System Browser

When you sign in, Mapdesk hands the sign-in off to a WorkOS-hosted page in your device's system browser — Safari via SFSafariViewController on iOS, and Chrome Custom Tabs on Android. Because the sign-in page runs in the system browser and not inside Mapdesk's own screens, the Mapdesk app process never sees your password. Your password is entered into, and handled by, WorkOS.

5.2 What WorkOS Returns to the App

After a successful sign-in, WorkOS returns to the App an access token, a refresh token, and your name, email address, and profile photo.

Profile photo. Your profile photo is served from WorkOS's content-delivery network (CDN) and is fetched fresh each time it needs to be displayed. As a result, the WorkOS CDN may receive your device's IP address and a timestamp each time an avatar loads. Mapdesk does not store the photo — it is displayed from the CDN, not saved on the device or on Stiple's servers.

5.3 How Tokens Are Stored and Protected

The access and refresh tokens let you stay signed in. Mapdesk stores them using each platform's hardware-backed secure storage:

• iOS. Tokens are stored in the iOS Keychain with the afterFirstUnlockThisDeviceOnly protection class, and iCloud Keychain sync is turned OFF — so the tokens never leave the device.
• Android. Tokens are encrypted with AES-256 in GCM mode; the encryption key is held in the Android Keystore (hardware-backed where the device supports it), and the resulting ciphertext is kept in the App's private storage.

Tokens are transmitted only over HTTPS/TLS, and they are deleted on sign-out.

To achieve survey-grade accuracy, Mapdesk uses real-time correction data. These corrections travel over a secure WebSocket (wss://, encrypted with TLS) directly from your device to the NTRIP service you configure — for example, the Stiple NTRIP Caster. Mapdesk then forwards those corrections to your connected GNSS receiver over Bluetooth (see Section 3), and the receiver returns the corrected position.

You choose which NTRIP service to use. The correction stream is a technical data exchange that carries the information the service needs to deliver corrections; it is not used to track you or to build a profile.

Mapdesk is server-streamed by design. As you work, your field data is streamed to Stiple's servers in real time. The App is not intended to be a permanent archive of your projects on the device.

7.1 Why There Is a Local Cache

Field work happens in places with unreliable connectivity. To make sure you never lose in-progress work, Mapdesk keeps a local cache of survey data on the device. The cache provides offline resilience — it protects your work against a loss of network, an app crash, or your battery dying mid-survey. Once an upload is confirmed, the cached data is reconciled and cleared.

7.2 How the Local Cache Is Protected — and What You Should Do

The local cache is not separately encrypted by Mapdesk at the application layer. Instead, it relies on your device's operating-system at-rest encryption — iOS Data Protection on iPhone/iPad, and file-based encryption on Android — which protects the data on the device while the device is locked.

No analytics SDK. Mapdesk does not contain an embedded product-analytics SDK and sends no analytics events. (Stiple uses analytics only on its web properties, not in the Mapdesk app.)

No crash-reporting or diagnostics SDK. The App contains no crash-reporting or diagnostics SDK. When the App encounters an error or stops unexpectedly, no automated report is created or sent. If you choose to tell us about a problem yourself — for example, by emailing support — that is something you initiate, not something the App collects.

No advertising or tracking SDK. Mapdesk does not build advertising or marketing profiles and does not track you across other apps or websites.

8.1 How the Map Renders — No Map-Vendor Telemetry

Mapdesk renders its maps with MapLibre and PMTiles, drawing from self-hosted basemaps. There is no Mapbox or Google Maps backend behind the map, and therefore no map-vendor telemetry: displaying the map does not send your position or activity to a third-party mapping service.

8.2 A Note on Google Play Services Location (Android Only)

On Android, Google Play Services Location is bundled as a system component that Mapdesk uses as an operating-system wrapper for location. It runs on-device. Mapdesk transmits nothing to Google through it — it is used only as an OS-level location interface, not as a data-sharing channel.

Mapdesk sends no push notifications and no marketing notifications.

On Android, the App displays a single persistent foreground-service notification while a survey is active (see Section 2.3). This is the only notification Mapdesk shows. It is a required, visible signal that a survey — and its location recording — is running, and it disappears when you end the survey.

The only cross-border transfer for Mapdesk is WorkOS authentication. The sole personal-data flow that leaves Canada in Mapdesk is your sign-in, which is handled by WorkOS in the United States (including the profile-photo CDN described in Section 5). Your survey, project, and file data are never transferred to the United States.

Mapdesk involves no payment processing and no Stripe. Mapdesk is free and contains no in-app purchases, so there is no payment processor in the Mapdesk data flow at all. This makes Mapdesk's data-residency story cleaner than the platform's overall: the umbrella Stiple Privacy Policy also describes Stripe as a U.S. payment processor, but Stripe applies only to Stiple Labs subscriptions — never to Mapdesk. If you use Mapdesk without a Labs subscription, no payment data and no Stripe are involved on your account.

Because some processing of your sign-in occurs in the United States, that information may be subject to U.S. law, including laws such as the CLOUD Act. We have deliberately kept your substantive field data in Canada to minimize this exposure. See the umbrella Stiple Privacy Policy and the Sub-Processor List for the full cross-border picture.

You can delete your Stiple account and associated data at any time. Account deletion is handled through your Stiple account: sign in to Stiple Labs at labs.stiple.ca and go to Profile → Danger Zone → Delete account. The "Delete Account" option inside Mapdesk takes you to this same Stiple Labs deletion flow.

When you confirm, your account enters a 14-day cancellation window during which you can reverse the request by signing back in. After 14 days, your account and associated data — including projects, survey data, files, and images — are permanently deleted, and any active subscription is cancelled; this cannot be undone.

What deletion does for Mapdesk. Completing deletion purges your server-side data — including the field data stored on Backblaze B2 in Toronto — and clears the local cache on your device. For security, fraud-prevention, audit, and legal-compliance purposes, Stiple retains a limited set of account and access logs after deletion (for example, sign-in records and a record of which projects were downloaded and when); these logs do not include your project, survey, or file content, are retained for 24 months, and are then deleted unless a longer period is required by law. For the broader timelines, exceptions, and backup-rotation windows that apply to deletion, see the umbrella Stiple Privacy Policy.

Mapdesk requests only the permissions it needs to function. Each is requested through your device's standard prompt and can be changed or revoked in your device settings. The launch build requests no camera, no microphone, no contacts, no photos-library, and no calendar permission.

• Location (precise) — iOS & Android. Foreground + background, only during an active survey. Used to record precise survey positions; continues through screen-lock / app-switch during a survey (Section 2). Never collected when no survey is active.
• Bluetooth — iOS & Android. Foreground + background, while connected during a survey. Used to connect to an external GNSS receiver and exchange RTCM corrections / position data (Section 3). Not used to scan for other devices.
• Camera — not in the launch build. Camera-based geodetic imaging is an upcoming feature; the current build does not request camera permission (Section 4).
• Internet / network — iOS & Android. As needed for signing in, streaming survey data to your Stiple account, and receiving NTRIP corrections.

Not requested: camera (launch build), microphone, contacts, photos library, calendar. If a feature requiring a new permission ships later, this Annex and the App's declared permissions will be updated together.

Our current sub-processors and their data locations are listed at stiple.ca/legal/sub-processors. Of those, Mapdesk touches only:

• WorkOS — authentication and the profile-photo CDN (United States; see Sections 5 and 10).
• Backblaze B2 — storage of your survey data and files in Toronto, Canada.

On Android, the bundled Google Play Services Location system component is also present as an on-device OS wrapper (Section 8.2); it is not a data-transmitting sub-processor. Mapdesk involves no Stripe and no payment processor.

For the topics common to all Stiple products — your privacy rights (under PIPEDA and Quebec Law 25), data retention, breach notification, children's privacy, and how to contact our Privacy Officer or file a complaint — please see the Stiple Privacy Policy at stiple.ca/legal/privacy. Those sections apply to your use of Mapdesk and are not repeated here. Where this Annex and the umbrella differ on a Mapdesk-mobile-specific matter, this Annex governs.