May 2026 Transparency Report

Why this exists

Same deal as April: every month I publish a plain-language log of what changed on the data and platform side — what we collect, what we removed, who we rely on, and any government or legal request we received (this month: none). If a number or a third party shows up that should not be there, you will see it here first.

May was the v4.0 and v4.1 month — Live Activities, a web inbox, MapLibre on the map (with a written tile-provider commitment), optional cross-device sync without accounts, and Instagram paste-to-prefill with server-side vision. The Privacy Policy got a material update on May 21; this report is the companion piece.

Headlines

• iOS marketing version at end of May: 4.0 (build 21). 4.1 shipped on the web the same week; the App Store binary is still on the 4.0 marketing line until the next store submission.
• Map renderer upgraded; tile provider unchanged. The interactive map moved from Leaflet to MapLibre GL. Basemap data is still OpenStreetMap styled by CARTO, served from *.basemaps.cartocdn.com — not Mapbox, not Google Maps tiles. We committed to that provider in writing here and in Section 9 of the Privacy Policy.
• Live Activities and leave-by alerts (iOS). Lock Screen / Dynamic Island countdowns for saved meets, tiered “time to head out” pushes based on drive-time math, and new APNs token kinds: per-install push-to-start (on push_device) and per-activity update tokens (on live_activity_session). Optional drive-minutes echo to our server (about once per five minutes while a Live Activity is refreshing location, plus an immediate one-shot when iOS infers you are likely en route — integers only, no coordinates). The Privacy Policy still says “once per minute”; that is stale relative to the iOS code and should be corrected there.
• New iOS Background Mode: location. Used only while a Live Activity is active, under When In Use permission — we do not request “Always” location. Raw GPS does not leave the device except as the drive-minutes integer described above.
• Web notification inbox with 90-day retention — rows older than 90 days are deleted by a nightly cron (/api/cron/nightly-prune). Read timestamps (readAt) are stored server-side per installation id when you mark a row read.
• Voluntary cross-device sync linking (4.1). You can copy a sync ID on one device and paste it on another. We still do not auto-merge installs; linking is entirely user-initiated.
• POST /api/submit/from-url — server fetches a URL you paste (Instagram posts get image download + optional vision prefill via Vercel AI Gateway). Not on the public browse render path; only runs when you explicitly ask for prefill.
• Nominatim on typed address fields — not on map/home. /api/address-suggest has existed since April; May 21 wired it into the public submit form (it was already on the organizer admin meet form). Queries are proxied to OSM Nominatim. This is not the April runtime geocoding loop on map/home; that path stays deleted.
• 0 government, law-enforcement, or civil legal requests received. 0 account or content disclosures made.
• 0 data breaches.
• 0 ad networks integrated. 0 analytics SDKs integrated.

Release timeline (from git)

This is the month in ship order — useful if you are diffing the repo against last month’s report.

What we collect, in plain English

Everything from the April report still applies unless noted below. There is still no anonymous telemetry beacon and no third-party analytics SDK.

New or expanded in May

Notification inbox rows (web + linked installs). When we send you a push or need an in-app record of it, we may write a row keyed to your installation identifier: kind (meet_change, meet_request_status, blog_featured, meet_status, etc.), title, body, deep link, optional meet id, read timestamp. These power /inbox and the Menu badge; mark-read landed May 14 (c847326). Rows older than 90 days are purged nightly. Schema: src/server/db/schema/anon-sync.ts (anon_notification_inbox).

Meet submission status lookup. At /submit/status you can enter the same contact detail you used on the submit form and/or your sync ID. We return only rows that match what you typed. Anyone who knows your contact detail or sync ID could run the same lookup — treat them like lightweight credentials.

Anonymous submit drafts (cloud mirror). When sync is enabled, in-progress submit form JSON can mirror to anon_user_pref.submitDraftJson keyed by installation id so a linked device can resume. Only fields you have entered are stored; nothing is published until staff approves a submission.

Live Activity session state. For iOS installs that register push-to-start tokens, we store: installation id, meet id, activity update token, timestamps for start/end/last update, and optionally last drive-minutes (integer) from the on-device echo endpoint. Used to push phase changes and end activities cleanly. Schema: src/server/db/schema/live-activity.ts.

Site announcements. Admins can publish a plain-text sitewide notice in Postgres (singleton row). Dismiss state is stored only in your browser’s local storage (which updatedAt you dismissed), not keyed to installation id on the server.

Staff-only (organizer accounts). May 6 policy update: permission flags and optional internal staff notes on user rows — visible only to site administrators, never on public meet pages. No change to the public visitor data model.

Unchanged commitments worth repeating

• Near me / map distance sorting: approximate coordinates stay in-memory on the device for web and iOS discovery; we do not log your live location to Postgres for sorting.
• Push device records: still no email, name, or IP in the push row.
• Orphaned sync rows: if you reset the app or clear site data, server rows keyed to the old installation id still do not auto-expire on a schedule. Inbox rows do (90 days). We will commit to an orphan retention window in a future report if we add one.

What we removed in May

Alternate iOS app icons

v4.0 briefly shipped alternate icon assets; commit 9782ecd (May 14) removed the picker and plugin the same day. End state: one icon, no extra data surface.

Nothing else material on the render path

April’s deletion of runtime Nominatim geocoding on map/home is still in force. May did not bring that back.

What we added in May

MapLibre + tile-provider commitment (Phase D)

The full-screen map and home map widget now use MapLibre GL instead of Leaflet. Basemap tiles are unchanged: light Voyager and dark Dark Matter styles from CARTO (basemaps.cartocdn.com), built from OpenStreetMap data. Your browser or app still fetches tiles directly from CARTO when you pan and zoom; we do not proxy tiles through our origin.

Offline / cache story: the production service worker may cache recent tiles and a bounded manifest of saved-meet ids on your device (user-configurable budget in Menu). Cache stays on-device; no account or tracking identifiers in those buckets.

Health checks probe the same CARTO style URL we ship in production (src/server/health/probes.ts).

v4.0 — inbox, offline snapshots, Live Activities, /status (May 14, d4b2e12)

• Inbox at /inbox for installs with sync enabled.
• Meet detail snapshots in local storage for faster repeat visits and spotty LTE; service worker caches meet HTML, API responses, images, and map tiles within a user-set budget.
• Live Activities + Widget Extension + App Intents + Spotlight (iOS) — countdown widget and Lock Screen activity use App Group storage synced from saved meets (public meet fields only). Spotlight indexes meet titles you have saved for on-device search; no new account or contact field.
• iOS Share Extension — sharing a URL into Detroit Meets opens /submit with a prefill query; the same /api/submit/from-url path runs as manual paste (see 4.1 for vision).
• Leave-by notifications scheduled on-device (LeaveByNotificationScheduler); server crons can send supplemental tiered alerts when a Live Activity session exists.
• Public /status page plus JSON /api/health — aggregate probes (DB, CARTO style URL, etc.); no per-user payloads. system_heartbeat rows support cron success/failure bookkeeping.
• Sitewide announcement (0027_site_announcement) — singleton admin-edited message; dismiss/reopen stored per install in local storage.
• Detroit Grand Prix Community Pick — presentation-only badges and calendar title prefix for one editorial meet; no new database PII category (uses existing recommended flag).
• POST /api/submit/from-url (first cut) — OG/Twitter metadata parse and Instagram image mirror; vision not required yet.
• Rate-limit infrastructure (0018_rate_limit_bucket) — Postgres-backed buckets when RATE_LIMIT_DURABLE=true; /api/submit/from-url uses them today. Sync and inbox writes still use per-isolate in-memory limits (60/min/IP).
• Cron: dispatch-live-activities, dispatch-live-activity-updates, nightly-prune.

v4.1 — vision prefill, cross-device link, Near me sort (May 21, 70ae79d)

• POST /api/submit/from-url (vision layer) — rate-limited to 12 requests per minute per IP. Fetches up to 256 KB of HTML for generic URLs (512 KB for Instagram image paths), User-Agent: DetMeetsShareBot/1.0, no cookies forwarded. For instagram.com posts/reels: downloads the first post image, mirrors a copy to Catbox for moderator review, and when AI_GATEWAY_API_KEY is set, runs vision prefill (caption + image → structured draft fields via Vercel AI Gateway). Fetched HTML is not retained server-side; only parsed values return to your form. /api/admin/meet-prefill-from-url reuses the same server modules for staff meet forms.
• Meet submission status pushes — approved/rejected flows can write inbox rows and send push when a device token exists (meet-request-status-push.ts).
• Menu → Copy sync ID / Link sync ID — replaces local installation id with the one you paste; cloud hydration pulls saved meets, inbox, and drafts for that id.
• /submit/status — public status lookup (documented in Privacy Policy §2).
• Near me on the home feed sorts by distance then start time when you grant location (b2066a0 shared util with map browse).
• Web manifest + install prompt — manifest.webmanifest for add-to-home-screen; dismiss state in local storage only (detmeets.pwa-install-dismissed.v1).
• Featured blog push dedupe — when you open a featured-post push, the client records the slug locally so fallback notifications do not repeat (c865931); server dispatch uses uncached blog reads post-deploy.
• Privacy Policy + Terms updated May 21 with accordion changelog history at the bottom of each page.

Nominatim on address autocomplete (not map/home)

/api/address-suggest (since April 2) proxies typed queries to Nominatim server-side (normalized text only, 40 requests/minute/IP in-memory limit, 90s server cache). In May it is used on the public submit form and the organizer admin meet editor — not on map render, not on home render. Organizer publish-time geocoding (one-shot, stored in our DB) was already disclosed; that behavior continues.

iOS entitlements and plist copy

• NSSupportsLiveActivities and NSSupportsLiveActivitiesFrequentUpdates enabled.
• UIBackgroundModes → location for Live Activity drive-time refresh (bounded as in Privacy Policy §9).
• Usage strings updated for location (Near me, drive-time, Live Activity refresh).

Staff / admin (not visitor-facing)

Permissions-driven staff controls, richer meet audit logs, internal notes on user rows, Instagram prefill for admin meet forms (/api/admin/meet-prefill-from-url) — same fetch/vision patterns as public submit but staff-gated.

Third parties we currently rely on

Full list as of May 31, 2026. Render path = what loads when a typical visitor browses meets, map, or detail without submitting a form or opting into extra features.

On the render path (unchanged from April unless noted):

• Vercel — hosting, serverless functions, short-lived access logs. No Vercel Analytics / Speed Insights enabled.
• Neon Postgres — meets, organizers, push tokens, sync rows, inbox, live-activity sessions, rate-limit buckets, announcements.
• Apple Push Notification service (APNs) — push, Live Activity start/update/end, push-to-start.
• Apple App Store — distribution, crash reports (Apple’s policy applies).
• Open-Meteo — weather card, server-proxied (meet coordinates only).
• Catbox — cover image hosting; server-to-server uploads.
• Cloudflare — DNS and edge for detmeets.com.
• OpenStreetMap + CARTO — map basemap tiles via MapLibre, *.basemaps.cartocdn.com. Direct tile fetch from your device; we do not pass installation or sync ids to CARTO.
• GitHub — source + deploy workflow for featured-blog push dispatch.

Off the render path — only when you take a specific action:

• OpenStreetMap Nominatim — /api/address-suggest when you type in submit or the admin meet form; one-shot geocode at organizer publish; not on map/home page load.
• Instagram (instagram.com) — our server fetches public post HTML/images when you use paste-from-link prefill (your IP is not sent to Meta; our server IP is).
• Vercel AI Gateway — when vision prefill runs, caption + flyer image go to the gateway; default model path is OpenAI via gateway config (openai/gpt-5.4 in code). No vision calls on browse/map/home.
• Apple Maps / Google Maps / Waze — only if you tap an external directions link; we send venue name + address, no device ids.

We do not use:

• Google Analytics or any analytics SDK.
• Meta / TikTok / Twitter / LinkedIn pixels.
• Sentry, LogRocket, FullStory, or session replay.
• Mixpanel, Amplitude, Posthog, Segment.
• Any ad network or data broker.
• Mapbox or Google Maps tiles in production.

Government and legal requests in May

• Law-enforcement requests received: 0
• Subpoenas, search warrants, or court orders received: 0
• National security letters received: 0
• Civil discovery requests received: 0
• Account or content disclosures made: 0
• Takedown notices received: 0
• Takedowns honored: 0

If we receive any of the above in a future month, the next report will say so. If we are ever gagged from saying so, the canary block above will simply not be repeated.

Security in May

• Vulnerability disclosures received from researchers: 0
• Confirmed data breaches: 0
• Confirmed unauthorized access: 0
• May 11 audit (b1b8fc1) — capped anonymous sync batches at 500 saved entries per POST; 60 sync writes / minute / IP (in-memory per isolate); /api/push/unregister verifies the APNs token matches the stored row when you send a token (otherwise a tight per-IP cap applies); timing-safe bearer comparison on cron secrets; newly generated staff passwords are 20 characters (generateStaffPassword); Better Auth still allows user-chosen passwords from 12 characters up; idempotent meet-request state transitions; pooled APNs HTTP/2 client and transient-failure retry telemetry for push dispatch (still no third-party error SaaS).
• Postgres rate buckets (0018) — durable enforcement is wired for /api/submit/from-url when RATE_LIMIT_DURABLE=true. Address suggest uses a separate in-memory limiter, not the durable table.
• Cron endpoints for live-activity dispatch and nightly prune require CRON_SECRET bearer; May 14 hardened error handling around cron/APNs failures (b9cbef2).
• CSP (7345e81) — img-src https: so meet covers and mirrored Instagram images render without per-host enumeration drift.
• Structured server logging — reportError / reportEvent emit JSON lines to Vercel function logs only; not shipped to Sentry or any vendor.

If you find a security issue, message @alex.30mm on Instagram.

Numbers (light)

• Posts published in May: 4 (3.2 changelog, 4.0 changelog, 4.1 changelog, this report).
• iOS app marketing version at end of May: 4.0 (build 21).
• Privacy Policy effective dates in May: May 6 (staff disclosures), May 21 (sync, inbox, submit status, Nominatim on submit, tile cache, Live Activity tokens).
• Database migrations applied in May: 17 (0011–0027; 0010_meet_requests landed April 30). Breakdown: May 6 permissions + internal notes (0011–0017); May 14 rate limits, inbox, live activity, submit draft + suggested cover, leave-by alert flags, heartbeat, announcement (0018–0027).
• Notable endpoints added in May: /api/submit/from-url (May 14, vision May 21), /api/admin/meet-prefill-from-url (May 21), /api/push/live-activity/*, /api/cron/nightly-prune, /api/cron/dispatch-live-activities, /api/cron/dispatch-live-activity-updates, /api/health; public pages /inbox (May 14), /submit/status (May 21), /status (May 14). /api/address-suggest predates May (April 2); May 21 refactored its Nominatim backend and wired it into public submit.
• iOS marketing version bump: 4.0 in d4b2e12 (May 14); build 21 at month end.
• Render-path third parties added: 0 (MapLibre is a client library; tiles remain CARTO/OSM).
• Render-path third parties removed: 0 (April’s Nominatim-on-map removal still stands).
• Inbox retention: 90 days (nightly prune).

Closing

April’s report promised we’d name the map tile provider and disclose the next wave of platform changes. May delivered both: CARTO + OSM, via MapLibre, plus the Live Activity and submit-prefill machinery — all documented in the Privacy Policy and here.

If something is wrong, missing, or you want a category tracked next month, message @alex.30mm on Instagram.

Effective: May 31, 2026 · Period covered: May 1 – May 31, 2026

Privacy Policy · Terms · April 2026 Transparency Report · Detroit Meets on the App Store