Data protection (GDPR & PIPEDA)

This page outlines, at a high level, how Maplan is intended to align with key data protection concepts under the EU/UK General Data Protection Regulation (“GDPR”) and Canada's Personal Information Protection and Electronic Documents Act (“PIPEDA”). It is not legal advice.

You should work with your own legal counsel to finalise your approach and documentation before relying on this text with customers or regulators.

1. Roles under GDPR and PIPEDA

In most cases, Maplan acts as a processor/service provider for customer data added to a workspace. Your organisation remains the controller/business for the information you enter, and is responsible for determining the lawful basis and purpose for processing.

2. Data subject and individual rights

GDPR and PIPEDA both provide individuals with rights related to their personal information, such as access, correction, and deletion in certain circumstances. Maplan is being designed so that you can:

  • Locate and update individual records where they are stored.
  • Remove or anonymise personal information when a valid deletion request is received.
  • Export relevant information about an individual, where appropriate, in a portable format.

3. Data residency and transfers

Maplan aims to keep core application data in Canada. If you rely on GDPR adequacy or other transfer mechanisms, you should confirm how your specific hosting choices, sub‑processors, and backup policies align with those requirements.

4. Security measures

This section should describe, in more detail, the technical and organisational controls you implement to protect customer data (for example: encryption in transit, access controls, audit logging, and incident response practices).

5. Data processing agreements

Many organisations using Maplan under GDPR or PIPEDA will expect a data processing agreement (DPA) or similar addendum. You should work with your lawyer to prepare a DPA that covers Maplan's processing obligations, sub‑processor disclosures, and security commitments.

6. Questions and contact

Contact details for data protection questions (for example, a dedicated privacy or security email address) should be included here. This is where customers and regulators can reach you about GDPR, PIPEDA, or similar frameworks.