Compliance (Data Protection and Privacy) - app

📑

Compliance (Data Protection and Privacy) for Causal Map App

Causal Map app, developed by Causal Map Ltd, is committed to protecting the privacy of our users. This privacy policy outlines how we collect, use, store, and protect your personal data in compliance with the General Data Protection Regulation (GDPR), EU AI Act Compliance and other applicable regulations.
 
Causal Map is an online-only service, there is nothing to download or install.
 

Data Controller

Causal Map Ltd acts as the data controller for both QualiaInterviews and Causal Map app. Our Data Protection Officer is Steve Powell, who can be contacted at hello@causalmap.app.

Data Collection and Processing

Types of Data Processed

We collect and process data necessary for the operation of Causal Map, including:
  • From clients (users/subscribers)
    • User account information.
    • Usage data.
    • Essential cookies necessary for app functionality.
    • Name & email address
  • Research data provided by clients, for which clients are the Data Controllers
Data processing is conducted in compliance with the General Data Protection Regulation (GDPR) and other applicable regulations.

Client Responsibilities

As data controllers, clients must ensure:
  • Data was collected with appropriate consent or legal basis
  • They have permission to use data from previous research projects
  • They provide details of initial data collection and methodology
  • They document legitimate interests for data use

Client Data Protection Principles

1. Lawful, Fair, and Transparent Processing
All data processing must meet at least one condition:
  • Subject consent
  • Contract performance
  • Legal obligation
  • Vital interests protection
  • Public interest
  • Legitimate interests
2. Purpose Limitation
  • Data processed only for specified research purposes
  • Further processing for research/statistical purposes permitted if compatible

Data Storage and Security

  • Causal Map is written in R-Shiny and hosted by Posit Software in the USA at AWS in the US.
  • Data is stored on AWS EC2 servers in London
  • We use TLS (Transport Layer Security) via HTTPS for secure data transmission between users and the app.
  • Authentication is managed through Google Firebase, supporting email/password methods and Google account integration.
  • Daily backups of the RDS database are made automatically.
  • A complete copy of each user file is also automatically backed up separately to a separate encrypted service (AWS S3) while the file is being edited. User can restore data from backups at will.
  • The Causal Map app is served from multiple instances. go.causalmap.app resolves to multiple instances, so if one instance fails, another can be used, accessing the same data.
  • If requested we can set up a dedicated instance of the application for you at ShinyApps. Otherwise, multiple users may share sessions with other users on the same instance, though the sessions are isolated from another in software.
  • Data stored at AWS S3 (10-minute incremental backup) is encrypted at rest (automatically, using server-side encryption with Amazon S3 managed keys (SSE-S3)) and in transit.
  • Data stored at AWS RDS is encrypted in transit.

Data Protection Measures

  • All emails to and from clients containing personal data are encrypted at rest and in transit.
  • Clients’ personal data is securely deleted when no longer needed.
  • Access to clients’ personal data is restricted to authorized personnel only.

Data Retention and Deletion

  • Personal data is not kept longer than necessary.
  • Data can be erased if requested.
  • Causal Map Ltd will not usually collect, store, host or process personal data of its clients’ research subjects. In the exceptional cases where this is necessary, it will occur only for and to the extent necessary for the specific purpose(s) informed to data subjects. Data will be pseudonymised at the point of data collection using “a unique identifier that is not connected to their real-world identity, using techniques such as coding or hashing” (Article 89, GDPR). All information which enables the reversal of pseudonymisation and thereby re-identification will only be held for a limited period (see 2.4), at which point all data will be fully anonymised by the destruction of all key lists.

Anonymity

  • At Causal Map we work with anonymous data. However, sometimes it is difficult for clients to make sure that the data they give us is free from any personally identifying information especially when there is a large volume of text, say from interview transcripts. For this case we have an offline AI which works completely without the internet which does a very good job of removing such information before text even gets uploaded.

International Data Transfers

Causal Map Ltd regularly needs to transfer (‘transfer’ includes making available remotely) personal data to countries outside of the UK. The transfer of personal data to a country outside of the UK can take place only if one or more of the following applies:
  • The transfer is to a country, territory, or one or more specific sectors in that country (or an international organisation), that the UK Information Commissioner’s Office (ICO) has determined ensures an adequate level of protection for personal data;
  • The transfer is to a country (or international organisation) which provides appropriate safeguards in the form of a legally binding agreement between public authorities or bodies; binding corporate rules; standard data protection clauses adopted by the ICO; compliance with an approved code of conduct approved by a supervisory authority (e.g. the Information Commissioner’s Office); certification under an approved certification mechanism (as provided for in the Regulation); contractual clauses agreed and authorised by the competent supervisory authority; or provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority;
  • The transfer is necessary for the performance of a contract between the data subject and Causal Map Ltd or for pre-contractual steps taken at the request of the data subject).
  • The transfer is necessary for important public interest reasons.
  • The transfer is necessary for the conduct of legal claims.
  • The transfer is necessary to protect the vital interests of the data subject or other individuals where the data subject is physically or legally unable to give their consent.
  • The transfer is made from a register that, under UK law, is intended to provide information to the public and which is open for access by the public in general or otherwise to those who are able to show a legitimate interest in accessing the register.

Client Rights

Clients have the right to:
  • Access their personal data.
  • Request rectification or erasure of their data.
  • Object to data processing.
  • Data portability.
  • Withdraw consent at any time.
To exercise these rights, contact our Data Protection Officer at hello@causalmap.app.

Third-Party Services

We use the following third-party services:
  • AWS (Data Storage at S3 and RDS). Soc 2 report available on request.
Each third-party service has its own privacy policy.

Data Breach Notification

In the event of a data breach, we will notify the relevant authorities and affected users in accordance with applicable laws.

Changes to Privacy Policy

We reserve the right to update this policy. Users will be notified of significant changes.

Acceptable Use Policy

Services provided by us may only be used for lawful purposes. Any material or conduct that in our judgment violates this policy may result in suspension or termination of the services or removal of the user's account with or without notice
Prohibited uses include, but are not limited to:
  • Phishing or engaging in identity theft.
  • Distributing malicious code.
  • Distributing pornography or adult-related content.
  • Promoting or facilitating violence or terrorist activities.
  • Infringing on intellectual property rights.
By using Causal Map, you agree to the terms of this privacy policy. If you have any questions or concerns, please contact us.
 

User Activity Monitoring and Audit Logs

  1. Log on and log off is monitored via Google Firebase
  1. Highly significant events like new user registration and file creation are logged in a system SQL database and also emailed to the Data Protection Officer
  1. Significant events like log on, load file, are recorded in a system SQL database
 

App Authentication

Authentication is handled by Google Firebase (for the Causal Map app, via Polished.tech).
  • Users can authenticate with an email + password, or through Google (with a Google account)
  • Users have the option to use 2FA (two factor authentication)
  • Usage of a strong password, and resetting of one’s password regularly is recommended
  • Multiple attempts to access an account with an incorrect password will result in a temporary timeout

Role-Based Access

There are two levels of access to the Causal Map app: Admin and User.
Admin access:
  • is granted to three accounts at Google Firebase. Google Firebase is controlled only by the domain admin.
  • Admins can see the metadata and significant events of all users.
  • Admins are able if necessary to view and even delete client data but will not do this without clients’ explicit permission.
User access:
  • Users can assign (and revoke) view, copy or edit rights to other users.
  • Users can view, copy or edit files to which they have the appropriate permission.
  • Users can create new files over which they then have edit permission.

Contact Information

For privacy-related inquiries:
  • Data Protection Officer: Steve Powell
  • We reserve the right to change this policy at any given time, in which case we will update you.
Â