Compliance (Data Protection and Privacy) - app

📑

Compliance (Data Protection and Privacy) for Causal Map App

Causal Map app, developed by Causal Map Ltd, is committed to protecting the privacy of our users. This privacy policy outlines how we collect, use, store, and protect your personal data in compliance with the General Data Protection Regulation (GDPR), EU AI Act Compliance and other applicable regulations.
 

Data Controller

Causal Map Ltd acts as the data controller for both QualiaInterviews and Causal Map app. Our Data Protection Officer is Steve Powell, who can be contacted at hello@causalmap.app.

Data Collection and Processing

Client Responsibilities

As data controllers, clients must ensure:
  • Data was collected with appropriate consent or legal basis
  • They have permission to use data from previous research projects
  • They provide details of initial data collection and methodology
  • They document legitimate interests for data use
 

Types of Data Processed

We collect and process data necessary for the operation of Causal Map, including:
  • User account information.
  • Usage data.
  • Essential cookies necessary for app functionality.
  • Name
  • Research data as provided by clients
Data processing is conducted in compliance with the General Data Protection Regulation (GDPR) and other applicable regulations.
 

Data Protection Principles

1. Lawful, Fair, and Transparent Processing

All data processing must meet at least one condition:
  • Subject consent
  • Contract performance
  • Legal obligation
  • Vital interests protection
  • Public interest
  • Legitimate interests

2. Purpose Limitation

  • Data processed only for specified research purposes
  • Further processing for research/statistical purposes permitted if compatible
 

Data Storage and Security

  • Causal Map is written in R-Shiny and hosted by Posit Software in the USA at AWS.
  • Data is stored on AWS EC2 servers in London
  • We use TLS (Transport Layer Security) via HTTPS for secure data transmission between users and the app.
  • Authentication is managed through Google Firebase, supporting email/password methods and Google account integration.
  • Daily backups of the database are made automatically.
  • If requested we can set up a dedicated instance of the application for you at ShinyApps. Otherwise, multiple users may share sessions with other users on the same instance, though the sessions are isolated from another in software.

Data Protection Measures

  • All emails containing personal data are encrypted at rest and in transit.
  • Personal data is securely deleted when no longer needed.
  • Access to personal data is restricted to authorized personnel only.

Data Retention and Deletion

  • Personal data is not kept longer than necessary.
  • Data can be erased if requested.
  • Causal Map Ltd will not usually collect, store, host or process personal data of its clients’ research subjects. In the exceptional cases where this is necessary, it will occur only for and to the extent necessary for the specific purpose(s) informed to data subjects. Data will be pseudonymised at the point of data collection using “a unique identifier that is not connected to their real-world identity, using techniques such as coding or hashing” (Article 89, GDPR). All information which enables the reversal of pseudonymisation and thereby re-identification will only be held for a limited period (see 2.4), at which point all data will be fully anonymised by the destruction of all key lists.

Anonymity

  • At Causal Map we work with anonymous data. However, sometimes it is difficult for clients to make sure that the data they give us is free from any personally identifying information especially when there is a large volume of text, say from interview transcripts. For this case we have an offline AI which works completely without the internet which does a very good job of removing such information before text even gets uploaded.

International Data Transfers

Causal Map Ltd regularly needs to transfer (‘transfer’ includes making available remotely) personal data to countries outside of the UK The transfer of personal data to a country outside of the UK can take place only if one or more of the following applies:
  • The transfer is to a country, territory, or one or more specific sectors in that country (or an international organisation), that the Information Commissioner’s Office (ICO) has determined ensures an adequate level of protection for personal data;
  • The transfer is to a country (or international organisation) which provides appropriate safeguards in the form of a legally binding agreement between public authorities or bodies; binding corporate rules; standard data protection clauses adopted by the ICO; compliance with an approved code of conduct approved by a supervisory authority (e.g. the Information Commissioner’s Office); certification under an approved certification mechanism (as provided for in the Regulation); contractual clauses agreed and authorised by the competent supervisory authority; or provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority;
  • The transfer is made with the informed consent of the relevant data subjects.
  • The transfer is necessary for the performance of a contract between the data subject and Causal Map Ltd or for pre-contractual steps taken at the request of the data subject).
  • The transfer is necessary for important public interest reasons.
  • The transfer is necessary for the conduct of legal claims.
  • The transfer is necessary to protect the vital interests of the data subject or other individuals where the data subject is physically or legally unable to give their consent.
  • The transfer is made from a register that, under UK law, is intended to provide information to the public and which is open for access by the public in general or otherwise to those who are able to show a legitimate interest in accessing the register.

User Rights

Users have the right to:
  • Access their personal data.
  • Request rectification or erasure of their data.
  • Object to data processing.
  • Data portability.
  • Withdraw consent at any time.
To exercise these rights, contact our Data Protection Officer at hello@causalmap.app.
 

AI Processing

  • Data is processed either using OpenAI's GPT-4 API or Perplexity’s Llama3 Model.
  • OpenAI retains API data for a maximum of 30 days for compliance purposes. OpenAI declares that API users retain ownership of their data, and API requests are not used for training models (we are a Tier 5 OpenAI customer).
  • Perplexity’s Llama 3 model, in contrast, does not save data on their servers all: the data simply passes through it. During inference, data is temporarily held in memory for processing but does not persist after the task is completed.
  • Causal Map Ltd. adheres to established qualitative research protocols to limit the AI's freedom in making evaluative judgments, thereby aiming for transparency and accuracy in the AI's interpretation of causal claims.
  • Ethical considerations include careful attention to the types of data processed and ensuring the AI's analysis reflects respondent views without systematic bias or undue influence.
 

Third-Party Services

We use the following third-party services:
  • Firebase (Authentication).
  • OpenAI API (AI Processing).
  • Perplexity API (AI Processing).
  • AWS (Data Storage).
Each third-party service has its own privacy policy.

Data Breach Notification

In the event of a data breach, we will notify the relevant authorities and affected users in accordance with applicable laws.

Changes to Privacy Policy

We reserve the right to update this policy. Users will be notified of significant changes.

Acceptable Use Policy

Services provided by us may only be used for lawful purposes. Any material or conduct that in our judgment violates this policy may result in suspension or termination of the services or removal of the user's account with or without notice
Prohibited uses include, but are not limited to:
  • Phishing or engaging in identity theft.
  • Distributing malicious code.
  • Distributing pornography or adult-related content.
  • Promoting or facilitating violence or terrorist activities.
  • Infringing on intellectual property rights.
By using Causal Map, you agree to the terms of this privacy policy. If you have any questions or concerns, please contact us.
 

User Activity Monitoring and Audit Logs

  1. Log on and log off is monitored via Google Firebase
  1. Highly significant events like new user registration and file creation are logged in a system SQL database and also emailed to the Data Protection Officer
  1. Significant events like log on, load file, are recorded in a system SQL database
 

Contact Information

For privacy-related inquiries:
  • Data Protection Officer: Steve Powell