
Privacy Policy

Last updated: June 2026

This Privacy Policy explains how SocialImpactMap ("we", "us", "our") collects, uses, and protects personal data when you use our website and mobile applications (the "Platform"). We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable national law.

1. Who is responsible

The controller responsible for your data is [Operator name], [address], contact [contact email]. If you have any privacy questions, you can reach us at that address.

2. Data we collect

We collect and process the following categories of data:

  • Account data: your email address and a securely hashed password. New accounts require email verification.
  • Business listing data: business name, description, category, address, website, and logo. We convert your address into map coordinates (latitude/longitude) so your business can be shown on the map.
  • Proof of social impact: certificates, documents, or photos you upload as evidence of your charitable or social activities.
  • Payment data: subscription status and billing period. Card payments are handled by Stripe; we do not store your full card details. We store a Stripe customer identifier to manage your subscription.
  • Location data: when you browse the map, your device may provide your approximate location to show nearby businesses. This happens with your permission and is used to perform the search.
  • Technical data: basic log and device information needed to operate and secure the service, and an authentication token stored locally on your device to keep you signed in.

3. How and why we use your data (legal bases)

  • To provide the service (create your account, publish and display your listing, run map searches) — performance of a contract (Art. 6(1)(b) GDPR).
  • To process subscriptions and payments — performance of a contract and compliance with legal (e.g. accounting) obligations (Art. 6(1)(b) and (c) GDPR).
  • To send service emails (verification, password reset, approval notifications) — performance of a contract.
  • To review and approve listings, secure the Platform, and prevent abuse — our legitimate interests (Art. 6(1)(f) GDPR).
  • To use your device location for nearby search — your consent (Art. 6(1)(a) GDPR), which you can withdraw at any time in your device settings.

4. Service providers and recipients

We share data only as needed to operate the Platform, with providers acting on our behalf or as independent controllers:

  • Stripe — payment processing and subscription management. See Stripe's privacy policy at stripe.com/privacy.
  • Google Maps Platform — maps, address autocomplete, and geocoding. See Google's privacy policy at policies.google.com/privacy.
  • Email/hosting providers — to deliver our emails and host the service.

Your approved business listing (name, category, address, website, logo, and social-impact summary) is shown publicly on the map by design.

5. International transfers

Some providers may process data outside the European Economic Area. Where that happens, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses or an adequacy decision.

6. How long we keep data

We keep account and listing data for as long as your account is active. When you delete your account, we delete your account, business, and uploaded certificates, and cancel active subscriptions. We may retain limited data where required by law (for example, billing records for statutory retention periods) or to resolve disputes.

7. Your rights

Under the GDPR you have the right to:

  • access the personal data we hold about you;
  • rectify inaccurate or incomplete data;
  • erase your data ("right to be forgotten");
  • restrict or object to certain processing;
  • data portability;
  • withdraw consent at any time, without affecting prior processing;
  • lodge a complaint with a data-protection supervisory authority in your country.

To exercise any of these rights, contact us at [contact email]. Many actions (updating your listing, changing your password, deleting your account) can also be done directly in your dashboard.

8. Security

We use appropriate technical and organisational measures to protect your data, including password hashing, access controls, and encrypted connections. No system is completely secure, but we work to protect your information and review our measures regularly.

9. Cookies and local storage

We use strictly necessary local storage to keep you signed in (an authentication token). We do not use this for advertising. If we introduce analytics or non-essential cookies in future, we will ask for your consent where required.

10. Children

The Platform is intended for businesses and adults. It is not directed at children, and we do not knowingly collect data from anyone under 18.

11. GDPR compliance

We are committed to processing personal data in line with the EU General Data Protection Regulation (GDPR). In summary:

  • Controller: [Operator name], [address], [contact email] is responsible for your data. [If appointed: our Data Protection Officer can be reached at [DPO email].]
  • Lawful basis: we only process personal data where we have a lawful basis under Art. 6 GDPR — see section 3.
  • Data minimisation & purpose limitation: we collect only the data needed to run the service and use it only for the purposes described in this policy.
  • Data protection by design and by default: we apply measures such as password hashing, access controls, and encrypted connections, and we limit data exposure by default.
  • Processors: external providers that process data on our behalf (such as Stripe and Google Maps Platform) do so under data processing agreements as required by Art. 28 GDPR.
  • International transfers: where data leaves the EEA we rely on appropriate safeguards such as Standard Contractual Clauses or an adequacy decision — see section 5.
  • Your rights: you can exercise the rights listed in section 7 by contacting us; we will respond within one month, as required by Art. 12 GDPR.
  • Personal data breaches: in the event of a breach likely to result in a risk to your rights, we will notify the competent supervisory authority within 72 hours and affected individuals without undue delay where the risk is high (Art. 33–34 GDPR).
  • Supervisory authority: you have the right to lodge a complaint with a data-protection authority. In Germany this is the authority of the relevant federal state; our competent authority is [name of your Landesdatenschutzbehörde].

12. Changes to this policy

We may update this policy from time to time. We will post the updated version with a new "last updated" date and, where required, notify you.

13. Contact

For any privacy request or question, contact us at [contact email].
