1. Introduction
This Privacy Policy explains how AdaptivMapr (“we”, “us”, “our”) collects, uses, and shares personal data when you use the AdaptivMapr platform, our website at adaptivmapr.com, our REST API, MCP server, and Workbench (collectively, the “Services”).
The policy is written to comply with the EU General Data Protection Regulation (GDPR), the Swiss Federal Act on Data Protection (nFADP, in force since 2023), the UK GDPR / Data Protection Act 2018, and the California Consumer Privacy Act / California Privacy Rights Act (CCPA / CPRA). Where mandatory local rules apply, they take precedence over the general language below.
For most uses of the Services you are the controller of your end-user data and AdaptivMapr is your processor; that relationship is governed by our Data Processing Addendum, available at /legal/dpa. This Privacy Policy applies in full where AdaptivMapr is the controller (e.g. for our account holders, billing contacts, and website visitors).
2. Data we collect
2.1 Account data
- Email address, full name, workspace name;
- Authentication metadata (hashed password, MFA seed, SSO claims if your IdP is connected);
- Workspace role (Owner, Admin, Developer, Viewer) and team membership.
2.2 Usage data
- API request metadata: timestamp, endpoint, response status, duration, tier, billed unit count;
- Mapping decisions: source header text, target field chosen, layer (statistics / heuristic / LLM), confidence. Row values are not stored in schema-only mode;
- Uploads: file size, MIME type, column count, row count.
2.3 Billing data
- Stripe customer ID, subscription ID, plan, invoiced amounts, payment status;
- Billing address and VAT number, if you supply them at checkout;
- We never see your card number, expiry, or CVC — these flow directly to Stripe via their hosted Elements widget.
2.4 Technical data
- IP address (truncated to /24 IPv4 or /48 IPv6 at the edge before it reaches application logs);
- User-agent string;
- Edge request logs retained for 14 days for incident-response and abuse-detection purposes.
2.5 Data we deliberately do not collect
- Row content in schema-only mode — only header text and up to three sample values (≤80 chars each) leave your environment;
- Biometric data, precise geolocation, behavioural cookies, advertising identifiers;
- Sensitive categories of personal data unless explicitly part of a customer's schema and processed under a signed DPA + applicable BAA (via PHI Gateway).
3. How we use data
- To provide the Services — authenticate API calls, run the cascade, return mapping recommendations, validate outputs;
- To bill correctly — emit meter events to Stripe, calculate overages, issue invoices;
- To support you — respond to support requests, troubleshoot incidents, communicate planned maintenance;
- To improve the Services — learn from anonymized header-to-target mappings (no row values) to strengthen the deterministic statistics layer. You can opt out from workspace settings;
- To send transactional emails — account verification, security alerts, invoice notifications, breaking-change notices;
- To meet legal obligations — retain billing records for tax / accounting law, respond to lawful requests from authorities.
We do not use your data for behavioural advertising and we do not sell or share personal data with third parties for their own purposes (within the meaning of CCPA / CPRA).
4. Legal bases (GDPR / nFADP)
Where GDPR or nFADP applies, we rely on the following legal bases:
- Contract (Art. 6(1)(b) GDPR) — to provide the Services you have subscribed to, including authentication, billing, and support;
- Legitimate interest (Art. 6(1)(f) GDPR) — to operate the platform securely (abuse detection, rate limiting, incident response), to improve the deterministic cascade layer with anonymized mapping fingerprints, and to send essential service communications;
- Legal obligation (Art. 6(1)(c) GDPR) — to retain billing records for tax law, to respond to lawful requests;
- Consent (Art. 6(1)(a) GDPR) — for any optional marketing communications. You can withdraw consent at any time.
5. Sharing & subprocessors
We share data with the following categories of recipients, all bound by written agreements with confidentiality and security obligations consistent with this Policy and our DPA:
- Stripe Payments Europe Ltd. (Ireland) — billing, payment processing, invoicing. Stripe receives your billing email, name, address, VAT number, and card details (which we never touch).
- Vercel Inc. (USA, with EU edge deployments) — hosting of the marketing site and Next.js routes. Vercel processes edge request metadata.
- Cloudflare Inc. (USA, with EU PoPs) — DNS, DDoS protection, edge cache, transactional email forwarding. Cloudflare processes IP addresses and request metadata.
- Supabase Inc. (Ireland-hosted for EU customers) — account database (email, hashed password, workspace metadata).
- Upstream LLM providers — OpenAI Ireland Ltd., Anthropic PBC, or Mistral AI SAS, depending on the model your workspace selects. The LLM layer of the cascade sends column header text and up to 3 sample values; row content is never sent in schema-only mode. If you supply your own LLM key (BYO-LLM-key), the call is made under your provider account.
- PHI Gateway — for any full-data-mode call, AdaptivMapr delegates to PHI Gateway under your separately-executed BAA / DPA with PHI Gateway.
A current subprocessor list with locations and processing purposes is maintained at /legal/dpa#subprocessors and on our security page at /legal/security.
6. International transfers
We store account, billing, and edge log data primarily in the European Union (Frankfurt and Dublin) and Switzerland (Zurich, eu-central-2).
Some subprocessors are located in or transfer data to the United States or other third countries. For these transfers we rely on:
- The EU Standard Contractual Clauses (Modules 2 and 3, Commission Decision 2021/914) for transfers out of the EEA;
- The UK Addendum issued by the UK ICO for transfers out of the UK;
- The Swiss adequacy decisions and supplementary clauses where the recipient country does not appear on the Swiss list of adequate jurisdictions;
- The EU-US Data Privacy Framework where the recipient is certified (currently Stripe, Vercel, Cloudflare).
7. Retention
- Parsed upload content — kept in an in-process map for up to 24 hours, then automatically discarded;
- Mapping fingerprints (header text + chosen target field, no row values) — kept indefinitely to improve the deterministic cascade layer; deleted on workspace deletion or opt-out;
- Edge request logs — 14 days;
- Account records — for the lifetime of the workspace, plus 90 days after closure for transactional reconciliation;
- Audit logs — retained for 7 years to meet billing and accounting law;
- Backups — encrypted daily snapshots retained for 30 days; deletion requests are honoured on the next overwrite cycle.
8. Your rights
Depending on where you reside, you may have the following rights with respect to your personal data:
- Access — request a copy of the personal data we hold about you;
- Rectification — correct inaccurate or incomplete data;
- Erasure — request deletion, subject to legal retention obligations (notably billing records);
- Restriction — limit our processing in certain circumstances;
- Portability — receive your data in a structured, machine-readable format;
- Objection — object to processing based on legitimate interest;
- Withdrawal of consent — for any consent-based processing;
- Not to be subject to automated decisions producing legal or similarly significant effects without human review. The AdaptivMapr cascade is a decision-support tool; final acceptance of a mapping decision happens in your environment, not ours.
To exercise these rights, email dpo@adaptivmapr.com. We will respond within one month of receipt (extendable by two further months for complex requests, with notification). If you believe we have failed to handle your request properly, you have the right to lodge a complaint with your local supervisory authority — for Swiss residents, the FDPIC (edoeb.admin.ch); for EU residents, the supervisory authority of your member state.
9. Children's privacy
AdaptivMapr is a B2B platform and is not directed at children. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a minor, please contact us and we will delete it.
10. Cookies
The marketing site and dashboard use only strictly necessary cookies for session management, CSRF protection, and load balancing. We do not use analytics, advertising, or social media cookies in the default configuration. If we add optional analytics in the future, we will request your consent and surface a cookie preferences control before any non-essential cookie is set.
11. Changes to this Policy
Material changes will be notified to the email address on file for the workspace at least 30 days before they take effect. The version history of this document is recorded by the “Last updated” date at the top of the page.
12. Contact
For privacy questions or to exercise your rights, contact our Data Protection contact at dpo@adaptivmapr.com. General company contact: hello@adaptivmapr.com.