Privacy Policy

Mapped Research LLC, a Wyoming limited liability company ("Mapped," "we," "our," or "us"), is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered systematic review platform and related services (the "Service").

This policy applies to all users of the Service worldwide, including researchers, institutions, and organizations. By using the Service, you consent to the practices described in this Privacy Policy.

We collect the following categories of information:

• Account Information: Name, email address, institutional affiliation, and professional credentials when you create an account.
• Research Data: Project data, research questions, PICOS criteria, extracted data, analysis results, manuscripts, and other content you create or upload to the platform.
• Usage Data: Information about how you interact with the Service, including features used, session duration, workflow progress, and actions taken.
• Technical Data: IP address, browser type and version, device information, operating system, and server log files for security and performance monitoring.
• Payment Data: Billing information and payment details processed through our third-party payment processor. We do not store credit card numbers on our servers.
• Consent Records: Records of your acceptance of our Terms of Service and this Privacy Policy, including timestamps, IP addresses, and user agent strings for legal compliance.

We use the information we collect to:

• Provide, maintain, and improve the Service, including processing your research workflows and generating AI-assisted analyses
• Authenticate your identity and manage your account
• Process payments and manage subscriptions
• Communicate with you about your account, support requests, and Service updates
• Ensure platform security, detect fraud, and prevent abuse
• Analyze aggregated, anonymized usage patterns to enhance the user experience and develop new features
• Comply with legal obligations, enforce our Terms, and protect our rights

We do not sell your personal information or research data. We do not use your research data for training AI models without your explicit, separate opt-in consent.

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your personal data on the following legal bases under the General Data Protection Regulation (GDPR):

• Contract Performance (Article 6(1)(b)): Processing necessary to provide the Service you requested, manage your account, and fulfill our contractual obligations.
• Legitimate Interests (Article 6(1)(f)): Processing necessary for platform security, fraud prevention, service improvement, and enforcing our Terms. We balance these interests against your data protection rights.
• Consent (Article 6(1)(a)): Where required, we obtain your explicit consent for non-essential analytics cookies, marketing communications, and any use of your data for AI model improvement. You may withdraw consent at any time.
• Legal Obligation (Article 6(1)(c)): Processing necessary to comply with applicable laws and regulations.

The Service uses AI models from multiple providers to assist with research tasks. Here is how your data is processed through these systems:

• Processing scope: Research data (PICOS criteria, search queries, abstracts, extracted data) is sent to AI providers solely to generate the research outputs you request (screening suggestions, data extraction, analysis, narrative generation).
• Ephemeral processing: Data is processed through AI provider APIs and is not retained by AI providers beyond the API call, in accordance with their respective data processing agreements.
• No model training: Your research data is not used to train, fine-tune, or improve any AI models without your explicit, separate opt-in consent.
• Human-in-the-loop: AI generates suggestions only. All final decisions are made by the researcher. Mapped does not make autonomous decisions based on your data.

We do not sell, rent, or trade your personal information. We share data only with the following categories of recipients, solely as necessary to provide the Service:

We may also share information when required by law, to protect our rights, in connection with a business transfer, or with your explicit consent.

Your data is processed and stored in the United States through our sub-processors listed in Section 6. If you are located outside the United States, your data will be transferred to the United States for processing.

For transfers from the EEA, UK, or Switzerland, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Supplementary security measures including encryption in transit and at rest
• Data processing agreements with all sub-processors that include appropriate data protection obligations

We implement industry-standard technical and organizational measures to protect your data:

• Encryption: All data in transit uses TLS 1.3 encryption. Data at rest is encrypted using AES-256.
• Access Controls: Role-based access controls (RBAC) ensure only authorized users and personnel can access data.
• Infrastructure: We use SOC 2 Type II compliant cloud infrastructure with regular security audits.
• Backup & Recovery: Regular automated backups ensure data availability and disaster recovery capabilities.
• Incident Response: We maintain an incident response plan with defined procedures for breach detection, containment, and notification.

Despite these measures, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security but are committed to protecting your data using commercially reasonable means. To report a security concern, contact security@mappedresearch.com.

We retain your personal data and research projects for as long as your account is active and as needed to provide the Service. Specifically:

• Active accounts: Data is retained for the duration of your account.
• Deleted accounts: Upon account deletion, you have a 30-day grace period to export your data. After 30 days, your data is permanently purged from our systems.
• Legal holds: We may retain certain data beyond these periods to comply with legal obligations, resolve disputes, or enforce our agreements.
• Consent records: Records of terms acceptance are retained indefinitely as part of our legal audit trail.

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the GDPR:

• Right to Access: Request copies of your personal data.
• Right to Rectification: Request correction of inaccurate or incomplete data.
• Right to Erasure: Request deletion of your personal data under certain circumstances.
• Right to Restrict Processing: Request limitation of how we process your data.
• Right to Data Portability: Request transfer of your data in a structured, machine-readable format.
• Right to Object: Object to processing based on legitimate interests.
• Right to Withdraw Consent: Where processing is based on consent, withdraw at any time without affecting prior processing.

To exercise these rights, contact us at privacy@mappedresearch.com. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected.
• Right to Delete: Request deletion of your personal information, subject to certain exceptions.
• Right to Opt-Out of Sale: We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise these rights, contact us at privacy@mappedresearch.com. We will respond within 45 days as required by CCPA.

Where the Egyptian Personal Data Protection Law (Law No. 151 of 2020) applies, we comply with its requirements and Executive Regulations. Your rights include:

• The right to be informed about the collection and processing of your personal data
• The right to access, correct, and delete your personal data
• The right to restrict or object to processing
• The right to be notified of data breaches within the timeframes specified by law

Cross-border transfers are conducted in compliance with applicable data protection requirements, including adequate safeguards as required by law.

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

• Notify the relevant GDPR supervisory authority within 72 hours of becoming aware of the breach, where applicable
• Notify relevant supervisory authorities under applicable law within 72 hours, where required
• Notify affected individuals without unreasonable delay when the breach is likely to result in a high risk to their rights and freedoms
• Document all breaches, their effects, and the remedial actions taken

Cookies. We use cookies and similar technologies as described in our Cookie Policy. You can manage cookie preferences through our consent banner or your browser settings.

Children. The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected information from a person under 18, we will take steps to delete it promptly.

Changes to This Policy. We may update this Privacy Policy from time to time. For material changes, we will provide notice via email or through the Service at least 30 days before the changes take effect. Your continued use after the effective date constitutes acceptance. The "Last updated" date at the top of this page indicates when this policy was last revised.

Contact. If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us: