Legal

Privacy Policy

Effective Date: April 9, 2026 — Last Updated: April 9, 2026

Read

1. Introduction

MapOutcomes Inc. ("we," "our," or "us") operates the MapOutcomes accreditation platform (the "Platform"). We are committed to protecting the privacy and security of personal information collected through our Platform. This Privacy Policy describes our practices regarding the collection, use, disclosure, and protection of personal information in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Canadian privacy laws.

MapOutcomes is a B2B SaaS platform serving Canadian universities and engineering programs seeking CEAB (Canadian Engineering Accreditation Board) and ABET accreditation. All data is hosted in Canada.

Contact: privacy@mapoutcomes.com

2. Information We Collect

2.1 Personal Information Collected

When you use the MapOutcomes Platform, we collect the following personal information:

Account and Profile Information

  • Full name
  • Professional email address (institutional email preferred)
  • Job title and role within your institution
  • Institution name and affiliation

Usage Information

  • Login credentials (password hashes; we do not store plaintext passwords)
  • Login timestamps and IP addresses (for security and audit purposes)
  • Feature usage patterns and navigation paths within the Platform
  • Export and download activity

Content You Create and Upload

  • Course descriptions and learning outcomes
  • Program-level accreditation mappings
  • Assessment criteria and rubrics
  • Aggregate scoring data and analysis
  • Exemplar documents (e.g., student work samples) — Note: These documents contain no direct student PII (names, student IDs, etc.) and only include aggregate scores
  • Institution-specific configuration and settings

Technical Information

  • Device type and operating system
  • Browser type and version
  • Domain and IP address (for security monitoring)
  • Referring URL and access timestamps

2.2 Information We Do NOT Collect

MapOutcomes does not collect the following:

  • Student names, student IDs, or any directly identifying student information
  • Social insurance numbers (SIN) or government-issued identifiers
  • Financial information (credit cards, bank accounts) — billing is handled separately through institutional purchase orders
  • Health information or sensitive personal data
  • Biometric data

3. How We Use Your Information

3.1 Primary Business Purposes

  1. Service Delivery: To operate and maintain the Platform, including user authentication, access control, and feature functionality
  2. Institutional Accreditation Support: To help your institution manage CEAB/ABET accreditation processes, including course-program-outcome mapping and gap analysis
  3. Customer Support: To respond to inquiries, troubleshoot technical issues, and provide training materials
  4. Account Management: To manage user accounts, process institutional billing, and maintain service records

3.2 Operational Purposes

  1. Security: To monitor for unauthorized access, prevent fraud, and protect Platform integrity
  2. Service Improvement: To analyze usage patterns and improve Platform features and performance
  3. Compliance: To meet legal obligations, including PIPEDA requirements and potential regulatory audits

3.3 Communications

We may send you:

  • Service announcements (maintenance, updates, security notices)
  • Account-related notifications (password resets, login alerts)
  • Product updates and new feature announcements
  • Training materials and best practices

You may opt out of marketing communications at any time by clicking "unsubscribe" in email communications or updating your communication preferences in your account settings. Service announcements and account notifications cannot be opted out of as they are essential to Platform operation.

4. Legal Basis for Processing (PIPEDA Compliance)

Under PIPEDA, we collect, use, and disclose personal information with your consent and only for purposes that a reasonable person would consider appropriate in the circumstances.

Consent: By using the MapOutcomes Platform, you acknowledge that your institution has authorized your access and use of the Platform for accreditation management purposes. Your use of the Platform constitutes consent to the collection, use, and disclosure of personal information as described in this Privacy Policy.

Necessity: We collect only the personal information necessary to provide our services. The information we collect is reasonably required for:

  • Providing accreditation management services to your institution
  • Maintaining security and preventing unauthorized access
  • Complying with legal obligations

5. How We Share Your Information

5.1 We Do NOT Sell Your Data

MapOutcomes does not sell, trade, or rent personal information to third parties.

5.2 Limited Sharing Scenarios

We share personal information only in the following circumstances:

With Your Institution:

  • Your institution's administrators may have visibility into their organization's data
  • Access is role-based and limited to authorized personnel within your institution

Service Providers (Data Processors):

We engage trusted third-party service providers who assist in operating the Platform. These providers have access to personal information only to perform their functions and are contractually obligated to:

  • Use information only for specified purposes
  • Maintain confidentiality and security
  • Comply with PIPEDA requirements

Our current service providers include:

  • Cloud hosting: Canadian-based cloud infrastructure provider (data hosted in Canada)
  • Email delivery: Transactional email service for account notifications
  • Customer support: Ticketing system provider (access limited to support staff)

Legal Requirements:

We may disclose information if required to do so by law or in response to valid requests by governmental authorities (e.g., court orders, search warrants).

Business Transfers:

In connection with a merger, acquisition, or sale of all or substantially all of our assets, personal information may be transferred as part of the transaction. We will provide notice before personal information becomes subject to a different privacy policy.

5.3 No Third-Party Advertising

We do not use third-party advertising cookies or share personal information with advertising networks.

6. Data Retention

6.1 Retention Periods

We retain personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

Data Type Retention Period Notes
Active user accountsDuration of institutional subscriptionAccount remains active while subscription is current
Inactive user accounts90 days after account deactivationAllows for reactivation if needed
Deleted account data30 days after deletionRecovery window; then permanently deleted
Usage logs (IP, timestamps)12 monthsSecurity and audit purposes
Exemplar documentsDuration of subscriptionUser-controlled deletion available
Support tickets24 months after closureCustomer service records
Billing records7 yearsTax and accounting compliance

6.2 Data Deletion

Upon institutional subscription cancellation:

  1. Your institution's data will be exported (if requested) within 30 days
  2. Personal information will be permanently deleted from active systems
  3. Backups containing your data will be purged according to our backup retention schedule (up to 90 days)

To request account deletion, contact: support@mapoutcomes.com

7. Security Measures

7.1 Technical Safeguards

We implement industry-standard security measures to protect personal information:

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Control: Role-based access control (RBAC) limits data access to authorized personnel
  • Authentication: Secure password hashing (bcrypt) and optional two-factor authentication
  • Network Security: Firewalls, intrusion detection, and regular security monitoring
  • Regular Testing: Annual penetration testing and vulnerability assessments

7.2 Administrative Safeguards

  • Employee Training: All employees receive privacy and security training
  • Access Reviews: Quarterly reviews of employee access to personal information
  • Incident Response: Documented procedures for responding to security incidents
  • Vendor Management: Due diligence and contracts for all third-party service providers

7.3 Data Hosting

All MapOutcomes data is hosted in Canada on Canadian infrastructure. We do not transfer data to servers outside Canada without explicit consent and appropriate safeguards.

8. Your Rights Under PIPEDA

8.1 Access

You may request access to the personal information we hold about you. We will respond to access requests within 30 days. Requests should be submitted to: privacy@mapoutcomes.com

8.2 Correction

If you believe your personal information is inaccurate or incomplete, you may request correction. We will amend your information as appropriate and notify any third parties to whom we disclosed the incorrect information.

8.3 Withdrawal of Consent

You may withdraw your consent to our collection, use, or disclosure of personal information at any time, subject to legal or contractual restrictions and reasonable notice. Withdrawal of consent may limit our ability to provide certain services.

8.4 Deletion

You may request deletion of your personal information. We will comply with deletion requests unless we are required to retain the information for legal, contractual, or legitimate business purposes.

8.5 Complaints

If you wish to file a complaint about our privacy practices, please contact us first at privacy@mapoutcomes.com. We will investigate and respond within 30 days.

If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada (OPC):

9. Breach Notification

9.1 What Constitutes a Breach

A personal information breach occurs when there is unauthorized access to or disclosure of personal information under our control, including:

  • Accidental or unauthorized collection, use, or disclosure
  • Accidental loss or destruction of personal information
  • Unauthorized access to personal information

9.2 Our Breach Response

In the event of a personal information breach that poses a real risk of significant harm to individuals, we will:

  1. Contain and Assess: Immediately contain the breach and assess the risk of harm
  2. Notify: Promptly notify affected individuals and the Office of the Privacy Commissioner of Canada as required by PIPEDA
  3. Document: Maintain a record of the breach including facts, effects, and remedial actions taken
  4. Remediate: Take steps to prevent future occurrences

9.3 Notification Content

Notifications will include:

  • A description of the breached information
  • Contact information for further inquiries
  • Steps individuals can take to minimize potential harm
  • Our remedial actions

10. Children's Privacy

MapOutcomes is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete such information promptly.

11. International Transfers

All MapOutcomes data is hosted in Canada. We do not transfer personal information to jurisdictions outside Canada without:

  • Explicit consent from the affected individuals
  • Appropriate safeguards (e.g., standard contractual clauses)
  • A legal basis under PIPEDA section 8

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to users via email and/or a notice on the Platform at least 30 days before the changes take effect.

To review the current version, visit: mapoutcomes.com/privacy-policy

13. Contact Information

If you have questions or concerns about this Privacy Policy or our privacy practices, please contact us:

MapOutcomes Inc.
Email: privacy@mapoutcomes.com
Support: support@mapoutcomes.com
Website: mapoutcomes.com

Privacy Officer: For privacy-related inquiries, contact our Privacy Officer at privacy@mapoutcomes.com.

14. Glossary

CEAB
Canadian Engineering Accreditation Board — the body that accredits Canadian engineering programs
ABET
Accreditation Board for Engineering and Technology — US-based accreditation body with international recognition
PIPEDA
Personal Information Protection and Electronic Documents Act — Canadian federal privacy law governing how private-sector organizations collect, use, and disclose personal information in the course of commercial activities
Personal Information
Information about an identifiable individual (includes name, contact information, location, opinions, etc.)
Exemplar Documents
Sample work products submitted for accreditation review — may include student work but contain no direct student identifiers (names, IDs, etc.)

This Privacy Policy is for informational purposes and represents MapOutcomes' current privacy practices. It does not constitute legal advice. For legal advice regarding privacy compliance, consult a qualified Canadian privacy lawyer.