MapMastery Logo

Privacy Policy

Effective April 1, 2026

About This Policy

This Privacy Policy explains how MapMastery ("Services") collects, uses, discloses, and processes your personal data. By using our Services, you agree to this Privacy Policy.

What We Collect

Information you provide directly:

  • Account information: email address, alias (optional, no real name stored)
  • Student profile: alias (optional, no real name stored), grade level
  • MAP Growth reports (permanently deleted immediately after analysis)
  • Writing samples (permanently deleted immediately after analysis)
  • DIBELS reports (permanently deleted immediately after analysis)
  • Payment information (processed by Stripe, not stored by us)
  • Customer support communications

Information collected automatically:

  • Device and browser information
  • IP address and approximate location
  • Usage data: pages visited, features used, timestamps
  • Error and performance logs
  • Cookies and similar technologies (see our Cookie Policy)

How We Use Your Data

We use your personal data for the following purposes:

  • To provide and maintain the Services
  • To generate AI-powered learning analysis reports
  • To process payments
  • To send account-related communications
  • To improve the Services and conduct research
  • To prevent fraud and ensure security
  • To comply with legal obligations

AI Model Training

AI-generated analysis reports do not contain directly identifiable personal information such as students' real names. We may use report data to improve our Services and train our AI models. We will notify users and obtain explicit consent before doing so.

Student Data & Children's Privacy

MapMastery is designed for parents and guardians managing their children's educational data. We take the privacy of minors very seriously.

  • Accounts must be created by a parent or guardian aged 18 or older
  • Real names of parents and students are not stored. Aliases are optional
  • Grade level is stored to provide accurate analysis
  • MAP Growth reports, writing samples, and DIBELS reports are permanently deleted immediately after analysis
  • AI-generated reports are stored securely and accessible only to the account holder
  • Parents and guardians may delete student profiles and associated data directly from the dashboard. Deletion is processed immediately and cannot be undone
  • If you become aware that a child under 18 has submitted personal data without parental consent, please contact privacy@mapmastery.co and we will take immediate action

How We Share Your Data

We do not sell your personal data. We may share data only in the following cases:

  • AI service providers: OpenAI, Anthropic (for report generation - data processing only)
  • Infrastructure providers: Cloudflare (hosting, storage, security)
  • Payment processors: Stripe (payment processing)
  • Email providers: Resend (transactional emails)
  • Legal authorities: When required by law or to protect rights and safety

All third-party service providers are contractually bound to protect your data and use it only for the purposes we specify.

Data Retention

DataRetention Period
Account information (email, alias)Until account deletion
Student profiles (alias, grade level)Until deleted by user
MAP Growth report originalsPermanently deleted after analysis
Writing sample originalsPermanently deleted after analysis
DIBELS report originalsPermanently deleted after analysis
AI-generated analysis reports (MAP Test/Writing/DIBELS)Retained while account is active
Payment records7 years (Hong Kong law)
System logs12 months

Your Rights

Depending on where you live, you may have the following rights:

  • Access: Request a copy of your personal data
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your data
  • Portability: Request transfer of your data
  • Objection: Object to certain types of processing
  • Withdrawal of consent: Withdraw consent at any time

Please refer to the contact information below to exercise your rights.

Data Security

We implement the following technical and organizational security measures:

  • Encryption of data in transit and at rest
  • Access controls and authentication
  • Regular security monitoring
  • Row-level security (RLS) for database access
  • Secure file storage via Cloudflare R2

International Data Transfers

Bailog Private Limited is a Hong Kong company. Our servers are located in Singapore (Cloudflare). Your data may be processed in:

  • Singapore (primary servers)
  • United States (AI processing via OpenAI and Anthropic)
  • Other countries where our service providers operate

We ensure appropriate safeguards are in place for all international data transfers.

Regional Supplemental Disclosures

For all rights requests and inquiries in this section, please contact privacy@mapmastery.co.

Hong Kong (Personal Data (Privacy) Ordinance, PDPO Cap. 486)

This supplemental disclosure applies to residents of Hong Kong. In case of conflict with our Privacy Policy, this disclosure shall prevail.

We comply with the six Data Protection Principles under the Personal Data (Privacy) Ordinance (Cap. 486). You have the following rights:

  • Right to access personal data held by us
  • Right to correct inaccurate personal data
  • Right to be informed of the purpose of data collection
  • Right to opt out of use of personal data for direct marketing

We will respond to your request within 40 days of receipt.

Singapore (Personal Data Protection Act, PDPA 2012)

This supplemental disclosure applies to residents of Singapore. In case of conflict with our Privacy Policy, this disclosure shall prevail.

We comply with the Personal Data Protection Act 2012 and its 2021 amendments. You have the following rights:

  • Right to access personal data held by us
  • Right to correct inaccurate or incomplete personal data
  • Right to withdraw consent for collection, use, or disclosure of personal data (except where required by law)
  • Right to data portability

Withdrawal of consent may restrict access to certain features of the Service.

International Data Transfers: Your personal data may be transferred outside Singapore (to the United States, Hong Kong, etc.). We ensure appropriate safeguards are in place.

Republic of Korea (Personal Information Protection Act, PIPA)

This supplemental disclosure applies to residents of the Republic of Korea. In case of conflict with our Privacy Policy, this disclosure shall prevail.

Purpose of collection and use:

  • Service provision and contract fulfillment
  • Member management and identity verification
  • Service improvement and new service development
  • Legal obligation compliance

Personal information collected:

  • Required: email address
  • Optional: alias (nickname)

Third-party provision:

We do not provide personal information to third parties in principle. Exceptions are as follows:

  • AI processing: OpenAI, Anthropic (for report generation only)
  • Payment processing: Stripe
  • Email delivery: Resend
  • Infrastructure: Cloudflare

Your rights:

You may exercise the following rights at any time:

  • Right to access personal information
  • Right to correct personal information
  • Right to delete personal information
  • Right to suspend processing of personal information
  • Right to object to automated processing

Cross-border transfers:

DestinationRecipientPurposeRetention
United StatesOpenAI, AnthropicAI analysisDeleted immediately after analysis
United StatesStripePayment processing7 years
United States/EuropeCloudflareInfrastructureUntil account deletion
United StatesResendEmail deliveryDeleted immediately after sending

We will respond within 10 days of receipt. You may file a complaint with the Personal Information Protection Commission (privacy.go.kr) or the Personal Information Infringement Report Center (118).

China (Personal Information Protection Law, PIPL)

This supplemental disclosure applies to residents of China. In case of conflict with our Privacy Policy, this disclosure shall prevail.

We comply with China's Personal Information Protection Law (PIPL). You have the following rights:

  • Right to access and obtain a copy of your personal information
  • Right to correct and supplement your personal information
  • Right to delete your personal information (except where legally required to retain)
  • Right to transfer your personal information
  • Right to explanation and objection regarding automated decision-making
  • Right to withdraw consent for processing

Cross-border transfers: Your personal data may be transferred outside China (to Singapore, the United States, and Hong Kong) for service provision. We implement appropriate safeguards as required by PIPL.

Malaysia (Personal Data Protection Act, PDPA 2010)

This supplemental disclosure applies to residents of Malaysia. In case of conflict with our Privacy Policy, this disclosure shall prevail.

We comply with Malaysia's Personal Data Protection Act 2010. You have the following rights:

  • Right to access personal data held by us
  • Right to correct inaccurate or incomplete personal data
  • Right to withdraw consent for processing
  • Right to opt out of use of personal data for direct marketing

By using our Services, you consent to the collection and processing of your personal data in accordance with this Policy. Withdrawal of consent may restrict access to certain features of the Service.

California, United States (CCPA/CPRA)

This supplemental disclosure applies to residents of California. In case of conflict with our Privacy Policy, this disclosure shall prevail.

Categories of personal information collected:

  • Identifiers: email address, IP address
  • Internet activity information: service usage records
  • Education-related information: AI-generated learning analysis reports

Your rights:

  • Right to know what personal information is collected and for what purpose
  • Right to request a copy of your personal information (twice per year)
  • Right to delete your personal information
  • Right to opt out of sale or sharing of personal information (we do not sell personal information)
  • Right to limit use of sensitive personal information
  • Right to non-discrimination for exercising privacy rights

We will respond within 45 days of receipt.

European Union / EEA (GDPR)

This supplemental disclosure applies to residents of the EU/EEA. In case of conflict with our Privacy Policy, this disclosure shall prevail.

Legal bases for processing:

  • Contract performance: service provision, payment processing
  • Legitimate interests: service improvement, security, fraud prevention
  • Consent: marketing communications, AI model training (separate consent required)
  • Legal obligation: retention of payment records

Your rights:

  • Right of access
  • Right to rectification
  • Right to erasure (right to be forgotten)
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Right not to be subject to automated decision-making and profiling
  • Right to withdraw consent

International Data Transfers: Your personal data may be transferred outside the EEA. We rely on Standard Contractual Clauses (SCCs) and other appropriate safeguards for such transfers.

You have the right to lodge a complaint with the data protection supervisory authority in your country of residence. A full list of EU supervisory authorities is available at edpb.europa.eu.

We will respond within 30 days of receipt.

Cookies

We use cookies and similar technologies. For details, please see our Cookie Policy.

Changes to This Policy

This Privacy Policy may be updated from time to time. We will notify you of material changes via email or in-app notice and update the effective date at the top of this page.

Contact

For questions about privacy or to exercise your rights, please contact us at privacy@mapmastery.co.