Privacy Policy

This policy describes how MAP Resources and authorized representatives of MAP Resources ("we," "us," and "our") may "handle" (collect, store, process, share, and otherwise modify or use) data about you and your use of content and services provided by MAP Resources ("our services"). If you interact with or otherwise use our services, we will handle your data as described in the latest version of this policy, which can be accessed at https://maphelp.page/privacy.

Our approach to privacy

At MAP Resources, we work tirelessly to ensure MAPs, their supporters, and the public always have access to the support and information they need to stay safe, healthy, and informed. As part of this work, we use data for several purposes, such as improving the contents of our website based on user feedback. We know transparency is important to our users, so we provide this policy to explain how we use data and describe the methods we use to keep your information safe and put you in control.

Prioritizing your safety

We firmly believe that seeking support should never put someone at risk. That's why we published our Privacy and Security Guide (which helps MAPs and allies stay safe online) and our Guide to Selecting a Therapist (which helps MAPs find safe and effective professional support). In addition to those and other safety-focused projects, we also prioritize safety when handling data. This means we may sometimes ask other companies to handle data for us if they are better equipped to keep it safe.

We also consider worst-case scenarios when deciding what data to handle and how. For example, we try to stop hackers from accessing any data we store, but we also work to ensure that data wouldn't be useful to a hacker if they managed to steal it. One way we do this is by trying not to collect unnecessary data. You can help us with this by not providing information tied to your identity, such as by using an email address that is linked to a pseudonym if a form requires your contact info.

Giving you options

Although we take extensive measures to keep your data safe, we know some people still won't be comfortable with us having any data. Everyone deserves support, so we try to provide options for everyone. In this case, the MAP Resources Backups allow anyone to download everything they need to view the contents of our main website (https://www.mapresources.info) offline. Yes, that means you can turn your internet off while viewing or view it on a device that doesn't have internet access.

You're in control

Just like support, privacy works best when you have a say in the process. Many of the resources and options listed here allow you to decide what data we collect about you, and we'll provide more throughout this policy. We also allow you to exercise several rights to control your data. These include the right to request a copy of your data or ask that it be deleted. Unlike some companies, we don't require you to live in a specific area to do this; if we are handling your data, you can exercise these rights.

Data collection

Identifying the needs of our users is an important part of providing safe and effective support. We do this in a couple of ways. We work with the MAP community to identify support needs and inform our future content. We also sometimes ask MAPs and allies for feedback on new lists of resources before they are published. Data also plays a role in this. For example, when people visit our website, we may collect data about the pages they view and links they click to understand their support needs.

We also collect data to take action on behalf of or at the request of our users. This only happens with explicit consent. For example, if someone asks us to remove a certain resource because they had a bad experience with it, the information they share about their experience will be collected with their request for us to review. Another example could be a user asking us to help them find safe therapists in their area, in which case we would collect the information they provide about their location.

How we collect data

There are a few different ways we can collect data:

• You provide it to us. For example, if you send us an email, DM us on social media, or make a submission using a contact form, we will collect the information that you include in the message. This includes data associated with the contact method, such as your email address or username. This type of data collection may include information about you - including information that could be easily used to identify you - if you choose to share it. Since this form of data collection only occurs if you take a specific action, you are opted out by default.

• Others share it with us. For example, if you ask another organization to help you find resources and they partner with us, they might send us some information about your needs so we can make our own suggestions. We do not accept unsolicited data about anyone unless it is anonymized and relevant to another person's support request. The information included in this type of data collection depends on your actions and our partnerships. Third parties that send us data are responsible for disclosing what types of information are included.

• Our systems record it. For example, if you start filling out our Feedback Form and then stop, we'll collect some data about where you left off so we can check that nothing is broken. In most cases, data collected this way is anonymized, meaning identifying information is removed and we don't know who the data is about. We use automatic data collection across our services, and it is one of the main ways we collect data to help us improve. We use tools like Google Analytics to facilitate this type of data collection when you use our services.

• It is public information. For example, if we are trying to obtain a copy of a research paper and one of the author's contact information is posted on a website belonging to them, their employer, or a reputable scientific organization, we may collect that data so we can reach out to them. However, we are committed to avoiding public sources of data that were compiled or published with the intent to cause harm or without consent. This means we never use doxxing sites, people search sites, or data brokers to collect anyone's personal information.

To enable certain functionality we and some third parties may store small files known as cookies on your device. In most cases, cookies we store are necessary for our services to function properly and you automatically consent to their use by using our services. If we ever want to use a cookie that is not required for our services to function properly, we will ask for your permission before doing so. Most browsers allow you to control the cookies that are stored on your device in your privacy settings.

Types of data we collect

The types of data we might collect can be split into the following categories:

• Information about you is data about you as a person. This can be further divided into two subcategories:

  • Identifying information is information that could be used to easily identify you, such as your real name, identifying contact info, or area of residence. We do not collect this information unless it is absolutely necessary and we never collect it without your consent. For example, one of the few times we collect identifying information is if you ask us to remove a resource because you are an authorized representative of the group providing the resource. In this case, we will ask you to provide a professional email address where we can contact you to confirm your role.

  •  Personal information is information about you that could not be used to easily determine your identity, such as your alias, sexual orientation, pseudonymous contact info, or city of residence. Excluding your current location - which is automatically collected when you use certain services of ours - we only collect this information if you choose to provide it. For example, if you apply to volunteer for MAP Resources, we will ask you to provide an alias and email address that we can use to reach you, as well as some information about any relevant experience that you have.

• Information about your device is data from and about the device you use to interact with our services, such as device model and specifications, operating system type and version, browser type and version, time zone, and network information. This information is shared with our systems when you access our services to ensure they function properly on your specific device. This is normal behavior for most websites and online services. In addition, we collect this information so we can identify any issues with our services that are affecting certain devices, browsers, or networks.

• Information about your activity is data about the actions you take while using our services, such as pages you visit, links you click, your scrolling behavior, searches you perform, and files you download. In some cases, it may include information about your activities on other websites. For example, if you click a link to MAP Resources on another website, we may collect the website address where you clicked the link. This form of data collection helps us understand how people are finding and using our services, and it occurs automatically when you use some of our services. 

Limiting your exposure

Limiting the data we collect is a major way we protect your privacy. Aside from your general location, we never collect information about you unless you choose to provide it. We also try to separate information about you that you have provided from data about your device and activity. For example, if you visit our website and then submit a MAP Message, we will not be able to link your website usage data to the message unless you were the only person who performed both of those actions that day.

We also strive to provide additional controls for users who would like to opt out of certain forms of data collection. Since we use third parties to enable most data collection, these controls are usually provided by third parties. For example, Google's policy regarding information from sites that use their services has instructions for opting out of our main analytics tool. You may be able to find additional opt-out instructions in the privacy policies of other third parties we use to provide our services.

There are additional steps you can take to limit or falsify the data we collect. For example, some browsers and browser extensions can prevent our systems from receiving information about your activity by blocking the signals our services send when you take certain actions. Alternatively, a VPN can alter public-facing data about you and your device, giving us a false IP address and current location. You can learn more about options to preserve your privacy in our Privacy and Security Guide.

Data storage and access

In general, we try to minimize the places where user data is stored and the number of people and organizations who have access to it. This means we usually store data in the location where it was first collected unless the reason we are handling it requires it to be moved elsewhere. For example, if someone submits a response using one of our contact forms, we may copy some data from their response to our internal email and team chat services so that the appropriate people can take action.

We may also save backup copies of some data (not to be confused with MAP Resources Backups) in a secondary location to ensure we are able to continue providing our services even if we lose access to the original data. Backups are stored in an end-to-end encrypted form, meaning they are only accessible to authorized MAP Resources staff members. We restrict access to a few select individuals on our team to reduce the risk of backed-up data being misused or accessed without authorization.

Protecting your data

When we store data, we take reasonable precautions to prevent unauthorized access. These may include:

• Password protection

• Multi-factor authentication

• Obfuscation of the data's contents

• Obfuscation of the data's connection to MAP Resources

• Encryption

Deleting stored data

Data helps us provide and improve our services, but storing it for longer than necessary would contradict our steadfast commitment to your privacy. That's why we've established clear timelines for storing different types of data before we take action to ensure it can't be linked back to you anymore. For example, we might anonymize data by removing information so that it becomes impossible to identify the subject, even if it's combined with additional data, or we might delete it entirely.

Our rules about how long we keep data ("retention periods") are set up so that the following statement will always be true: if you stopped using MAP Resources' services today and immediately canceled all requests that would require us to process your data, all of your data that we control would be deleted or anonymized within 1 year. This ensures that your privacy is always protected, even if you are unable to exercise your rights over your data or otherwise restrict the data that we have.

Our specific retention policies are listed below:

• Data that is recorded by our systems (such as information about your use of our services) will be partly anonymized upon collection when possible. This means we will not be able to link it back to you unless you use our services again, as doing so may allow us to determine that you are using the same device and link your old data to the new data. If you stop using our services, we will fully anonymize this data wherever possible within a year.

• Data that we are storing for a specific reason (such as a request for us to add a new resource based on a positive experience) will be deleted or anonymized wherever possible as soon as the reason we collected it no longer applies. In this example, once we finished our evaluation, we would either delete your request and linked data or remove all identifying information so we could reference it during future reviews of that resource.

• Backup copies of data are deleted within 90 days of a new backup being taken. New backups are typically taken at several points throughout the year. When the original copy of backed-up data is deleted, either per our retention policies or because we received a valid data deletion request, that change will be reflected in all future backups. Therefore, all deleted data will be completely removed from our backups within 5 months of deletion.

In the unlikely event that we need to restore data from a backup, we will try to honor retention policies and data deletion requests. For example, if we have a record of a data deletion request that affected the data being restored, we will reprocess the request after the data has been restored. We may use automated tools to delete restored data that had been deleted under our retention policies. If we do not know when data was collected, we may act as if it was collected at the time of restoration.

Third-party storage

When a third party stores data on our behalf - either because that third party collected it or because we are using a third-party service to store data collected from another source - we take reasonable precautions to secure our method of accessing the data. We will always handle our copy of data in accordance with this policy, regardless of who is storing it. When we have some level of control over how a third party handles data, we will instruct them to handle it in accordance with this policy.

Processing data

We "process" (analyze, consider, combine, draw insights from, and otherwise use) data for a number of reasons, most of them some form of providing, improving, or protecting our services. For example, if a researcher asks us to review a study they are drafting, we will use the information they provided in their request to confirm their credentials. Similarly, if someone uses our Feedback Form to report a bug on our website, we will use the information in their submission to identify and fix the issue.

Restricting data use

When you or others share data with us or allow our systems to collect it, we know it comes with the expectation that we'll use it appropriately. This is why we only ever use data for the reasons it was collected. For example, if you send us an email to ask a question, we will only use your email address to respond to that question. We never use data about you to display targeted ads on our services, send unwanted messages, or identify users who have chosen not to share any identifying information.

How we use data

We process data for the following purposes:

• Research and analytics. Data collected for this purpose helps us understand our users and their needs so we can continue creating helpful content. For example, if you search for a specific type of resource on our website, our systems will record that so we can find resources that would help you. We use data about you, your device, and your activity for this purpose. The legal basis for this processing is our legitimate interest or your consent.

• Security and maintenance. Data collected for this purpose helps us identify problems with our services and discover threats against us, our services, and our users. For example, if you encounter an error page while browsing our website, our systems will record that so we can identify the issue's source and resolve it. We use data about your device and your activity for this purpose. The legal basis for this processing is our legitimate interest.

• Outreach and engagement. Data collected for this purpose helps us collect and share information to raise awareness of MAPs and MAP Resources. For example, we might use data about our existing users to find new ways to connect with and support potential users on social media websites and other platforms. We use data about you, your device, and your activity for this purpose. The legal basis for this processing is our legitimate interest.

• Providing our services. Data collected for this purpose helps us connect you with or provide the support you need. For example, if a researcher asks us for help finding specific groups for their study, we would use information about the study topic and the desired participants to help them find platforms to recruit participants. We use data about you and your activity for this purpose. The legal basis for this processing is your consent.

Sharing data

Sharing data with partners, third parties, and the public allows us to provide more services and better services than we can by ourselves. For example, if we provide a service that allows users to support each other in a safe environment, we might partner with an existing support group that already has systems and moderation in place to facilitate that. Or, if we needed help understanding why so many people visited a certain page, we might run analytics data through a third-party analysis tool.

Why we share data

There are a few reasons we might share data:

• Accessing tools. For example, we might share analytics data with a visualization tool to graph website usage for an internal report.

• Automatic sharing. For example, tools like Google Analytics allow us to understand how people use our website when we share data.

• Obtaining insights. For example, we might share the contents of an email with a researcher if we need help answering a scientific question.

• Providing services. For example, we might share data about you with a partner organization so they can recommend treatment options.

• Public outreach: For example, we might publish statistics about the number of users our website has to draw awareness to our services.

• Reporting harassment: For example, we may send threats against our services or staff to appropriate law enforcement organizations.

• Thwarting attacks: For example, we might share server logs from a DDoS attack with a security service to identify the attack's source.

Protecting shared data

Your data is worth protecting, so we're cautious about who we share it with and why. We never sell your data, share data with the goal of identifying our users, or share data that isn't relevant to the reason for sharing. We try to avoid sharing data from several sources that could be combined to obtain additional data that was intended to remain private. We limit how third parties can use shared data where possible, however, their copy of any shared data will likely be subject to their own policies.

Data we receive

In some cases, organizations may share data with us, either so we can help them provide a service as part of a partnership or because they collected it on our behalf. We will not accept data shared with us by other organizations if it is unsolicited or does not fall within one of these two cases. When we reject shared data, we will either stop it from coming into our possession or delete it when it does. When we accept this type of shared data, our copy will be handled in accordance with this policy.

Your rights

We believe giving you control over your data is an essential part of ensuring your privacy. Therefore, we grant you several rights over the data we handle about you, your devices, and your activity. Some regions have legislation in place to protect or mandate certain rights, but we extend them to all of our users, no matter where they currently reside. If you wish to exercise any of the rights listed here, you can reach out using the contact information that is provided near the bottom of this policy.

We grant you the following rights:

1. The right to request deletion of any data we are handling that can be linked back to you.

2. The right to receive clarification on what data we handle, how we handle it, and why.

3. The right to access any of the data we are handling that can be linked back to you.

4. The right to correct any of the data we are handling that can be linked back to you.

5. The right to cancel any requests or agreements that require us to process your data.

6. The right to opt out of, limit, or object to the handling of your data in certain ways.

Submitting a request

You may exercise any of these rights by submitting a request at any time. If you submit a request, you will still be able to access our services unless the request specifically prevents us from processing data in a way that would be necessary to provide you with a service. In that case, you would have the option to alter or revoke your request or refrain from using that service. To the extent we are able, we will apply your request to all of the data you specify, even if we are not legally obligated to.

Depending on the right you are exercising, your request should include any information we need to take appropriate action. For example, if you are requesting that your data be deleted, you should provide information about you that we can use to track down associated data. This could be as simple as submitting your request from the email address associated with the data. We are not responsible for actioning any data that we cannot identify as yours based on the information in your request.

Our process

We will respond to your request within 30 days of receiving it. Our response will acknowledge receipt and take one of the following actions:

1. Requesting additional information so we can better fulfill your request

2. Asking for proof of your identity to make sure the request is legitimate

3. Responding to the request if it was a question about how we handle data

4. Providing a timeline of the actions we will take to fulfill your request

5. Confirming we have actioned your request on data identified as yours

If you ask us to take specific actions on certain data, your request will be applied to each applicable piece of data within 60 days of us receiving the information we need to identify that data as belonging to you. To ensure your request is actioned quickly, please monitor the contact method you use to submit the request for any follow-up from us. We may also ask for your permission to store a copy of your request even after it is completed to ensure it is applied to any data we collect going forward.

Additional information

Most handling of data is done by third parties on our behalf. You can find the locations where this takes place in the policies linked on our Third Parties page. In addition to third-party processing, MAP Resources handles user data directly in the following regions:

• United States

Some regions provide you with the right to complain about our handling of data to a supervisory authority. If you are considering exercising this right, we encourage you to reach out to us first so we can clarify our approach and work with you directly to resolve any concerns or problems. 

Supplemental policies

Some of our services may have supplemental policies regarding how data is handled when it is collected specifically for those services. You will always be given access to these policies before you use any services that cause your data to become subject to them. This policy always applies to our handling of data by default, however, supplemental policies can override certain parts of it.

Some of our services that currently have supplemental policies include:

• Donating

• Volunteering

Data on minors

MAP Resources does not knowingly handle data about individuals who are legally under the age of 13. If we are made aware of any such data, it will be deleted or anonymized in accordance with the data deletion practices described in this policy. 

Legal exception

MAP Resources reserves the right to handle data in ways that would otherwise violate this policy if and only if we are legally required to do so by a valid warrant, court order, relevant legislation, or other legal obligation. Keep in mind, we cannot share data we do not have and we cannot collect data that is never made available to us. We encourage our users to take steps to protect any information they consider sensitive, even if they trust us.

Limitation of scope

This policy applies to all actions taken by MAP Resources to handle user data, as well as the instructions given by MAP Resources to other companies and organizations that process data on our behalf. We accept no responsibility for the actions taken by third parties in violation of our instructions or their own policies. In addition, we are not responsible for any imperfections, shortcomings, or weaknesses that may be present in standard approaches to data deletion or anonymization.

Changes to this policy

MAP Resources reserves the right to change this policy at any time and without notification. Some updates may be announced on our Telegram channel, however, we accept no formal responsibility for making such announcements. By using our services, you consent to your data being handled as described in the latest version of this policy. If you would like to revoke this consent, stop using our services immediately, cancel all requests that would require us to process your data, and submit a data deletion request as described above. 

Contacting us

If you have questions about this policy or our approach to user privacy, or if you would like to submit a request to exercise one of your rights described above, please send an email to privacy@mapresources.info. Most emails receive a response within a week, however, some may require up to a month.