Privacy Policy

1. Introduction

ValueMap Inc. ("ValueMap", "we", "us", or "our"), incorporated in Ontario, Canada, is committed to protecting the privacy of our customers and their authorized users. This Privacy Policy explains how we collect, use, disclose, and safeguard personal information when you use the ValueMap platform ("Service").

Our primary privacy obligations arise under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Ontario privacy legislation. We also comply with the EU General Data Protection Regulation (GDPR) and UK GDPR for users in those regions, and the California Consumer Privacy Act (CCPA/CPRA) for California residents. Where requirements differ across these frameworks, we apply the standard that best protects your data.

2. Information We Collect

2.1 Account & Organization Data

When you register and set up your Organization, we collect your name, email address, company name, job title, and billing information. Administrators may also add names and email addresses for other users within their Organization.

2.2 Product & Financial Modeling Data

We collect data you enter into ValueMap, including portfolio and initiative structures, financial inputs (benefits, costs, scenarios), metric configurations, and approval workflow data. This data belongs to you as described in the Terms of Service.

2.3 Usage & Technical Data

We automatically collect certain technical data when you use the Service, including IP address, browser type and version, operating system, pages and features accessed, session duration, and error logs. This is used to maintain, improve, and secure the Service.

2.4 Communications Data

If you contact us for support or otherwise communicate with us, we retain records of those communications to resolve issues and improve our service.

2.5 Cookies & Tracking Technologies

We use cookies and similar technologies for authentication, session management, and analytics. You can control cookies through your browser settings, though disabling certain cookies may affect Service functionality. We do not use cookies for advertising or cross-site tracking. We use PostHog as our analytics tool to track basic data, including but not limited to browser data, page visits, general location, retention data, and custom events.

3. How We Use Your Information

We collect and use personal information only for purposes a reasonable person would consider appropriate given the circumstances. Specifically, we use information to:

• Provide, operate, and maintain the Service and your Organization
• Process transactions and manage your subscription
• Authenticate users and enforce role-based access controls and permissions
• Send service communications (account notices, security alerts, product updates)
• Analyze usage patterns to improve product features and experience
• Provide customer support and respond to inquiries
• Meet our legal and regulatory obligations, including under PIPEDA
• Detect, investigate, and prevent fraud, security incidents, and technical issues
• Develop, train, and improve machine learning models and artificial intelligence to provide automated financial insights and suggestions
• Create anonymized, aggregated datasets to provide market-segment benchmarking and industry trend analysis

4. Legal Bases for Processing (GDPR)

For users in the EU or UK, we process personal data under the following lawful bases:

• Contract: Processing necessary to provide the Service under our Terms of Service
• Legitimate Interests: Analytics, security, and product improvement, where these do not override your rights
• Legal Obligation: Compliance with applicable laws
• Consent: Where we request your consent for specific processing activities

5. How We Share Your Information

5.1 Within Your Organization

Users within your Organization may access shared data subject to the role-based permissions configured by your Administrator. ValueMap does not share your Organization's data with other organizations or customers.

5.2 Service Providers & Sub-processors

We share information with trusted third-party vendors (Sub-processors) who assist us in operating the Service, such as cloud hosting providers, payment processors, and customer support platforms. These providers are contractually bound to handle data only as directed and to maintain appropriate security measures. A current list of Sub-processors is available at valuemap.app/sub-processors or on request.

5.3 Legal Requirements

We may disclose information if required by Canadian law, regulation, court order, or governmental authority, or where we believe disclosure is necessary to protect the rights, property, or safety of ValueMap, our customers, or the public. Where permitted, we will notify you of such requests.

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify affected customers before information is transferred and becomes subject to a different privacy policy.

5.5 No Sale of Personal Data

ValueMap does not sell, rent, or trade your personal information or your Organization's data to third parties for their own purposes. For California residents: ValueMap does not "sell" or "share" personal information as defined under the CCPA/CPRA.

6. International Data Transfers

ValueMap is incorporated and operated in Ontario, Canada. Canada has received an adequacy finding from the European Commission under PIPEDA, meaning transfers of personal data from the EU/EEA to ValueMap in Canada do not require additional safeguards for commercial organization data covered by PIPEDA.

Where we transfer personal data to Sub-processors located in countries without an adequacy decision (such as the United States), we rely on appropriate safeguards including EU Standard Contractual Clauses (SCCs) and UK International Data Transfer Agreements (IDTAs). Copies of applicable transfer mechanisms are available on request at support@valuemap.app.

For enterprise customers subject to GDPR who require a formal DPA, please contact support@valuemap.app.

7. Data Retention

We retain your personal information for the duration of your subscription. Upon termination, we will delete or anonymize your personal information from our active systems, in accordance with PIPEDA's retention principles, except where retention is required by law (e.g., billing and tax records).

Usage data and de-identified financial modeling data may be retained in anonymized or aggregated form indefinitely to train our AI models, support product development, and provide market-segment suggestions.

8. Security

ValueMap implements technical and organizational security measures appropriate to the sensitivity of the personal information we process, consistent with PIPEDA's safeguards principle, including:

• Encryption of data in transit (TLS 1.2+) and at rest
• Role-based access controls and permission enforcement across all Organizations
• Regular security assessments and vulnerability management
• Audit logging for sensitive administrative operations

In the event of a privacy breach that creates a real risk of significant harm, ValueMap will notify affected customers and report to the Office of the Privacy Commissioner of Canada as required by PIPEDA's mandatory breach reporting provisions. For EU/UK customers, we will notify within 72 hours as required by GDPR.

9. Your Rights

Depending on your location, you have the following rights regarding your personal information. To exercise any right, contact support@valuemap.app. We will respond within 30 days (PIPEDA), 30 days (GDPR), or 45 days (CCPA) as applicable.

9.1 All Users (PIPEDA)

• Access: Request confirmation of whether we hold personal information about you and obtain a copy
• Correction: Request correction of inaccurate or incomplete personal information
• Withdrawal of Consent: Withdraw consent to processing where consent is the basis, subject to legal or contractual restrictions
• Complaint: Lodge a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca)

9.2 EU/UK Users (GDPR)

• Access, Rectification, Erasure, Portability, Restriction, Objection (Articles 15–22 GDPR)
• Lodge a complaint with your local supervisory authority

9.3 California Residents (CCPA/CPRA)

• Know: Right to know what personal information we collect, use, and disclose
• Delete: Right to request deletion of personal information
• Correct: Right to correct inaccurate personal information
• Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

10. Children's Privacy

The Service is intended solely for business use by adults. We do not knowingly collect personal information from individuals under the age of 18. If we become aware that we have inadvertently collected such information, we will take prompt steps to delete it.

11. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email or in-product notice at least fourteen (14) days before changes take effect, consistent with PIPEDA's openness principle. The current version will always be available at valuemap.app/privacy.

12. Contact & Complaints

For privacy questions, requests, or complaints, contact us at support@valuemap.app.

Canadian residents may also contact the Office of the Privacy Commissioner of Canada: priv.gc.ca · 1-800-282-1376