Privacy Policy
Effective Date: 02.12.2025
Last Updated: 04.02.2026
Service Name: Mapala Property Solutions Inc.
Website: https://mapala.ca
Contact Email: info@mapala.ca
1. Introduction
Mapala Property Solutions Inc. ("Mapala", "we," "us," or "our") operates the Mapala platform (https://mapala.ca), a service that allows users to discover, share, and track rental buildings and apartments across Canada.
This Privacy Policy explains:
- What personal information we collect
- How we use, store, and protect your information
- Your rights regarding your personal data
- How to contact us with privacy concerns
This policy is designed to comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial privacy legislation.
2. Information We Collect
2.1 Personal Information You Provide
Account Registration
When you create an account on Mapala, we collect:
- Contact Information: Email address, Phone number
- Personal Details: First name, last name, and middle name (optional), Date of birth
- Address Information: Primary address (address line 1), Secondary address (address line 2, optional), City, province, postal code, Country
- Account Security: Password (stored as a cryptographic hash only — we never store plain-text passwords)
Landlord/Company Information (Optional)
If you are a landlord or property manager, you may optionally provide:
- Company name
- Company address, city, province, postal code
- Company phone number and email
- Company website
Building and Property Data
When you add a building or apartment listing, you provide:
- Building Information: Title and description, Address (street, city, postal code), Year built, builder name, number of units, number of floors, Geographic coordinates (latitude/longitude) for map display
- Landlord Contact Information: Landlord name, Contact phone number, Contact email address. Important: This landlord contact information may be publicly visible on building pages to help renters contact property owners.
- Photos and Files: Building photos, floor plan images, apartment photos, File metadata (filename, upload date, file type). EXIF Data: We plan to automatically strip EXIF metadata (including geolocation, camera model, and timestamps) from uploaded images to protect privacy. Until this feature is implemented, uploaded images may retain EXIF data.
Subscriptions and Notifications
When you subscribe to updates for a specific building:
- Building subscription preferences
- Baseline apartment availability snapshot (to detect changes)
- Last check timestamp
2.2 Information Collected Automatically
When you use Mapala, we automatically collect:
- Technical Information: IP address, User agent string (browser type, operating system, device type), Request URL and HTTP method
- Activity Data: Pages visited, Actions performed (e.g., viewing buildings, creating listings), Timestamps for all requests
- Request Tracing: Unique request ID (X-Request-ID) for debugging and support
- Authentication Data: JWT access tokens and refresh tokens (stored in HTTP-only cookies), Login history and session metadata
2.3 Information from Third Parties
We do not purchase or receive personal information from data brokers or third-party marketing companies.
We may receive limited information from:
- Mapbox: Geographic coordinates and map tiles to display building locations. Mapbox may collect IP addresses and usage data according to their own privacy policy.
- Google Analytics: In the future, we plan to integrate Google Analytics to analyze website traffic, user behavior, and service improvements. Google Analytics will collect anonymized or pseudonymized usage data (page views, session duration, device type, geographic region). We will update this policy before enabling Google Analytics.
3. How We Use Your Information
3.1 Primary Purposes
We use your personal information for the following purposes:
- Account Management: Create and maintain your user account, Authenticate your identity, Manage your profile and preferences
- Service Delivery: Display buildings, floor plans, and apartments on the platform, Show building locations on interactive maps, Enable building subscriptions and change notifications, Process your requests (e.g., adding, editing, or hiding listings)
- Communication: Send account-related emails (email verification, password reset), Notify you of changes to buildings you're subscribed to, Respond to support inquiries
- Platform Improvement: Analyze usage patterns to improve user experience, Monitor application performance and error rates, Conduct internal research and development
- Security and Fraud Prevention: Detect and prevent unauthorized access, Monitor for suspicious activity and abuse, Enforce our Terms of Service
- Legal Compliance: Comply with applicable laws and regulations, Respond to lawful requests from authorities, Protect our legal rights and interests
3.2 Legitimate Interests
In certain cases, we process personal information based on legitimate interests, such as:
- Public Directory of Buildings: We maintain a public directory of rental buildings to help renters find housing. This includes displaying landlord contact information (name, phone, email) on building pages. We believe this serves the legitimate interest of facilitating housing search and tenant-landlord communication.
- Service Security: We log IP addresses and request metadata to detect and prevent fraud, abuse, and security incidents.
3.3 Third-Party Data (Landlord Information)
Users can add landlord contact information (name, phone, email) to building listings without the landlord's explicit consent. This information is displayed publicly on building pages.
Why we allow this:
- Rental property information is often publicly available (e.g., rental websites, building signage, lease agreements).
- Displaying landlord contact information serves the legitimate public interest of helping renters find and contact property owners.
- This practice is common across rental listing platforms.
Landlord Rights:
If you are a landlord and wish to have your contact information removed or corrected, please contact us at info@mapala.ca. We will process your request within 10 business days (see Section 8.4).
4. How We Share Your Information
We do not sell your personal information to third parties.
We may share your information in the following circumstances:
4.1 Service Providers
We share information with trusted third-party service providers who assist us in operating the platform:
| Service Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, file storage (S3), email delivery (SES) | All data stored on the platform | Canada (ca-central-1) |
| Mapbox | Interactive maps and geolocation | Building coordinates, IP addresses (via map requests) | United States |
| Google Analytics (Planned) | Website analytics and usage tracking | Anonymized usage data, IP addresses (anonymized), device type | United States |
| Stripe (Planned 2026) | Payment processing for premium features | Name, email, payment information | United States |
All service providers are contractually required to protect your data and use it only for the purposes we specify.
4.2 Legal Requirements
We may disclose your information if required by law or in response to:
- Court orders, subpoenas, or legal process
- Requests from law enforcement or government agencies
- Legal obligations under Canadian or provincial law
We will notify you of such requests unless prohibited by law.
4.3 Business Transfers
If Mapala is acquired, merged, or undergoes a business restructuring, your personal information may be transferred to the acquiring entity. We will notify you before your information is transferred and becomes subject to a different privacy policy.
4.4 Public Information
The following information is publicly visible on Mapala:
- Building names, descriptions, addresses, and photos
- Landlord names, phone numbers, and email addresses (on building pages)
- Floor plan details and apartment information
- Geographic coordinates (displayed on maps)
Do not include sensitive personal information in building descriptions or other public fields.
5. Data Storage and Security
5.1 Where We Store Your Data
Your personal information is stored on servers located in Canada (AWS ca-central-1 region).
- Database: PostgreSQL or SQLite (development) hosted in AWS ca-central-1
- File Storage: AWS S3 (ca-central-1) for photos and documents
- Email Service: AWS SES (ca-central-1) for transactional emails
Cross-Border Transfers:
Some third-party services (Mapbox, Google Analytics, Stripe) are based in the United States. When you use Mapala, your data may be transferred to and processed in the U.S., which has different privacy laws than Canada. By using our service, you consent to this transfer. We take steps to ensure these providers offer adequate protection for your data.
5.2 Security Measures
We implement industry-standard security measures to protect your data:
- Encryption: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS. Passwords are hashed using Werkzeug's secure password hashing (PBKDF2-based) and are never stored in plain text.
- Access Controls: Database access is restricted to authorized personnel only. AWS S3 files are stored in private buckets with presigned URL access (time-limited, authenticated links).
- Authentication: JWT-based authentication with short-lived access tokens (10 minutes) and long-lived refresh tokens (7 days). CSRF protection for cookie-based authentication.
- Monitoring and Logging: We log all HTTP requests (IP address, method, path, user agent, request ID) for security monitoring and debugging. Logs are retained for 7 days (development) or indefinitely (production, for security analysis).
No system is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. Please use a strong, unique password and do not share your account credentials.
6. Data Retention
6.1 Active Accounts
We retain your personal information for as long as your account is active or as needed to provide services.
6.2 Account Deletion
If you request account deletion:
- Your account will be permanently deleted.
- Associated personal information (name, email, address, phone) will be removed.
- Buildings, floor plans, and apartments you created will be anonymized (disassociated from your account) but not deleted, as they may be useful to other users.
- Uploaded files (photos) will remain on the platform unless you specifically request their deletion.
To delete your account, contact us at info@mapala.ca.
6.3 Soft Deletion of Content
When you delete a building, floor plan, or apartment listing through the platform:
- The item is hidden from public view (soft delete).
- The item is not permanently deleted from our database.
- You can request permanent deletion by contacting us at info@mapala.ca.
6.4 Logs and Analytics
- Application Logs: Retained for 7 days in development; indefinitely in production for security monitoring.
- Business Logs: Retained indefinitely for analytics and service improvement.
- Google Analytics Data (Planned): Retained according to Google's data retention settings (typically 14-26 months).
6.5 Backup Retention
Backup copies of your data may persist for up to 90 days after deletion due to backup schedules and disaster recovery procedures.
7. Cookies and Tracking Technologies
7.1 Cookies We Use
We use the following cookies:
| Cookie Name | Purpose | Type | Expiration |
|---|---|---|---|
| access_token_cookie | JWT access token for authentication | HTTP-only, Secure, SameSite=Lax | 10 minutes |
| refresh_token_cookie | JWT refresh token for session renewal | HTTP-only, Secure, SameSite=Lax | 7 days |
| csrf_access_token | CSRF protection for access tokens | Secure, SameSite=Lax | Session |
| csrf_refresh_token | CSRF protection for refresh tokens | Secure, SameSite=Lax | Session |
7.2 Third-Party Cookies
When you use Mapala, third-party services may set cookies:
- Mapbox: Analytics and map interaction tracking. See Mapbox Privacy Policy.
- Google Analytics (Planned): Analytics cookies for usage tracking. See Google Privacy Policy.
7.3 Managing Cookies
You can control cookies through your browser settings:
- Disable Cookies: Most browsers allow you to refuse cookies. Note that disabling cookies will prevent you from logging in and using authenticated features.
- Third-Party Cookies: You can opt out of Google Analytics using the Google Analytics Opt-out Browser Add-on.
8. Your Privacy Rights
Under PIPEDA and provincial privacy laws, you have the following rights:
8.1 Right to Access
You have the right to request a copy of the personal information we hold about you.
How to Request: Email info@mapala.ca with the subject line "Data Access Request." We will provide your data in a structured, commonly used format (e.g., JSON, CSV) within 30 days.
8.2 Right to Correction
You have the right to request corrections to inaccurate or incomplete personal information.
How to Request: Email info@mapala.ca with details of the correction needed. We will update your information within 10 business days and notify you of the change.
8.3 Right to Deletion (Right to Be Forgotten)
You have the right to request deletion of your personal information, subject to legal and operational limitations.
How to Request: Email info@mapala.ca with the subject line "Account Deletion Request." We will delete your account and personal information within 30 days.
Note: Buildings and content you created will be anonymized but not deleted (see Section 6.2).
Limitations: We may retain certain information if required by law or for legitimate business purposes (e.g., fraud prevention, legal compliance).
8.4 Right to Object (Landlord Data Removal)
If your contact information has been added to a building listing without your consent, you have the right to request its removal.
How to Request: Email info@mapala.ca with:
- Your full name
- The building address or URL where your information appears
- Proof of identity (e.g., government-issued ID)
We will review and process your request within 10 business days. If approved, we will remove or anonymize your contact information from the building listing.
Note: We may request verification of your identity to prevent fraudulent removal requests.
8.5 Right to Withdraw Consent
If we process your data based on consent (e.g., email marketing, analytics), you can withdraw consent at any time:
- Email Marketing: Click "Unsubscribe" in any marketing email.
- Analytics: Opt out of Google Analytics using browser settings or opt-out tools.
Withdrawing consent does not affect the lawfulness of processing based on consent before withdrawal.
8.6 Right to Complain
If you believe we have violated your privacy rights, you have the right to file a complaint with:
Office of the Privacy Commissioner of Canada
Website: https://www.priv.gc.ca
Phone: 1-800-282-1376
Email: info@priv.gc.ca
You may also file a complaint with your provincial privacy commissioner if applicable.
9. Children's Privacy
9.1 No Age Restrictions
Mapala does not impose a minimum age requirement for account registration.
9.2 Parental Responsibility
If you are under the age of majority in your province (typically 18 or 19), you should obtain parental or guardian consent before using Mapala.
Parents and Guardians:
- We encourage parents to monitor their children's online activities.
- If you believe a child has provided personal information without your consent, contact us at info@mapala.ca to request deletion.
9.3 PIPEDA Compliance
PIPEDA does not prohibit the collection of children's data but requires that we:
- Collect only the minimum necessary information.
- Use clear and age-appropriate language in privacy notices.
- Provide parents with the ability to review and delete their child's data.
We do not knowingly collect sensitive information from minors without parental consent.
10. Third-Party Links
Mapala may contain links to third-party websites or services (e.g., landlord websites, external rental listings).
- We are not responsible for the privacy practices of third-party sites.
- We encourage you to review the privacy policies of any third-party sites you visit.
- This Privacy Policy applies only to information collected by Mapala.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements.
How We Notify You:
- We will post the updated policy on this page with a new "Last Updated" date.
- For material changes (e.g., new data collection practices, third-party sharing), we will notify you via email or a prominent notice on the website.
Your Continued Use: Your continued use of Mapala after the changes take effect constitutes your acceptance of the revised Privacy Policy.
Review Regularly: We encourage you to review this policy periodically to stay informed about how we protect your information.
12. International Users
Mapala is primarily intended for users in Canada.
Users Outside Canada:
- If you access Mapala from outside Canada, your information may be transferred to and processed in Canada and the United States.
- By using Mapala, you consent to the transfer of your information to jurisdictions with different privacy laws.
- We take steps to ensure adequate protection for your data regardless of where it is processed.
13. Data Breach Notification
In the event of a data breach that poses a real risk of significant harm to you, we will:
- Notify Affected Users: We will notify you via email within 72 hours of discovering the breach. The notice will include: What information was compromised, When the breach occurred, Steps you can take to protect yourself, How we are responding to the breach
- Notify the Privacy Commissioner: We will report the breach to the Office of the Privacy Commissioner of Canada as required by PIPEDA.
- Take Remedial Action: We will investigate the breach, secure the affected systems, and take steps to prevent future incidents.
14. Business Contact Information
Legal Name: Mapala Property Solutions Inc.
Website: https://mapala.ca
Email: info@mapala.ca
Privacy Officer: For privacy-related inquiries, contact our Privacy Officer at info@mapala.ca.
15. Consent
By creating an account or using Mapala, you acknowledge that you have read, understood, and agree to this Privacy Policy.
If you do not agree with this Privacy Policy, please do not use our services.
16. Additional Information
16.1 Account Verification
We verify your email address during registration by sending a confirmation link. This ensures the email address belongs to you and helps prevent fraudulent accounts.
16.2 User Roles and Permissions
Mapala supports different user roles:
- Standard Users: Can create and manage their own buildings and subscriptions.
- Landlords: Can provide company information and manage multiple properties.
- Administrators: Have access to admin-only features (user management, content moderation, SEO settings).
Administrator accounts have access to additional personal information for moderation and support purposes.
16.3 Featured Buildings (Planned Monetization)
In the future, we plan to offer featured building placements for landlords who wish to promote their properties.
- Featured buildings will be clearly labeled as sponsored or promoted.
- Payment processing will be handled by Stripe (planned for 2026).
- When payments are enabled, we will update this Privacy Policy to describe what payment information is collected and how it is processed.
16.4 Building Subscriptions and Notifications
When you subscribe to a building:
- We store a baseline snapshot of apartment availability.
- We periodically check for changes (e.g., new vacancies).
- If changes are detected, we send you an email notification.
- You can unsubscribe from building notifications at any time through your account settings.
17. Summary of Key Points
| Topic | Details |
|---|---|
| What We Collect | Email, name, address, phone, date of birth, building data, photos, IP address, usage logs |
| Why We Collect | Account management, service delivery, communication, analytics, security |
| How We Share | AWS (hosting), Mapbox (maps), Google Analytics (planned), Stripe (planned 2026) |
| Where We Store | AWS Canada (ca-central-1); some third-party services in the U.S. |
| Your Rights | Access, correction, deletion, objection (landlord data removal) |
| Data Retention | Active accounts: indefinitely; deleted accounts: 30 days; soft-deleted content: hidden, not deleted |
| Cookies | JWT tokens, CSRF tokens, third-party analytics (Mapbox, Google Analytics) |
| Children | No age restrictions; parental consent recommended for minors |
| Security | HTTPS, password hashing, JWT authentication, access controls, logging |
| Contact | info@mapala.ca |
18. Glossary
- PIPEDA: Canada's Personal Information Protection and Electronic Documents Act, the federal privacy law governing private-sector organizations.
- JWT (JSON Web Token): A secure method of transmitting authentication information between parties.
- EXIF (Exchangeable Image File Format): Metadata embedded in image files (e.g., camera model, GPS coordinates).
- HTTPS/TLS: Secure protocols for encrypting data transmitted over the internet.
- Soft Delete: Marking data as deleted (hidden) without permanently removing it from the database.
- Presigned URL: A time-limited, authenticated URL for accessing private files on AWS S3.
Thank you for trusting Mapala with your information. We are committed to protecting your privacy and providing a safe, transparent platform for finding rental housing in Canada.
End of Privacy Policy