Privacy Policy

This Privacy Policy is incorporated into the MAP Terms of Use and applies to your use of the MAP website (the “Website”) and the MAP® online application and service (the “Service”).

This Privacy Policy explains how we collect, use, process, protect, store and share your personal information when you use our Website or Service. "Personal information" (also referred to as "personal data" under applicable laws) means any information relating to an identified or identifiable natural person.

We only use or share your personal information as described in this Privacy Policy and only for the essential purposes set forth in this Privacy Policy. We do not knowingly use or disclose your information for any other purpose.

Some parts of our Website or Service may come with extra privacy notices. For example, optional features may use your personal information in specific ways.

You may find links on our Website or Service—either provided by us or by other users—that lead to third-party websites or products we don’t operate. This Privacy Policy does NOT apply to those third parties. We strongly recommend reviewing their privacy policies to understand how they handle your personal information.

If you use Single Sign-On (SSO) features (like logging in through a social media account), your use of those features may be governed by the SSO provider’s own terms and privacy policies. Please review those policies before using SSO to access our Service.

This Privacy Policy does not apply to MAP employees or applicants to MAP.

We encourage you to read this Privacy Policy to fully understand our privacy practices before using the Website, subscribing to, or using, the Service or submitting any personal information. This Privacy Policy supplements other notices we provide to you and is not intended to override them.

PLEASE NOTE THAT THIS PRIVACY POLICY MAY BE AMENDED OR CHANGED FROM TIME TO TIME.

We indicate at the top of the page when this privacy policy was last updated.

We have appointed a data protection officer who is responsible for overseeing questions in relation to this Privacy Policy. If you have questions about this Privacy Policy or the way we collect, use, process, protect, store or share your personal information, please contact our Data Protection Officer at contact MAP Support or:

Data Protection Officer
MAP Biotech Proprietary Limited
97-99 Bathurst Street
SGround Flr. Ste #1052Sydney NSW 2000 Australia.

If you are a citizen of the European Union, you have the right to make a complaint at any time to the Information Commissioner's Office (ICO) or the supervisory authority or authorities for data protection issues in your country. We would appreciate the chance to deal with your concerns before you approach the ICO or data protection supervisory authorities, so please contact us at contact MAP Support if you have any questions or concerns.

MAP only collects personal information that is reasonably necessary for its activities which include operation of the Website, provision of the Service and conducting scientific research, primarily in the field of Centeredness Theory, mental health, human wellbeing, and human potential. For more information on Centeredness Theory and wellbeing see https://www.frontiersin.org/articles/10.3389/fpsyg.2018.00610/full.

We collect personal information in three (3) main ways:

1. Personal Information you provide to us;
2. Personal Information we receive from others; and
3. Personal Information we automatically collect when you interact with or use our Website or Service.

Information you provide to us:

1. Contact Information. When you sign up for an account or use the Service, we collect basic contact information such as your first and last name and email address. If you sign in through a social media account, we may also collect your social media ID.
2. Account Information. For a user of the MAP Service, the personal information we collect may include your date of birth; age range; gender; username or similar identifier password; marital status; and profession. We collect specific data like marital status, gender, age range, and profession because it helps research scientists to better understand the nature of wellbeing. Your country information is collected because we use that information for scientific research to better understand how wellbeing varies across the world and to anonymously populate the world map of MAP users, which you can access from your dashboard.
3. Payment Information. In the future, we may offer new features or services to the Service which require a paid subscription In such instances, you will need to provide payment details, such as your card number, expiration date and security code, and billing address. We will only collect the information necessary to process your payment, and all transactions will be securely handled by trusted third-party payment providers.
4. Your Website and Service Communications. When you contact us, whether by email, chat, or in-app messages, we may collect your name and email address and any details you choose to share in your messages. This information will not be used for any purpose except to communicate directly with you.
5. Customer Support. When you reach out to us with questions or for customer support, we collect the information you provide.
6. Information we collect from others. We may also collect the name, email address, content engagement, and preferences of individuals that our users identify through our sharing and referral features. We use this data for the sole purpose of sharing content and referring individuals to join the Service.

Information we automatically Collect. We may also automatically collect information about you when you use the Website or Service. This includes the following.

1. We collect your personal data automatically via cookies, in line with our Cookie Policy.
2. We automatically collect information such as your IP address, device ID, device type, operating system, browser type and version, screen resolution, language settings, and any plug-ins or add-ons you use. This information is used exclusively for improving your user experience and to help us debug.

Aggregated Data. We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.

We use the information we collect to operate and provide you with the Website and Service. This includes, but is not limited to:

1. Authenticating your login;
2. Personalizing your MAP experience;
3. Allowing you to monitor your performance and progress in MAP including, for example, presenting charts and graphs of your performance to you;
4. Debugging the Website and Service, and providing follow-up service from the MAP Support Team where the user's session has been interrupted because of an issue in the code;
5. Customizing and delivering information about our products and services by email;
6. Providing customer service and sending confirmations about your account;
7. Protecting our intellectual property or other rights;
8. Managing and improving our business, the Website and the Service.

We use non-personal information, such as aggregated data, for scientific research purposes.

We have set out below, in a table format, a description of the ways we plan to use your personal information, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

We mainly store and handle your personal information within Northern Europe and the European Economic Area (EEA), which have strong data protection laws.

Sometimes we may need to transfer your data to other countries that don't have the same level of data protection as Northern Europe or the EEA. When this happens, we always put protective measures in place to keep your information secure. We follow European data protection laws (GDPR) and use one of these approved methods:

1. We only send data to countries that EU authorities have confirmed provide good data protection;
2. We use official Standard Contractual Clauses (SCCs) - these are pre-approved legal agreements that ensure your data stays protected; or
3. We use other legally recognized methods to ensure safe data transfers.

You have the right to know more about how we transfer your data internationally. You can also request copies of the protection measures we use. If you have questions about how we handle your data globally, just email us at [email protected]

We take your privacy seriously and have put in place generally accepted security measures in place to keep your personal data safe from being lost, stolen, altered, improperly disclosed or misused.

MAP has extensive enterprise-grade security, compliance, and encryption controls built in at multiple layers. Your data is encrypted both at rest and in transit.

If you suspect any misuse, loss or unauthorized access to your personal information, please let us know immediately by contacting us at [email protected].

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

You have the following rights regarding your personal information:

• Right of Access (Article 15): You may request a copy of your personal information and information about how we process it.
• Right of Rectification (Article 16): You may request correction of inaccurate or incomplete personal information.
• Right of Erasure/'Right to be Forgotten' (Article 17): You may request deletion of your personal data when:
  • No longer necessary for the original purpose;
  • You withdraw consent;
  • You withdraw consent (where consent is the legal basis);
  • You object to processing based on legitimate interests;
  • Processing is unlawful; or
  • Required by legal obligation.
• Right to Restrict Processing (Article 18): You may request suspension of processing when:
  • You contest the accuracy of personal information or data (during verification);
  • Processing is unlawful but you prefer restriction to erasure;
  • We no longer need the personal information or data but you need it for legal claims;
  • ou have objected to processing (pending our legitimate interest assessment).
• Right to Data Portability (Article 20): You may receive your personal information in a machine-readable format and transmit to another controller when processing is based on consent or contract performance.
• Right to Object (Article 21): You may:
  • Object to processing based on legitimate interests;
  • Object to direct marketing (absolute right); and
  • Object to processing for research purposes (with exceptions for public interest research).
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time through your account settings or by contacting us.
• Right to Lodge a Complaint: You have the right to file a complaint with your national data protection authority. EU residents should contact their national supervisory authority.

No Fee: You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request or requests are clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request(s) in these circumstances.

What We May Need: We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time to Respond: We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

At MAP, we are committed to protecting and respecting children’s privacy. Our Platform is generally intended for individuals at least 18 years old and we do not intentionally collect personal information from individuals under 18 years old.

If you are a parent or guardian and you are aware that a child under age 18 has provided us with their personal information without parental consent, please contact us at [email protected] and we will take steps to remove that personal information from our servers.

When you visit our Website, we may collect information from you automatically through cookies including cookies provided by third parties, as more disclosed in our Cookie Policy. We will get your consent in order to use these cookies or provide you with the opportunity to opt-out of them, to the extent required by applicable law.

This Privacy Policy is effective as of the date posted at the top. We may update this Privacy Policy from time to time to reflect Service changes, make corrections, improve clarity, reflect changes in our privacy practices, or as required by applicable laws. When we may make a significant change, such as on how we use your personal information or your rights, we will notify you within the Service or through another channel such as the email you supplied during account registration, in addition to posting the revised version on our Website. We encourage you to periodically check this Privacy Policy to stay informed about how we handle your personal information.

We want to hear from you if you have questions, concerns, or requests regarding this Privacy Policy. You can reach us by emailing [email protected].

We are providing the supplemental notices in this Section as you may have additional rights that apply to you under the privacy laws of the jurisdiction in which your reside. Privacy laws are continuously being updated and MAP is committed to respecting your privacy. If you do not see your jurisdiction below, we encourage you to still contact us using the contact details provided below with your questions or concerns.

Effective Date: October 31, 2025

This Supplemental Notice applies to California residents and supplements the information in our main Privacy Policy. This notice is required by the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

CATEGORIES OF PERSONAL INFORMATION WE COLLECT
In the past 12 months, we have collected the following categories of personal information:

SOURCES OF PERSONAL INFORMATION:

• Directly from you (account registration, surveys, support requests)
• Automatically from your device and browser
• Third-party payment processors
• Referrals from other users

PURPOSES FOR COLLECTING PERSONAL INFORMATION:

• Providing and maintaining our services
• Processing payments and transactions
• Customer support and communications
• Research and analytics
• Security and fraud prevention
• Legal compliance

SHARING OF PERSONAL INFORMATION:

We may share your personal information with:

• Only service providers and vendors required to provide the Service
• Scientific research collaborators (de-identified data only)
• Legal authorities when required by law

SALE OR SHARING OF PERSONAL INFORMATION:

We do not sell your personal information. We may share certain information for analytics, which California law may consider a "sale" or "share." You have the right to opt out of such sharing.

YOUR CALIFORNIA PRIVACY RIGHTS

• Right to Know: Request disclosure of personal information we've collected, used, disclosed, or sold about you.
• Right to Delete: Request deletion of your personal information (subject to certain exceptions).
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out: You may opt out of the sale/sharing of your personal information and use of sensitive personal information for certain purposes.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
• Right to Limit Sensitive Personal Information: Request that we limit our use of sensitive personal information to what is necessary to perform our services.

EXERCISING YOUR CALIFORNIA RIGHTS

Email: [email protected]

Online: [email protected]

Authorized Agent: You may designate an authorized agent to make requests on your behalf.

We will verify your identity before processing requests and respond within 45 days (extendable by 45 days).

RETENTION:

We retain personal information for as long as necessary to provide services, comply with legal obligations, resolve disputes, and enforce agreements.

SUPPLEMENTAL NOTICE FOR OTHER US STATE RESIDENTS: Virginia, Colorado, Connecticut, Utah, Nevada, Rhode Island, Minnesota, Oregon and Other Applicable States

Virginia Consumer Data Privacy Act ("VCDPA"), the Connecticut Data Privacy Act ("CTDPA"), the Utah Consumer Privacy Act ("UCPA"), the Colorado Privacy Act ("CPA"), and the Nevada Privacy Law ("NPL"), the Rhode Island Data Transparency and Privacy Protection Act ("RIDTPA"), the Minnesota Consumer Data Privacy Act ("MCDPA"), and the Oregon Consumer Privacy Act ("OCPA")

If you are a resident of Virginia, Colorado, Connecticut, Utah, Nevada, Rhode Island, Minnesota, Oregon or another state with comprehensive privacy laws, you may have similar rights to those described in the California section above, including (but not limited to):

• Right to access your personal data
• Right to delete your personal data
• Right to correct inaccuracies
• Right to opt out of targeted advertising and sales
• Right to data portability (where applicable)

The specific rights and procedures may vary by state. Contact our Data Protection Officer for information specific to your state's requirements.

Personal Information Protection and Electronic Documents Act (PIPEDA) Compliance

For Canadian residents, we process personal information in accordance with PIPEDA principles:

• We collect personal information only for identified purposes
• We obtain consent for collection, use, and disclosure
• We limit collection to what is necessary for identified purposes
• We retain personal information only as long as necessary
• We maintain accuracy of personal information
• We protect personal information with appropriate safeguards

Your Canadian Rights:

• Right to access your personal information
• Right to request correction of personal information
• Right to file complaints with the Privacy Commissioner of Canada

Data Processing Basis

For users in jurisdictions requiring specification of legal basis for processing, we process your personal information based on:

• Contract Performance: To provide our services to you
• Legitimate Interests: For research, analytics, and service improvement
• Consent: For marketing communications and certain data processing
• Legal Obligation: To comply with applicable laws

Withdrawal of Consent

Where processing is based on consent, you may withdraw consent at any time through your account settings or by contacting us.

General Privacy Questions: [email protected]

Data Protection Officer:
MAP Biotech Proprietary Limited
97-99 Bathurst Street, Ground Flr. Ste #1052
Sydney NSW 2000 Australia

California-Specific Inquiries:
[email protected]
MAP Biotech Proprietary Limited
97-99 Bathurst Street, Ground Flr. Ste #1052
Sydney NSW 2000 Australia