Privacy Policy
Short version: OuterMap is a B2B SaaS platform. We collect the minimum personal data needed to provide our service, never sell it, and you have the right to access, correct, or delete it at any time by writing to support@outermap.com.
1. Who we are
"OuterMap", "we", "us" or "our" refers to the OuterMap product, owned and operated by Codequantum Technologies Pvt Ltd ("the Company"). OuterMap is a software platform that converts static map images into branded mobile wayfinding apps for parks, campuses, museums, event venues, and similar destinations.
This Privacy Policy explains how we handle personal data of:
- Website visitors on outermap.com and its subdomains.
- Prospective customers who submit demo requests or contact forms.
- Customer administrators who use the OuterMap dashboard.
- End users / visitors who use mobile apps built on OuterMap (the relevant organization is the data controller; we are the data processor).
2. Information we collect
2.1 You give us directly
- Name, work email, phone number, organization, country.
- Demo and contact form responses (your message, location count, etc.).
- Account credentials and user profile information.
- Billing details if you become a paying customer (processed via PCI-compliant payment providers — we never store full card numbers).
2.2 Collected automatically
- Device, browser, operating system, screen size, language.
- IP address (used only in approximate location form: country/region).
- Pages viewed, referring URL, time on page, clicks.
- Cookies and similar technologies — see our Cookie Policy for the full list and opt-out controls.
2.3 From third parties
- Identity providers (Google, Microsoft) when you sign in via SSO.
- Analytics providers (Google Analytics 4) — aggregated, pseudonymous.
- Public sources for enrichment (LinkedIn company size, public-domain venue data).
3. How we use your data
- Deliver and operate the OuterMap service and your branded mobile apps.
- Respond to demo requests, support questions, and contract negotiations.
- Send service notifications (e.g. outages, security advisories, plan changes).
- Send marketing emails — only with explicit consent and with one-click unsubscribe.
- Detect and prevent fraud, abuse, and security incidents.
- Improve the product through aggregated usage analytics.
- Comply with legal obligations (tax, audit, court orders).
We do not sell personal data. We do not share it with advertising networks. We do not use it to train third-party AI models without your consent.
4. Legal bases (GDPR / EU & UK users)
- Performance of a contract — to deliver the service you signed up for.
- Legitimate interest — security, fraud prevention, basic analytics.
- Consent — marketing emails, non-essential cookies.
- Legal obligation — tax records, lawful requests.
5. Sharing & sub-processors
We share data only with vendors that help us operate the service, under written data-processing agreements. Current sub-processors:
- AWS (hosting, data storage) — primary regions: us-east-1, eu-west-1, ap-south-1.
- Google Analytics 4 (pseudonymous web analytics).
- Stripe (payment processing for paid plans).
- Postmark (transactional email delivery).
- Sentry (error monitoring).
We will notify customers at least 30 days before adding a new sub-processor that has access to personal data.
6. International transfers
We host data in regions appropriate to the customer (US, EU, or India). When transferring personal data outside your region, we rely on Standard Contractual Clauses (SCCs), the EU-US Data Privacy Framework, and the UK International Data Transfer Addendum, as applicable.
7. Data retention
- Marketing leads: 24 months from last activity, then deleted.
- Active customer accounts: for the duration of the contract.
- Terminated accounts: 90 days, then permanently deleted, except where law requires longer retention.
- Backups: rolling 30-day window.
- Server logs: 90 days.
8. Security
We use industry-standard safeguards: TLS 1.2+ in transit, AES-256 at rest, role-based access controls, audit logging, least-privilege production access, regular vulnerability scanning, and SOC 2 Type II controls (in progress). No system is 100% secure — please use a strong, unique password.
9. Your rights
Depending on where you live (GDPR, UK GDPR, CCPA/CPRA, DPDP Act 2023, etc.), you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your data ("right to be forgotten").
- Export your data in a machine-readable format.
- Object to or restrict certain processing.
- Withdraw consent at any time.
- Lodge a complaint with your local data-protection authority.
To exercise any of these rights, email support@outermap.com. We respond within 30 days.
10. Children
OuterMap is a B2B product and not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data, please contact us so we can delete it.
11. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be announced via email to active customers at least 30 days in advance.
12. Contact us
Email (general & Data Protection Officer): support@outermap.com
This document is a starting template. Have it reviewed by legal counsel familiar with your operating jurisdictions before launch. Update vendor names, retention periods, and DPO details to match your actual operations.