Privacy Policy

Contents

Who we are
What we collect
How we use it
Legal basis
Sharing & processors
Data residency
Security
Retention
Your rights
Children
Changes
Contact us

1. Who we are

Locator Map Plus (“Locator Map+”, “the platform”, “we”, “us”, or “our”) is the branch, ATM, and agent intelligence platform built by Map & Allied Technologies Limited, a company incorporated in Kenya, with offices at Chaka Place, 1st Floor, Argwings Kodhek Road, Nairobi, Kenya.

Map & Allied Technologies is the data controller for the personal data described in this policy. You can reach our team at inquiries@locator-map.com or by visiting map-allied.com.

2. What we collect

We collect only what we need to operate, secure, and improve the service. Specifically:

2.1 Information you give us

Account & contact details when you book a demo, request a quote, or set up an account — name, email, phone, institution, role, country.
Locator configuration data — the addresses, geocoordinates, opening hours, photos, accessibility flags, and other operational data you upload about your branches, ATMs, CDMs, VTMs, and agents.
Support & correspondence content — the contents of emails, support tickets, and meeting notes you share with us.

2.2 Information we collect automatically (end-user analytics)

Search and interaction data — what visitors searched for on your locator (terms, filters, area boundaries), which locations they clicked or viewed, and on which device family.
Approximate geolocation — visitors’ coarse location (city or region level) derived from their IP address, OR precise GPS coordinates if they tap “Find Near Me” and grant permission. Coordinates are not retained beyond the search session unless your configuration explicitly enables longer retention for heatmaps.
Technical telemetry — browser type, OS, viewport size, referring page, and timestamps — for diagnostic and performance reasons.

We do not sell, rent, or share end-user search data with third parties for marketing.

3. How we use it

We use information to:

Operate your locator and deliver the platform features you’ve subscribed to.
Generate the analytics you see in your admin dashboard (search heatmaps, zero-result intelligence, per-location performance).
Produce regulator-formatted reports on your behalf (e.g. CBK PG/15 quarterly returns).
Detect and prevent abuse, fraud, or security incidents.
Communicate with you about service updates, downtime, and new features (you can opt out of non-essential communications at any time).
Improve product quality through aggregated, de-identified usage patterns.

4. Legal basis (for GDPR & equivalent laws)

Where European data-protection law (or equivalent African statute such as Kenya’s Data Protection Act 2019 or Nigeria’s NDPA 2023) applies, we process personal data on one of the following bases:

Contract — performing the service you have engaged us to deliver.
Legitimate interests — operating the platform, securing it against abuse, improving the product.
Legal obligation — complying with tax, banking, or regulatory requirements that apply to us or to you as our customer.
Consent — where required, such as precise GPS location capture by an end user.

We share personal data only in these limited circumstances:

With your institution. If you are an end user of a locator embedded on a bank’s website, the bank is the data controller for your interaction with that locator; we are a processor on the bank’s behalf.
With sub-processors who help us run the platform — hosting (Amazon Web Services, Africa regions), email delivery, customer-support tooling, and analytics. All sub-processors are bound by written data-protection terms equivalent to ours.
With regulators or law enforcement when compelled by a valid legal request and where we have verified its authenticity.
In a corporate change — if Map & Allied Technologies is acquired, merged, or restructured, your data may transfer to the new entity subject to the protections of this policy.

A current list of sub-processors is available on request.

6. Data residency

By default, customer data is stored in AWS Africa regions — primarily Cape Town (af-south-1), Bahrain (me-south-1), and Johannesburg facilities. Enterprise customers may elect on-premises hosting within their own data centres.

Where data crosses borders — for example, when a sub-processor is based outside Africa — we rely on Standard Contractual Clauses (SCCs), adequacy decisions, or equivalent safeguards as required by applicable law.

7. Security

We treat security as continuous engineering, not a one-time checklist. Practical measures include:

TLS 1.3 in transit, AES-256 at rest.
SOC 2 Type II–aligned controls.
OWASP-compliant secure development practices.
Annual third-party penetration testing.
Role-based access control with mandatory two-factor authentication for staff.
Continuous logging, anomaly detection, and 24/7 monitoring.

No security is perfect. If you discover a vulnerability, please report it responsibly to security@locator-map.com. We will acknowledge within 24 hours.

8. Retention

We retain data only as long as needed for the purposes described, with these defaults:

Locator configuration data — for the duration of your contract, plus 90 days after termination for export, then permanent deletion.
End-user search & interaction data — 13 months by default, or as your configuration specifies.
Audit trail records — 7 years, to support regulatory examinations.
Marketing contacts — until you unsubscribe, or 3 years of inactivity.

9. Your rights

Under applicable data-protection laws, you have the right to:

Access the personal data we hold about you.
Correct data that is inaccurate or incomplete.
Delete data (subject to legal-retention obligations).
Restrict or object to certain processing.
Port your data to another provider in a machine-readable format.
Withdraw consent at any time, where consent was the legal basis.
Lodge a complaint with your local data-protection authority — e.g. the Office of the Data Protection Commissioner (Kenya).

To exercise any of these rights, email inquiries@locator-map.com. We respond within 30 days.

10. Children

The platform is not directed at children under 18, and we do not knowingly collect personal data from children. If you believe a child has provided information to us, please contact us and we will delete it.

11. Changes

We update this policy from time to time. Material changes will be posted here with a new effective date and, for active customers, communicated by email at least 14 days before taking effect.

12. Contact us

For any privacy question, request, or complaint:

Email: inquiries@locator-map.com
Postal: Map & Allied Technologies Ltd, Chaka Place, 1st Floor, Argwings Kodhek Road, Nairobi, Kenya
Phone: +254 518 016 894
Parent company: Map & Allied Technologies