Loading...
Loading...
Effective date: 2026-06-04 | Version: 1.8
Changemappers is controlled by Incze Gaspar, an individual based in Hungary. Changemappers is not presently a company, foundation, association, or other incorporated organization. For privacy questions, requests, or concerns, contact [email protected]. If email delivery is unavailable, use the in-app Feedback button and start the message with "privacy request" or "suspected incident" so the operator can triage it as a privacy-rights request.
Changemappers is designed as a privacy-first community platform. We collect only the data needed to provide accounts, community features, safety controls, and service reliability. We do not sell personal data, run advertising profiles, or use third-party marketing trackers.
We use essential cookies, local storage, and session storage for login sessions, registration continuation, language/theme preferences, cookie consent, draft recovery, undo history, and one-per-session analytics deduplication. Temporary registration continuation cookies are HttpOnly, do not contain your password or profile answers, and are removed when registration completes or expires. Optional analytics only runs after consent and its browser deduplication key is cleared when analytics consent is withdrawn. We do not use marketing cookies or cross-site tracking cookies.
We use personal data to create and manage accounts, provide community and collaboration features, generate explainable recommendations, apply privacy and safety settings, prevent abuse, respond to support requests, and improve reliability. Legal bases may include consent, performance of contract, legitimate interests in security and platform operation, and legal obligations.
We use Hetzner for hosting, Upstash Redis for rate-limit storage, Sentry for optional error reporting and monitoring, Brevo for transactional email delivery, Cloudflare for DNS, caching, security, and network protection, and Mailgun only if adopted later for transactional email. For non-EEA transfers, we rely on provider DPAs and Standard Contractual Clauses where required.
We do not sell personal data. We share data only when required to provide the service, comply with law, protect users or the platform, or honor visibility choices. Public content and public profile fields may be visible according to the settings you choose.
Some Changemappers areas are designed for public-interest learning and mapping. If you make a contribution public, it may be displayed publicly and may be included in aggregated or open datasets for social-impact purposes.
We keep personal data while your account is active or while it is needed for the purposes in this policy. Authenticated website use updates account activity. After 180 days without activity, we mark the profile inactive and keep the account for a 30-day export grace period. If no activity happens during that grace period, the account and personal data are erased 210 days after the last activity. Security and technical logs are deleted or anonymized after 90 days unless a longer period is needed for abuse, security, or legal reasons.
You can request account deletion at any time. Deletion removes or anonymizes personal data from active systems, subject to limited retention for security, legal compliance, backups, or records that must be preserved in non-identifying form to maintain community integrity.
You can access your data, correct inaccurate data, request deletion, restrict or object to processing, withdraw consent, and receive a portable copy of your data. If GDPR applies to you, you can also lodge a complaint with your local data protection authority.
Use in-app controls first for profile edits, privacy and visibility settings, matching opt-out, data export, and account deletion. Email [email protected] only for non-self-service privacy rights requests. If email delivery is unavailable, use the in-app Feedback button and start the message with "privacy request". We acknowledge requests within 3 business days and respond within 30 days unless an authority allows an extension.
| Processing activity | Purpose | GDPR basis |
|---|---|---|
| Account and identity management | Creation, authentication, and administration of your account | Performance of contract (6(1)(b)) |
| Profile display and visibility settings | Showing profile fields according to your visibility choices | Performance of contract; consent for optional public visibility |
| Optional profile fields and preferences | Storing optional fields such as pronouns, bio, skills, values, interests, causes, intentions, availability, and preferences | Consent (6(1)(a)) |
| Matching and recommendation features | Generating optional recommendations from profile and matching activation data | Consent; explicit consent where special-category data is involved |
| Security, fraud, and abuse monitoring | Risk management and platform protection | Legitimate interests; legal obligation |
| Category | Retention | Reason |
|---|---|---|
| Account profile and settings | Until account deletion or anonymization | Service continuity and user records |
| Audit logs with PII | 90 days, then scrub or retention action | Security traceability and fraud prevention |
| Page visit logs | 30 days | Usage safety and abuse detection |
| Refresh token sessions | Up to 7 days or token expiry | Session security |
| Messages and direct communications | Until deletion request or anonymization | User communication continuity |
We use TLS encryption, access controls, secure authentication practices, monitoring, and other technical and organizational measures to protect personal data. No online service can guarantee perfect security, but we work to reduce risk and respond quickly when issues are found.
If a personal-data breach creates a high risk to your rights or freedoms, we will notify affected users and relevant authorities as required by law, including the 72-hour GDPR notification window where required. Suspected incidents should be emailed to [email protected], or sent through the in-app Feedback button if email delivery is unavailable.
Changemappers is not intended for children under 16. Registration requires users to confirm they are at least 16 before account creation. If you believe a child has provided personal data to us, contact [email protected] or use the in-app Feedback button if email delivery is unavailable.
We may update this policy as Changemappers changes. When changes are material, we will notify users by email, in-product notice, or a clear notice on the website.
Location controls: users can choose profile location precision and whether they appear on the map. Exact coordinates are optional and map display is off by default.
| Date | Version | Change summary |
|---|---|---|
| 2026-06-04 | 1.8 | Switched the current privacy, rights-request, child-data, and incident contact to [email protected] while keeping in-app Feedback as the fallback path if email delivery is unavailable. |
| 2026-06-04 | 1.7 | Added in-app Feedback as a fallback path for privacy-rights and suspected-incident requests if email delivery is unavailable. |
| 2026-06-04 | 1.6 | Clarified browser storage keys, purposes, consent dependency, and clearance behavior. |
| 2026-05-21 | 1.5 | Added inactive-account retention, warning notice timing, export grace period, and erasure timing. |
| 2026-05-20 | 1.4 | Clarified temporary registration continuation cookies used to finish email-verified account setup. |
| 2026-05-20 | 1.3 | Clarified age confirmation, location precision and map visibility, and Sentry telemetry defaults. |
| 2026-05-19 | 1.2 | Added Upstash Redis to processor disclosure. |
| 2026-05-11 | 1.1 | Added practical GDPR controls, rights workflow, lawful basis mapping, retention categories, breach workflow, and child-data language. |
| 2026-05-08 | 1.0 | Initial public policy. |