Introduction and Purpose

This Global Privacy Policy describes how Social Media Research Institute Ltd (SMRI), a Delaware corporation, collects, processes, stores, uses, discloses, transfers, and protects Personal Data in connection with its Learning Management System, curriculum delivery tools, educator training materials, administrative dashboards, analytics, certifications, and related services (collectively, the "Platform"). This Policy applies to all individuals who interact with the Platform, including students, teachers, administrators, certified trainers, parents and legal guardians, and partner organization staff.

Definitions

For purposes of this Policy:

• Personal Data: Any information relating to an identified or identifiable natural person

• Student Data: Personal Data directly related to a student and processed by SMRI on behalf of an educational Institution

• Educational Records: Records directly related to a student as defined under FERPA, 20 U.S.C. § 1232g

• Processing: Any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion

• Institution: A school, district, university, youth-serving organization, or other entity that contracts with SMRI to access the Platform

• Data Controller: The entity that determines the purposes and means of processing Personal Data

• Data Processor / Operator: The entity that processes Personal Data on behalf of a Data Controller

Data Protection Roles and Governance

With respect to Student Data, SMRI acts as a Data Processor under GDPR, UK GDPR, LGPD, POPIA, PIPEDA, and similar frameworks; as a School Official with a legitimate educational interest under FERPA; and as an Operator under applicable U.S. student privacy laws including COPPA. SMRI processes Student Data solely on documented instructions from the Institution and treats Student Data as remaining under the ownership and control of the Institution. For its own operational and administrative data, SMRI acts as Data Controller. Institutions subject to GDPR or UK GDPR may contact privacy@smri.world to execute a Data Processing Agreement prior to Platform deployment.

Categories of Personal Data Processed

SMRI collects and processes only Personal Data reasonably necessary to deliver educational services and operate the Platform:

• Identity and Account Data: Name, role, institutional affiliation, email address, and authentication credentials

• Educational and Learning Data: Course enrollment, lesson participation, assessment responses, completion status, Social Media Score records, and certifications

• Technical and Usage Data: IP address, device type, browser type, operating system, and login timestamps

• Communications Data: Support requests, feedback submissions, and administrative correspondence

• Security and Audit Data: Access logs, authentication records, and security monitoring data

SMRI does not intentionally collect biometric data, precise geolocation data, financial information, government-issued identification numbers, or other categories of sensitive personal data unless specifically required by law and authorized in writing by the Institution.

Purposes of Processing

Personal Data is collected and processed exclusively for the following purposes:

• Delivering, operating, and improving the Platform and its curriculum, assessments, and certifications

• Providing student progress tracking, educator dashboards, and administrative reporting

• Managing institutional accounts, onboarding, and support relationships

• Issuing and verifying certifications and training credentials

• Maintaining Platform security, integrity, uptime, and availability

• Complying with legal, regulatory, and contractual obligations

• Improving the Platform using aggregated, anonymized insights that cannot reasonably be used to re-identify individuals

SMRI does not sell Personal Data, use Personal Data for advertising or commercial profiling, engage in cross-context behavioral tracking, or create commercial profiles of students or other Platform users.

Lawful Bases for Processing

Depending on the jurisdiction and category of data subject, SMRI relies on one or more of the following lawful bases: performance of a contract with an Institution; compliance with applicable legal obligations; legitimate interests of SMRI or the Institution in delivering and improving educational services; or consent, where required by applicable law. Where consent is the applicable lawful basis, Institutions are generally responsible for obtaining and maintaining such consent on behalf of students, parents, and other users prior to provisioning Platform access.

Children's Privacy and School-Managed Consent

SMRI does not permit children under the age of thirteen (13) to independently create accounts or self-register on the Platform. All Platform access for users under 13 must be provisioned or explicitly authorized by the Institution, which represents and warrants that it has obtained all required verifiable parental or guardian consents in accordance with applicable law, including COPPA and the UK Age-Appropriate Design Code. For users under 13, SMRI limits data collection to what is strictly necessary for educational purposes, does not engage in advertising or behavioral tracking, and does not disclose data to third parties except as necessary to operate the Platform. Parents and guardians seeking to access, correct, or delete data relating to a child should direct requests to the Institution.

Artificial Intelligence and Automated Processing

The Platform may incorporate automated or AI-assisted tools to support curriculum sequencing, aggregate analytics, educator insights, and platform optimization. SMRI commits to the following: it does not engage in automated decision-making that produces legal or significant effects on individual students without human oversight; it does not use Student Data to train third-party AI or machine learning models; it does not engage in predictive behavioral profiling of students for commercial purposes; and all automated outputs are advisory only and subject to human review. Material changes to automated processing practices will be communicated to Institutions prior to implementation.

Data Subject Rights

Depending on applicable jurisdiction, individuals may have the following rights: right of access; right to rectification; right to erasure; right to restriction of processing; right to data portability; right to object; rights related to automated decision-making; and rights under applicable U.S. state laws including CCPA/CPRA. To exercise any rights, individuals may submit a request to privacy@smri.world. SMRI will verify the identity of the requestor, coordinate with the Institution where Student Data is involved, and respond within applicable statutory timeframes.

Data Sharing and Disclosure

Student Data and Educational Records are made available to authorized users within the Institution in accordance with role-based access controls. SMRI may engage third-party service providers including cloud infrastructure providers, CDN providers, analytics platforms, customer support systems, email service providers, security monitoring services, and payment processors. All service providers are bound by written agreements limiting processing to documented SMRI instructions and requiring confidentiality and appropriate security measures. SMRI may disclose Personal Data to governmental authorities where required by law and will provide reasonable advance notice to affected Institutions where permitted. SMRI does not disclose Personal Data for advertising or any purpose inconsistent with the educational mission of the Platform.

International Data Transfers

Personal Data may be transferred to, processed in, or stored in jurisdictions outside the data subject's country of residence. SMRI implements the following safeguards: Standard Contractual Clauses approved by the European Commission; UK International Data Transfer Agreement/Addendum; adequacy decisions issued by competent regulatory authorities; binding contractual commitments with data importers; and technical safeguards including encryption in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent). Institutions in the EU, UK, or other jurisdictions with specific cross-border transfer requirements should contact privacy@smri.world.

Data Retention

Personal Data is retained only for as long as necessary to fulfill the purposes for which it was collected and comply with applicable legal obligations:

• Student Data and Educational Records: Retained in accordance with the institutional agreement, applicable FERPA requirements, and the Institution's own retention schedule. SMRI will delete or return Student Data upon request following termination of the institutional agreement.

• Account and Authentication Data: Retained for the duration of the account's active status plus up to 90 days following deactivation.

• Security and Audit Logs: Retained for a minimum of 12 months and up to 7 years depending on regulatory requirements.

• Compliance and Legal Records: Retained as required by applicable law or legal hold.

• Aggregated and Anonymized Data: De-identified data may be retained indefinitely for research and platform improvement purposes.

Upon expiration of applicable retention periods, Personal Data is securely deleted or irreversibly anonymized using industry-standard methods.

Security Measures and Incident Response

SMRI implements comprehensive technical, organizational, and administrative safeguards including: encryption of data in transit using TLS 1.2 or higher and at rest using AES-256 or equivalent; role-based access control and the principle of least privilege; multi-factor authentication for privileged and administrative accounts; firewalls, intrusion detection and prevention systems, and network segmentation; regular vulnerability assessments, penetration testing, and patch management; and audit logging and anomaly detection. In the event of a data breach, SMRI will investigate and contain the incident promptly, notify affected Institutions without undue delay and in accordance with applicable law, notify regulatory authorities and affected data subjects as required, and implement remedial measures to prevent recurrence.

Jurisdiction-Specific Provisions

United States — FERPA: SMRI acts as a School Official with a legitimate educational interest. Student Education Records remain under institutional control and are processed solely for educational purposes.

• United States — COPPA: SMRI does not permit children under 13 to self-register. Institutions act as consent authorities for users under 13 and are responsible for obtaining verifiable parental consent.

• United States — California (CCPA/CPRA): SMRI acts as a Service Provider and does not sell or share Personal Information as defined under California law. California residents may exercise their rights by submitting a request to privacy@smri.world.

• European Union and United Kingdom — GDPR/UK GDPR: SMRI acts as Processor for Student Data and as Controller for operational data. Data subjects may exercise rights under Articles 15–22 of the GDPR by submitting a request to privacy@smri.world.

• Brazil — LGPD: Institutions act as Controllers; SMRI acts as Operator for Student Data and Controller for operational data.

• South Africa — POPIA: Institutions act as Responsible Parties; SMRI acts as Operator and processes Personal Data lawfully in accordance with the eight Conditions for Lawful Processing.

• Australia — Privacy Act: SMRI complies with the Australian Privacy Principles under the Privacy Act 1988 and applies appropriate safeguards for cross-border disclosure.

• Canada — PIPEDA: SMRI adheres to PIPEDA's principles of accountability, identifying purposes, consent, limiting collection, accuracy, safeguards, openness, individual access, and challenging compliance.

• India — DPDP Act: SMRI acts as a Data Fiduciary and appoints a Grievance Officer reachable at privacy@smri.world. SMRI does not process Personal Data of children without verifiable parental consent.

• Singapore — PDPA: SMRI processes Personal Data in accordance with the Personal Data Protection Act 2012 and ensures comparable protection for cross-border transfers.

• Nepal: SMRI processes Personal Data of individuals in Nepal lawfully and solely for legitimate educational purposes and coordinates data subject rights requests with Institutions operating in Nepal.

• Zimbabwe and Other Jurisdictions: SMRI commits to processing Personal Data lawfully, fairly, transparently, and securely, consistent with globally recognized data protection standards. Institutions are encouraged to contact privacy@smri.world to discuss applicable requirements.

Policy Updates

SMRI may update this Policy from time to time to reflect changes in applicable law, Platform functionality, or SMRI's data practices. Material changes will be communicated to Institutions at least thirty (30) days prior to taking effect, by email to the institutional contact on file or by prominent notice on the Platform. Continued use of the Platform after the effective date of any amendment constitutes acceptance of the revised Policy. The current version of this Policy will always be available at smri.world and within the Platform.

Contact Information

For privacy inquiries, data subject rights requests, Data Processing Agreement requests, or any concerns relating to this Policy, please contact:

Social Media Research Institute Ltd (SMRI) Attn: Privacy Officer 16192 Coastal Highway, Lewes, Delaware 19958, United States Email: privacy@smri.world Platform: app.smri.world

For legal notices and formal legal correspondence, please direct communications to legal@smri.world.