OZNOZ EDUCATION PLATFORM

PRIVACY POLICY

Oznoz Inc. is committed to protecting the privacy and security of personal data processed through the Oznoz Education Platform. This Privacy Policy explains how Oznoz collects, processes, uses, discloses, and safeguards personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR), FERPA, and other relevant education privacy frameworks.

ENTERPRISE PRIVACY POLICY (PROCUREMENT & GDPR GRADE)

1. Introduction

Oznoz Entertainment Inc. (“Oznoz,” “we,” “us,” or “our”) is committed to protecting the privacy, confidentiality, and security of personal data processed through the Oznoz Education Platform (“Platform”) available at www.oznoz.com/edu. This Privacy Policy describes how Oznoz collects, processes, uses, discloses, safeguards, and manages personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, FERPA, COPPA, PIPEDA and other relevant education and privacy frameworks.

2. Scope of This Policy

This Policy applies to schools, districts, networks of schools, ministries of education, educators, and authorized users (collectively, “Subscribers”) that use the Platform pursuant to a Subscription Agreement, Order Form, or other written agreement. This Policy also applies to student data processed by Oznoz on behalf of Subscribers.

3. Roles Under Data Protection Law

For institutional subscriptions, the Subscriber acts as the Data Controller (or equivalent under applicable law). Oznoz acts as a Data Processor and processes personal data solely on documented instructions of the Subscriber in accordance with Article 28 GDPR. For limited teacher registration accounts (no student data), Oznoz may act as Data Controller for basic account-level information.

4. Categories of Personal Data

A. Account Data: name, email address, institution name, role, authentication credentials.

B. Student Data (provided by Subscriber): student identifiers (e.g., name, grade, ID number), class enrollment, assessment responses.

C. Usage Data: IP address, browser type, device identifiers, session logs, feature usage metrics.

D. Communications Data: support requests, service inquiries.

E. Security Logs: authentication attempts, access records, system event logs.

5. Lawful Bases for Processing (GDPR Article 6)

When Oznoz acts as Processor, lawful bases are determined by the Subscriber, typically including Article 6(1)(b) (performance of contract) and/or Article 6(1)(e) (public interest). For limited Controller activities, lawful bases may include Article 6(1)(b) (contract) and Article 6(1)(f) (legitimate interests). Oznoz does not process special categories of data unless instructed by the Subscriber and subject to appropriate safeguards.

6. Purposes of Processing

Oznoz processes personal data solely to: provide educational services; administer SEL and academic assessments; generate school-level reports; maintain and improve platform functionality; ensure security and integrity; comply with legal obligations; and provide customer support. Oznoz does not sell personal data and does not use student data for advertising, profiling, or behavioral marketing.

7. Data Minimization and Purpose Limitation

Oznoz collects and processes only the minimum personal data necessary to fulfill contractual obligations. Personal data is not processed for purposes incompatible with those specified by the Subscriber.

8. De-Identification and Anonymized Data

Oznoz separates identifiable student information from assessment responses prior to analysis wherever feasible. Oznoz may generate anonymized and aggregated data that does not identify any individual or institution (“Anonymized Data”). Anonymized Data may be used for statistical analysis, benchmarking, product development, longitudinal research, academic research, policy analysis, and publication of aggregated sector reports. Oznoz does not attempt to re-identify individuals or institutions from Anonymized Data.

9. Data Subject Rights (GDPR Articles 15–22)

Data subjects may have rights to access, rectification, erasure, restriction, objection, and data portability. Where Oznoz acts as Processor, such requests must be directed to the Subscriber. Oznoz will assist Subscribers in fulfilling lawful data subject requests pursuant to Article 28 GDPR.

10. International Transfers (GDPR Chapter V)

Primary hosting is conducted in Canada using secure cloud infrastructure (including AWS Canada region). Where personal data is transferred outside the EEA or UK, Oznoz implements appropriate safeguards including Standard Contractual Clauses (SCCs) and contractual data protection commitments.

11. Security Measures (GDPR Article 32)

Oznoz maintains a comprehensive information security program including encryption in transit, role-based access controls, multi-factor authentication (where applicable), audit logging, vulnerability management, regular security assessments, and incident response procedures.

12. Data Protection Impact Assessments (DPIA)

Oznoz supports Subscribers in conducting Data Protection Impact Assessments where required and provides necessary documentation regarding technical and organizational measures.

13. Data Breach Notification (GDPR Articles 33–34)

In the event of a confirmed personal data breach affecting Subscriber Data, Oznoz will notify the Subscriber without undue delay and provide relevant information to support regulatory reporting obligations.

14. Data Retention

Personal data is retained only as long as necessary to fulfill contractual obligations. Upon termination, Subscriber Data will be securely deleted following a defined retention window unless retention is legally required. Anonymized Data may be retained indefinitely for research and statistical purposes.

15. Subprocessors (GDPR Article 28)

Oznoz engages subprocessors to provide hosting and infrastructure services. All subprocessors are subject to written agreements imposing data protection obligations consistent with Article 28 GDPR. A current list of subprocessors is available upon request or via the Oznoz Trust Center.

16. Children's Data

The Platform is designed for use by educational institutions. Oznoz processes children’s personal data solely under the authority and direction of Subscribers. Oznoz does not knowingly collect children’s personal data outside institutional authorization.

17. Automated Decision-Making (GDPR Article 22)

Oznoz does not use personal data to make automated decisions producing legal or similarly significant effects. Assessment analytics are used solely to generate educational insights under Subscriber control.

18. Supervisory Authority and Complaints

Data subjects located in the EEA or UK have the right to lodge a complaint with their local supervisory authority if they believe their data protection rights have been violated.

19. Changes to This Policy

Oznoz may update this Privacy Policy from time to time. Material changes will be communicated appropriately and will not materially reduce protections without notice.

20. Contact Information

Oznoz Entertainment Inc.

401-1228 Hamilton Street

Vancouver, BC V6B-2L6

Email: info@oznoz.com