Privacy Policy

1. Scope, Consent & Application

1.1 Application Scope

This Privacy Policy governs your access to and use of the mobile applications and cloud-based platform provided by Octoze Technologies (the "App" and "Service").

By using our App, you consent to the terms and conditions described in this Privacy Policy. If you do not agree with this policy, please do not proceed further with app usage.

The usage of our mobile application requires access to the "Camu. Your Campus" cloud-based ERP solution for educational institutes. If you do not have access to the Camu platform, you will not be able to use this mobile app.

1.2 Age Restriction — Children Under 18

Our products and services are not intended for children under the age of 13. Octoze Technologies does not knowingly collect any personal information from children Under 18. If we learn that we have collected or received personal data from a child Under 18 without verification of parental consent, we will promptly delete that information.

If you believe we may have inadvertently collected information from a child Under 18, please contact us immediately at:
dpo@octoze.com

1.3 Data Ownership

All data sent from the mobile application to the Camu server is stored encrypted. The content is under the ownership of the customer (the educational institute that you are part of). Octoze Technologies will never use this data for any purpose other than delivering the contracted service.

The data that you entered or viewed using the app is owned by the Institute. Octoze Technologies does not assume ownership of the data.

1.4 Octoze's Role: Data Processor and Data Controller

Octoze Technologies operates in two distinct capacities depending on the context of data processing:

• As a Data Processor: When processing personal data on behalf of our customers (educational institutions), Octoze acts as a Data Processor. In this capacity, Octoze processes personal data only in accordance with the customer's instructions. The customer (institution) remains the Data Controller and retains full responsibility for that data.
• As a Data Controller: When collecting and processing personal data for our own business purposes — such as website visitors, marketing contacts, or business operations — Octoze acts as a Data Controller and is directly responsible for compliance with applicable data protection laws.

This distinction determines the rights available to individuals and the obligations Octoze holds in each context, as further described in this Privacy Policy.

1.5 Policy Updates & Contact

Octoze Technologies reserves the right to change, modify, add to, or remove portions of this Privacy Policy at any time, without notice to the user. The User is advised to periodically visit this page to review the current Privacy Policy to which he/she is bound.

If you have any questions about this Privacy Policy, please contact us at:
support@octoze.com

2. Privacy Policy

Octoze is committed to protecting the privacy and personal information of individuals in accordance with applicable privacy laws and regulations. This Privacy Policy outlines how we collect, use, disclose, store, and manage personal information in connection with our services.

2.1 Personal Information We Collect and Hold

We may collect and hold the following types of personal information:

• Identification Information: Full name, date of birth, gender, government identifiers (where required)
• Contact Information: Email address, phone number, postal address
• Professional / Academic Information: Employment details, education records, enrolment details
• Financial Information: Payment details, billing information
• Technical Information: Browser type, system logs, IP address
• Authentication Information: Username, password (encrypted), access logs — including Camu credentials (username and password/PIN)
• Sensitive Information (where applicable and permitted by law): Health information, disability information, demographic data
• System usage metadata and audit logs
• User-generated content required for core platform functionality

App-Specific Data Collection

When accessing the service via the mobile application, we additionally collect:

• Log information: Interactions with the app, content viewed, updates made, time spent, date of access, app version, and IP address
• Device information: Type of device (e.g., brand of phone or tablet), unique device identifiers
• Location information: GPS or device-based location data — used specifically to track Bus location for Institute administration when location-enabled services are active

We only collect personal information that is reasonably necessary for our services and operations. Personal data is collected strictly for operational, administrative, and compliance purposes.

2.2 How We Collect and Hold Personal Information

Collection Methods

We collect personal information through:

• Direct interactions (forms, registrations, contracts)
• Online portals and service platforms
• Email, telephone, and customer support interactions
• Automated technologies (cookies, logs, analytics tools)
• Third parties (employers, educational institutions, authorised partners)

Storage and Security

We hold personal information securely in:

• Encrypted databases
• Secure cloud hosting environments
• Access-controlled internal systems
• Archived storage in accordance with retention policies

Appropriate technical and organisational security controls are implemented to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. We utilise a combination of online and offline security technologies including network access controls, firewalls, role-based restrictions, passwords, access logging, and where appropriate, encryption technology.

We use the device security account capability to store app credentials so that users do not need to type their username and password each time. Credentials are removed from device settings upon logout to prevent unauthorised usage.

Security Certifications

Octoze Technologies maintains industry-recognised security certifications. Details of our security posture, including our System and Organization Controls (SOC) attestations, are available upon request by contacting dpo@octoze.com. Applicable sub-processor certifications (ISO 27001, SOC 2 Type II, PCI DSS) are listed in Section 5.2 of this document.

2.3 Purpose for Collecting, Using, and Disclosing Personal Information

General Service Purposes

We collect and use personal information for purposes including:

• Delivering and administering our services
• Identity verification and authentication
• Processing payments and billing
• Providing customer support
• Meeting legal and regulatory obligations
• Improving system functionality and user experience
• Communicating service updates and notifications
• Security monitoring and fraud prevention

AI-Related Processing

In relation to AI-enabled features, personal data is processed subject to the following restrictions:

• Personal data is NOT used to train, fine-tune, or improve AI, ML, LM, or LLM models.
• Personal data is NOT used for AI-driven profiling, behavioural analysis, or automated decision-making outside core system workflows.
• Personal data is processed only to deliver contracted services, maintain system security, fulfil legal obligations, and support user-requested functionality.

Where AI-enabled features exist, they operate using predefined logic or anonymised/system-generated data and do not analyse personal data for model training or learning purposes.

In-Product Analytics — Consent

Octoze uses analytics functionality within certain platform features to improve our products and services. Customers and users may consent to, or revoke consent for, the collection of analytics data by accessing the consent settings within the Camu platform. Consent can be turned on or off at any time through the product settings.

We only use personal information for purposes that are lawful and directly related to our services.

2.4 Recipients of Personal Information

We may disclose personal information to the following authorised recipients:

• Employees and authorised contractors
• Service providers (e.g., cloud hosting, IT support, payment processors, contracted sub-processors and hosting providers)
• Professional advisers (legal, audit, compliance)
• Regulatory or government authorities where legally required
• Affiliated entities within our corporate group

We do NOT use advertisements, and we do NOT share your information with third-party advertising companies.

Personal data is NOT sold, monetised, or shared for AI research, AI training, or third-party AI analytics. All third-party and sub-processor providers are required to implement appropriate security and confidentiality measures and are bound by contractual data protection obligations.

A full list of our third-party sub-processors is available upon request. Please contact dpo@octoze.com to obtain the current sub-processor list. The register is also maintained internally in Section 5.2 of this document.

2.5 Marketing Communications & Opt-Out

Octoze may send you communications about our products, services, and events where you have provided your details or have a legitimate business relationship with us. You may opt out of any future marketing contacts from us at any time by:

• Using the unsubscribe link included in any marketing email communication
• Emailing your opt-out request to: dpo@octoze.com
• Writing to us at the mailing address provided in Section 5 of this document

Opting out of marketing communications will not affect your ability to receive service-related or transactional communications necessary to deliver the contracted services.

2.6 Cookies, Analytics & Tracking Technologies

Cookies

Our website and platform may use cookies — small files placed on your device — to assist in collecting information about your visit. Cookies help us improve our platform and deliver a better experience. You have the ability to delete cookie files from your device at any time, or avoid cookies by configuring your browser to reject them or notify you when a cookie is being placed on your device.

We may use first-party and third-party cookies for purposes including:

• Platform functionality and user session management
• Lead generation and understanding how visitors use our site
• Serving and optimising advertisements based on past visits

For detailed information on the specific cookies we use, please contact us at dpo@octoze.com to request our Cookie Declaration.

Google Analytics

Our website may use Google Analytics, including Demographics and Interest Reporting, to help us understand — in aggregate — the age, gender, and interests of visitors. This tool does not reveal personally identifiable information to us. We do not combine information from Google Analytics with other personal data we hold. You can prevent Google Analytics from recognising you on return visits by using the Google Analytics Opt-out Browser Add-on.

Social Media Tracking

We may use social media tools including pixel tags (e.g., Facebook Pixel) added to our site that allow data about actions of site visitors to be sent to social media platforms. This is used to track conversions and to allow us to create custom audiences for any products or services we may advertise. Where applicable, data such as email addresses and phone numbers are locally hashed on our systems before being passed to such platforms. Use of that data by the social media platform is governed by their respective privacy policies.

Interest-Based Advertising Opt-Out

You can manage the interest-based advertising you receive or opt out entirely by visiting the relevant advertising opt-out page for your region (such as aboutads.info/choices for US users). You may also adjust your preferences directly through the relevant social media platform's ad settings.

2.7 User-Generated Content in Public Features

Octoze may offer features such as discussion forums, community boards, or social integrations within the platform that are visible to other users. You should be aware that any personal data you choose to submit in these public-facing areas can be read, collected, and used by other participants, and could be used to send you unsolicited messages.

We are not responsible for the personal data you choose to disclose when engaging in such public features. Please exercise caution when sharing personal information in any publicly visible area of the platform.

2.8 Links to Other Sites, Applications & External Websites

Content that you view within the app or website (for example, an assignment, a banner, or a hyperlink) may contain links to other apps or websites — such as camera access to capture a photo, a link to a video, or links to third-party websites and services.

Some links and advertisements on our site or platform may direct you to third-party websites. These third-party websites are not controlled by Octoze Technologies and are not subject to this Privacy Policy. We are not responsible for the privacy practices or content of those external sites. We recommend that you carefully read the privacy statements of any third-party apps or websites before visiting or providing your personal information.

2.9 App Notifications

We send periodic notifications about certain events that are triggered by your Institute — for example, a new Camu message or a new task assigned to you. You may use your device capabilities to control the behaviour of notifications.

2.10 Android Permissions

The following Android permissions are requested by the app and the reason for each:

• USE_CREDENTIALS, GET_ACCOUNTS, READ_PROFILE, MANAGE_ACCOUNTS, AUTHENTICATE_ACCOUNTS — for storing the currently logged-in user's account so that authentication details are not requested each time the user uses the app
• WRITE_EXTERNAL_STORAGE — to save attachments that the user may receive as part of assignments or announcements from their Institute
• ACCESS_NETWORK_STATE — to identify whether the user device has a working network connection before accessing or sending data to the Camu platform

2.11 Data Retention

• Personal data is retained only as long as necessary to provide contracted services or meet legal and regulatory obligations.
• Data retention schedules are documented and enforced.
• Data is securely deleted or anonymised once retention requirements are met.
• No personal data is retained for AI model development or training purposes.
• Camu maintains a contract with the institution which owns the data. The data is retained for the duration of the contract, or until the period the institution instructs Camu to delete the data in case of contract cancellation.

2.12 Consequences of Not Providing Personal Information

If an individual does not provide required personal information:

• We may be unable to provide access to certain services.
• Account registration or service delivery may be delayed or denied.
• We may not be able to meet contractual or regulatory obligations.

Where information is optional, individuals will be informed accordingly.

2.13 Individual Rights

Individuals are informed of their rights, which include:

• Right to access their personal data — receive a copy of the personal data held and verify it is being processed lawfully and fairly
• Right to correct or rectify inaccurate, incomplete, or outdated information
• Right to request deletion (subject to legal requirements) — ask to delete or remove personal data where there is no lawful ground to continue processing
• Right to restrict or object to processing — including where we rely on legitimate interest or where processing is for direct marketing purposes
• Right to data portability — request the transfer of your personal data to another party
• Right to withdraw consent — in circumstances where consent was provided for a specific purpose; to withdraw, write to: dpo@octoze.com
• Right to lodge a complaint with the relevant supervisory authority at any time

You will not have to pay a fee to exercise these rights. However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

Requests can be submitted via the contact details provided in Section 5. We may require identity verification before processing such requests. We will respond within a reasonable timeframe as required by applicable privacy laws.

2.14 Withdrawal of Consent

Where consent applies:

• Institutions may withdraw consent at any time.
• Withdrawal mechanisms are clearly defined and accessible.
• Withdrawal does not affect lawful processing carried out prior to withdrawal.

As personal data is not used for AI model training or AI profiling, withdrawal does not impact any AI training activities.

2.15 Opt-Out and Account Termination

You will no longer have access to the app when the Institute terminates you from a position, or you have relieved yourself from the position. The data that you entered or viewed using the app is owned by the Institute.

You may also request that we delete your information by emailing: support@octoze.com, or by submitting a helpdesk ticket through our service desk. We will respond to your request within 30 days.

If you are a student from an academic institution using Camu, we may be unable to delete the information, but we will respond to you with information to help you further on this matter.

2.16 Overseas Disclosure of Personal Information

We may disclose personal information to overseas recipients where necessary for service delivery, including:

• Customer-chosen cloud hosting providers with all applicable privacy agreements in place
• IT support providers of the end customers
• Users of the institutions in agreement

Such disclosures occur only where adequate data protection safeguards are in place or the disclosure is permitted under applicable privacy laws.

Data Storage Regions

Camu is a SaaS-based cloud solution deployed in multiple regions as independent instances to support data governing rules pertaining to where data should be stored. Current hosting regions are:

• India — The data of all users using Camu from within India is stored in India.
• Singapore — The data of all users connecting from PH, SG, MY, TH, UAE, HK is stored in Singapore.
• Ohio (USA) — The data of users connecting from North America, South America, and Africa regions is stored in Ohio.

Full details of sub-processors and country-level controls are set out in Section 5 of this document.

2.17 Privacy Complaints

If an individual believes their privacy has been breached, they may lodge a complaint by contacting us using the details below.

Complaints will:

1. Be acknowledged promptly
2. Be investigated internally
3. Receive a written response outlining findings and corrective actions

If the individual is not satisfied with our response, they may escalate the matter to the relevant regulatory authority.

2.18 Periodic Compliance Reviews & Enforcement

Octoze Technologies conducts periodic reviews of its privacy practices and procedures to verify adherence to this Privacy Notice and applicable data protection laws. These reviews assess whether:

• Personal data is being processed in accordance with the stated purposes
• Security controls remain adequate and effective
• Sub-processor arrangements remain compliant
• Emerging risks or regulatory changes require policy updates

Any data subject with a complaint concerning Octoze's processing of their personal data may contact our Data Protection Officer at: dpo@octoze.com. We will investigate and attempt to resolve any complaints or disputes promptly.

2.19 Contact Details

For privacy concerns, access requests, corrections, complaints, or data deletion requests, please contact:

Privacy Officer — Octoze Technologies Pte. Ltd.
Email (DPO): dpo@octoze.com
Email (Support / Deletion Requests): support@octoze.com

2.20 Data Protection Addendum

A Data Protection Addendum (DPA) is available for download and governs the contractual data protection obligations between Octoze Technologies and its customers. The DPA can be obtained by contacting dpo@octoze.com or via the Camu website.

3. Customer Responsibilities for Data Subjects

Octoze processes personal data that its customers (educational institutions) have chosen to share with Octoze. Octoze has no direct contractual relationship with the individual data subjects — including students, faculty, staff, parents, or alumni — whose data is processed through use of the Camu platform.

3.1 Customer as Data Controller

The customer (educational institution) is the Data Controller in respect of personal data relating to its students, staff, and other data subjects. As a result, the customer is solely responsible for:

• Satisfying all legal obligations owed directly to its data subjects under applicable data protection laws
• Ensuring that personal data it collects or directs Octoze to collect can be legally collected
• Providing required privacy notices to data subjects as required by law
• Responding to data subject rights requests (access, correction, deletion, etc.) from their own users
• Ensuring that disclosure of personal data to Octoze is consistent with its own published privacy policy

3.2 Octoze as Data Processor

When processing Customer Personal Data, Octoze acts solely as a Data Processor and processes that data only in accordance with the customer's instructions. Octoze is not responsible for its customers' privacy policies or their compliance with applicable laws. Octoze does not review or monitor customers' privacy policies or their compliance with such policies.

3.3 Data Integrity

Customers are responsible for ensuring that they provide Octoze with accurate, complete personal data and that the personal data collected is necessary to accomplish the stated purposes. Octoze will process personal data only in accordance with the customer's instructions and will return or destroy personal data in accordance with applicable law upon contract termination.

4. AI Privacy & Responsible AI Policy

This section covers the governance, transparency, and ethical principles that govern the use of Artificial Intelligence (AI) within Octoze's platform. It should be read together with Section 2 of this Privacy Policy.

4.1 AI Governance Assurance

AI features within the service are designed to operate without using personal data for training, behavioural analytics, or model development. Data protection principles of data minimisation, purpose limitation, and privacy-by-design are applied to all system components.

Our organisation maintains an easily accessible Privacy Policy and AI Transparency Notice that clearly informs individuals about how their personal data is handled in relation to AI-enabled features. This information is made available:

• Via our publicly accessible Privacy Policy webpage
• Within customer agreements and platform terms
• Prior to account registration or submission of personal information
• At the point of data collection where system automation features are used
• Before activation of any AI-enabled feature

Any material changes to data processing practices are communicated in advance via updated notices.

4.2 Responsible AI Policy Scope

The Camu Responsible AI Policy establishes the principles, governance structure, and controls governing the usage of 3rd party AI prescribed by the end user, its deployment, and use of AI systems within the organisation. The objective is to ensure AI technologies are used ethically, transparently, securely, and in compliance with applicable laws and organisational values.

4.3 Fairness, Non-Discrimination, and Transparency

Camu's AI approach embeds transparency and ethical governance throughout its AI-powered platform. The company emphasises using "trusted AI" that supports higher education institutions while maintaining clear, auditable, and transparent practices that uphold organisational values. Key commitments include:

• Transparency about how AI supports user outcomes
• Ethical governance embedded in AI design and deployment
• AI systems that empower human decision-making, not replace it ("People decide, AI informs")
• AI systems must not unlawfully discriminate or produce unjust outcomes
• Bias risks are assessed during design, testing, and deployment
• Where adverse impact is identified, corrective action is taken
• Individuals are informed when AI is being used in service delivery
• The purpose and limitations of AI systems are documented
• AI-assisted outputs are explainable at an appropriate level to stakeholders
• Clear principles of fairness, transparency, and accountability guide AI development and use
• Roles and responsibilities for all stakeholders in the AI lifecycle are defined, from developers to users
• Processes to identify, assess, and mitigate potential risks — including bias, security vulnerabilities, and societal impact — are implemented

4.4 Accountability and Human Oversight

• Human oversight is maintained over AI-enabled processes
• Final accountability for AI-driven outcomes rests with the organisation
• High-impact decisions are not made solely by AI without human review
• Accountability mechanisms establish clear accountability for potential harms caused by AI systems

4.5 AI Design and Development

• Focus on designing AI systems that meet human needs, prioritise well-being, and are inclusive
• Ensure responsible data collection, storage, and usage practices that respect privacy regulations and minimise bias
• Promote transparency in how AI systems make decisions, allowing users to understand the reasoning behind outputs

4.6 Testing, Deployment, and Continuous Monitoring

• Implement rigorous testing procedures to ensure AI systems perform as expected, are reliable, and avoid unintended consequences
• Continuously monitor deployed AI systems to identify potential issues, biases, or performance degradation
• Maintain human oversight throughout the AI lifecycle for responsible decision-making and intervention when necessary
• Ongoing monitoring is conducted to detect drift, bias, or unintended outcomes
• The Responsible AI Framework is reviewed periodically to reflect regulatory developments, address emerging AI risks, and incorporate lessons learned
• Continual learning and improvement: continuously learn from data, feedback, and real-world deployment to improve AI systems and address emerging issues

4.7 AI Risk Management

The organisation adopts a risk-based approach to AI deployment:

• AI use cases are assessed before implementation
• Risks evaluated include bias, privacy impact, cybersecurity exposure, and operational risk
• Higher-risk AI applications require enhanced review and approval

4.8 Communication and Stakeholder Engagement

• Clearly communicate how AI systems work, their limitations, and how user data is used
• Engage stakeholders like policymakers, regulators, and the public in discussions about Responsible AI development and deployment

4.9 AI Incident Management

A documented process exists to identify, investigate, and remediate AI-related incidents, including:

• Security breaches
• Privacy incidents
• Harmful or biased outputs
• System misuse

Significant incidents are escalated to management and addressed through corrective action.

4.10 Training and Awareness

Personnel involved in AI development, deployment, or use receive appropriate training on:

• Responsible AI principles
• Ethical considerations
• Privacy and security obligations

5. Sub-Processor Register & Overseas Disclosure Statement

This section discloses all third-party sub-processors engaged to deliver the service, the countries in which personal information may be stored, processed, or accessed, and the controls in place to protect that information.

5.1 Role Allocation

• Data Controller: The school or educational institution (customer)
• Data Processor: Camu – processes personal information on behalf of the controller
• Sub-Processor: Third parties engaged by the processor that process personal information for the service

5.2 Sub-Processor Register

The following table lists all sub-processors currently engaged in delivering the service. All sub-processors are bound by Data Processing Agreements (DPAs) that flow down equivalent privacy and security obligations. An updated sub-processor list is available upon request at: dpo@octoze.com

5.3 Octoze Liability for Sub-Processor Acts

Octoze takes reasonable and appropriate steps to ensure that sub-processors and third-party agents process personal data in accordance with our contractual agreements and this Privacy Policy. If Octoze learns that a sub-processor is using or disclosing personal data in a manner contrary to this Privacy Policy, Octoze will take steps to prevent or stop such use or disclosure.

Under certain circumstances, Octoze may remain liable for the acts of its third-party agents or service providers in their handling of personal data transferred to them on Octoze's behalf. Octoze will take responsibility for ensuring adequate contractual protections are in place and will act promptly to remediate any identified breach of those obligations.

5.4 Overseas Disclosure Statement

Personal information processed as part of this service may be stored, accessed, or supported from the countries listed below. We have implemented contractual, technical, and organisational controls to ensure that all cross-border disclosures meet applicable privacy obligations, including the Australian Privacy Principles (APP 8), New Zealand Privacy Act (IPP 12), and GDPR.

5.5 Technical Safeguards for Overseas Disclosures

• All data encrypted in transit using TLS 1.2 or higher
• All data encrypted at rest using AES-256
• Access controls: role-based access with MFA enforced for all sub-processors with access to personal data
• Audit logging enabled for all access to personal information
• Region-specific data residency enforced per customer location (India, Singapore, Ohio)

5.6 Advance Change Notification Process

1. Subscription: Customers can subscribe to sub-processor change notifications at: dpo@octoze.com
2. Notice Period: We provide a minimum of 30 days' advance notice prior to activating any new or replacement sub-processor.
3. Objection Process: Customers who have a reasonable objection may notify us within the 30-day period. We will work in good faith to address the concern or discuss contract exit options.
4. Emergency Changes: Where a sub-processor change is required urgently, we will notify customers as soon as practicable and document the circumstances.

5.7 Contractual Controls & Governance

• Confidentiality obligations and data-use restrictions limited to the agreed service purpose
• Security requirements including encryption, access controls, and audit logging
• Breach notification obligations (notify us within 48 hours of discovery)
• Restrictions on onward transfer — sub-processors may not engage further sub-processors without prior written consent
• Deletion and return of data upon contract termination
• Audit rights: right to inspect or commission audits of sub-processor compliance

6. Additional Rights — California Residents (CCPA)

This section applies to California residents who are "Consumers" as defined in the California Consumer Privacy Act ("CCPA").

6.1 Age Restriction for California Consumers

Octoze does not knowingly collect personal information from California Consumers under the age of 16.

6.2 Rights of California Consumers

California Consumers have the right to request the following information:

• The categories of personal information Octoze collects about you
• The categories of sensitive personal information Octoze collects about you
• The categories of sources from which your personal information is collected
• Whether Octoze sells or shares your sensitive personal data
• The right to limit the use of your sensitive personal data
• The business purpose(s) for collecting your personal information
• The categories of third parties with whom Octoze shares your personal information
• The specific pieces of personal information Octoze has collected about you

California Consumers may also have the right to request that Octoze delete certain personal information.

6.3 Non-Discrimination

Octoze will not discriminate against California Consumers who exercise their rights under the CCPA.

6.4 How to Exercise CCPA Rights

California Consumers may exercise these rights by contacting us at: dpo@octoze.com or support@octoze.com. Octoze will verify your request using information you provide, which may include your email address. Government identification may be required to validate your request. California Consumers may also designate an authorised agent to exercise these rights on their behalf.

6.5 Sale or Sharing of Personal Information

7. Additional Rights — EEA, UK & Switzerland (GDPR)

This section applies to individuals whose personal data is collected or processed by Octoze in connection with the European Economic Area ("EEA"), the United Kingdom ("UK"), or Switzerland.

7.1 Data Collected from EEA, UK & Switzerland

Personal data collected from individuals in the EEA, UK, or Switzerland may include:

• Contact information: name, address, email address, phone number
• Student records provided by Octoze's higher education customers
• Professional and employment information
• Financial information
• Identification information including government-issued identifiers
• Information regarding use of the Octoze platform or services

7.2 Sensitive Personal Data — Opt-In Consent

Octoze recognises that certain categories of personal data require heightened protection. When we directly collect sensitive personal data — including data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health information, or data concerning sex life — we will obtain explicit opt-in consent where required by applicable law, including if we disclose such data to third parties or use it for a different purpose than originally collected.

7.3 International Data Transfers from EEA / UK / Switzerland

Octoze's platform is maintained and hosted in various regions including the United States and other countries. By using Octoze's platform or services, you acknowledge that your personal data may be transferred to, processed, and retained outside the EEA, UK, and Switzerland.

Octoze ensures that any such transfer is subject to appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) as approved by the European Commission or other authorised body
• Contractual data processing agreements (DPAs) with all sub-processors
• Encryption in transit (TLS 1.2 or higher) and at rest (AES-256)

Where required, Octoze will enter into standard contractual clauses for the transfer of personal data from the EEA, UK, or Switzerland to third countries.

7.4 Records Management & Retention

Octoze maintains documented data retention schedules. Personal data is retained in accordance with those schedules and is securely deleted, destroyed, de-identified, or anonymised at the end of the applicable retention period. Octoze will retain personal data as necessary to fulfil the purposes described in this Privacy Policy or in applicable customer agreements.

7.5 Access Rights for EEA / UK / Switzerland Data Subjects

You may have the right to access the personal data we hold about you and to request that we correct, amend, or delete it if it is inaccurate. These access rights may not apply in all cases — for example, where providing access is unreasonably burdensome or would violate the rights of another individual.

To request access, correction, amendment, or deletion, submit a written request to: dpo@octoze.com. We may request specific information from you to confirm your identity. In some circumstances a reasonable fee may be charged for access to information.

7.6 Right to Complain to a Supervisory Authority

If you are located in the EEA, UK, or Switzerland and have concerns about how Octoze processes your personal data, you have the right to contact your local data protection authority (DPA) to lodge a complaint. You may also contact Octoze's Data Protection Officer directly at: dpo@octoze.com

7.7 EU Binding Corporate Rules (BCR)

Octoze Technologies is committed to implementing appropriate cross-border data transfer mechanisms to protect personal data transferred internationally. Where required under applicable EU/UK data protection law, Octoze applies Binding Corporate Rules (BCR) or equivalent internal policies to govern the transfer and handling of personal data across its group entities.

• BCR as Data Processor (BCR-P): Governs processing of Customer Personal Data of EEA data subjects on behalf of customers.
• BCR as Data Controller (BCR-C): Governs processing of personal data of EEA job applicants, website visitors, and personnel of customers, partners, and vendors for Octoze's own business purposes.

8. Contact Us

Should you have any questions or concerns about this Privacy Notice, please contact our data protection officer by any of the following means:

9. Changes to this Privacy Notice

Octoze may revise this Privacy Notice from time to time in order to comply with new laws and regulations; to conform to industry best practices; to reflect changes in Octoze product and service offerings; and for other reasons. The revised Privacy Notice will become effective when it is posted on this website.