Privacy Policy

1. Introduction

Open Mool ("we," "our," or "us") is committed to protecting the privacy of our users ("you" or "Guardians") while fulfilling our mission to preserve Himalayan cultural heritage. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform at openmool.org and related services.

By using Open Mool, you consent to the data practices described in this policy. If you do not agree with any part of this Privacy Policy, please do not use our services.

2. Information We Collect

2.1 Information You Provide

• Account Information: When you register via Auth0, we collect your email address, name, and authentication credentials. We do not store passwords directly.
• Profile Data: Optional information you provide such as your affiliation (researcher, guardian, institution), location, and areas of cultural expertise.
• Uploaded Content: Audio recordings, video files, images, documents, and associated metadata (geolocation, timestamps, cultural context, transcriptions) that you contribute to the archive.
• Communications: Any messages, feedback, or correspondence you send to us.

2.2 Information Collected Automatically

• Usage Data: Pages viewed, features used, search queries, and interaction patterns to improve user experience.
• Device Information: Browser type, operating system, device identifiers, and IP address (anonymized where possible).
• Cookies: Essential cookies for authentication and session management. We do not use advertising or tracking cookies.

2.3 Information from Third Parties

• Authentication Provider (Auth0): Basic profile information from your identity provider (e.g., Google, email) when you log in.
• Institutional Partners: Metadata about collections when partnering organizations bulk-upload archives.

3. How We Use Your Information

We use collected information to:

• Operate the Archive: Store, organize, transcribe (via AI), and make cultural content searchable and accessible.
• Authenticate Users: Verify your identity and maintain account security.
• Attribution & Karma: Credit contributors, award reputation points, and display contribution history publicly (with your consent).
• AI Processing: Use machine learning to transcribe audio, generate embeddings for semantic search, and tag content with metadata. AI processing is performed on our infrastructure or trusted processors.
• Research & Analytics: Aggregate, anonymized data to understand usage patterns and improve services.
• Communication: Send service updates, security alerts, and (with consent) newsletters about the project.
• Legal Compliance: Respond to legal requests and enforce our terms.

4. Cultural Content & Special Considerations

Open Mool handles culturally sensitive material. We take additional precautions:

• Consent of Subjects: When uploading recordings of individuals, you must have obtained appropriate consent. We encourage contributors to document consent (written or oral).
• Sacred & Sensitive Content: Content marked as ceremonially sensitive or restricted may have limited access controls applied at the contributor's request.
• Indigenous Data Sovereignty: We recognize the rights of Himalayan communities to their cultural heritage. The Open Mool Foundation acts as a custodian, not an owner, of cultural data.
• Right to Removal: Community members or their representatives can request removal of content that was uploaded without proper consent or that causes harm.

5. Data Sharing & Disclosure

We do not sell your personal information. We may share data in the following circumstances:

• Public Archive: Contributed cultural content (audio, video, images, transcriptions) is made publicly accessible as part of Open Mool's mission, with attribution to contributors.
• Service Providers: Trusted third parties who assist in operating our platform (e.g., Cloudflare for hosting, AI providers for transcription). These parties are bound by confidentiality agreements.
• Research Partners: Anonymized or aggregated data may be shared with academic researchers for non-commercial cultural research, subject to data use agreements.
• Legal Requirements: When required by law, court order, or to protect the rights, safety, or property of Open Mool, users, or others.
• Organizational Changes: In case of merger, acquisition, or asset sale, data may be transferred with prior notice to users.

6. Data Retention

• Account Data: Retained while your account is active. Upon account deletion, personal data is removed within 30 days (except for data required for legal compliance).
• Contributed Content: Cultural content is archived in perpetuity as part of our preservation mission. Contributors can request attribution changes or, under specific circumstances, removal.
• Usage Logs: Anonymized and aggregated logs retained for up to 2 years for analytics purposes.

7. Data Security

We implement industry-standard security measures:

• Encryption: Data in transit is encrypted using TLS 1.3. Sensitive data at rest is encrypted using AES-256.
• Access Controls: Role-based access, multi-factor authentication for administrative accounts, and regular access reviews.
• Infrastructure: Hosted on Cloudflare's edge network with DDoS protection, WAF, and global redundancy.
• Incident Response: Documented procedures for detecting, responding to, and notifying users of security incidents.

While we strive to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

8. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights:

• Access: Request a copy of personal data we hold about you.
• Rectification: Correct inaccurate or incomplete personal data.
• Deletion: Request deletion of your account and personal data (subject to legal retention requirements and archival exceptions for contributed content).
• Portability: Receive your data in a structured, machine-readable format.
• Objection: Object to certain processing activities (e.g., marketing communications).
• Withdrawal of Consent: Withdraw consent where processing is based on consent.

To exercise these rights, contact us at privacy@openmool.org.

9. International Data Transfers

Open Mool operates globally. Your data may be processed in countries outside your residence, including India and the United States. We ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) where required.

10. Children's Privacy

Open Mool is not directed at children under 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us, and we will delete it promptly.

11. Third-Party Links

Our platform may contain links to external websites or services not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.

12. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email or a prominent notice on our website. Your continued use after changes constitutes acceptance of the updated policy.