Privacy Policy

This Privacy Policy explains how Oros Cedrus (“Oros Cedrus,” “we,” “our,” or “us”) collects, uses, stores, and protects personal information in connection with our decision perspectives activity platform. It applies to activity respondents, sponsoring organizations (“Sponsors”), and dashboard users.

By participating in an Oros Cedrus activity or using our platform, you acknowledge this Privacy Policy. If you have questions, please contact us using the information in Section 12.

1. Information We Collect

We collect information necessary to deliver our decision perspectives activity services. Depending on your role, this may include:

Activity Respondents

• Personal information configured by your sponsoring organization (which may include your name, email address, and role).
• Your responses to activity questions and any optional demographic information you choose to provide.
• Email address, if you choose to provide it for the purpose of receiving activity-related communications.

Dashboard Users (Sponsors & Administrators)

• Account registration information (name, organizational email address, password credentials managed through our authentication system).
• Usage data related to your interactions with the dashboard.

Automatically Collected Information

• Log data, cookies, and similar tracking technologies used to operate and improve our platform. See Section 5 for more detail.

Age Restriction

Our platform is not directed to individuals under the age of 13, and we do not knowingly collect personal information from children under 13. Sponsors are responsible for ensuring that activity participants meet this age requirement. If we become aware that we have inadvertently collected personal information from a child under 13, we will delete it promptly. Please contact us at results@oroscedrus.com if you believe such data has been collected.

2. How We Use Your Data

Delivering the Activity Service

We use your information to administer activities, generate results, and deliver those results to your sponsoring organization. Results provided to Sponsors include individual-level outputs (such as construct assignment and dimension scores) but do not include raw, item-by-item response data.

Email Communications

Where email addresses are provided and email delivery is enabled for a program, we use Resend, a third-party email delivery platform, to send transactional emails related to activity participation (such as completion confirmations and results). We send emails only to individuals who have provided their email address in connection with an activity enrollment or platform account. These are transactional communications necessary to deliver the service; they are not marketing messages.

If you receive communications from us that are not purely transactional, you have the right to opt out at any time. See Section 7 for details.

Research and Platform Improvement

We separately store fully anonymized records consisting of raw responses and any optional demographic information provided. These records contain no direct identifiers (such as name, phone number, or email address) and are used to improve feedback accuracy and to study how decision perspectives vary across different backgrounds and experiences.

3. Legal Basis for Processing

Where applicable law requires a legal basis for processing personal data (including under the EU General Data Protection Regulation, or “GDPR”), we rely on the following:

• Contractual necessity — to fulfill our obligations to Sponsors and to deliver the activity services respondents are enrolled in.
• Legitimate interests — to operate, secure, and improve our platform, where those interests are not overridden by your rights.
• Consent — where we request your consent for optional data uses (such as optional demographic information), you may withdraw consent at any time by contacting us.
• Legal obligation — to comply with applicable laws and regulations.

Controller and Processor Roles

In many cases, Oros Cedrus acts as a data processor on behalf of Sponsors, who are the data controllers directing the collection and use of respondent information within their programs. Sponsors are responsible for establishing their own lawful basis for processing respondent data and for informing participants about data practices as required by applicable law. Oros Cedrus processes respondent data only as directed by and on behalf of the Sponsor. Where Oros Cedrus independently determines the purposes and means of processing (for example, for platform security, anonymized research, or its own account management), Oros Cedrus acts as a data controller. Sponsors who require a Data Processing Agreement (DPA) to satisfy GDPR or other regulatory requirements may contact us at results@oroscedrus.com.

4. Data Sharing and Third-Party Processors

We do not sell your personal information. We share data only as described below:

Sponsors

Your sponsoring organization receives individual-level activity results — including your primary construct assignment and dimension scores — and answers to any Sponsor-configured personal information questions. Sponsors do not receive raw, item-by-item response data.

Service Providers (Data Processors)

We engage trusted third-party vendors to help us operate the platform. These processors handle data only on our behalf and under written agreements that restrict their use of your data. Current processors include:

• Amazon Web Services (AWS) — cloud hosting and data storage (US East region).
• Resend — transactional email delivery.

We may update this list as our service providers change. We will ensure that any replacement processors offer equivalent data protection commitments.

Legal Requirements

We may disclose information if required by law, court order, or regulatory authority, or to protect the rights, property, or safety of Oros Cedrus, our users, or others.

5. Cookies and Tracking Technologies

Our platform uses cookies and similar technologies (such as session tokens and analytics identifiers) to:

• Maintain authenticated sessions for dashboard users.
• Monitor platform performance and security.
• Analyze aggregate usage patterns to improve our service.

You may configure your browser to refuse cookies; however, doing so may affect the functionality of dashboard features. We do not use cookies for advertising or cross-site behavioral tracking.

6. Data Retention

• Sponsor-linked activity data (including respondent information collected for a Sponsor’s program) is retained while the Sponsor’s account is active and deleted within 30 days of account closure, subject to any legal hold obligations.
• Dashboard user account data is retained for the duration of the account and deleted upon request or account closure, subject to any legal hold obligations.
• Anonymized research data (containing no direct identifiers) may be retained indefinitely for statistical and research purposes.
• Transactional email logs may be retained by our email service provider in accordance with their data retention policies.

We will retain personal data for no longer than is necessary for the purposes described in this policy, or as required by applicable law.

7. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal data:

• Access — request a copy of the personal data we hold about you.
• Correction — request correction of inaccurate or incomplete data.
• Deletion — request deletion of your personal data, subject to legal retention obligations.
• Objection / Restriction — object to or request restriction of certain processing activities.
• Portability — request a machine-readable copy of data you have provided to us.
• Withdraw Consent — where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at results@oroscedrus.com or at the address in Section 12. We will respond within the timeframe required by applicable law (generally 30 days). We may need to verify your identity before processing your request.

US State Privacy Rights

If you are a resident of California or another US state with applicable privacy legislation, you may have additional rights, including the right to know what personal information we collect and how it is used, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information. To submit a request under applicable US state privacy law, please contact us at results@oroscedrus.com. We will not discriminate against you for exercising any of these rights.

Opt-Out of Email Communications

You may opt out of non-transactional email communications at any time by clicking the “Unsubscribe” link included in any such email, or by contacting us directly. We will honor opt-out requests within 7 days. Note that opting out of marketing communications does not affect transactional emails necessary to deliver an active service.

8. International Data Transfers

Our platform is hosted on Amazon Web Services in the United States (US East region). If you are located in the European Union, United Kingdom, or another jurisdiction with data transfer restrictions, please be aware that your personal data will be transferred to and processed in the United States.

Where required, we rely on appropriate transfer mechanisms (such as Standard Contractual Clauses approved by the European Commission, or other applicable data transfer frameworks) to ensure that personal data transferred outside the EEA or UK receives an adequate level of protection. Our service providers, including Resend and AWS, maintain their own GDPR-compliant data processing terms and participate in applicable data transfer frameworks.

9. Security

We implement industry-standard technical and organizational measures to protect your personal data against unauthorized access, disclosure, alteration, or destruction. These measures include:

• Encryption of data in transit via TLS/HTTPS.
• AWS infrastructure security controls for data at rest.
• Access controls limiting data access to authorized personnel.
• Hosting on AWS (US East), which maintains SOC 2 and ISO 27001 certifications.
• Regular review of our security practices.

No system is completely secure. If you believe your data has been compromised, please contact us immediately at results@oroscedrus.com.

10. Children’s Privacy

Our platform is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. Sponsors are solely responsible for ensuring that participants enrolled in their programs meet this age requirement. If you believe a child under 13 has provided personal information through our platform, please contact us at results@oroscedrus.com and we will take prompt steps to delete that information.

11. Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings. When we make material changes, we will:

• Update the “Last Updated” date at the top of this policy.
• Notify active Sponsors and dashboard users by email prior to the change taking effect.
• Post a prominent notice on our platform.

We encourage you to review this policy periodically. Continued use of our platform following notice of changes constitutes acceptance of the updated policy.

12. Contact

For questions, requests, or complaints regarding this Privacy Policy or our data practices, please contact us:

EU or UK individuals with complaints regarding our handling of personal data may also have the right to lodge a complaint with their local data protection supervisory authority.