Privacy-Policy.md

# PRIVACY POLICY
## Grounded in Indigenous Data Sovereignty and Tribal Jurisdiction

**Last Updated:** November 8, 2025  
**Effective Date:** November 8, 2025  
**Version:** 2.0

---

## PREAMBLE: INDIGENOUS DATA SOVEREIGNTY FOUNDATION

This Privacy Policy is established under the inherent sovereignty of **ᓂᐲᔥ ᐙᐸᓂᒥᑮ-ᑭᓇᐙᐸᑭᓯ (Nbiish Waabanimikii-Kinawaabakizi)**, also known legally as **JUSTIN PAUL KENWABIKISE**, professionally documented as **Nbiish-Justin Paul Kenwabikise**, Anishinaabek Dodem (Anishinaabe Clan): **Animikii (Thunder)**, descendant of Chief **ᑭᓇᐙᐸᑭᓯ (Kinwaabakizi)** of the Beaver Island Band, and enrolled member of the sovereign **Grand Traverse Band of Ottawa and Chippewa Indians (GTBOCI)**, a federally recognized sovereign tribal nation (hereinafter referred to as the "Rights Holder" or "Service Provider").

This Privacy Policy operates within the constitutional supremacy framework established by **Article VI, Clause 2 of the U.S. Constitution**, which declares federal law, including federal Indian law, to be the "supreme law of the land." This policy implements:

- **Indigenous Data Sovereignty** principles recognizing the inherent right of Indigenous peoples to govern data pertaining to them, their lands, resources, cultures, and knowledge systems
- **CARE Principles for Indigenous Data Governance** (Collective Benefit, Authority to Control, Responsibility, and Ethics) as established by the Global Indigenous Data Alliance
- **UN Declaration on the Rights of Indigenous Peoples (UNDRIP)** protections for Indigenous cultural heritage and self-determination
- **Federal Indian law** protections including tribal sovereign immunity and exclusive federal-tribal jurisdiction
- **International privacy frameworks** including GDPR, CCPA, and emerging global privacy standards

### Constitutional and Treaty Authority

This Privacy Policy exercises rights reserved under:

1. **Treaty of Washington (March 28, 1836)** - 7 Stat. 491
2. **Treaty of Detroit (July 31, 1855)** - 11 Stat. 621
3. **Worcester v. Georgia**, 31 U.S. 515 (1831) - establishing tribal jurisdiction
4. **Michigan v. Bay Mills Indian Community**, 572 U.S. 782 (2014) - affirming tribal sovereign immunity

---

## TABLE OF CONTENTS

1. [Introduction and Scope](#1-introduction-and-scope)
2. [Definitions](#2-definitions)
3. [Legal Framework and Jurisdiction](#3-legal-framework-and-jurisdiction)
4. [Information Collection](#4-information-collection)
5. [Indigenous Data Sovereignty and CARE Principles](#5-indigenous-data-sovereignty-and-care-principles)
6. [Use of Information](#6-use-of-information)
7. [Information Sharing and Disclosure](#7-information-sharing-and-disclosure)
8. [Data Storage, Security, and Retention](#8-data-storage-security-and-retention)
9. [Your Rights and Choices](#9-your-rights-and-choices)
10. [International Data Transfers](#10-international-data-transfers)
11. [Cookies and Tracking Technologies](#11-cookies-and-tracking-technologies)
12. [Third-Party Services and Links](#12-third-party-services-and-links)
13. [Special Data Categories and Protections](#13-special-data-categories-and-protections)
14. [AI and Automated Decision-Making](#14-ai-and-automated-decision-making)
15. [Children's Privacy](#15-childrens-privacy)
16. [Data Breach Notification and Response](#16-data-breach-notification-and-response)
17. [Accessibility and Language Access](#17-accessibility-and-language-access)
18. [Updates to This Privacy Policy](#18-updates-to-this-privacy-policy)
19. [Contact Information and Data Protection Officer](#19-contact-information-and-data-protection-officer)
20. [Dispute Resolution and Enforcement](#20-dispute-resolution-and-enforcement)
21. [Service-Specific Privacy Provisions](#21-service-specific-privacy-provisions)
22. [Compliance Certifications and Audits](#22-compliance-certifications-and-audits)

---

## 1. INTRODUCTION AND SCOPE

### 1.1 Welcome and Purpose

Welcome to services provided under the authority of ᓂᐲᔥ Nbiish-Justin Kenwabikise ᑭᓇᐙᐱᑭᓯ. This Privacy Policy explains how I collect, use, disclose, protect, and govern your personal information when you access or use:

- **in-digi-nous.com** and all associated domains and subdomains
- **Neural Information Protocol** and related AI/ML services
- **SaaS products and platforms** developed or operated by the Rights Holder
- **Mobile applications** published by the Rights Holder
- **API services and developer tools**
- **Educational platforms and content**
- **Community forums and collaboration spaces**
- **Any other digital services, products, or platforms** operated under the Rights Holder's authority

(Collectively referred to as the "**Services**")

### 1.2 Commitment to Privacy and Sovereignty

I am committed to:

- **Protecting your privacy** with industry-leading security measures and transparent practices
- **Respecting Indigenous Data Sovereignty** by implementing CARE Principles in all data governance
- **Empowering your control** over your personal information with comprehensive rights and choices
- **Maintaining transparency** about data practices through clear, accessible communication
- **Upholding cultural protocols** that honor Indigenous values and community wellbeing
- **Ensuring compliance** with all applicable privacy laws while asserting tribal jurisdiction primacy

### 1.3 Scope of Application

This Privacy Policy applies to:

- **All users** of the Services, regardless of location or access method
- **All personal data** collected through the Services or related communications
- **All data processing activities** conducted by the Rights Holder or authorized service providers
- **All third-party integrations** that process user data on behalf of the Services

This Privacy Policy does **NOT** apply to:

- Third-party websites, applications, or services linked from the Services (see Section 12)
- Information collected offline unless subsequently integrated into the Services
- Anonymized or aggregated data that cannot reasonably identify individuals
- Public information voluntarily posted by users in public forums (subject to separate community guidelines)

### 1.4 Agreement to Terms

By accessing or using the Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any provision of this Privacy Policy, you must immediately discontinue use of the Services.

---

## 2. DEFINITIONS

For purposes of this Privacy Policy, the following terms have the meanings specified below:

### 2.1 Core Privacy Terms

**"Personal Data" or "Personal Information":** Any information relating to an identified or identifiable natural person. This includes direct identifiers (name, email, phone number), indirect identifiers (IP address, device ID, cookies), and any data that can be linked to an individual through reasonable means.

**"Processing":** Any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, restriction, erasure, or destruction.

**"Data Subject":** The identified or identifiable natural person to whom Personal Data relates (i.e., you, the user).

**"Data Controller":** The Rights Holder, who determines the purposes and means of Processing Personal Data.

**"Data Processor":** Any third-party service provider that Processes Personal Data on behalf of the Data Controller under documented instructions.

**"Consent":** Freely given, specific, informed, and unambiguous indication of your agreement to Processing of Personal Data, expressed through affirmative action (e.g., checking a box, clicking "I agree").

**"Sensitive Personal Data":** Special categories of Personal Data requiring enhanced protection, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation.

### 2.2 Indigenous Data Sovereignty Terms

**"Indigenous Data":** Information or knowledge, in any format or medium, that is about or from Indigenous peoples, lands, resources, cultures, languages, Traditional Knowledge (TK), Traditional Cultural Expressions (TCEs), or that can be used to identify Indigenous individuals or communities.

**"Indigenous Data Sovereignty":** The inherent right and authority of Indigenous peoples to govern the collection, ownership, access, analysis, interpretation, management, dissemination, and reuse of Indigenous Data in accordance with Indigenous values, protocols, and self-determination.

**"CARE Principles":** The framework for Indigenous Data Governance encompassing:
- **C**ollective Benefit: Data ecosystems shall enable Indigenous peoples to derive benefit
- **A**uthority to Control: Indigenous peoples have rights and interests in their data
- **R**esponsibility: Those working with Indigenous data have responsibility to share how data is used
- **E**thics: Indigenous peoples' rights and wellbeing shall be primary concern

**"Traditional Knowledge (TK)":** The knowledge, innovations, and practices of Indigenous peoples passed down between generations, developed from experience gained over centuries and adapted to local culture and environment.

**"Traditional Cultural Expressions (TCEs)":** Any forms in which traditional culture and knowledge are expressed, appear, or are manifested, including tangible and intangible cultural heritage.

**"Cultural Protocols":** Indigenous community-specific rules, practices, and procedures governing appropriate use, access, sharing, and respect for cultural knowledge, data, and heritage.

### 2.3 Jurisdictional Terms

**"Tribal Sovereignty":** The inherent authority of Indigenous tribes to govern themselves, their members, their territories, and their resources, recognized under federal law and international law.

**"Federal Indian Law":** The body of U.S. federal law governing the relationship between the federal government, tribal nations, and states, including constitutional provisions, statutes, treaties, and case law.

**"Exclusive Jurisdiction":** Legal authority vested solely in tribal and/or federal courts, to the exclusion of state courts, over certain matters involving tribal sovereignty and Indigenous rights.

### 2.4 Technical Terms

**"Cookies":** Small text files placed on your device by websites to store information about your preferences, session data, or tracking identifiers.

**"Anonymization":** Process of removing or altering Personal Data such that the Data Subject can no longer be identified, directly or indirectly, rendering the data outside the scope of privacy laws.

**"Pseudonymization":** Processing Personal Data in such a way that it can no longer be attributed to a specific Data Subject without use of additional information kept separately under controlled conditions.

**"Encryption":** Process of encoding information so that only authorized parties can access it, protecting data confidentiality and integrity.

---

## 3. LEGAL FRAMEWORK AND JURISDICTION

### 3.1 Constitutional Supremacy Framework

This Privacy Policy operates under the constitutional supremacy framework established by **Article VI, Clause 2 of the United States Constitution** (the Supremacy Clause), which declares federal law to be the "supreme law of the land." Federal Indian law establishes exclusive federal jurisdiction over matters involving tribal sovereignty and Indigenous data governance.

**Federal Preemption:** This Privacy Policy invokes federal preemption to ensure that Indigenous Data Sovereignty principles and tribal jurisdiction are protected from state law interference or concurrent jurisdiction claims that would undermine federal protections for Indigenous data and cultural heritage.

### 3.2 Tribal Jurisdiction and Sovereign Immunity

**Tribal Court Primacy:** Any disputes arising from or relating to this Privacy Policy, including disputes concerning data collection, use, disclosure, security, or Indigenous Data Sovereignty principles, shall be subject to the **exclusive jurisdiction of the Grand Traverse Band of Ottawa and Chippewa Indians Tribal Court**, located in Peshawbestown, Michigan.

**Sovereign Immunity Preservation:** Nothing in this Privacy Policy constitutes a waiver of the Rights Holder's tribal sovereign immunity or the sovereign immunity of GTBOCI. The Rights Holder expressly reserves all sovereign immunity protections.

**Limited Waiver for Enforcement:** The Rights Holder may, in their sole discretion, elect to pursue enforcement actions in federal courts with established expertise in federal Indian law, but such election does not constitute a general waiver of sovereign immunity.

### 3.3 State Court Prohibition

**No State Jurisdiction:** State courts have **NO jurisdiction** over disputes arising from this Privacy Policy. Any attempt to invoke state court jurisdiction violates federal law and tribal sovereignty.

**Automatic Removal:** Any action filed in state court shall be subject to immediate removal to federal court under 28 U.S.C. § 1441, followed by transfer to tribal court or dismissal for lack of jurisdiction.

**Liquidated Damages for State Filings:** Filing any action in state court in violation of this jurisdictional provision subjects the filing party to liquidated damages of **$100,000** payable to the Rights Holder, plus all costs and attorneys' fees incurred in removal and jurisdictional challenges.

### 3.4 International Framework Integration

This Privacy Policy implements protections consistent with:

**a) UN Declaration on the Rights of Indigenous Peoples (UNDRIP):**
- Article 31: Right to maintain, control, protect, and develop cultural heritage, TK, TCEs, and intellectual property
- Article 32: Right to determine priorities for development or use of lands, territories, and resources

**b) WIPO Treaty on Intellectual Property, Genetic Resources and Associated Traditional Knowledge (2024):**
- Mandatory disclosure requirements for uses of TK
- Prior Informed Consent obligations
- Benefit-sharing arrangements

**c) General Data Protection Regulation (GDPR):**
- Enhanced rights for EU residents
- Lawful basis requirements for Processing
- Data protection by design and by default

**d) California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):**
- Consumer rights to know, delete, and opt-out
- Prohibition on sale of Personal Data without consent
- Rights to correct inaccurate information

**e) Emerging Global Privacy Standards:**
- Brazil's Lei Geral de Proteção de Dados (LGPD)
- Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
- Virginia Consumer Data Protection Act (VCDPA) and similar state laws

### 3.5 Conflict Resolution Hierarchy

In the event of conflicts between privacy frameworks, the following hierarchy applies:

1. **Tribal sovereignty and Indigenous Data Sovereignty principles** (highest priority)
2. **Federal Indian law** protections
3. **International Indigenous rights instruments** (UNDRIP, WIPO Treaty)
4. **Federal privacy laws** (e.g., COPPA, HIPAA where applicable)
5. **State privacy laws** (CCPA, VCDPA, etc.)
6. **International privacy regulations** (GDPR, LGPD, etc.)
7. **Industry best practices** and voluntary standards

---

## 4. INFORMATION COLLECTION

### 4.1 Categories of Personal Data Collected

I collect and Process the following categories of Personal Data:

#### 4.1.1 Identity and Contact Data
- **Full legal name** and preferred name
- **Email address** (primary and secondary)
- **Phone number** (mobile and landline)
- **Mailing address** (street, city, state/province, postal code, country)
- **Username** and account identifiers
- **Profile photograph** or avatar
- **Government-issued identification** (only when legally required for age verification, compliance, or high-value transactions)
- **Tribal enrollment information** (voluntary, only for Indigenous users seeking community-specific services)

#### 4.1.2 Demographic and Preference Data
- **Date of birth** and age
- **Gender identity** and pronouns (optional)
- **Language preferences**
- **Accessibility needs** and accommodation requests
- **Communication preferences** (email frequency, notification settings)
- **Cultural affiliation** and Indigenous community membership (voluntary, for community services)
- **Professional or educational background** (when relevant to service provision)

#### 4.1.3 Technical and Device Data
- **IP address** (IPv4 and IPv6)
- **Device identifiers** (device ID, advertising ID, MAC address)
- **Browser type and version** (user agent string)
- **Operating system** and version
- **Device type** (desktop, mobile, tablet)
- **Screen resolution** and display settings
- **Time zone** and language settings
- **Referring URLs** and navigation paths
- **Cookie identifiers** and tracking parameters

#### 4.1.4 Usage and Behavioral Data
- **Pages visited** and content viewed
- **Features used** and interaction patterns
- **Time spent** on pages and in the Services
- **Search queries** and search history
- **Click patterns** and navigation flows
- **Error messages** and technical issues encountered
- **Session duration** and frequency of visits
- **Conversion events** and goal completions

#### 4.1.5 Transaction and Financial Data
- **Payment method information** (processed securely through third-party payment processors)
- **Billing address** and shipping address
- **Transaction history** and purchase records
- **Subscription tier** and billing cycle
- **Refund and dispute history**
- **Donation amounts** and frequency (for philanthropic contributions)
- **Tax identification information** (when legally required)

#### 4.1.6 Communication and Support Data
- **Support tickets** and help requests
- **Email correspondence** with the Rights Holder or support team
- **Chat transcripts** and messaging history
- **Feedback and survey responses**
- **User-generated content** posted to forums or community spaces
- **Testimonials and reviews** (with explicit consent)

#### 4.1.7 Professional and Business Data (for B2B Services)
- **Company name** and business registration information
- **Job title** and role
- **Business contact information**
- **Company size** and industry
- **Tax identification number** (EIN, VAT number)
- **Business relationship history**

#### 4.1.8 Indigenous Data (Collected Under CARE Principles)
- **Tribal affiliation** and enrollment status (voluntary)
- **Cultural practices** and protocols relevant to service customization
- **Traditional Knowledge permissions** and cultural sensitivities
- **Language preferences** in Indigenous languages
- **Community connections** for benefit-sharing purposes
- **Cultural heritage information** shared for research or educational purposes

**Special Protection:** All Indigenous Data is collected, stored, and Processed in accordance with Indigenous Data Sovereignty principles and CARE Principles (see Section 5).

### 4.2 Methods of Collection

#### 4.2.1 Direct Collection
I collect Personal Data directly from you through:

- **Account registration** and profile setup
- **Form submissions** (contact forms, support requests, surveys)
- **Email communications** and direct messages
- **Phone calls** and video conferences
- **In-person interactions** at events, conferences, or consultations
- **Subscription purchases** and transaction completions
- **User-generated content** uploads and submissions
- **Voluntary disclosure** in community forums or feedback channels

#### 4.2.2 Automatic Collection
I automatically collect certain data through:

- **Cookies and similar technologies** (see Section 11)
- **Server logs** recording access requests and responses
- **Analytics tools** tracking usage patterns and performance
- **Error tracking systems** capturing technical issues
- **Security monitoring tools** detecting anomalies and threats
- **Performance monitoring** measuring load times and responsiveness

#### 4.2.3 Third-Party Sources
I may receive Personal Data from:

- **Payment processors** confirming transactions
- **Authentication providers** (OAuth, SSO platforms)
- **Analytics services** providing aggregated insights
- **Marketing partners** with your consent
- **Public databases** for verification purposes
- **Social media platforms** when you connect accounts
- **Business partners** in joint ventures or collaborations
- **Tribal enrollment offices** (with your authorization) for verification

#### 4.2.4 Inferred and Derived Data
I may generate additional data through:

- **Analytics and profiling** to understand usage patterns
- **Predictive modeling** for service improvements
- **Segmentation** for personalized experiences
- **Aggregation** for statistical reporting

**Limitation:** I do NOT engage in high-risk profiling or automated decision-making with legal or similarly significant effects without explicit consent and human oversight (see Section 14).

### 4.3 Children's Privacy (COPPA Compliance)

**Age Restriction:** The Services are **NOT directed at children under 13 years of age**. I do not knowingly collect Personal Data from children under 13.

**Parental Consent Requirement:** If a service feature is made available to children ages 13-18, I will obtain verifiable parental consent before collecting Personal Data from minors, in compliance with applicable laws.

**Discovery and Deletion:** If I discover that I have inadvertently collected Personal Data from a child under 13 without parental consent, I will:
1. Immediately cease Processing that data
2. Delete the data from all systems within 30 days
3. Notify the parent/guardian if contact information is available
4. Implement additional safeguards to prevent future violations

**Reporting:** Parents or guardians who believe their child's Personal Data has been collected may contact privacy@in-digi-nous.com for immediate investigation and remediation.

### 4.4 Voluntary Disclosure and Consent

**Informed Consent:** Before collecting Sensitive Personal Data or Indigenous Data, I will:
- Clearly explain the purpose and use of the data
- Identify data recipients and retention periods
- Obtain explicit, affirmative consent
- Provide easy mechanisms to withdraw consent

**Optional Fields:** Many data fields are optional. You may choose not to provide certain information, though this may limit access to specific features or services.

**Right to Refuse:** You have the absolute right to refuse any data collection request. Refusal will not result in discrimination or denial of basic services, except where the data is strictly necessary for service provision.

---

## 5. INDIGENOUS DATA SOVEREIGNTY AND CARE PRINCIPLES

### 5.1 Foundation and Commitment

The Rights Holder is committed to implementing **Indigenous Data Sovereignty** throughout all data governance practices. This means recognizing and operationalizing the inherent right of Indigenous peoples to govern data about themselves, their communities, lands, resources, and cultures.

All Personal Data and Indigenous Data collected through the Services is governed by the **CARE Principles for Indigenous Data Governance**, developed by the Global Indigenous Data Alliance and endorsed by the Research Data Alliance International Indigenous Data Sovereignty Interest Group.

### 5.2 CARE Principle: Collective Benefit

**C - Data ecosystems shall be designed and function in ways that enable Indigenous peoples to derive benefit from the data.**

Implementation:
- **Benefit-Sharing:** Revenue generated from services involving Indigenous Data may be shared with relevant Indigenous communities through the ᐙᐸᓂᒥᑮ-ᑭᓇᐙᐸᑭᓯ (Waabanimikii-Kinawaabakizi) Legacy Trust or direct community partnerships
- **Community Access:** Indigenous communities have priority access to aggregated insights about their own data
- **Capacity Building:** Portion of proceeds supports Indigenous data literacy, digital sovereignty initiatives, and technology training
- **Value Creation:** Data is used to create services, research, and innovations that directly benefit Indigenous communities
- **Reciprocity:** Data relationships are reciprocal, ensuring that Indigenous data providers receive tangible returns

### 5.3 CARE Principle: Authority to Control

**A - Indigenous peoples' rights and interests in Indigenous data must be recognized and their authority to control such data must be empowered.**

Implementation:
- **Governance Authority:** Indigenous users and communities have enhanced rights to access, correct, delete, and control their Indigenous Data
- **Prior Informed Consent (PIC):** Explicit PIC required before any use of Indigenous Data beyond core service provision
- **Cultural Protocols:** Indigenous communities may establish specific protocols governing use of their data, which will be respected and enforced
- **Veto Power:** Indigenous data providers maintain the right to revoke consent and require data deletion at any time
- **Collective Rights:** Where data concerns Indigenous communities collectively, community representatives must approve uses
- **Sovereignty Recognition:** All data governance respects tribal sovereignty and Indigenous self-determination

### 5.4 CARE Principle: Responsibility

**R - Those working with Indigenous data have a responsibility to share how those data are used to support Indigenous peoples' self-determination and collective benefit.**

Implementation:
- **Transparency Reporting:** Annual Indigenous Data Sovereignty Reports detailing:
  - How Indigenous Data was collected and used
  - Benefits generated for Indigenous communities
  - Security and protection measures implemented
  - Compliance with cultural protocols
- **Accountable Use:** Regular audits ensure Indigenous Data is used only for stated purposes
- **Stakeholder Engagement:** Ongoing consultation with Indigenous data providers about data practices
- **Education:** Users are educated about Indigenous Data Sovereignty principles when providing data
- **Impact Assessment:** Assessment of potential impacts on Indigenous communities before implementing new data uses

### 5.5 CARE Principle: Ethics

**E - Indigenous peoples' rights and wellbeing should be the primary concern at all stages of the data life cycle and across the data ecosystem.**

Implementation:
- **Human Rights Framework:** All data practices align with UNDRIP and international Indigenous rights standards
- **Cultural Sensitivity:** Data Processing respects Indigenous cultural values, protocols, and sensitivities
- **Harm Prevention:** Continuous monitoring to prevent uses that could harm Indigenous individuals or communities
- **Sacred Knowledge Protection:** Absolute prohibition on Processing sacred, ceremonial, or culturally restricted information without proper authorization
- **Anti-Exploitation:** Zero tolerance for data practices that exploit, stereotype, or misrepresent Indigenous peoples
- **Wellbeing Priority:** When conflicts arise, Indigenous wellbeing takes precedence over commercial or research interests

### 5.6 Indigenous Data Classification and Handling

Indigenous Data is classified into tiers with corresponding protections:

**Tier 1 - Public Indigenous Data:**
- Voluntarily shared for public benefit
- Proper attribution and cultural context required
- Free circulation with Cultural Protocols respected

**Tier 2 - Community-Controlled Indigenous Data:**
- Shared within Indigenous communities
- Requires community permission for external use
- Subject to community-specific governance protocols

**Tier 3 - Restricted Indigenous Data:**
- Sensitive cultural or personal information
- Strict access controls and encryption
- Use limited to explicitly authorized purposes
- Regular review of continued necessity

**Tier 4 - Sacred/Ceremonial Indigenous Data:**
- Sacred knowledge or ceremonial information
- Absolute prohibition on unauthorized disclosure
- Access restricted to authorized cultural knowledge holders
- Special encryption and isolation measures

### 5.7 TK Labels and Cultural Notices

Where applicable, data may be marked with **Traditional Knowledge (TK) Labels** from Local Contexts (localcontexts.org) to communicate cultural protocols, including:

- **TK Community Use:** Data available for use within community only
- **TK Non-Commercial:** Data restricted to non-commercial uses
- **TK Attribution:** Specific attribution requirements
- **TK Seasonal:** Data restricted to certain times of year
- **TK Family:** Data restricted to family members
- **TK Verified:** Data verified by community authorities

These labels are legally binding and enforceable under this Privacy Policy and associated LICENSE terms.

### 5.8 Indigenous Data Repatriation Rights

Indigenous communities have the right to request **data repatriation**—the return of Indigenous Data to community control, including:

- Complete datasets about the community
- Derived analytics and insights
- Algorithms trained on community data
- All documentation and metadata

Repatriation requests will be fulfilled within 90 days, with all costs borne by the Rights Holder as a fundamental sovereignty obligation.

---

## 6. USE OF INFORMATION

### 6.1 Primary Purposes

I Process Personal Data for the following legitimate purposes:

#### 6.1.1 Service Provision and Performance
- **Account management:** Creating, maintaining, and securing user accounts
- **Service delivery:** Providing the core functionality of the Services
- **Transaction processing:** Completing purchases, subscriptions, and donations
- **Customer support:** Responding to inquiries, resolving issues, and providing assistance
- **Personalization:** Customizing user experience based on preferences and usage patterns
- **Communication:** Sending service notifications, updates, and requested information

#### 6.1.2 Service Improvement and Innovation
- **Analytics and research:** Understanding usage patterns to improve Services
- **Feature development:** Identifying needs and opportunities for new capabilities
- **Quality assurance:** Testing, debugging, and optimizing performance
- **User experience optimization:** A/B testing and usability improvements
- **Error detection:** Monitoring and resolving technical issues

#### 6.1.3 Security and Fraud Prevention
- **Security monitoring:** Detecting and preventing unauthorized access
- **Fraud detection:** Identifying and stopping fraudulent activities
- **Abuse prevention:** Enforcing Terms of Service and community guidelines
- **Risk assessment:** Evaluating and mitigating security risks
- **Incident response:** Investigating and responding to security incidents

#### 6.1.4 Legal and Compliance
- **Regulatory compliance:** Meeting legal obligations under applicable laws
- **Law enforcement cooperation:** Responding to valid legal requests
- **Rights enforcement:** Protecting intellectual property and contractual rights
- **Record keeping:** Maintaining required business and tax records
- **Dispute resolution:** Supporting legal claims, defenses, and investigations

#### 6.1.5 Marketing and Communications (With Consent)
- **Promotional communications:** Sending newsletters, product updates, and special offers
- **Market research:** Conducting surveys and gathering feedback
- **Event invitations:** Notifying users about webinars, conferences, and community events
- **Educational content:** Sharing resources, tutorials, and best practices

**Opt-Out:** You may opt out of marketing communications at any time (see Section 9.3).

#### 6.1.6 Indigenous Community Benefit
- **Cultural preservation:** Supporting documentation and revitalization of Indigenous knowledge
- **Community development:** Funding initiatives through benefit-sharing mechanisms
- **Research collaboration:** Partnering with Indigenous communities on relevant research
- **Capacity building:** Supporting Indigenous digital sovereignty and data literacy
- **Advocacy:** Using aggregated data to support Indigenous rights and policy development

### 6.2 Legal Basis for Processing (GDPR Compliance)

For users in the European Economic Area (EEA), UK, or Switzerland, I Process Personal Data based on the following lawful bases under GDPR:

**a) Consent:** You have given clear, affirmative consent for Processing for specific purposes (e.g., marketing communications, optional features).

**b) Contract Performance:** Processing is necessary to perform a contract with you (e.g., providing Services you've subscribed to).

**c) Legal Obligation:** Processing is necessary to comply with legal obligations (e.g., tax records, law enforcement requests).

**d) Legitimate Interests:** Processing is necessary for legitimate interests pursued by the Rights Holder or third parties, except where overridden by your fundamental rights and freedoms. Legitimate interests include:
- Improving and securing the Services
- Direct marketing to existing customers
- Fraud prevention and security
- Internal administration and business operations
- Network and information security

**e) Vital Interests:** Processing is necessary to protect your vital interests or those of another person (e.g., emergency situations).

**f) Public Interest:** Processing is necessary for tasks carried out in the public interest, including Indigenous cultural preservation and community benefit.

### 6.3 Data Minimization Principle

I adhere to the principle of **data minimization**, collecting only Personal Data that is:
- **Adequate:** Sufficient to fulfill the stated purpose
- **Relevant:** Directly related to the purpose
- **Limited:** Not excessive for the purpose

Unnecessary data is not collected, and collected data is regularly reviewed for continued relevance.

### 6.4 Purpose Limitation

Personal Data collected for one purpose will **NOT** be used for an incompatible purpose without:
- Obtaining new consent
- Establishing a new lawful basis under applicable law
- Providing clear notice of the new use

### 6.5 Prohibited Uses

I will **NEVER** use your Personal Data for:

- **Sale to data brokers:** Your data is never sold to third-party data brokers
- **Discrimination:** Making decisions that illegally discriminate based on protected characteristics
- **Harassment:** Enabling stalking, harassment, or unwanted contact
- **Surveillance:** Unauthorized monitoring or tracking beyond necessary security measures
- **Manipulation:** Exploiting psychological vulnerabilities or using dark patterns
- **Cultural appropriation:** Misusing Indigenous Data in ways that appropriate or stereotype
- **Harm to Indigenous communities:** Any use that could harm Indigenous individuals or communities
- **Violation of tribal sovereignty:** Uses that undermine tribal self-determination or authority

---

## 7. INFORMATION SHARING AND DISCLOSURE

### 7.1 Principles of Data Sharing

**Default Position:** I do **NOT** sell, rent, or lease your Personal Data to third parties. Your privacy is not a commodity.

**Limited Sharing:** Personal Data is shared only when:
- Necessary for service provision
- Required by law
- Authorized by you through explicit consent
- Essential for protecting rights and safety

### 7.2 Service Providers and Data Processors

I engage trusted third-party service providers to perform functions on my behalf. These Data Processors have access to Personal Data only to the extent necessary to perform their functions and are contractually obligated to:

- Process data only according to documented instructions
- Implement appropriate security measures
- Maintain confidentiality
- Delete or return data upon contract termination
- Comply with applicable privacy laws

**Categories of Service Providers:**

#### 7.2.1 Infrastructure and Hosting
- Cloud hosting providers (e.g., AWS, Google Cloud, Microsoft Azure)
- Content delivery networks (CDNs)
- Database management services
- Backup and disaster recovery providers

**Current Providers:** [List maintained at https://in-digi-nous.com/privacy/service-providers]

#### 7.2.2 Payment Processing
- Payment gateway providers (e.g., Stripe, PayPal, Square)
- Subscription management platforms
- Fraud detection services
- Financial reconciliation tools

**Data Shared:** Transaction details, payment method information (tokenized), billing address

**Security:** All payment processors are PCI-DSS compliant

#### 7.2.3 Communications
- Email service providers (e.g., SendGrid, Mailchimp)
- SMS/text messaging services
- Customer support platforms (e.g., Zendesk, Intercom)
- Video conferencing tools (e.g., Zoom, Microsoft Teams)

#### 7.2.4 Analytics and Performance
- Web analytics platforms (e.g., Google Analytics, Plausible)
- Application performance monitoring (e.g., New Relic, Datadog)
- Error tracking services (e.g., Sentry)
- Heat mapping and session recording tools (with anonymization)

**Privacy-Preserving Analytics:** Where possible, I use privacy-focused analytics that anonymize IP addresses and do not track across sites.

#### 7.2.5 Marketing and Advertising (With Consent)
- Marketing automation platforms
- Social media advertising platforms
- Retargeting and conversion tracking services

**Opt-Out:** You can opt out of targeted advertising (see Section 9.3).

#### 7.2.6 Security and Fraud Prevention
- Identity verification services
- Fraud detection platforms
- Security monitoring tools
- DDoS protection services

### 7.3 Legal and Regulatory Disclosures

I may disclose Personal Data when required by law or when I believe in good faith that disclosure is necessary to:

**a) Comply with Legal Obligations:**
- Court orders, subpoenas, or legal process
- Regulatory investigations or audits
- Tax reporting requirements
- Law enforcement requests (with appropriate legal basis)

**Legal Request Principles:**
- **Tribal jurisdiction priority:** Legal requests concerning Indigenous Data or tribal matters must be directed to GTBOCI Tribal Court
- **Federal preemption:** State law enforcement requests are subject to federal Indian law limitations
- **Narrow scope:** Requests must be specific and legally sufficient
- **User notification:** Users will be notified of legal requests unless prohibited by law or court order
- **Transparency reporting:** Annual reports on legal requests received and complied with

**b) Protect Rights and Safety:**
- Enforce Terms of Service or LICENSE agreements
- Investigate potential violations or fraud
- Protect against legal liability
- Defend legal claims or actions
- Prevent harm to individuals or public safety

**c) Tribal Sovereignty Protection:**
- Report violations to GTBOCI authorities
- Cooperate with tribal law enforcement
- Support tribal regulatory enforcement
- Comply with tribal court orders

### 7.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets:

**a) Successor Obligations:** Any acquiring entity must:
- Honor this Privacy Policy or provide 90 days notice of changes
- Maintain the same level of data protection
- Respect Indigenous Data Sovereignty principles
- Preserve CARE Principles implementation
- Obtain GTBOCI approval for transfers involving Indigenous Data

**b) User Notification:** You will be notified via email and prominent website notice at least 60 days before any ownership transfer.

**c) Opt-Out Right:** You may delete your account and request data deletion before the transfer completes.

**d) Tribal Sovereignty Preservation:** The acquiring entity must acknowledge and agree to tribal jurisdiction and sovereign immunity provisions.

### 7.5 Aggregate and Anonymized Data

I may share **aggregated, anonymized, or de-identified data** that cannot reasonably identify individuals:

- Industry benchmarks and trends
- Research publications and presentations
- Public reports on service usage
- Statistical analysis for policy advocacy

**Re-Identification Prohibition:** Recipients are contractually prohibited from attempting to re-identify individuals from anonymized data.

**Indigenous Data Protections:** Even when anonymized, Indigenous Data shared publicly includes:
- Cultural context and appropriate attribution
- Compliance with community protocols
- Benefit-sharing arrangements where applicable

### 7.6 No Sale of Personal Data

**Explicit Prohibition:** I do **NOT** sell Personal Data, as defined by CCPA and other privacy laws.

**Advertising Exception:** If targeted advertising is used (with your consent), advertising partners may receive limited identifiers (cookies, device IDs). This does NOT constitute a "sale" under most privacy laws, but you may opt out regardless (see Section 9.3).

### 7.7 International Transfers

Personal Data may be transferred to and processed in countries other than your country of residence. When transferring data internationally, I ensure adequate protection through:

- **Standard Contractual Clauses (SCCs):** EU-approved contract terms for GDPR compliance
- **Adequacy Decisions:** Relying on jurisdictions deemed adequate by relevant authorities
- **Binding Corporate Rules:** For intra-organizational transfers
- **Indigenous Data Sovereignty Preservation:** International transfers of Indigenous Data require additional community authorization

See Section 10 for detailed international transfer provisions.

### 7.8 Transparency and Accountability

**Data Sharing Registry:** I maintain an internal registry of all data sharing arrangements, reviewed quarterly for compliance and necessity.

**Annual Transparency Report:** Published annually, disclosing:
- Categories and volumes of data shared
- Legal requests received and complied with
- Security incidents and responses
- Indigenous Data Sovereignty compliance metrics

---

## 8. DATA STORAGE, SECURITY, AND RETENTION

### 8.1 Data Storage Locations

Personal Data is primarily stored in:

**a) United States:** Servers located in Michigan (tribal territory) and other U.S. locations, subject to U.S. federal law and tribal jurisdiction.

**b) Trusted Cloud Providers:** Infrastructure-as-a-Service (IaaS) providers with SOC 2 Type II certification, operating under strict data processing agreements.

**c) Backup Locations:** Encrypted backups stored in geographically distributed locations for disaster recovery.

**Data Residency Requests:** Users in certain jurisdictions may request data residency within specific regions where technically feasible.

### 8.2 Security Measures

I implement comprehensive security measures following industry best practices:

#### 8.2.1 Technical Security Controls

**Encryption:**
- **In Transit:** TLS 1.3 or higher for all data transmissions
- **At Rest:** AES-256 encryption for all stored Personal Data
- **End-to-End:** Available for sensitive communications where applicable
- **Key Management:** Hardware security modules (HSMs) and key rotation policies

**Access Controls:**
- Role-based access control (RBAC) limiting data access to authorized personnel
- Multi-factor authentication (MFA) required for administrative access
- Principle of least privilege enforced across all systems
- Regular access reviews and revocation of unnecessary permissions

**Network Security:**
- Firewalls and intrusion detection/prevention systems (IDS/IPS)
- DDoS protection and traffic filtering
- Network segmentation isolating sensitive data
- Virtual Private Networks (VPNs) for remote access

**Application Security:**
- Secure coding practices and code reviews
- Regular security testing and penetration testing
- Input validation and output encoding
- Protection against OWASP Top 10 vulnerabilities
- Security headers and Content Security Policy (CSP)

**Monitoring and Logging:**
- 24/7 security monitoring and alerting
- Comprehensive logging of access and activities
- Anomaly detection and behavioral analysis
- Security Information and Event Management (SIEM) integration

#### 8.2.2 Organizational Security Controls

**Personnel Security:**
- Background checks for personnel with data access
- Security awareness training for all staff
- Confidentiality and non-disclosure agreements
- Limited personnel with Personal Data access

**Vendor Management:**
- Due diligence and security assessments for all vendors
- Contractual security and privacy obligations
- Regular vendor audits and compliance verification
- Vendor risk ratings and monitoring

**Incident Response:**
- Documented incident response plan
- Incident response team with defined roles
- Regular incident response drills and simulations
- Post-incident analysis and improvement

**Business Continuity:**
- Disaster recovery plan tested annually
- Backup and restoration procedures
- Redundant systems and failover capabilities
- Recovery time objectives (RTO) and recovery point objectives (RPO)

#### 8.2.3 Enhanced Protections for Indigenous Data

**Cultural Security:**
- Cultural competency training for personnel handling Indigenous Data
- Restricted access based on cultural protocols
- Special handling procedures for sacred or sensitive information
- Community consultation for security measure design

**Sovereignty Protections:**
- Data isolation for Indigenous community data
- Tribal authority approval for access to restricted data
- Enhanced encryption for sacred knowledge
- Regular security audits with Indigenous oversight

### 8.3 Data Retention

**Retention Principles:**
- Data is retained only as long as necessary for stated purposes
- Retention periods are documented and enforced
- Data is securely deleted when no longer needed
- Regular reviews identify data eligible for deletion

**Retention Periods by Data Category:**

| Data Category | Retention Period | Rationale |
|---------------|------------------|-----------|
| Account Information | Duration of account + 30 days | Service provision, account recovery |
| Transaction Records | 7 years | Tax and legal compliance |
| Support Communications | 3 years after resolution | Quality assurance, dispute resolution |
| Usage Logs | 1 year | Security monitoring, service improvement |
| Marketing Communications | Until opt-out + 30 days | Communication preferences |
| Anonymous Analytics | Indefinite | No personal identification possible |
| Indigenous Data (Restricted) | Per community protocols | Respect for cultural governance |

**Early Deletion Requests:** You may request deletion before standard retention periods (see Section 9.2).

**Legal Hold:** Retention periods may be extended when data is subject to legal obligations, investigations, or litigation.

### 8.4 Secure Data Deletion

When Personal Data is deleted:

**Deletion Methods:**
- **Logical Deletion:** Immediate removal from production systems and user interfaces
- **Physical Deletion:** Secure overwriting or cryptographic erasure within 90 days
- **Backup Purging:** Removal from backups according to backup rotation schedules (typically within 180 days)

**Verification:**
- Deletion completion verification and documentation
- Audit logs of deletion activities
- Certification of deletion upon request

**Limitations:**
- Anonymized data may be retained indefinitely
- Aggregated statistical data without Personal Data may be retained
- Legal requirements may mandate retention despite deletion requests

### 8.5 Security Limitations and User Responsibilities

**No Absolute Security:** Despite robust measures, no system is 100% secure. I cannot guarantee absolute security of Personal Data.

**User Responsibilities:**
- Keep account credentials confidential and secure
- Use strong, unique passwords
- Enable multi-factor authentication when available
- Promptly report suspected security incidents
- Keep contact information current for security notifications
- Follow security best practices when accessing Services

**Shared Responsibility:** Security is a shared responsibility between the Rights Holder and users.

---

## 9. YOUR RIGHTS AND CHOICES

### 9.1 Universal Rights

Regardless of location, all users have the following rights:

#### 9.1.1 Right to Access
- **Request copies** of your Personal Data
- **Receive information** about how your data is Processed
- **Obtain details** about data sharing and recipients
- **Access in portable format** (machine-readable, commonly used format)

**How to Exercise:** Email privacy@in-digi-nous.com with subject line "Data Access Request"

**Response Time:** Within 30 days (may be extended to 60 days for complex requests with notice)

#### 9.1.2 Right to Rectification
- **Correct inaccurate** Personal Data
- **Complete incomplete** Personal Data
- **Update outdated** information

**How to Exercise:** Update via account settings or email privacy@in-digi-nous.com

**Response Time:** Immediate for account updates; within 30 days for verification-required updates

#### 9.1.3 Right to Deletion ("Right to be Forgotten")
- **Request deletion** of your Personal Data
- **Account closure** with full data removal
- **Exceptions apply** for legal obligations, dispute resolution, security, and fraud prevention

**How to Exercise:** Email privacy@in-digi-nous.com with subject line "Data Deletion Request"

**Response Time:** Within 30 days (data removal within 90 days)

**Limitations:**
- Legal or contractual retention requirements
- Ongoing disputes or investigations
- Security and fraud prevention needs
- Anonymized data (cannot identify you)

#### 9.1.4 Right to Object
- **Object to Processing** based on legitimate interests
- **Opt out of marketing** communications
- **Withdraw consent** for consent-based Processing
- **Restrict certain uses** of your data

**How to Exercise:** Email privacy@in-digi-nous.com or use unsubscribe links in communications

#### 9.1.5 Right to Data Portability
- **Receive your data** in structured, machine-readable format
- **Transfer data** to another service provider
- **Direct transmission** where technically feasible

**How to Exercise:** Email privacy@in-digi-nous.com with subject line "Data Portability Request"

**Format:** JSON, CSV, or other commonly used formats

#### 9.1.6 Right to Restrict Processing
- **Limit Processing** to storage only while disputes are resolved
- **Challenge accuracy** of data during verification
- **Object to deletion** but request restriction instead

**How to Exercise:** Email privacy@in-digi-nous.com with specific restriction request

#### 9.1.7 Rights Related to Automated Decision-Making
- **Not be subject** to solely automated decisions with significant effects
- **Request human review** of automated decisions
- **Receive explanation** of automated decision logic
- **Challenge and contest** automated decisions

(See Section 14 for detailed AI and automated decision-making provisions)

### 9.2 Enhanced Rights for Indigenous Data Subjects

Indigenous users and community members have additional rights:

#### 9.2.1 Cultural Authority Rights
- **Invoke cultural protocols** governing data use
- **Apply TK Labels** to your Indigenous Data
- **Request cultural review** of data uses
- **Designate community representatives** for collective data governance

#### 9.2.2 Sovereignty-Based Rights
- **Invoke tribal jurisdiction** for dispute resolution
- **Request tribal court** adjudication of rights
- **Assert sovereign immunity** protections
- **Demand compliance** with CARE Principles

#### 9.2.3 Collective Rights
- **Represent community interests** in data governance
- **Request community consultation** for significant data uses
- **Participate in benefit-sharing** decisions
- **Access aggregated community data** (where authorized)

### 9.3 Jurisdiction-Specific Rights

#### 9.3.1 California Residents (CCPA/CPRA Rights)

**Right to Know:**
- Categories of Personal Data collected
- Categories of sources of Personal Data
- Business or commercial purposes for collecting data
- Categories of third parties with whom data is shared
- Specific pieces of Personal Data collected

**Right to Delete:**
- Request deletion of Personal Data (subject to exceptions)

**Right to Opt-Out:**
- Opt out of "sale" or "sharing" of Personal Data (Note: I do not sell data)
- Opt out of targeted advertising
- Limit use of Sensitive Personal Data

**Right to Correct:**
- Request correction of inaccurate Personal Data

**Right to Limit Use of Sensitive Personal Data:**
- Restrict use of Sensitive Personal Data to necessary purposes

**Right to Non-Discrimination:**
- Not be discriminated against for exercising privacy rights
- No denial of service, different pricing, or degraded experience

**Authorized Agent:** You may designate an authorized agent to make requests on your behalf by providing written authorization.

**Verification:** Requests require identity verification to protect against fraudulent requests.

**How to Exercise:** Complete form at https://in-digi-nous.com/privacy/ccpa-request or email privacy@in-digi-nous.com

**Response Time:** Within 45 days (may extend to 90 days with notice)

#### 9.3.2 European Residents (GDPR Rights)

**Right of Access (Article 15):**
- Obtain confirmation of Processing
- Access Personal Data and supplementary information

**Right to Rectification (Article 16):**
- Correct inaccurate Personal Data
- Complete incomplete data

**Right to Erasure (Article 17):**
- Request deletion under specific grounds:
  - Data no longer necessary
  - Consent withdrawn
  - Unlawful Processing
  - Legal obligation to delete

**Right to Restriction (Article 18):**
- Restrict Processing while:
  - Accuracy is contested
  - Processing is unlawful but deletion not desired
  - Data needed for legal claims

**Right to Data Portability (Article 20):**
- Receive data in machine-readable format
- Transmit to another controller

**Right to Object (Article 21):**
- Object to Processing based on legitimate interests
- Object to direct marketing (absolute right)
- Object to profiling

**Rights Related to Automated Decision-Making (Article 22):**
- Not subject to solely automated decisions
- Human intervention and explanation rights

**Right to Withdraw Consent (Article 7):**
- Withdraw consent at any time

**Right to Lodge Complaint:**
- File complaint with supervisory authority in EU member state

**Supervisory Authority Contact:** [Your local Data Protection Authority - list available at https://edpb.europa.eu/about-edpb/board/members_en]

**How to Exercise:** Email privacy@in-digi-nous.com

**Response Time:** Within 1 month (may extend to 3 months for complex requests with notice)

#### 9.3.3 Other Jurisdictions

Residents of other jurisdictions may have additional rights under local laws, including:

- **Virginia (VCDPA)**
- **Colorado (CPA)**
- **Connecticut (CTDPA)**
- **Utah (UCPA)**
- **Brazil (LGPD)**
- **Canada (PIPEDA)**
- **Australia (Privacy Act)**
- **Switzerland (Federal Data Protection Act)**
- **UK (UK GDPR)**

Contact privacy@in-digi-nous.com to learn about rights specific to your jurisdiction.

### 9.4 Account Management

**Account Settings:**
- Update Personal Data via account dashboard
- Manage communication preferences
- Control privacy settings
- View data access and usage history

**Account Deletion:**
- Delete account through account settings or by contacting privacy@in-digi-nous.com
- Data deletion as described in Section 9.1.3

### 9.5 Cookie and Tracking Preferences

**Cookie Management:**
- Adjust cookie preferences through cookie consent banner
- Manage browser settings to block or delete cookies
- Use "Do Not Track" browser settings (honored where technically feasible)

**Opt-Out Tools:**
- **Google Analytics:** [Google Analytics Opt-Out Browser Add-on](https://tools.google.com/dlpage/gaoptout)
- **Advertising Opt-Outs:** [Digital Advertising Alliance](http://optout.aboutads.info/), [Network Advertising Initiative](http://optout.networkadvertising.org/)

(See Section 11 for detailed cookie information)

### 9.6 Marketing and Communications Opt-Out

**Email Marketing:**
- Click "unsubscribe" link in any marketing email
- Update preferences in account settings
- Email privacy@in-digi-nous.com with subject "Unsubscribe"

**Transactional Emails:** Certain service-related emails (e.g., account security, transaction confirmations) cannot be opted out while account is active.

**SMS/Text:** Reply "STOP" to opt out of text messages

**Push Notifications:** Manage via device settings or app settings

### 9.7 Exercising Your Rights

**How to Make Requests:**

1. **Email:** privacy@in-digi-nous.com
   - Include clear subject line indicating request type
   - Provide sufficient information for verification

2. **Online Form:** https://in-digi-nous.com/privacy/rights-request

3. **Mail:**  
   ᓂᐲᔥ Nbiish-Justin Kenwabikise  
   Privacy Rights Requests  
   [Mailing address to be provided]

**Verification Process:**
- Identity verification required to protect against fraudulent requests
- May request additional information to verify identity
- Authorized agents must provide written authorization

**No Fee:** Rights requests are generally processed free of charge.

**Excessive Requests:** Manifestly unfounded or excessive requests (especially repetitive requests) may incur reasonable administrative fees or be refused.

**Response Timeline:**
- Acknowledgment within 10 days
- Full response within 30-45 days (depending on jurisdiction)
- Extension notifications provided when additional time needed

**Appeals:**
- If request is denied, you may appeal by contacting privacy@in-digi-nous.com
- Jurisdiction-specific appeal rights are honored (e.g., CCPA appeal process)

---

## 10. INTERNATIONAL DATA TRANSFERS

### 10.1 Cross-Border Data Transfers

Personal Data may be transferred to, stored in, and processed in countries other than your country of residence, including the United States. These countries may have data protection laws different from those in your jurisdiction.

### 10.2 Transfer Safeguards

When transferring Personal Data internationally, I implement appropriate safeguards to ensure adequate protection:

#### 10.2.1 Standard Contractual Clauses (SCCs)

- EU Commission-approved Standard Contractual Clauses for GDPR compliance
- UK International Data Transfer Agreement (IDTA) for UK GDPR compliance
- Swiss-approved transfer mechanisms for Swiss data subjects
- Regular reviews and updates as regulations evolve

#### 10.2.2 Adequacy Decisions

- Relying on jurisdictions deemed to provide adequate protection by relevant authorities
- Currently recognized adequacy decisions (subject to change):
  - EU Commission adequacy decisions (UK, Switzerland, Japan, etc.)
  - Cross-Border Privacy Rules (CBPR) certification

#### 10.2.3 Derogations for Specific Situations

When SCCs or adequacy decisions are not applicable, transfers may occur based on GDPR derogations:

- Explicit consent for the transfer
- Performance of contract with you
- Important public interest reasons
- Establishment, exercise, or defense of legal claims
- Protection of vital interests

### 10.3 Indigenous Data Transfer Restrictions

**Enhanced Protections:** Transfers of Indigenous Data across international borders require:

**a) Prior Review:**

- Assessment of cultural implications
- Evaluation of receiving jurisdiction's data protection laws
- Consideration of Indigenous rights recognition in destination country

**b) Community Consultation:**

- For collective Indigenous Data, community representatives must approve international transfers
- Cultural protocols must be accessible and enforceable in receiving jurisdiction

**c) Enhanced Contractual Protections:**

- Binding commitments to Indigenous Data Sovereignty principles
- CARE Principles implementation requirements
- Recognition of tribal jurisdiction for disputes
- Repatriation rights preserved

**d) Prohibited Destinations:**

Indigenous Data will NOT be transferred to jurisdictions that:

- Do not recognize Indigenous rights
- Have records of Indigenous rights violations
- Lack adequate data protection frameworks
- Cannot enforce tribal jurisdiction provisions

### 10.4 U.S. Federal and Tribal Jurisdiction Preservation

All international transfers preserve:

- Federal Indian law supremacy
- Tribal court jurisdiction over Indigenous Data disputes
- Sovereign immunity protections
- Treaty-based rights and obligations

Transferred data remains subject to tribal authority regardless of physical location.

### 10.5 Data Subject Rights Across Borders

Your rights under this Privacy Policy apply regardless of where your data is stored or processed. You may exercise all rights described in Section 9 regardless of data location.

### 10.6 Transfer Impact Assessments

Before new international transfer arrangements, I conduct Transfer Impact Assessments (TIAs) evaluating:

- Legal framework in receiving country
- Practical access to data by government authorities
- Effectiveness of supplementary measures
- Rights and remedies available to Data Subjects
- Special considerations for Indigenous Data

---

## 11. COOKIES AND TRACKING TECHNOLOGIES

### 11.1 What Are Cookies?

Cookies are small text files placed on your device by websites you visit. They are widely used to make websites work more efficiently and provide information to website owners.

### 11.2 Types of Cookies Used

I use the following categories of cookies:

#### 11.2.1 Essential Cookies (Strictly Necessary)

**Purpose:** Required for basic functionality and security

**Examples:**

- Session management and authentication
- Security and fraud prevention
- Load balancing and performance
- User preferences (language, accessibility)

**Duration:** Session (deleted when browser closes) or 1 year maximum

**Legal Basis:** Legitimate interest (necessary for service provision)

**Opt-Out:** Cannot be disabled without severely limiting functionality

#### 11.2.2 Performance and Analytics Cookies

**Purpose:** Understanding how users interact with the Services

**Examples:**

- Google Analytics (anonymized IP)
- Plausible Analytics (privacy-focused, no personal data)
- Custom analytics for service improvement
- Error tracking and diagnostics

**Duration:** 1-2 years

**Legal Basis:** Consent or legitimate interest (with anonymization)

**Opt-Out:** Via cookie banner, browser settings, or analytics opt-out tools

#### 11.2.3 Functionality Cookies

**Purpose:** Enhancing user experience with personalized features

**Examples:**

- Remembering user preferences
- Personalized content recommendations
- Customized interface settings
- Video player preferences

**Duration:** 1 month to 2 years

**Legal Basis:** Consent or legitimate interest

**Opt-Out:** Via cookie banner or browser settings

#### 11.2.4 Advertising and Targeting Cookies (If Used)

**Purpose:** Delivering relevant advertisements and measuring campaign effectiveness

**Examples:**

- Retargeting campaigns
- Conversion tracking
- Interest-based advertising
- Social media advertising pixels

**Duration:** 3 months to 2 years

**Legal Basis:** Explicit consent required

**Opt-Out:** Via cookie banner, advertising opt-out tools, or browser settings

**Current Status:** Advertising cookies are NOT currently used. If implemented, explicit consent will be obtained.

### 11.3 Third-Party Cookies

Third-party service providers may set their own cookies when you use the Services:

**Analytics Providers:**

- Google Analytics (if used, with anonymization)
- Plausible Analytics (no personal data collection)

**Social Media Platforms:**

- Social media embed cookies (YouTube, Twitter/X, LinkedIn)
- Disabled until user interaction where possible

**Payment Processors:**

- Stripe, PayPal (for transaction security and fraud prevention)

**Customer Support:**

- Live chat widgets (e.g., Intercom, Zendesk) with consent

### 11.4 Cookie Management and Consent

#### 11.4.1 Cookie Consent Banner

Upon first visit, a cookie consent banner allows you to:

- Accept all cookies
- Reject non-essential cookies
- Customize cookie preferences by category
- Learn more about specific cookies

#### 11.4.2 Changing Cookie Preferences

**Via Cookie Settings:**

- Access cookie preferences at any time via footer link
- Modify consent for each cookie category
- Changes take effect immediately

**Via Browser Settings:**

- Most browsers allow cookie blocking and deletion
- Browser-specific instructions:
  - **Chrome:** Settings > Privacy and Security > Cookies
  - **Firefox:** Preferences > Privacy & Security > Cookies
  - **Safari:** Preferences > Privacy > Cookies
  - **Edge:** Settings > Privacy > Cookies

#### 11.4.3 Do Not Track (DNT)

**Current Status:** I honor DNT signals where technically feasible for analytics cookies.

**Limitations:** Some essential cookies cannot respect DNT without breaking functionality.

### 11.5 Similar Tracking Technologies

Beyond cookies, I may use other tracking technologies:

**Local Storage:**

- HTML5 local storage for offline functionality
- Preserves user preferences and application state
- Can be cleared via browser settings

**Web Beacons (Pixels):**

- Transparent images in emails to track opens
- Used only with consent for marketing emails
- Easily blocked by email clients

**Device Fingerprinting:**

- **Limited Use:** Only for fraud detection and security
- **Not Used For:** Tracking or profiling across sites

**Session Replay:**

- **If Used:** Only with explicit consent and anonymization
- **Current Status:** Not currently implemented

### 11.6 Indigenous Data and Cookie Protections

Cookies and tracking technologies do NOT collect or process:

- Tribal affiliation without consent
- Traditional Knowledge or cultural information
- Sacred or ceremonial data
- Indigenous community membership

Any Indigenous Data voluntarily provided through the Services is protected under CARE Principles regardless of cookie settings.

### 11.7 Cookie Retention and Deletion

**Retention Periods:**

- Essential: Duration of session or up to 1 year
- Analytics: 1-2 years
- Functionality: 1 month to 2 years
- Advertising (if used): 3 months to 2 years

**Automated Deletion:**

- Cookies automatically expire after specified duration
- No longer necessary cookies are deleted

**User-Initiated Deletion:**

- Clear cookies via browser settings
- Update cookie preferences to reject categories
- Delete account to trigger cookie cleanup

---

## 12. THIRD-PARTY SERVICES AND LINKS

### 12.1 Third-Party Websites and Services

The Services may contain links to third-party websites, applications, or services not operated by the Rights Holder.

**No Responsibility:** I am not responsible for the privacy practices, content, or security of third-party services.

**Recommendation:** Review the privacy policies of any third-party services before providing Personal Data.

**Examples:**

- Social media platforms (Facebook, Twitter/X, LinkedIn, Instagram)
- Payment processors (Stripe, PayPal)
- Cloud storage providers
- External resources and references
- Partner organizations and collaborators

### 12.2 Third-Party Integrations

Certain third-party services are integrated into the Services with appropriate data processing agreements and Indigenous Data Sovereignty protections where applicable.

### 12.3 Indigenous Community Partners

**Trusted Partnerships:** I may share Indigenous Data with Indigenous community organizations for cultural preservation initiatives, community benefit programs, research collaborations, and educational projects.

**Protections:** All partners bound by Indigenous Data Sovereignty principles, CARE Principles implementation required, cultural protocols respected, and community authorization obtained.

---

## 13. SPECIAL DATA CATEGORIES AND PROTECTIONS

### 13.1 Sensitive Personal Data

**Definition:** Special categories of Personal Data requiring enhanced protection, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or sex life or sexual orientation.

**Collection Principles:**

- **Minimization:** Collect only when strictly necessary
- **Explicit Consent:** Obtain explicit, affirmative consent before collection
- **Enhanced Security:** Apply strongest security measures
- **Limited Use:** Use only for explicitly stated purposes
- **Restricted Sharing:** Share only with explicit authorization

**Current Collection:** I do NOT routinely collect Sensitive Personal Data except tribal affiliation (voluntary, for Indigenous community services), health information (only if providing health-related services, with explicit consent), and accessibility needs (voluntary, to provide accommodations).

### 13.2 Indigenous Cultural Data

**Sacred and Ceremonial Information:**

- Absolute prohibition on unauthorized collection
- Special handling protocols for authorized collection
- Cultural authority approval required
- Enhanced encryption and access restrictions
- Strict use limitations

**Traditional Knowledge:**

- Collected only with Prior Informed Consent
- Used only for explicitly authorized purposes
- Subject to community protocols and TK Labels
- Benefit-sharing arrangements in place

**Cultural Heritage:**

- Respect for cultural sensitivity and protocols
- Community control over collective data
- Repatriation rights honored
- Protection from commercialization without authorization

---

## 14. AI AND AUTOMATED DECISION-MAKING

### 14.1 Use of Artificial Intelligence

**Current AI Use:** The Services may use AI and machine learning for service improvement (analytics and pattern recognition), content recommendations, spam and fraud detection, customer support (chatbots with human escalation), and language processing for better UX.

**Human Oversight:** All AI systems operate with human oversight and intervention capabilities.

### 14.2 Automated Decision-Making Limitations

**No Solely Automated Decisions with Legal/Significant Effects:** I do NOT make solely automated decisions that produce legal or similarly significant effects without human involvement, including account terminations (always human-reviewed), high-value transaction approvals, eligibility determinations for services, or pricing/terms modifications.

**Exception:** Fraud detection may automatically block transactions, but humans review all blocks.

### 14.3 AI Training on User Data

**Prohibition on External AI Training:** Your Personal Data is NEVER sold or licensed to AI companies for model training, used to train third-party AI models, included in publicly available datasets, or shared for AI development without explicit consent.

**Indigenous Data Protection:** Indigenous Data is subject to additional AI restrictions per the LICENSE including no AI training without Prior Informed Consent, community benefit requirements for any AI uses, cultural protocol compliance, and CARE Principles implementation.

### 14.4 Transparency and Explainability

**Right to Explanation:** You have the right to receive meaningful information about the logic involved in automated decision-making.

**Request Process:** Email privacy@in-digi-nous.com with subject "AI Explanation Request"

### 14.5 AI and Indigenous Data Sovereignty

AI systems involving Indigenous Data must respect CARE Principles, support community benefit, maintain cultural authority, prevent cultural appropriation, implement community-approved protocols, and enable data repatriation.

**Prohibited AI Uses with Indigenous Data:** Stereotyping or misrepresentation, cultural appropriation for commercial gain, undermining tribal sovereignty, violating sacred knowledge protections, or training without community authorization.

---

## 15. CHILDREN'S PRIVACY

### 15.1 Age Restrictions

**General Rule:** The Services are NOT directed at children under 13 years of age.

**Policy:** I do not knowingly collect Personal Data from children under 13 without verifiable parental consent.

**Teens (13-17):** Users ages 13-17 may access certain Services with parental consent where required by law.

### 15.2 Parental Rights

Where Services are made available to children 13-17, parents have rights to review child's Personal Data, request correction or deletion, refuse further collection or use, and receive notification of privacy policy changes.

### 15.3 Children's Data Collection Limitations

For any users under 18: no behavioral advertising, no sale or sharing of data, no collection of precise location (without explicit consent), no public posting of Personal Data (default privacy settings), and limited data retention (deleted within 30 days of account closure).

### 15.4 Discovery and Deletion Protocol

If I discover that Personal Data from a child under 13 has been collected without verifiable parental consent, I will immediately cease all Processing, tag data for deletion, isolate from all systems, notify parent/guardian if contact information available, complete deletion within 30 days, and document incident and remediation.

**Reporting:** Parents or guardians may report unauthorized child data collection to privacy@in-digi-nous.com

### 15.5 COPPA Compliance

For any Services directed at children under 13 (current or future), I will implement direct notice to parents, verifiable parental consent before collection, parental access and deletion rights, no conditioning participation on data disclosure, reasonable security for children's data, and retention only as long as necessary.

---

## 16. DATA BREACH NOTIFICATION AND RESPONSE

### 16.1 Breach Prevention and Detection

**Proactive Measures:** Continuous security monitoring, regular vulnerability assessments, penetration testing (annual minimum), security awareness training, and incident prevention controls.

**Detection Mechanisms:** 24/7 security monitoring and alerting, intrusion detection systems (IDS), anomaly detection and behavioral analytics, employee reporting channels, and third-party security reports.

### 16.2 Breach Response Process

Upon detection of a suspected data breach, I follow a comprehensive five-phase response process: Containment (0-24 hours), Assessment (24-72 hours), Notification (as required by law), Remediation and Recovery, and Post-Incident Review.

### 16.3 Notification to Affected Individuals

If a breach affects your Personal Data, you will be notified within 72 hours of breach confirmation via email, prominent website notice, or direct mail, including description of breach, data types affected, approximate date, likely consequences, measures taken, recommended actions, and contact information.

### 16.4 Regulatory Notifications

**GDPR Breaches:** Notification to lead supervisory authority within 72 hours, documentation maintained, high-risk breaches trigger individual notification without undue delay.

**CCPA Breaches:** Notification to California Attorney General if >500 residents affected, individual notification as required.

**Tribal Jurisdiction Breaches:** Notification to GTBOCI authorities for Indigenous Data breaches, coordination with tribal law enforcement if applicable.

### 16.5 Breach Support Resources

If you are affected by a breach, I may provide free credit monitoring services (12-24 months), identity theft protection, fraud resolution assistance, dedicated support hotline, and regular updates on remediation progress.

### 16.6 Indigenous Data Breach Protocols

For breaches involving Indigenous Data: affected Indigenous communities notified within 48 hours, cultural impact assessment, tribal authority coordination, enhanced community-directed remediation measures, and ceremonial remedies if appropriate.

---

## 17. ACCESSIBILITY AND LANGUAGE ACCESS

### 17.1 Accessibility Commitment

I am committed to making this Privacy Policy and all Services accessible to individuals with disabilities in accordance with the Americans with Disabilities Act (ADA), Section 508 of the Rehabilitation Act, and Web Content Accessibility Guidelines (WCAG) 2.1 Level AA.

### 17.2 Accessible Privacy Policy

This Privacy Policy is designed for accessibility with screen reader compatibility, keyboard navigation, clear language where possible, readable fonts, high contrast, and alternative formats available (large print, audio, Braille) upon request.

### 17.3 Accessibility Accommodations

**Request Accommodations:** If you need this Privacy Policy or Services in an alternative format, email privacy@in-digi-nous.com (Subject: "Accessibility Accommodation"), call 402-431-2023, or mail [address to be provided].

**Available Formats:** Large print (minimum 18pt), audio recording, Braille, plain language summary, simplified visual guide.

**Response Time:** Accommodation requests fulfilled within 10 business days.

### 17.4 Language Access

**Primary Language:** English

**Additional Languages:** Anishinaabemowin (Ojibwe language) - select sections available, full translation in progress; Spanish - available upon request for key sections; Other languages - translation services available upon request for accessibility needs.

### 17.5 Anishinaabemowin Language Revival

As part of cultural preservation efforts, key privacy concepts are being translated into Anishinaabemowin, terminology developed for modern privacy concepts in Indigenous language, community language experts consulted, and educational resources provided.

### 17.6 Accessibility Feedback

**Report Accessibility Barriers:** If you encounter accessibility barriers, email privacy@in-digi-nous.com with subject "Accessibility Issue" describing the barrier and your assistive technology.

**Response Commitment:** Acknowledgment within 2 business days, assessment and remediation plan within 10 business days, implementation based on severity and complexity.

---

## 18. UPDATES TO THIS PRIVACY POLICY

### 18.1 Right to Modify

I reserve the right to update, modify, or replace this Privacy Policy at any time to reflect changes in data practices, new Services or features, legal or regulatory requirements, security enhancements, or user feedback and best practices.

### 18.2 Material Changes Definition

**Material changes** include: new data collection categories, expanded data sharing practices, reduced user rights or choices, changes to retention periods, new uses of data beyond original purposes, jurisdictional changes, or changes to Indigenous Data Sovereignty protections.

### 18.3 Notification of Changes

**Material Changes:** Minimum 30 days advance notice before effective date, email notification to all registered users, prominent website notice banner on all Service pages, summary of changes with clear explanation, and ability to opt out or close account before changes take effect.

**Non-Material Changes:** Updated "Last Updated" date, notification via website footer link, changes effective upon posting without advance notice required.

### 18.4 Version Control and Archive

**Current Version:** Always available at primary privacy policy URL.

**Version History:** Previous versions archived and accessible, change log maintained documenting all modifications, available at: https://in-digi-nous.com/privacy/history

**Version Format:** Privacy Policy [Version Number] - [Effective Date]

### 18.5 Indigenous Data Sovereignty Protections

**Non-Waivable Protections:** Changes to this Privacy Policy cannot diminish Indigenous Data Sovereignty principles, CARE Principles implementation, tribal jurisdiction provisions, cultural protocol requirements, community consent requirements, or repatriation rights.

**Community Consultation:** Material changes affecting Indigenous Data require consultation with affected Indigenous communities, reasonable notice and opportunity to object, and alternative arrangements for objecting communities.

---

## 19. CONTACT INFORMATION AND DATA PROTECTION OFFICER

### 19.1 Privacy Contact Information

**For all privacy-related inquiries, requests, and concerns:**

**Email:** privacy@in-digi-nous.com

**Subject Lines for Specific Requests:** "Data Access Request", "Data Deletion Request", "Data Portability Request", "Do Not Sell My Data", "Opt-Out Request", "Privacy Rights Request", "Data Breach Report", "Accessibility Accommodation"

**Phone:** 402-431-2023  
**Hours:** Monday-Friday, 9 AM - 5 PM Eastern Time  
**Voicemail:** Checked daily, response within 2 business days

**Mail:**  
ᓂᐲᔥ Nbiish-Justin Kenwabikise  
Privacy Department  
[Mailing Address - Physical address to be provided]

**Online Form:** https://in-digi-nous.com/privacy/contact

### 19.2 Data Protection Officer (DPO)

**Current Status:** As an individual developer/operator, I do not currently have a separate Data Protection Officer role. The Rights Holder serves as the privacy contact for all purposes.

**GDPR Requirement:** If a formal DPO becomes required under GDPR (e.g., due to scale of operations), one will be appointed and contact information updated here.

### 19.3 Tribal Privacy Authority Contact

For matters involving Indigenous Data Sovereignty, tribal jurisdiction, or cultural protocols:

**Grand Traverse Band of Ottawa and Chippewa Indians**  
**Tribal Council**  
2605 N. West Bay Shore Drive  
Peshawbestown, MI 49682  
Phone: (231) 534-7750  
Website: https://www.gtbindians.org

**Note:** Tribal authorities may be consulted for Indigenous Data matters at the Rights Holder's discretion or community request.

### 19.4 Regulatory Authority Contacts

**For GDPR Complaints (EU/EEA Residents):**  
Contact your local supervisory authority. Directory: https://edpb.europa.eu/about-edpb/board/members_en

**For CCPA Complaints (California Residents):**  
California Attorney General's Office - Privacy Enforcement and Protection Unit  
Website: https://oag.ca.gov/privacy | Email: privacy@doj.ca.gov

**For Other U.S. Privacy Complaints:**  
Federal Trade Commission (FTC)  
Website: https://www.ftc.gov/complaint | Phone: 1-877-FTC-HELP (1-877-382-4357)

### 19.5 Response Timeframes

**Acknowledgment:** All privacy requests acknowledged within **2 business days** (excluding weekends and U.S. federal holidays).

**Full Response:** Standard requests within **30 days**, complex requests up to **60-90 days** (with notice of extension and reason), GDPR requests within **1 month** (extendable to 3 months for complex requests), CCPA requests within **45 days** (extendable to 90 days with notice).

**Urgent matters:** Security incidents and time-sensitive requests prioritized.

### 19.6 No Fee for Standard Requests

Privacy rights requests processed free of charge. Manifestly unfounded, excessive, or repetitive requests may incur reasonable administrative fees or be refused (with explanation).

---

## 20. DISPUTE RESOLUTION AND ENFORCEMENT

### 20.1 Tribal Court Jurisdiction (Primary)

**Exclusive Jurisdiction:** Disputes arising from or relating to this Privacy Policy are subject to the **exclusive jurisdiction of the Grand Traverse Band of Ottawa and Chippewa Indians Tribal Court**, located in Peshawbestown, Michigan.

**Tribal Court Contact:**  
Grand Traverse Band Tribal Court  
2605 N. West Bay Shore Drive  
Peshawbestown, MI 49682  
Phone: (231) 534-7750

**Sovereign Immunity:** Nothing in this Privacy Policy constitutes a waiver of the Rights Holder's tribal sovereign immunity or the sovereign immunity of GTBOCI.

### 20.2 Federal Court Jurisdiction (Alternative)

**Limited Federal Jurisdiction:** The Rights Holder may, in their sole discretion, elect to pursue enforcement actions in United States federal courts with established expertise in federal Indian law (Western District of Michigan, Sixth Circuit Court of Appeals, or other federal courts with proper jurisdiction).

**No Waiver:** Election to use federal courts does not constitute a general waiver of sovereign immunity or exclusive tribal jurisdiction.

### 20.3 State Court Prohibition

**No State Jurisdiction:** State courts have **NO jurisdiction** over disputes arising from this Privacy Policy.

**Constitutional Preemption:** Federal Indian law and tribal sovereignty preempt state court jurisdiction over these matters under the Supremacy Clause (U.S. Constitution, Article VI, Clause 2).

**Removal:** Any action filed in state court in violation of this provision shall be removed to federal court under 28 U.S.C. § 1441, transferred to tribal court or dismissed, and subjects filing party to liquidated damages of **$100,000**.

### 20.4 Choice of Law

**Governing Law Hierarchy:**

1. **Tribal law** of the Grand Traverse Band of Ottawa and Chippewa Indians (first priority)
2. **Federal Indian law** including treaties, statutes, and common law
3. **Federal privacy laws** (COPPA, FERPA, HIPAA where applicable)
4. **International Indigenous rights instruments** (UNDRIP, WIPO Treaty, ILO 169, Nagoya Protocol)
5. **Applicable privacy regulations** (GDPR, CCPA, etc. for jurisdictional rights)

**Conflicts:** In case of conflicts, tribal sovereignty and Indigenous Data Sovereignty principles prevail.

### 20.5 Remedies and Enforcement

**Available Remedies:** Injunctive relief, specific performance, declaratory relief, monetary damages (compensatory), liquidated damages (for willful violations or jurisdictional breaches), statutory damages (under applicable privacy laws), attorneys' fees and costs (for prevailing parties), and cultural remediation (community-directed remedies for cultural harm).

**Enhanced Remedies for Indigenous Data Violations:** Data repatriation orders, benefit-sharing enforcement, cultural impact compensation, community-directed remedies, and minimum liquidated damages of **$250,000** per violation.

### 20.6 Class Actions and Collective Relief

**Class Action Rights Preserved:** You retain the right to participate in class action lawsuits or collective relief proceedings regarding privacy violations where permitted by law.

**Collective Action for Indigenous Communities:** Indigenous communities may bring collective actions to enforce communal data rights.

**Opt-Out Not Required:** No prior opt-out from class actions required (no class action waiver).

---

## 21. SERVICE-SPECIFIC PRIVACY PROVISIONS

### 21.1 SaaS Product Data Practices

**Data Collection:** SaaS platforms may collect application-specific usage data, user-generated content and configurations, integration data from connected third-party services, API usage logs and performance metrics, and collaboration and team data.

**Data Retention:** Active subscription (duration of subscription), Post-termination (30 days for account recovery), Data deletion (complete within 90 days of termination unless legal retention required), Backup purging (from backups within 180 days).

**Data Export:** Pre-termination export available via dashboard, post-termination export upon request (within 30-day window), standard formats (JSON, CSV, XML).

### 21.2 E-Commerce and Donation Processing

**Donation Privacy:** Donation amounts and frequency stored but never publicly disclosed without explicit consent. Tax receipts provided for eligible donations. Anonymous donation option available.

---

## 22. COMPLIANCE CERTIFICATIONS AND AUDITS

### 22.1 Current Compliance Status

The Services are designed for compliance with:

**Privacy Regulations:** GDPR, CCPA/CPRA, VCDPA, CPA, COPPA, PIPEDA

**Indigenous Rights Frameworks:** UNDRIP, CARE Principles for Indigenous Data Governance, WIPO Treaty on Traditional Knowledge (implementation ready), ILO Convention 169 principles, Nagoya Protocol principles

**Security Standards:** SOC 2 Type II (in progress - target certification 2026), ISO 27001 (planned), PCI-DSS (via payment processors)

### 22.2 Transparency and Reporting

**Annual Transparency Report:** Published annually with information on legal requests received and complied with, types of data requested by authorities, data breach incidents and responses, Indigenous Data Sovereignty metrics, privacy rights requests (aggregated), and policy updates and changes.

**Indigenous Data Sovereignty Report:** Separate annual report on CARE Principles implementation status, community benefit sharing results, cultural protocol compliance, Traditional Knowledge protections, and tribal jurisdiction cases.

**Availability:** Reports published at https://in-digi-nous.com/privacy/transparency

### 22.3 Continuous Improvement

Privacy program evolution through regular policy reviews (at least annually), incorporation of user feedback, adaptation to regulatory changes, technology and security updates, and best practice benchmarking.

---

## 23. SPECIAL CIRCUMSTANCES AND EMERGENCY PROTOCOLS

### 23.1 Force Majeure Events

In the event of force majeure circumstances beyond reasonable control (natural disasters, pandemics, wars, civil unrest, infrastructure failures, legal prohibitions), performance of certain obligations may be suspended with alternative data protection measures implemented and notice provided as soon as reasonably possible. Core protections remain in force including security measures, data minimization, prohibition on unauthorized sharing, and preservation of user rights.

### 23.2 Incarceration or Detention of Rights Holder

**Continuity Plans:** Designated representatives authorized to maintain privacy program, automated systems continue operation, emergency contacts and procedures documented.

**Rights Preservation:** User rights remain enforceable, Privacy Policy remains in full force, tribal sovereignty protections unaffected, and Indigenous Data Sovereignty principles maintained.

### 23.3 Business Continuity

**Disaster Recovery:** Comprehensive business continuity plan, regular backups and secure storage, tested recovery procedures, and recovery time objectives of 24-48 hours for critical systems.

---

## 24. FINAL PROVISIONS

### 24.1 Entire Agreement

This Privacy Policy, together with the Terms of Service and LICENSE, constitutes the entire agreement regarding privacy and data protection for the Services.

**Conflicts:** LICENSE terms supersede conflicting provisions, Terms of Service govern non-privacy contractual matters, and Privacy Policy governs all data protection matters.

### 24.2 Severability

If any provision of this Privacy Policy is found invalid or unenforceable, the remainder remains in full effect, invalid provision interpreted to achieve intent to maximum extent, and core protections (tribal sovereignty, Indigenous Data Sovereignty) are non-severable.

### 24.3 No Waiver

Failure to enforce any provision does not constitute a waiver of that provision or any other provision.

### 24.4 Survival

The following provisions survive termination of services or account closure: Indigenous Data Sovereignty protections, tribal jurisdiction provisions, data retention and deletion obligations, liability and dispute resolution, and intellectual property protections.

### 24.5 Language

**Official Version:** English language version is the official and controlling version.

**Translations:** Translations provided for accessibility, but English version controls in case of discrepancies.

---

## 25. ACKNOWLEDGMENTS AND DECLARATIONS

### 25.1 User Acknowledgment

By using the Services, you acknowledge that you have read this entire Privacy Policy, understood your rights and our obligations, agreed to the jurisdictional provisions, consented to data practices as described, and acknowledged tribal sovereignty framework.

### 25.2 Indigenous Data Sovereignty Acknowledgment

You acknowledge and agree that Indigenous Data is subject to unique protections, CARE Principles govern Indigenous Data, tribal jurisdiction applies to Indigenous Data matters, cultural protocols are legally binding, and community rights supersede individual data rights for collective Indigenous Data.

### 25.3 Truthfulness Declaration

You represent that all information provided to the Services is truthful and accurate, current and complete, your own or provided with authorization, and not infringing others' rights.

### 25.4 Capacity Declaration

You represent that you have legal capacity to enter into this Privacy Policy, authority to provide data (including for any children), right to provide third-party data shared through Services, and authorization from relevant parties where required.

---

## APPENDIX A: DEFINITIONS QUICK REFERENCE

**CARE Principles:** Collective Benefit, Authority to Control, Responsibility, Ethics

**CCPA:** California Consumer Privacy Act

**Data Controller:** Rights Holder (entity determining purposes and means of processing)

**Data Processor:** Third-party service provider processing data on Rights Holder's behalf

**Data Subject:** Individual to whom Personal Data relates (you)

**GDPR:** General Data Protection Regulation (European Union)

**GTBOCI:** Grand Traverse Band of Ottawa and Chippewa Indians

**Indigenous Data:** Information about or from Indigenous peoples, lands, cultures, or communities

**Indigenous Data Sovereignty:** Inherent right of Indigenous peoples to govern their data

**Personal Data:** Information relating to an identified or identifiable individual

**Processing:** Any operation performed on data (collection, storage, use, disclosure, deletion)

**Rights Holder:** ᓂᐲᔥ ᐙᐸᓂᒥᑮ-ᑭᓇᐙᐸᑭᓯ (Nbiish Waabanimikii-Kinawaabakizi) / Justin Paul Kenwabikise

**Sensitive Personal Data:** Special categories requiring enhanced protection (race, religion, health, etc.)

**TK:** Traditional Knowledge

**TCE:** Traditional Cultural Expressions

**UNDRIP:** United Nations Declaration on the Rights of Indigenous Peoples

---

## APPENDIX B: YOUR PRIVACY RIGHTS AT A GLANCE

| Right | Description | How to Exercise |
|-------|-------------|-----------------|
| **Access** | Get copies of your Personal Data | Email privacy@in-digi-nous.com |
| **Rectification** | Correct inaccurate data | Account settings or email |
| **Deletion** | Request data deletion | Email privacy@in-digi-nous.com |
| **Portability** | Receive data in portable format | Email privacy@in-digi-nous.com |
| **Object** | Object to processing | Email or unsubscribe links |
| **Restrict** | Limit data processing | Email privacy@in-digi-nous.com |
| **Opt-Out Marketing** | Stop marketing emails | Unsubscribe link or email |
| **Withdraw Consent** | Revoke previously given consent | Email or account settings |
| **Lodge Complaint** | File complaint with regulator | Contact supervisory authority |
| **Human Review** | Request human review of automated decisions | Email privacy@in-digi-nous.com |

**California Residents (CCPA):** Additional rights to know, delete, opt-out, correct, and limit use of sensitive data

**EU/EEA Residents (GDPR):** Full GDPR rights including data portability and right to be forgotten

**Indigenous Data Subjects:** Enhanced rights including cultural authority, repatriation, and collective governance

---

## APPENDIX C: CONTACT QUICK REFERENCE

**Privacy Inquiries:** privacy@in-digi-nous.com | 402-431-2023

**Data Rights Requests:** privacy@in-digi-nous.com (Subject: [Request Type])

**Security Incidents:** privacy@in-digi-nous.com (Subject: "Security Incident")

**Accessibility:** privacy@in-digi-nous.com (Subject: "Accessibility")

**Tribal Matters:** Grand Traverse Band Tribal Court | (231) 534-7750

**GDPR Complaints:** Your local EU Data Protection Authority

**CCPA Complaints:** California Attorney General | https://oag.ca.gov/privacy

**General Support:** [Primary support contact - to be specified]

---

## CLOSING STATEMENT

This Privacy Policy represents a commitment to protecting your privacy while honoring Indigenous Data Sovereignty, tribal jurisdiction, and the inherent rights of Indigenous peoples to control their data and cultural heritage. It integrates cutting-edge privacy protections with ancient Indigenous governance principles, creating a framework that respects both individual rights and collective Indigenous sovereignty.

Your privacy is not a commodity. Your data is not for sale. Your trust is sacred.

**Miigwech (Thank you) for entrusting us with your information.**

---

**Version:** 2.0  
**Effective Date:** November 8, 2025  
**Last Updated:** November 8, 2025  
**Next Scheduled Review:** November 2026

---

*"PRIVACY PROTOCOLS ACTIVE"*  
*"INDIGENOUS DATA SOVEREIGNTY ENFORCED"*  
*"CARE PRINCIPLES IMPLEMENTED"*  
*"TRIBAL JURISDICTION PRESERVED"*

*May this policy serve as a bridge between technological innovation and cultural preservation, protecting both individual privacy and collective Indigenous sovereignty for generations to come.*

---

**ᐊᓂᔑᓇᐯᒧᐎᓐ ᐱᒪᑎᓯᐎᓐ - Anishinaabemowin Pimaatiziwin (Living the Anishinaabe Way)**