SoraMinds LLC
Data Protection Policy
Effective Date: January 2026   ·   Internal & External Reference Document

This Data Protection Policy ("Policy") sets out SoraMinds LLC’s commitment to protecting personal data across all five platforms — SoraAnalyst, SoraMobility, SoraScholar, SoraRobolink, and SoraEcoXmall — and their solutions. It establishes the principles, responsibilities, and technical and organisational measures that govern how SoraMinds handles personal data in compliance with applicable data protection laws, including GDPR, CCPA, HIPAA (where applicable), COPPA, FERPA, and the Michigan Data Breach Notification Act.

1. Scope and Application

This Policy applies to:

  • All personal data processed by SoraMinds LLC in connection with any of its platforms, solutions, APIs, avatar services, or consulting engagements.
  • All SoraMinds employees, contractors, consultants, and third-party processors who handle personal data on SoraMinds’ behalf.
  • All data subjects whose personal information is processed through SoraMinds systems, including platform users, senior care recipients (SoraLiva), learners (SoraLyric), vehicle operators (SoraLift), and commerce customers (SoraLoop).

This Policy is complementary to and should be read alongside SoraMinds’ Privacy Policy, Terms of Use and Service Agreement, and any platform-specific data processing agreements.

2. Data Protection Principles

SoraMinds processes all personal data in accordance with the following principles:

  • Lawfulness, fairness, and transparency: Personal data is processed only on a valid lawful basis, in a manner that is fair and transparent to data subjects.
  • Purpose limitation: Data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
  • Data minimisation: Only personal data that is adequate, relevant, and limited to what is necessary for the stated purpose is collected and retained.
  • Accuracy: Personal data is kept accurate and up to date. Inaccurate data is corrected or deleted without delay.
  • Storage limitation: Personal data is retained only for as long as necessary for its stated purpose, in accordance with the retention schedules in Section 8.
  • Integrity and confidentiality: Personal data is processed with appropriate security, protecting against unauthorised access, loss, destruction, or damage.
  • Accountability: SoraMinds takes responsibility for demonstrating compliance with these principles and maintains records of processing activities.

3. Categories of Personal Data Processed

SoraMinds processes the following categories of personal data across its platforms:

3.1 Standard Personal Data
  • Identification data: name, email address, phone number, organisation, job title.
  • Technical data: IP address, device identifiers, browser information, session logs.
  • Usage and interaction data: SoraGuru conversation logs, platform feature usage, click and navigation data.
  • Account and preference data: login credentials (hashed), communication preferences, platform configurations.
3.2 Special Category Data (Sensitive)
  • Health and care data (SoraRobolink / SoraLiva): daily routines, health reminders, wellness indicators, and care interaction data for senior users. Processed only with explicit consent and subject to enhanced protections.
  • Biometric data: where SoraRobolink deployments involve voice recognition or facial recognition for senior user authentication, processed only with explicit consent and subject to applicable biometric data laws.
3.3 Platform-Specific Data Categories
  • Vehicle and telemetry data (SoraMobility / SoraLift): V2X communications, OTA update logs, vehicle performance data.
  • Learning and assessment data (SoraScholar / SoraLyric): learner progress, assessment scores, engagement metrics, content interaction history.
  • Commerce and transaction data (SoraEcoXmall / SoraLoop): order data, service selections, reservation records, kiosk interaction logs.
  • Safety and surveillance data (SoraAnalyst / SoraLogic): traffic imagery analysis data, VRU detection logs, incident alert records. Retained only in anonymised or aggregated form after processing.
4. Lawful Bases for Processing

Lawful Basis          | When Applied                                                                  | Applicable Platforms
----------------------|-------------------------------------------------------------------------------|-----------------------------------------
Contract              | Service delivery to registered users and licensees                            | All platforms
Legitimate interests  | Platform security, fraud prevention, AI model improvement (anonymised)        | All platforms
Consent               | Health/care data, biometric data, precise location, marketing                 | SoraLiva, SoraMobility, all (marketing)
Legal obligation      | Tax records, breach notification, regulatory compliance                       | All platforms
Vital interests       | Emergency care scenarios involving SoraLiva senior users                      | SoraRobolink / SoraLiva

5. Data Subject Rights and Procedures

SoraMinds respects and upholds the rights of all data subjects. The following procedures apply:

5.1 Submitting a Request

Data subjects may submit rights requests by emailing privacy@soraminds.com with subject line “Data Subject Request”. Requests must include sufficient information to verify identity. We will respond within 30 days (extendable by a further 60 days for complex requests, with notice).

5.2 Rights by Jurisdiction
  • GDPR (EEA / UK): access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making.
  • CCPA (California): right to know, right to delete, right to opt out of sale (note: SoraMinds does not sell personal data), right to non-discrimination.
  • HIPAA (US healthcare): right of access to PHI, right to amendment, right to an accounting of disclosures, right to request restrictions.
  • COPPA (children under 13): parental right to review, delete, and refuse further collection of a child’s personal data.
5.3 Responding to Requests

All data subject requests are logged, assigned to a responsible team member, and tracked to resolution. Verification of identity is required before any data is disclosed or deleted. Requests that cannot be fulfilled (e.g., due to legal retention obligations) will be explained in writing.

6. Data Processing Roles

SoraMinds operates in the following roles depending on the context:

  • Data Controller: When we determine the purposes and means of processing personal data directly (e.g., user account management, SoraGuru AI training, platform analytics).
  • Data Processor: When we process personal data on behalf of a business customer who has deployed SoraMinds platforms (e.g., a care home using SoraLiva, a restaurant using SoraLoop). In this case, the customer is the Data Controller and SoraMinds acts under their documented instructions.
  • Joint Controller: In certain partner integrations where both SoraMinds and a partner jointly determine the purposes and means of processing. Joint Controller arrangements are documented in writing.

Business customers deploying SoraMinds platforms as Data Controllers must execute a Data Processing Agreement (DPA) with SoraMinds prior to processing personal data. Contact contact@soraminds.com to request a DPA.

7. Third-Party Processors and Sub-Processors

SoraMinds engages third-party sub-processors to support service delivery. All sub-processors are:

  • Bound by Data Processing Agreements containing GDPR-compliant standard contractual clauses.
  • Subject to SoraMinds’ security and data protection standards assessments prior to engagement.
  • Listed in SoraMinds’ Sub-Processor Register, available to customers on request.

Categories of sub-processors used include cloud infrastructure providers, analytics platforms, customer support systems, cybersecurity monitoring services, and payment processors. SoraMinds will notify customers of material sub-processor changes with reasonable advance notice.

8. Data Retention Schedule

Data Category                          | Retention Period                                        | Legal Basis
---------------------------------------|---------------------------------------------------------|-----------------------------------------
Account and registration data          | Duration of account + 3 years                           | Contract / Legal obligation
SoraGuru interaction logs              | 12 months, then anonymised                              | Legitimate interests
Health and care data (SoraLiva)        | Active use + 30 days post-closure                       | Consent / Vital interests
Vehicle / telemetry data (SoraLift)    | 24 months, then anonymised                              | Legitimate interests / Legal obligation
Learning analytics (SoraLyric)         | Per institutional agreement, typically enrolment + 1 year | Contract
Commerce / transaction data (SoraLoop) | 7 years                                                 | Legal obligation (financial)
Safety / traffic data (SoraLogic)      | Processed in real time; anonymised within 24 hours      | Legitimate interests
Security and access logs               | 12 months                                               | Legitimate interests / Legal obligation
Marketing communications               | Until opt-out or 3 years of inactivity                  | Consent

9. Security Measures

SoraMinds applies the following technical and organisational security measures across all platforms:

9.1 Technical Measures
  • Encryption in transit: TLS 1.2 or higher on all data communications.
  • Encryption at rest: AES-256 for all stored personal data.
  • Access control: role-based access control (RBAC) with least-privilege principles; multi-factor authentication (MFA) for all internal systems.
  • Network security: firewalls, intrusion detection systems, and network segmentation for all SoraCore infrastructure.
  • SoraLift Rust architecture: memory-safe codebase eliminating classes of vulnerabilities common in C/C++ automotive systems.
  • Kiosk and POS security (SoraLoop): end-to-end encrypted transactions; card data passed directly to PCI-compliant payment processors; no card data stored on SoraMinds systems.
  • Vulnerability management: regular automated and manual security scanning; penetration testing at least annually.
9.2 Organisational Measures
  • Data protection training: all SoraMinds employees and contractors complete mandatory data protection training annually.
  • Access reviews: quarterly reviews of access rights to personal data systems.
  • Vendor assessments: security and data protection assessments for all sub-processors before engagement.
  • Incident response: documented incident response plan with defined roles, notification timelines, and regulatory reporting procedures.
  • Data Protection Officer: SoraMinds designates a responsible individual for data protection oversight, reachable at privacy@soraminds.com.
10. Data Breach Management

In the event of a personal data breach, SoraMinds will:

  • Contain the breach and assess its scope, severity, and impact on affected data subjects.
  • Notify relevant supervisory authorities within 72 hours of becoming aware of a reportable breach (GDPR); or without undue delay as required by applicable US state breach notification laws, including the Michigan Identity Theft Protection Act.
  • Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
  • Document all breaches, including those not meeting the notification threshold, in SoraMinds’ internal breach register.
  • Conduct a post-incident review and implement corrective measures to prevent recurrence.

For health and care data breaches involving SoraLiva, HIPAA breach notification rules apply in addition to the above, including notification to the Department of Health and Human Services (HHS) where required.

11. International Data Transfers

Where personal data is transferred outside the country of collection, SoraMinds ensures appropriate safeguards are in place:

  • For transfers from the EEA or UK to the United States: Standard Contractual Clauses (SCCs) as approved by the European Commission.
  • For transfers to other third countries: adequacy decisions, SCCs, or binding corporate rules as applicable.
  • All international transfers are documented in SoraMinds’ Records of Processing Activities (ROPA).
12. Privacy by Design and Default

SoraMinds embeds data protection into the design of all platforms, solutions, and processes:

  • Privacy impact assessments (PIAs / DPIAs) are conducted for all new platform features, SoraGuru deployments, and third-party integrations that involve high-risk personal data processing.
  • Data minimisation is applied at the point of collection — only data necessary for the stated purpose is requested.
  • Privacy-preserving AI techniques including differential privacy and federated learning are evaluated for SoraCore training processes where technically feasible.
  • Default platform settings are configured to maximise privacy protection. Users may choose to share additional data to enable optional features.
13. Platform-Specific Compliance Obligations
13.1 SoraAnalyst and SoraLogic

Deployments involving traffic cameras, public space monitoring, or VRU detection must comply with applicable CCTV, surveillance, and biometric data regulations in the deployment jurisdiction. Deploying organisations are responsible for signage, consent mechanisms, and regulatory notifications required by local law.

13.2 SoraMobility and SoraLift

Vehicle data processing must comply with UNECE WP.29 cybersecurity regulations, ISO/SAE 21434, and applicable automotive data privacy laws. OTA update records are retained for safety audit and regulatory traceability purposes.

13.3 SoraRobolink and SoraLiva

Health and care data is classified as sensitive personal data and subject to the highest level of protection. Business Associate Agreements (BAAs) are available for HIPAA-covered deployments. All SoraLiva health data processing requires explicit, informed consent from the senior user or their authorised representative.

13.4 SoraScholar and SoraLyric

Institutional operators deploying SoraScholar for learners under 18 must ensure COPPA and FERPA compliance, including parental consent for under-13 users. SoraMinds provides FERPA-compliant data processing agreements to educational institutions on request.

13.5 SoraEcoXmall and SoraLoop

POS and kiosk deployments must comply with PCI-DSS requirements for payment data. Guest and customer data collected through SoraLoop is the responsibility of the deploying business as Data Controller. SoraMinds provides GDPR and CCPA-compliant data processing agreements to deploying businesses on request.

14. Policy Review and Accountability

This Data Protection Policy is reviewed annually, or following any material change to SoraMinds’ processing activities, applicable law, or regulatory guidance. Responsibility for maintaining this Policy rests with SoraMinds’ designated Data Protection Officer.

All SoraMinds employees and contractors are required to acknowledge this Policy annually. Non-compliance may result in disciplinary action up to and including termination of engagement.

15. Contact and Escalation

For data protection inquiries, to request a Data Processing Agreement or Business Associate Agreement, or to report a data concern:

Data Protection Officer — SoraMinds LLC

755 West Big Beaver Road, Suite 2020, Troy, MI 48084, USA
Email: privacy@soraminds.com
Phone: +1 (248) 212-0021

Data subjects in the EEA or UK who are not satisfied with our response may lodge a complaint with their local supervisory authority (e.g., the ICO in the UK, or the relevant EU DPA in their member state).
