Privacy Policy

This Privacy Policy explains how the ESRO Platform (“ESRO,” “we,” “our,” or “us”), operated by Sophia Speira LLC, collects, uses, stores, and protects personal information in connection with our ecosystem resource optimization platform. It applies to platform users, domain operators, provider organizations, activity respondents, and customer portal users.

By using the ESRO Platform or participating in an activity hosted on it, you acknowledge this Privacy Policy. If you have questions, please contact us using the information in Section 12.

1. Information We Collect

We collect information necessary to deliver our platform services. Depending on your role, this may include:

Platform and Organization Users

• Account registration information (name, organizational email address, password credentials managed through our authentication system).
• Organization details provided during onboarding (organization name, type, contact information).
• Usage data related to your interactions with the platform.

Activity Respondents

• Personal information configured by your sponsoring organization (which may include your name, email address, and role).
• Your responses to activity questions and any optional demographic information you choose to provide.
• Email address, if you choose to provide it for the purpose of receiving activity-related communications.

Automatically Collected Information

• Log data, cookies, and similar tracking technologies used to operate and improve our platform. See Section 5 for more detail.

Age Restriction

Our platform is not directed to individuals under the age of 13, and we do not knowingly collect personal information from children under 13. Organization administrators are responsible for ensuring that activity participants meet this age requirement. If we become aware that we have inadvertently collected personal information from a child under 13, we will delete it promptly. Please contact us at privacy@esro.systems if you believe such data has been collected.

2. How We Use Your Data

Delivering Platform Services

We use your information to operate the platform, manage organizations, facilitate exchange transactions, administer activities, generate results, and deliver those results to authorized parties. Activity results provided to sponsors include individual-level outputs (such as construct assignment and dimension scores) but do not include raw, item-by-item response data.

Email Communications

Where email addresses are provided and email delivery is enabled, we use Resend, a third-party email delivery platform, to send transactional emails related to platform activity (such as invitation codes, onboarding confirmations, and activity results). These are transactional communications necessary to deliver the service; they are not marketing messages.

If you receive communications from us that are not purely transactional, you have the right to opt out at any time. See Section 7 for details.

Research and Platform Improvement

We separately store fully anonymized records consisting of raw responses and any optional demographic information provided. These records contain no direct identifiers (such as name, phone number, or email address) and are used to improve feedback accuracy and to study how decision perspectives vary across different backgrounds and experiences.

3. Legal Basis for Processing

Where applicable law requires a legal basis for processing personal data (including under the EU General Data Protection Regulation, or “GDPR”), we rely on the following:

• Contractual necessity — to fulfill our obligations to organizations and to deliver the platform services users are enrolled in.
• Legitimate interests — to operate, secure, and improve our platform, where those interests are not overridden by your rights.
• Consent — where we request your consent for optional data uses (such as optional demographic information), you may withdraw consent at any time by contacting us.
• Legal obligation — to comply with applicable laws and regulations.

Controller and Processor Roles

In many cases, the ESRO Platform acts as a data processor on behalf of domain operators and sponsoring organizations, who are the data controllers directing the collection and use of respondent information within their programs. Domain operators are responsible for establishing their own lawful basis for processing respondent data and for informing participants about data practices as required by applicable law. Where ESRO independently determines the purposes and means of processing (for example, for platform security, anonymized research, or its own account management), ESRO acts as a data controller. Organizations who require a Data Processing Agreement (DPA) to satisfy GDPR or other regulatory requirements may contact us at privacy@esro.systems.

4. Data Sharing and Third-Party Processors

We do not sell your personal information. We share data only as described below:

Organizations and Sponsors

Your sponsoring organization or domain operator receives individual-level activity results — including primary construct assignment and dimension scores — and answers to any configured personal information questions. Organizations do not receive raw, item-by-item response data.

Service Providers (Data Processors)

We engage trusted third-party vendors to help us operate the platform. These processors handle data only on our behalf and under written agreements that restrict their use of your data. Current processors include:

• Amazon Web Services (AWS) — cloud hosting, data storage, and encryption services (US East region, with additional regional deployments as the platform expands).
• Resend — transactional email delivery.

We may update this list as our service providers change. We will ensure that any replacement processors offer equivalent data protection commitments.

Legal Requirements

We may disclose information if required by law, court order, or regulatory authority, or to protect the rights, property, or safety of the ESRO Platform, our users, or others.

5. Cookies and Tracking Technologies

Our platform uses cookies and similar technologies (such as session tokens and analytics identifiers) to:

• Maintain authenticated sessions for platform users.
• Monitor platform performance and security.
• Analyze aggregate usage patterns to improve our service.

You may configure your browser to refuse cookies; however, doing so may affect the functionality of platform features. We do not use cookies for advertising or cross-site behavioral tracking.

6. Data Retention

• Organization-linked activity data (including respondent information collected for an organization’s program) is retained while the organization’s account is active and deleted within 30 days of account closure, subject to any legal hold obligations.
• User account data is retained for the duration of the account and deleted upon request or account closure, subject to any legal hold obligations.
• Anonymized research data (containing no direct identifiers) may be retained indefinitely for statistical and research purposes.
• Transactional email logs may be retained by our email service provider in accordance with their data retention policies.

We will retain personal data for no longer than is necessary for the purposes described in this policy, or as required by applicable law.

7. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal data:

• Access — request a copy of the personal data we hold about you.
• Correction — request correction of inaccurate or incomplete data.
• Deletion — request deletion of your personal data, subject to legal retention obligations.
• Objection / Restriction — object to or request restriction of certain processing activities.
• Portability — request a machine-readable copy of data you have provided to us.
• Withdraw Consent — where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at privacy@esro.systems or at the address in Section 12. We will respond within the timeframe required by applicable law (generally 30 days). We may need to verify your identity before processing your request.

US State Privacy Rights

If you are a resident of California or another US state with applicable privacy legislation, you may have additional rights, including the right to know what personal information we collect and how it is used, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information. To submit a request under applicable US state privacy law, please contact us at privacy@esro.systems. We will not discriminate against you for exercising any of these rights.

Opt-Out of Email Communications

You may opt out of non-transactional email communications at any time by clicking the “Unsubscribe” link included in any such email, or by contacting us directly. We will honor opt-out requests within 7 days. Note that opting out of marketing communications does not affect transactional emails necessary to deliver an active service.

8. International Data Transfers

The ESRO Platform operates regional instances to support data residency requirements. Our primary instance is hosted on Amazon Web Services in the United States (US East region), with additional regional deployments planned. If you are located in the European Union, United Kingdom, or another jurisdiction with data transfer restrictions, your data will be processed in the regional instance designated for your jurisdiction where available, or in the United States.

Where required, we rely on appropriate transfer mechanisms (such as Standard Contractual Clauses approved by the European Commission, or other applicable data transfer frameworks) to ensure that personal data transferred outside the EEA or UK receives an adequate level of protection. Our service providers, including Resend and AWS, maintain their own GDPR-compliant data processing terms and participate in applicable data transfer frameworks.

9. Security

We implement industry-standard technical and organizational measures to protect your personal data against unauthorized access, disclosure, alteration, or destruction. These measures include:

• Encryption of data in transit via TLS/HTTPS.
• Encryption of data at rest using AES-256 encryption for all stored data, including database contents, file storage, and backups.
• Encryption key management through dedicated key management services with automatic key rotation.
• Access controls limiting data access to authorized personnel.
• Hosting on AWS, which maintains SOC 2 and ISO 27001 certifications.
• Multi-tenant data isolation ensuring organizations cannot access other organizations’ data.
• Regular review of our security practices and infrastructure.

No system is completely secure. If you believe your data has been compromised, please contact us immediately at privacy@esro.systems.

10. Children’s Privacy

Our platform is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. Organization administrators are solely responsible for ensuring that participants enrolled in their programs meet this age requirement. If you believe a child under 13 has provided personal information through our platform, please contact us at privacy@esro.systems and we will take prompt steps to delete that information.

11. Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings. When we make material changes, we will:

• Update the “Last Updated” date at the top of this policy.
• Notify active organizations and platform users by email prior to the change taking effect.
• Post a prominent notice on our platform.

We encourage you to review this policy periodically. Continued use of our platform following notice of changes constitutes acceptance of the updated policy.

12. Contact

For questions, requests, or complaints regarding this Privacy Policy or our data practices, please contact us:

EU or UK individuals with complaints regarding our handling of personal data may also have the right to lodge a complaint with their local data protection supervisory authority.