Privacy Policy

This Privacy Policy governs the collection, processing, storage, and disclosure of personal data by the Embassy Row Project ("Organization," "we," "us," or "our"), acting as Data Controller, in connection with your use of the Platform at jamesscotticit.expert and all associated services.

This Policy applies to all Users, including website visitors, scholarship applicants, donors, and registered account holders. It does not apply to third-party websites or services linked from the Platform, which are governed by their own privacy policies.

For EU/EEA residents, this Policy constitutes the required transparency notice under Article 13 and 14 of the General Data Protection Regulation (GDPR). For California residents, this Policy satisfies the disclosure requirements of the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

• "Personal Data" means any information that identifies or can reasonably be used to identify a natural person, directly or indirectly.
• "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
• "Data Controller" means the Embassy Row Project, which determines the purposes and means of processing Personal Data.
• "Data Processor" means a third party that processes Personal Data on behalf of the Organization under a data processing agreement.
• "Sensitive Data" means Personal Data revealing racial or ethnic origin, health information, financial account details, or other categories warranting heightened protection under applicable law.

The Organization collects the following categories of Personal Data:

A. Identity and Contact Data: Full name, email address, country of residence, and any other identifying information voluntarily submitted through contact forms, scholarship applications, or account registration.

B. Application Data: Scholarship or grant application content, including educational background, organizational affiliation, project descriptions, supporting documents, and any other information submitted as part of an application.

C. Donation and Financial Data: Donation amounts, payment method type, and transaction identifiers. The Organization does not store full payment card numbers, CVV codes, or bank account credentials. These are processed exclusively by the third-party payment processor.

D. Account Data: For Users who create an account via the Manus OAuth authentication system: user identifier, display name, email address, and session tokens. The Organization stores only the data necessary to maintain your session and account preferences.

E. Usage and Technical Data: IP address, browser type and version, operating system, referring URL, pages visited, time spent on pages, and interaction events, collected via analytics tools (see Cookie Policy).

F. Deep Analysis Tool Data: Queries and inputs submitted to the Deep Analysis tool are processed to generate analytical outputs. These inputs are stored for the duration necessary to complete the analysis and may be retained in anonymized or aggregated form for service improvement.

G. Communications Data: Content of messages submitted through the contact form, including any attachments or supporting materials.

The Organization processes Personal Data on the following legal bases under GDPR Article 6:

• Contractual Necessity (Art. 6(1)(b)): Processing required to fulfill the Terms of Service, including account management, application evaluation, and donation processing.
• Legitimate Interests (Art. 6(1)(f)): Processing necessary for the Organization's legitimate interests in operating the Platform, preventing fraud, maintaining security, and improving services, where these interests are not overridden by the User's rights and freedoms.
• Legal Obligation (Art. 6(1)(c)): Processing required to comply with applicable law, including financial record-keeping, regulatory reporting, and responding to lawful legal process.
• Consent (Art. 6(1)(a)): Where the Organization relies on consent as the legal basis (e.g., for non-essential analytics cookies), consent is obtained through a clear affirmative action and may be withdrawn at any time without affecting the lawfulness of processing prior to withdrawal.

• Service Delivery: Processing scholarship applications, evaluating eligibility, communicating decisions, and administering scholarship disbursements.
• Donation Processing: Facilitating voluntary donations, issuing acknowledgment receipts, and maintaining donation records for financial reporting.
• Account Management: Creating and maintaining user accounts, authenticating sessions, and managing account preferences.
• Deep Analysis Tool Operation: Processing user-submitted queries through the MPPT analytical framework to generate outputs.
• Platform Security: Detecting, preventing, and investigating fraud, abuse, unauthorized access, and other security incidents.
• Legal Compliance: Fulfilling obligations under applicable law, responding to lawful requests from regulatory or law enforcement authorities, and enforcing the Organization's legal rights.
• Analytics and Improvement: Understanding how Users interact with the Platform to improve content, functionality, and user experience. Analytics data is collected in aggregated or pseudonymized form where possible.
• Communications: Responding to inquiries submitted through the contact form.

The Organization does not sell, rent, or trade Personal Data. Personal Data is shared with third parties only in the following circumstances:

• Payment Processors: Donation transactions are processed by third-party payment processors. These processors receive only the data necessary to complete the transaction and are bound by their own privacy policies and applicable payment card industry standards.
• Authentication Provider: Account creation and login are handled via the Manus OAuth system. The authentication provider processes identity data in accordance with its own privacy policy.
• Analytics Providers: Aggregated or pseudonymized usage data is shared with analytics service providers to support Platform improvement. These providers are contractually prohibited from using the data for their own purposes.
• Legal Compliance: Personal Data is disclosed to law enforcement, regulatory authorities, or courts when required by applicable law, court order, or to protect the rights, property, or safety of the Organization, its Users, or the public.
• Organizational Affiliates: Personal Data may be shared with institutes and organizations within the Embassy Row Project ecosystem solely to the extent necessary to evaluate applications or deliver services requested by the User.

All third-party processors engaged by the Organization are required to implement appropriate technical and organizational safeguards consistent with this Policy.

The Organization retains Personal Data for the minimum period necessary to fulfill the purposes for which it was collected, subject to applicable legal retention requirements:

• Application Data: Retained for a minimum of five (5) years following the conclusion of the application process, to support audit, compliance, and dispute resolution purposes.
• Donation Records: Retained for a minimum of seven (7) years in compliance with financial record-keeping obligations under applicable law.
• Account Data: Retained for the duration of the account's existence and for up to two (2) years following account deletion, to support security investigations and legal claims.
• Contact Form Messages: Retained for up to two (2) years following the resolution of the inquiry.
• Analytics Data: Aggregated or pseudonymized analytics data is retained for up to twenty-six (26) months.
• Deep Analysis Tool Inputs: Retained for the duration necessary to complete the analysis. Anonymized or aggregated data may be retained indefinitely for service improvement.

Upon expiration of the applicable retention period, Personal Data is securely deleted or anonymized using industry-standard methods.

The Organization implements administrative, technical, and organizational safeguards designed to protect Personal Data against unauthorized access, disclosure, alteration, and destruction. These measures include: encrypted data transmission via TLS; access controls restricting data access to authorized personnel on a need-to-know basis; regular security assessments of Platform infrastructure; and contractual data security requirements imposed on all third-party processors.

No method of electronic transmission or storage provides an absolute guarantee of security. In the event of a personal data breach that creates a risk to the rights and freedoms of affected Users, the Organization will: (a) notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by GDPR; and (b) notify affected Users without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

Subject to applicable law, Users have the following rights with respect to their Personal Data:

• Right of Access (GDPR Art. 15): You have the right to request confirmation of whether the Organization processes your Personal Data and, if so, to receive a copy of that data.
• Right to Rectification (GDPR Art. 16): You have the right to request correction of inaccurate or incomplete Personal Data.
• Right to Erasure (GDPR Art. 17): You have the right to request deletion of your Personal Data where it is no longer necessary for the purposes for which it was collected, subject to legal retention obligations.
• Right to Restriction (GDPR Art. 18): You have the right to request that the Organization restrict processing of your Personal Data in certain circumstances.
• Right to Data Portability (GDPR Art. 20): Where processing is based on consent or contractual necessity and carried out by automated means, you have the right to receive your Personal Data in a structured, commonly used, machine-readable format.
• Right to Object (GDPR Art. 21): You have the right to object to processing based on legitimate interests. The Organization will cease such processing unless it demonstrates compelling legitimate grounds that override your interests.
• Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
• CCPA Rights (California Residents): California residents have the right to know what Personal Data is collected, the right to delete Personal Data, the right to correct inaccurate Personal Data, the right to opt out of the sale or sharing of Personal Data (the Organization does not sell or share Personal Data for cross-context behavioral advertising), and the right to non-discrimination for exercising these rights.

To exercise any of these rights, submit a written request through the contact form at jamesscotticit.expert/contact. The Organization will respond within thirty (30) days of receipt of a verifiable request.

The Platform uses cookies and similar tracking technologies. For detailed information on the types of cookies used, their purposes, and how to manage your preferences, see the Cookie Policy.

The Platform is not directed to children under the age of 13. The Organization does not knowingly collect Personal Data from children under 13. If scholarship programs are made available to minors, a separate Children's Privacy Notice will be published and verifiable parental consent will be obtained prior to data collection.

If you believe the Organization has inadvertently collected Personal Data from a child under 13, contact us immediately through the contact form and the Organization will take prompt action to delete such data.

The Organization is based in the United States. Personal Data submitted by Users located in the European Economic Area, United Kingdom, or other jurisdictions with data transfer restrictions is transferred to the United States for processing. Such transfers are conducted under appropriate safeguards, including Standard Contractual Clauses approved by the European Commission, where required by applicable law.

The Organization reserves the right to modify this Privacy Policy at any time. Material changes will be communicated by updating the effective date on this page and, where practicable, by posting a notice on the Platform. Continued use of the Platform following the posting of a revised Policy constitutes acceptance of the revised Policy.

This Privacy Policy is governed by the laws of the State of Delaware, United States. EU/EEA Users have the right to lodge a complaint with their local data protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.

For privacy-related inquiries, data subject requests, or complaints, contact the Organization through the official contact form:

Website: jamesscotticit.expert/contact

Entity: Embassy Row Project

Subject line: Privacy Inquiry / Data Subject Request

The Organization will acknowledge privacy requests within five (5) business days and provide a substantive response within thirty (30) days.