
Policy Sorone Limited (NZBN 9429052981753)
PRIVACY POLICY
Welcome to Sorone
INTRODUCTION
This privacy policy applies between you, the visitor to this website (whether directly as our customer and user of our product or as personnel of our customer), and us, Sorone Limited (NZBN 9429052981753) (‘Sorone’, ‘our’, ‘we’ or ‘us’), the owner and provider of this website. This privacy policy applies to our use of any and all data collected by us or provided by you in relation to your use of the website and the provision of services to you, including our mobile Application (‘Services’). We take our privacy obligations seriously and we’ve created this privacy policy to explain how we collect and treat your personal information. Personal information is that information which is identifiable as being about you or a third party, as provided by you.
CONTROL
We act as a data processor when we process your personal data, or third party personal data, on behalf of our customers, particularly in relation to platform users (teachers, professionals, and administrators). For the purposes of GDPR, our hosting provider, Supabase, may also act as a data controller. Our speech-to-text provider, Deepgram, acts solely as a data processor for audio files you choose to record in the Application, processing them only to convert speech into text with respect to the processing of Usage Data for its own operational purposes. Usage Data means personal data relating to users’ use of the Services, including information about how frequently users access the Services, the pages users view on the Services and information about the customer data that users upload and manage through the Services, in each case that Supabase collects or generates in connection with the provision of the Services. Teachers, schools, professionals or other users using our Services act as data controllers for any personal data they upload or manage through the Application, including student information (photos, videos, voice notes, and other identifiers). We process the data strictly in accordance with users’ instructions. Responsibilities for privacy compliance (including responding to access or correction requests and managing data breaches) are set out in our Data Processing Agreement with Supabase and our Data Breach Response Plan. For inquiries, please contact us at help@sorone.app. These agreements reflect our joint commitment to upholding the New Zealand Privacy Principles (NZPPs) under the Privacy Act 2020 (NZ), and, where relevant, GDPR obligations, ensuring transparency and lawful processing of personal information.
LAWS AND STANDARDS WE COMPLY WITH
We comply with:
- the Privacy Act 2020 (NZ) and the Information Privacy Principles (IPPs); and
- to the extent the European Union’s General Data Protection Regulation 2016/679 (GDPR) applies to us and our use of your information, the GDPR.

If the GDPR applies to your personal information and we do not have a physical presence in the EU, we have appointed the following company as our GDPR representative under Article 27:
- UK – Euverify Ltd, Postal Address: 3rd Floor, 86-90 Paul Street, London EC2A 4NE United Kingdom, Email: gdpr@euverify.com
- EU – Euverify Ltd, Postal Address: Unit 3D North Point House, North Point Business Park, New Mallow Road Cork, T23 AT2P Ireland, Email: gdpr@euverify.com
TYPES OF PERSONAL INFORMATION WE COLLECT
The personal information we collect may include the following:
- name;
- mailing or street address;
- email address;
- telephone number and other contact details;
- date of birth;
- credit card or other payment information;
- school affiliation (see Disclaimer* below);
- folder names as uploaded by you;
- photographs taken by you using the Application;
- videos taken by you using the Application;
- voice notes recorded by you using the Application - only if you explicitly opt in to this feature. This is not a default feature of the Application and requires your active consent to enable;
- student names, classroom details or other identifiers only if uploaded by you to the Application (see Disclaimer* below);
- metadata such as the time/date of images or recordings uploaded by you to the Application;
- any sensitive information you choose to upload to the Application;
- your device identity and type, I.P. address, geo-location information, page view statistics, advertising data and standard web log information;
- details of the products and services we have provided to you or that you have enquired about, including any additional information necessary to deliver those products and services and respond to your enquiries;
- any additional information relating to you that you provide to us directly through our websites or products or indirectly through your use of our websites or products or online presence or through other websites or accounts from which you permit us to collect information;
- any other personal information that may be required in order to facilitate your dealings with us; and
- information about third parties as provided by you to us.

*DISCLAIMER*
We encourage you not to include identifiable information (such as full names of students, staff, or school names) when uploading or creating content in the Application. If you choose to include such identifiable data in our Application, you do so at your own risk.
You remain responsible for ensuring that you have obtained all necessary consents (for example, from parents or legal guardians for minors) and that the data is processed in accordance with applicable privacy laws, including GDPR. We do not accept any liability for any loss, damage, or privacy breach that may result from including identifiable information in our Application.
HOW WE COLLECT PERSONAL INFORMATION
We endeavour to ensure that information we collect is complete, accurate, accessible and not subject to unauthorised access. We may collect personal information either directly from you, or from third parties, including where you:
- contact us through our website;
- receive goods or services from us (register on our website or use our Application);
- communicate with us via email, telephone, SMS, social media applications (such as LinkedIn or Facebook) or otherwise;
- interact with our website, social applications, services, content and advertising; and
- invest in our business or enquire as to a potential purchase in our business.

We may also collect personal information from you when you use or access our website or our social media pages. This may be done through use of web analytics tools, ‘cookies’ or other similar tracking technologies that allow us to track and analyse your website usage. Cookies are small files that store information on your computer, mobile phone or other device and enable and allow the creator of the cookie to identify when you visit different websites. Cookies may be used to serve relevant ads to website visitors through third party services such as Google Adwords. These ads may appear on this website or other websites you visit. We use Cookieyes, a cookie management platform, to obtain your consent before placing non-essential cookies. You can manage your preferences at any time by visiting https://www.cookieyes.co.com. For more detail, see our Cookie Policy. If you do not wish for information to be stored as a cookie, you can disable cookies in your web browser. We may use Google Analytics 4 (GA4) to collect and process data, including when you use third party websites or apps. To find out more see How Google uses data when you use our partners’ sites or apps.
USE OF YOUR PERSONAL INFORMATION
We collect and use personal information for the following purposes:
- to provide services or information to you;
- for record keeping and administrative purposes including analytics;
- to operate, protect, improve and optimise our websites, products, business and our users’ experience, such as to conduct research to improve our services;
- to personalise content and communications, improve and optimise our service offering and customer experience;
- to manage user preferences and consent;
- to provide information about you to our hosting provider, contractors, employees, consultants, agents or other third parties for the purpose of providing services to you;
- to comply with our legal obligations, resolve disputes or enforce our agreements with third parties;
- to send you service, support and administrative messages, reminders, notices, updates, security alerts, and other information requested by you; and
- to consider an application of employment from you.

We may disclose your personal information to:
1. our hosting provider, Supabase;
2. our voice transcription provider, Deepgram, which processes audio recordings solely for the purpose of converting speech to text. Deepgram does not use audio submitted through the Application for model training, advertising, or profiling, and Sorone maintains contractual safeguards through a Data Processing Agreement to ensure compliance with applicable privacy laws;
3. carefully selected contractors who provide services necessary for the operation of our Application. Where such contractors are located outside of New Zealand, we ensure that appropriate data protection safeguards are in place, consistent with applicable privacy laws (such as the NZ Privacy Act 2020 and the GDPR);
4. our employees and related bodies corporate;
5. anyone to whom our assets or businesses (or any part of them) are transferred; and
6. other persons, including government agencies, regulatory bodies and law enforcement agencies, where required, authorised, or permitted by law.

Information that we collect may from time to time be stored, processed in or transferred between parties or sites located in countries outside of New Zealand. These may include, but are not limited to Australia, UK, New Zealand and USA. You consent to the transfer, storage and retention of that information onto the servers of our host provider used from time to time by us, regardless of the location of those servers. We’ve endeavoured to ensure that our use and collection of your data is clear and as transparent as possible, but in the interests of keeping this policy concise it’s not possible to list every circumstance in which we will use your data. We may use third party service providers for disaster recovery services. To the extent necessary to receive those disaster recovery services, we will provide your data to that third party service provider. We may also use third party service providers to audit the infrastructure and applications we use to store your data. To the extent necessary to receive those audit services, we will provide your data to that third party service provider.
PROVIDING INFORMATION FOR MINORS
- a. If you are providing personal data on behalf of someone who is defined as a minor in New Zealand (under 18 years old) (‘Minor’), you must have the consent of the Minor’s parent or legal guardian, either explicitly or as part of your employer’s broader photography or data collection policy, for the Minor’s personal data to be collected, used, and disclosed in accordance with this Privacy Policy. This includes any situation where you are uploading or managing data about a Minor on our Application.
- b. You indemnify us against any loss, liability, or claim arising from a failure to obtain proper parental or guardian consent.
- c. We reserve the right to request evidence of such consent at any time.
- d. We do not knowingly collect or process data of Minors without parental, guardian, or school authority consent. Users, including educational institutions or teachers acting on their behalf, are responsible for ensuring that all necessary consents are obtained before using our Services to upload information about Minors.
- e. As the user, you acknowledge that, in accordance with the New Zealand Privacy Act 2020, the New Zealand Privacy Principles, and GDPR Recital 38, the processing of minors’ personal data is only lawful where verifiable parental or guardian consent has been provided.
SENSITIVE INFORMATION
In the context of our Application, biometric data may include voice notes or recordings that could be used to uniquely identify an individual. Voice notes recorded by you or on behalf of a Minor are only considered biometric if the data is capable of uniquely identifying a person. This feature is not standard and must be explicitly activated by you/opted in by the user. Where biometric or other sensitive information is collected:
- a. It is collected only with your explicit consent, or in the case of a Minor, with the explicit consent of a parent or legal guardian, or as part of an organisation’s broader consent policy. Biometric data (voice notes) may be used solely for purposes related to the provision of our Services, including organising, storing, and retrieving content within the Application. Such voice recordings are securely transmitted to our transcription provider, Deepgram, solely for conversion into text, after which the transcription is returned to the Application.
- c. Your (or others as provided by you) biometric or sensitive information may also be used or disclosed to comply with legal obligations, or in circumstances where consent has been provided for analytics or for service improvement purposes, but only in accordance with applicable privacy laws (e.g., NZ Privacy Act 2020 and GDPR).
LEGAL BASES FOR PROCESSING
We rely on the following legal bases to collect and process your personal information:
- Your consent (Article 6(1)(a) of GDPR);
- The performance of a contract with you (Article 6(1)(b) of GDPR);
- Compliance with a legal obligation (Article 6(1)(c) of GDPR);
- Legitimate interests (Article 6(1)(f) of GDPR), such as improving our services (unless these override your rights);
- The protection of vital interests, especially where children's safety is concerned.
MARKETING
We will not use your personal information, or that of any other individual as provided by you, for marketing purposes. You will not receive marketing materials from us, and your personal data will only be used in accordance with this Privacy Policy.
SECURITY
We take reasonable steps to ensure your personal information is secure and protected from misuse, interference, unauthorised access and loss. Our information technology systems are password protected, and we use a range of administrative and technical measures to protect these systems. For example, we use a secure third party data provider to store all personal information. However, we cannot guarantee the security of your personal information.
LINKS
Our website may contain links to other websites. Those links are provided for convenience and may not remain current or be maintained. We are not responsible for the privacy practices of those linked websites and we suggest you review the privacy policies of those websites before using them.
REQUESTING ACCESS OR CORRECTING YOUR PERSONAL INFORMATION
You have various rights with respect to our use of your personal data:
- Access: You have the right to obtain access to your information (if we’re processing it) and certain other information (similar to that provided in this privacy notice). This is so that you’re aware and can check that we’re using your information in accordance with data protection law.
- Be informed: You have the right to be provided with clear, transparent and easily understandable information about how we use your information and your rights. This is why we’re providing you with the information in this privacy policy.
- Rectification: We aim to keep your personal data accurate, current, and complete. We encourage you to contact us using our contact form to let us know if any of your personal data is not accurate or changes, so that we can keep your personal data up-to-date.
- Objecting: You also have the right to object to processing of your personal data in certain circumstances, including processing for direct marketing.
- Restricting: You have the right to ‘block’ or suppress further use of your information. When processing is restricted, we can still store your information but may not use it further.
- Erasure: You have the right to ask us to erase your personal data when the personal data is no longer necessary for the purposes for which it was collected, or when, among other things, your personal data has been unlawfully processed.
- Portability: You have the right to request that some of your personal data is provided to you, or to another data controller, in a commonly used, machine-readable format.
- Complaints: If you believe that your data protection rights may have been breached, you have the right to lodge a complaint with the applicable supervisory authority. In the UK, the supervisory authority is the Information Commissioner’s Office. In New Zealand, the authority is the Office of the Privacy Commissioner (OPC).
- Withdraw consent: If you have given your consent to anything we do with your personal data, you have the right to withdraw your consent at any time. This includes your right to withdraw consent to us using your personal data for marketing purposes.

You may, at any time, exercise any of the above rights, by contacting our email address provided below and providing your name and contact details. We may need to verify your identity before providing you with your personal information. In some cases, we may be unable to provide you with access to all your personal information and where this occurs, we will explain why. We will deal with all requests for access to personal information within a reasonable timeframe. Where you are a resident of the European Union and the GDPR applies to your personal information, you have the right to ask for ‘subject access request’ or ‘SAR’ being a copy of your personal data held by us. Where we do hold such data about you, we will provide you with a copy of the data we hold about you. This will be in a commonly used machine-readable file where you request us to e-mail the information to you. We will also give you a description of the data, tell you why we are holding it and tell you who we could have disclosed it to.
HOW LONG WE KEEP DATA / RETENTION PERIODS
We retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, contractual, educational, or reporting obligations. Unless otherwise required by applicable laws or institutional policy, personal data is retained for 30 days following cessation of service use, to allow you to export your data. Our Data Protection Officer (DPO) is responsible for ensuring data security and enforcing data retention policies. Questions about how long your data is stored can be directed to our DPO or via the contact information below.
DATA BREACH NOTIFICATION POLICY
We are committed to protecting personal information and handling data breaches in accordance with applicable privacy laws in New Zealand and, where relevant, other jurisdictions. In the event of a data breach involving personal information that is likely to result in serious harm (under New Zealand law) or a risk to the rights and freedoms of individuals (under the GDPR), we will act promptly to assess the situation and, where required:
- a. Notify affected individuals and the Privacy Commissioner (New Zealand) as soon as practicable, in accordance with the Notifiable Data Breaches requirements under the Privacy Act 2020 (NZ); and
- b. Where GDPR applies, notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR; and
- c. Provide affected individuals with timely information about the nature of the breach, the data involved, potential impacts, and steps they can take to protect themselves.

Our processes for assessing, responding to, and reporting data breaches are set out in full in our Data Breach Response Plan, which is followed by our team in all incidents. For inquiries, please contact us at help@sorone.app
CHANGE OF CONTROL
If there is a change of control in our business or a sale or transfer of business assets, we reserve the right to transfer to the extent permissible at law our user databases, together with any personal information and non-personal information contained in those databases. This information may be disclosed to a potential purchaser under an agreement to maintain confidentiality. We would seek to only disclose information in good faith and where required by any of the above circumstances.
TRANSFERS OUTSIDE NZ AND THE EUROPEAN ECONOMIC AREA (‘EEA’)
To provide our services, we may transfer the personal data we collect to countries outside of NZ, the UK or EEA, which do not provide the same level of data protection as the country in which you reside and are not recognised by the European Commission as providing an adequate level of data protection. When we do this, we will make sure that it is protected to the same extent as in NZ, the EEA and UK and we will put in place appropriate safeguards to protect your personal data, which may include standard contractual clauses approved by the European Commission or UK International Data Transfer Agreements. For more information, please contact us at our email address provided below.
COMPLAINTS
If you wish to complain about how we handle your personal information or held by us, please contact us using the details set out below including your name and contact details. We will investigate your complaint promptly and respond to you within a reasonable time. For data which is subject to the GDPR, you have the right to lodge a complaint with the local regulator in your jurisdiction in Europe if you do not feel we have adequately upheld your rights under GDPR. If you are located in the United Kingdom, you have the right to contact the Information Commissioner's Office (ICO) at www.ico.org.uk if you believe your data has not been handled in accordance with the law.
Contact Us
For further information about our privacy policy or practices, or to access or correct your personal information, or make a complaint, please contact our DPO using the details set out below:
- Phone: +6429122631
- Email: help@sorone.app
- Post: 2/3 Nuffield Ave, Napier, New Zealand 4110
- External Complaint Form found here https://www.privacy.org.nz/your-rights/making-a-complaint-to-the-privacy-commissioner/

By providing personal information to us, you consent to our storage, maintenance, use and disclosing of personal information in accordance with this privacy policy. We may change this privacy policy from time to time by posting an updated copy on our website and we encourage you to check our website regularly to ensure that you are aware of our most current privacy policy.