Privacy Policy

Last updated: August 31, 2025

1. Introduction

Welcome to SnapGenius, a product of FIRAT (Foresight Institute of Research and Translation) ("FIRAT", "we", "us", or "our"). SnapGenius is a research-grade data collection platform designed specifically for researchers, academicians, and educational institutions. Our Privacy Policy governs your use of SnapGenius and explains how we collect, protect, and handle information in accordance with the highest standards of research ethics and data protection. By using our Service, you agree to the collection and use of information in accordance with this policy and our commitment to advancing research while protecting participant privacy.

FIRAT is committed to supporting scientific research and academic excellence through secure, ethical, and compliant data collection tools. Unless otherwise defined in this Privacy Policy, terms used have the same meanings as in our Terms and Conditions.

2. Definitions

  • Research Data: Any data collected through SnapGenius for research, academic, or educational purposes, including survey responses, questionnaires, and study data;
  • Research Participant: Any individual who provides data through SnapGenius forms or surveys for research purposes;
  • Principal Investigator (PI): The lead researcher responsible for a research project using SnapGenius;
  • Institutional Review Board (IRB): An ethics committee that reviews and monitors research involving human subjects;
  • Data Controller: The research institution or individual researcher who determines the purposes and means of processing personal data;
  • Data Processor: FIRAT, acting on behalf of the Data Controller to process research data;
  • Personal Data: Any information relating to an identified or identifiable natural person, including research participants;
  • Service: SnapGenius platform, including website, applications, and AI-powered features;
  • Usage Data: Data collected automatically from platform usage, including analytics and system logs;
  • Sensitive Data: Special categories of personal data including health data, genetic data, biometric data, and other data requiring enhanced protection.

3. Research Ethics and Compliance

FIRAT is committed to the highest standards of research ethics and regulatory compliance:

  • We support compliance with IRB requirements and research ethics protocols;
  • We facilitate adherence to international research standards including ICH-GCP, Declaration of Helsinki, and Belmont Report principles;
  • We provide tools for obtaining and managing informed consent from research participants;
  • We maintain detailed audit trails for research data integrity and regulatory compliance;
  • We support data anonymization and pseudonymization techniques for participant protection;
  • We comply with applicable regulations including GDPR, HIPAA, FERPA, and local data protection laws;
  • We provide data export capabilities to support research publication and data sharing requirements.

4. Information Collection and Use

We collect information to provide research-grade data collection services and support academic research activities:

a. Researcher Account Data

  • Name, email address, and institutional affiliation;
  • Research credentials and institutional verification;
  • Project information and research objectives;
  • IRB approval documentation and ethics compliance records;
  • Payment and subscription information for institutional accounts.

b. Research Participant Data

  • Survey responses and questionnaire data as defined by researchers;
  • Consent records and participant agreement documentation;
  • Demographic information only when relevant to research objectives;
  • Any data collected is strictly limited to what researchers specify and participants consent to provide;
  • Sensitive data is processed only with explicit consent and enhanced security measures.

c. Platform Usage Data

  • System logs and access records for security and audit purposes;
  • Performance analytics to improve platform reliability;
  • AI interaction data to enhance research tools and recommendations;
  • Technical data necessary for platform operation and security.

5. Data Use and Processing

FIRAT processes data exclusively for research and academic purposes:

  • To provide secure, reliable data collection services for research projects;
  • To support researchers in maintaining compliance with ethics and regulatory requirements;
  • To facilitate data analysis and research insights through AI-powered tools;
  • To maintain platform security, integrity, and performance;
  • To provide technical support and ensure service quality;
  • To enable data export and integration with research analysis tools;
  • To support institutional reporting and compliance requirements;
  • To improve our research tools and platform capabilities;
  • To fulfill legal obligations and respond to lawful requests from authorities;
  • We do NOT use research data for commercial purposes, marketing, or any purpose not directly related to supporting research activities.

6. Data Security and Protection

FIRAT implements enterprise-grade security measures appropriate for research data:

  • End-to-end encryption for all data transmission and storage;
  • Advanced access controls and multi-factor authentication;
  • Regular security audits and penetration testing;
  • Compliance with SOC 2 Type II and ISO 27001 standards;
  • Secure data centers with physical and environmental controls;
  • Employee background checks and security training;
  • Incident response procedures and breach notification protocols;
  • Data backup and disaster recovery capabilities;
  • Network security monitoring and threat detection;
  • Regular security updates and vulnerability management.

7. Data Retention and Deletion

We retain data only as long as necessary for research purposes and legal compliance:

  • Research data is retained according to institutional and regulatory requirements (typically 3-10 years post-study completion);
  • Account data is retained while accounts remain active and for necessary post-closure periods;
  • Usage data is retained for security and service improvement purposes;
  • Data is permanently deleted upon request, subject to legal and regulatory obligations;
  • Researchers maintain full control over their research data retention periods;
  • We provide data export tools to facilitate researcher data archiving requirements;
  • Deletion requests are processed within 30 days unless legal retention requirements apply.

8. International Data Transfers

FIRAT may transfer data internationally to support global research collaboration:

  • All international transfers comply with applicable data protection laws;
  • We use Standard Contractual Clauses (SCCs) and adequacy decisions where required;
  • Researchers are notified of data transfer locations and can specify geographic restrictions;
  • Additional safeguards are implemented for sensitive research data transfers;
  • We maintain documentation of all data transfer activities for audit purposes.

For details about our subprocessors and data locations, please see our GDPR Compliance Page.

9. Research Participant Rights

Research participants have comprehensive rights regarding their data:

  • Right to informed consent and withdrawal of consent;
  • Right to access their personal data and research participation records;
  • Right to rectification of inaccurate data;
  • Right to erasure (subject to research and legal obligations);
  • Right to data portability in machine-readable formats;
  • Right to restrict processing under certain circumstances;
  • Right to object to processing;
  • Right to lodge complaints with supervisory authorities;
  • Right to receive clear information about data use in research context.

Participants should contact the Principal Investigator of their research study for data-related requests. FIRAT will assist researchers in fulfilling these obligations.

10. AI and Automated Processing

SnapGenius includes AI-powered features for research enhancement:

  • AI assists in form creation, data analysis, and research insights;
  • Automated processing is used for data quality checks and anomaly detection;
  • No automated decision-making affects research participants without human oversight;
  • AI training does not use identifiable research participant data;
  • Researchers maintain full control over AI-generated recommendations;
  • AI processes are transparent and auditable for research integrity;
  • Participants can request information about automated processing affecting them.

11. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements:

  • Material changes will be announced with 30 days advance notice;
  • Researchers will be notified via email and platform notifications;
  • Policy changes requiring new consent will be clearly identified;
  • Previous versions will remain accessible for reference;
  • Ongoing research projects may continue under previous policy terms if required for study integrity.

11A. Data Protection Liability Limitations

Shared Responsibility Model: While FIRAT implements robust security measures, data protection is a shared responsibility:

FIRAT's Responsibilities

  • Implement appropriate technical and organizational security measures;
  • Process data only as instructed by research controllers;
  • Provide breach notification within required timeframes;
  • Assist with data subject rights requests within technical capabilities;
  • Maintain compliance with applicable data protection laws;
  • Provide security documentation and audit support.

Researcher/Controller Responsibilities

  • Obtain valid informed consent from research participants;
  • Establish lawful basis for data processing activities;
  • Implement additional security measures for sensitive data;
  • Respond to data subject rights requests from participants;
  • Conduct Data Protection Impact Assessments when required;
  • Ensure compliance with institutional and ethical requirements;
  • Provide clear privacy notices to research participants.

Liability Limitations: FIRAT's liability for data protection violations is limited to:

  • Regulatory fines directly attributable to FIRAT's processing failures;
  • Technical remediation costs for security vulnerabilities we caused;
  • Direct damages up to the annual subscription fees paid by the affected controller;
  • Notification costs for breaches originating from our systems.

Excluded Liabilities: FIRAT is not liable for:

  • Data breaches caused by controller's security practices or credential sharing;
  • Processing without valid consent or lawful basis;
  • Violations of research ethics or institutional policies;
  • Third-party service provider failures or security breaches;
  • Data loss due to force majeure events or infrastructure failures;
  • Costs of alternative research methods or data re-collection;
  • Publication delays, funding loss, or research opportunity costs.

11B. Cross-Border Data Transfer Risk Acknowledgment

International Transfer Risks: Research often requires international collaboration. You acknowledge that cross-border data transfers involve inherent risks:

  • Different privacy laws and enforcement standards across jurisdictions;
  • Potential government access to data in accordance with local laws;
  • Varying levels of data protection infrastructure and security standards;
  • Political and economic changes affecting data protection frameworks;
  • Currency fluctuations affecting breach notification and penalty calculations;
  • Cultural differences in privacy expectations and data handling practices.

Risk Mitigation Measures: FIRAT implements safeguards but cannot eliminate all risks:

  • Standard Contractual Clauses (SCCs) with all international subprocessors;
  • Encryption in transit and at rest using industry-standard protocols;
  • Regular security assessments and penetration testing;
  • Data minimization and pseudonymization where technically feasible;
  • Vendor due diligence and security requirement compliance;
  • Incident response procedures for cross-border breach notifications.

Controller Risk Assessment: As the data controller, you should conduct your own risk assessment considering:

  • Sensitivity of research data and participant populations;
  • Applicable laws in your jurisdiction and participant locations;
  • Institutional risk tolerance and data governance requirements;
  • Alternative research methods with lower data transfer risks;
  • Additional contractual protections you may require;
  • Insurance coverage for data protection liability.

11C. Data Breach Response and Limitations

Breach Response Commitment: In the event of a data security incident affecting personal data:

  • Immediate incident response team activation and containment measures;
  • Forensic investigation to determine scope, cause, and impact;
  • Notification to affected controllers within 24 hours of discovery;
  • Assistance with regulatory notifications and data subject communications;
  • Coordination with law enforcement and regulatory authorities as required;
  • Post-incident analysis and security improvement implementation.

Breach Liability Limitations: Our liability for data breaches is limited to:

  • Actual costs of breach notification and regulatory communication;
  • Technical remediation measures within our systems;
  • Reasonable legal and forensic investigation costs;
  • Credit monitoring services for affected individuals (where legally required);
  • Regulatory penalties directly attributable to our processing failures;
  • Maximum aggregate liability not exceeding annual subscription fees paid.

Breach Exclusions: We are not liable for:

  • Breaches caused by social engineering or phishing attacks on users;
  • Unauthorized access due to shared or compromised user credentials;
  • Third-party service provider breaches beyond our control;
  • Data misuse by authorized users within research organizations;
  • Participant complaints or reputational damage to research institutions;
  • Research delays, funding impacts, or publication schedule disruptions;
  • Consequential damages or opportunity costs related to data incidents.

Insurance and Additional Protection: We maintain cyber liability insurance and recommend that research institutions carry appropriate coverage for their data protection and research liability risks.

12. Contact Information

For privacy-related inquiries, data protection concerns, or research ethics questions:

FIRAT - Foresight Institute of Research and Translation
Data Protection Officer: Chief Privacy Officer
Email: privacy@firat.rw
Research Ethics Inquiries: ethics@firat.rw
General Support: support@snapgenius.tech
Response Time: We respond to all inquiries within 2 business days, with urgent matters addressed within 24 hours.