Privacy Policy

Last updated: December 3, 2025

1. Introduction

Welcome to SnapGenius, a product of FIRAT (Foresight Institute of Research and Translation) ("FIRAT", "we", "us", or "our"). SnapGenius is a data collection platform for creating forms, surveys, and questionnaires. Our Privacy Policy governs your use of SnapGenius and explains how we collect, protect, and handle your information in accordance with applicable data protection laws. By using our Service, you agree to the collection and use of information in accordance with this policy.

FIRAT is committed to protecting your privacy and maintaining secure data handling practices. Unless otherwise defined in this Privacy Policy, terms used have the same meanings as in our Terms and Conditions.

2. Definitions

  • Form Data: Any data collected through SnapGenius forms, surveys, and questionnaires, including responses submitted by users;
  • Form Respondent: Any individual who provides data through SnapGenius forms or surveys;
  • Data Controller: The individual or organization who creates forms and determines the purposes and means of processing personal data collected through those forms;
  • Data Processor: FIRAT, acting on behalf of the Data Controller to process form data;
  • Personal Data: Any information relating to an identified or identifiable natural person;
  • Service: SnapGenius platform, including website, applications, and AI-powered features;
  • Usage Data: Data collected automatically from platform usage, including analytics and system logs;
  • Sensitive Data: Special categories of personal data including health data, genetic data, biometric data, and other data requiring enhanced protection.

3. Data Protection Principles

FIRAT is committed to protecting your data in accordance with applicable data protection laws:

  • We process data lawfully, fairly, and transparently;
  • We collect data only for specified, explicit, and legitimate purposes;
  • We keep data accurate and up to date;
  • We retain data only as long as necessary;
  • We implement appropriate security measures to protect data;
  • We comply with GDPR, CCPA, and other applicable data protection regulations;
  • We provide data export capabilities and honor user rights to access, correct, and delete their data.

4. Information Collection and Use

We collect information to provide form creation and data collection services:

a. Account Data

  • Name, email address, and optional profile information;
  • Account preferences and settings;
  • Project information and form metadata;
  • Payment and subscription information.

b. Form Response Data

  • Survey responses and questionnaire data as defined by form creators;
  • Any data collected is limited to what form creators specify and respondents choose to provide;
  • Sensitive data is processed only with appropriate security measures.

c. Platform Usage Data

  • System logs and access records for security purposes;
  • Performance analytics to improve platform reliability (with consent);
  • AI interaction data to enhance platform features;
  • Technical data necessary for platform operation and security.

5. Data Use and Processing

FIRAT processes data to provide and improve our services:

  • To provide secure, reliable form creation and data collection services;
  • To support users in collecting and managing form responses;
  • To facilitate data analysis through AI-powered features;
  • To maintain platform security, integrity, and performance;
  • To provide technical support and ensure service quality;
  • To enable data export in common formats;
  • To improve our platform capabilities;
  • To fulfill legal obligations and respond to lawful requests from authorities;
  • We do NOT sell your data or use it for purposes unrelated to providing our services.

6. Data Security and Protection

FIRAT implements strong security measures to protect your data:

  • TLS 1.3 encryption for all data transmission;
  • AES-256 encryption for data at rest;
  • Multi-factor authentication (MFA) support;
  • Our infrastructure providers (Supabase, Vercel) maintain SOC 2 Type II certification;
  • Secure data centers with physical and environmental controls;
  • Employee security training and background checks;
  • Incident response procedures and breach notification protocols (within 72 hours per GDPR);
  • Automated backups with point-in-time recovery;
  • Network security monitoring and DDoS protection;
  • Regular security updates and vulnerability management.

For Team plans, HIPAA-compliant infrastructure is available through our Supabase partnership.

7. Data Retention and Deletion

We retain data only as long as necessary:

  • Form data is retained as long as the form creator's account is active;
  • Account data is retained while accounts remain active and for 30 days post-closure;
  • Usage logs are retained for 90 days for security purposes;
  • Backups are retained for 90 days;
  • Data is permanently deleted upon request, subject to legal obligations;
  • Form creators maintain control over their form data retention;
  • We provide data export tools in JSON and CSV formats;
  • Deletion requests are processed within 30 days unless legal retention requirements apply.

8. International Data Transfers

FIRAT may transfer data internationally to support global research collaboration:

  • All international transfers comply with applicable data protection laws;
  • We use Standard Contractual Clauses (SCCs) and adequacy decisions where required;
  • Researchers are notified of data transfer locations and can specify geographic restrictions;
  • Additional safeguards are implemented for sensitive research data transfers;
  • We maintain documentation of all data transfer activities for audit purposes.

For details about our subprocessors and data locations, please see our GDPR Compliance Page.

9. Your Data Rights

You have comprehensive rights regarding your personal data:

  • Right to access your personal data;
  • Right to rectification of inaccurate data;
  • Right to erasure (subject to legal obligations);
  • Right to data portability in machine-readable formats;
  • Right to restrict processing under certain circumstances;
  • Right to object to processing;
  • Right to withdraw consent;
  • Right to lodge complaints with supervisory authorities;
  • Right to receive clear information about how your data is used.

For form respondents: Contact the form creator for data-related requests regarding responses you've submitted. FIRAT will assist form creators in fulfilling these obligations.

For account holders: Contact privacy@firat.rw to exercise your data rights.

10. AI and Automated Processing

SnapGenius includes AI-powered features:

  • AI assists in form creation, data analysis, and insights;
  • Automated processing is used for data quality checks;
  • No automated decision-making significantly affects users without human oversight;
  • AI training does not use identifiable personal data;
  • Users maintain full control over AI-generated recommendations;
  • You can request information about automated processing affecting you by contacting privacy@firat.rw.

11. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements:

  • Material changes will be announced with 30 days advance notice;
  • Researchers will be notified via email and platform notifications;
  • Policy changes requiring new consent will be clearly identified;
  • Previous versions will remain accessible for reference;
  • Ongoing research projects may continue under previous policy terms if required for study integrity.

11A. Data Protection Liability Limitations

Shared Responsibility Model: While FIRAT implements robust security measures, data protection is a shared responsibility:

FIRAT's Responsibilities

  • Implement appropriate technical and organizational security measures;
  • Process data only as instructed by research controllers;
  • Provide breach notification within required timeframes;
  • Assist with data subject rights requests within technical capabilities;
  • Maintain compliance with applicable data protection laws;
  • Provide security documentation and audit support.

Researcher/Controller Responsibilities

  • Obtain valid informed consent from research participants;
  • Establish lawful basis for data processing activities;
  • Implement additional security measures for sensitive data;
  • Respond to data subject rights requests from participants;
  • Conduct Data Protection Impact Assessments when required;
  • Ensure compliance with institutional and ethical requirements;
  • Provide clear privacy notices to research participants.

Liability Limitations: FIRAT's liability for data protection violations is limited to:

  • Regulatory fines directly attributable to FIRAT's processing failures;
  • Technical remediation costs for security vulnerabilities we caused;
  • Direct damages up to the annual subscription fees paid by the affected controller;
  • Notification costs for breaches originating from our systems.

Excluded Liabilities: FIRAT is not liable for:

  • Data breaches caused by controller's security practices or credential sharing;
  • Processing without valid consent or lawful basis;
  • Violations of research ethics or institutional policies;
  • Third-party service provider failures or security breaches;
  • Data loss due to force majeure events or infrastructure failures;
  • Costs of alternative research methods or data re-collection;
  • Publication delays, funding loss, or research opportunity costs.

11B. Cross-Border Data Transfer Risk Acknowledgment

International Transfer Risks: Research often requires international collaboration. You acknowledge that cross-border data transfers involve inherent risks:

  • Different privacy laws and enforcement standards across jurisdictions;
  • Potential government access to data in accordance with local laws;
  • Varying levels of data protection infrastructure and security standards;
  • Political and economic changes affecting data protection frameworks;
  • Currency fluctuations affecting breach notification and penalty calculations;
  • Cultural differences in privacy expectations and data handling practices.

Risk Mitigation Measures: FIRAT implements safeguards but cannot eliminate all risks:

  • Standard Contractual Clauses (SCCs) with all international subprocessors;
  • Encryption in transit and at rest using industry-standard protocols;
  • Regular security assessments and penetration testing;
  • Data minimization and pseudonymization where technically feasible;
  • Vendor due diligence and security requirement compliance;
  • Incident response procedures for cross-border breach notifications.

Controller Risk Assessment: As the data controller, you should conduct your own risk assessment considering:

  • Sensitivity of research data and participant populations;
  • Applicable laws in your jurisdiction and participant locations;
  • Institutional risk tolerance and data governance requirements;
  • Alternative research methods with lower data transfer risks;
  • Additional contractual protections you may require;
  • Insurance coverage for data protection liability.

11C. Data Breach Response and Limitations

Breach Response Commitment: In the event of a data security incident affecting personal data:

  • Immediate incident response team activation and containment measures;
  • Forensic investigation to determine scope, cause, and impact;
  • Notification to affected controllers within 24 hours of discovery;
  • Assistance with regulatory notifications and data subject communications;
  • Coordination with law enforcement and regulatory authorities as required;
  • Post-incident analysis and security improvement implementation.

Breach Liability Limitations: Our liability for data breaches is limited to:

  • Actual costs of breach notification and regulatory communication;
  • Technical remediation measures within our systems;
  • Reasonable legal and forensic investigation costs;
  • Credit monitoring services for affected individuals (where legally required);
  • Regulatory penalties directly attributable to our processing failures;
  • Maximum aggregate liability not exceeding annual subscription fees paid.

Breach Exclusions: We are not liable for:

  • Breaches caused by social engineering or phishing attacks on users;
  • Unauthorized access due to shared or compromised user credentials;
  • Third-party service provider breaches beyond our control;
  • Data misuse by authorized users within research organizations;
  • Participant complaints or reputational damage to research institutions;
  • Research delays, funding impacts, or publication schedule disruptions;
  • Consequential damages or opportunity costs related to data incidents.

Insurance and Additional Protection: We maintain cyber liability insurance and recommend that research institutions carry appropriate coverage for their data protection and research liability risks.

12. Contact Information

For privacy-related inquiries or data protection concerns:

FIRAT - Foresight Institute of Research and Translation
Alh, Adedeji Avenue
Eleyele, Nigeria
Data Protection Officer: Chief Privacy Officer
Privacy Email: privacy@firat.rw
General Support: support@snapgenius.tech
Response Time: We respond to privacy inquiries within 10 business days, with full responses within 45 days as required by GDPR/CCPA.