PRIVACY POLICY

Effective Date: March 5, 2026  |  Last Updated: March 5, 2026
AISA Solutions, Inc. — A Delaware Corporation
11201 Cedar Avenue, Cleveland, OH 44106

At AISA Solutions, Inc. (“AISA Solutions”, “we”, “us”, or “our”), we are deeply committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use the AISA School application (“App”) on iOS, Android, and web, and our website at www.aisa.solutions (together, the “Services”).

We are incorporated in the State of Delaware, USA. Our Services are directed to users globally, including in the United States, Canada, the European Union, and the United Kingdom. This Policy is designed to comply with the EU General Data Protection Regulation (“GDPR”), UK GDPR, California Consumer Privacy Act (“CCPA”)/California Privacy Rights Act (“CPRA”), Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), the U.S. Children’s Online Privacy Protection Act (“COPPA”), and other applicable data protection laws.

By using our Services, you acknowledge that you have read and understood this Privacy Policy and consent to the practices described herein.

---

1. Data Controller Information

AISA Solutions, Inc. is the data controller of your personal data processed in connection with the Services. For the purposes of GDPR, the UK GDPR, and CCPA, we are responsible for how your data is collected, used, and stored.

Contact for Privacy Matters:
Email: info@aisa.solutions
Company: AISA Solutions, Inc. (Delaware C-Corporation)
Website: www.aisa.solutions

If you are located in the European Economic Area (EEA) or the United Kingdom, you may also have the right to contact your local data protection authority. A list of EU supervisory authorities is available at https://edpb.europa.eu. The UK supervisory authority is the Information Commissioner’s Office (ICO) at https://ico.org.uk.

2. Information We Collect

We collect the following categories of personal information:

2.1 Information You Provide to Us

• Authentication Data: When you register using OTP, we collect your phone number or email address. When you register using Google OAuth, we receive your Google account email address and display name from Google.
• Onboarding Data: During the initial setup flow, we ask for: (i) your display name or nickname; (ii) your level of hearing; (iii) your target daily learning duration; and (iv) your current sign language proficiency level. This information is used to personalize your learning experience.
• Payment Information: If you subscribe to AISA Premium, payment processing is handled by Stripe, Inc. We do not collect or store your full credit card number, CVV, or banking details. We may receive from Stripe a tokenized payment identifier, the last four digits of your card, and your billing country for subscription management purposes.

2.2 Information We Collect Automatically

• Usage Data: We collect information about how you interact with the App, including lessons accessed, signs practiced, mistakes made, learning streaks, session duration, and feature usage. This data is used to power our dynamic learning system’s engine.
• Device and Technical Data: We collect your device type, operating system and version, App version, IP address (processed and not permanently stored in identifiable form), and general location data derived from IP address (country-level only).
• Log Data: Our servers automatically record standard log data including access times, pages or features viewed, and crash reports for diagnostic purposes.

2.3 Keypoint Matrix Data (AI Sign Recognition)

When you use the optional camera-based sign recognition feature or Collaboration Mode, video processing occurs entirely on your device via MediaPipe, an open-source computer vision library by Google. Only the resulting anonymized skeletal keypoint matrix (representing mathematical coordinates of your hands, shoulders, and face landmarks) is transmitted to our servers. This matrix does not contain any photographic, biometric, or facial image data. For standard sign recognition, these matrices are encrypted and are not stored after processing. For Collaboration Mode contributors, matrices may be retained in encrypted form for AI model training (see Section 5).

Depending on the applicable jurisdiction, keypoint data derived from hand and face landmarks may be classified as biometric data. We treat this data with the highest level of protection regardless of legal classification. We do not use this data for any purpose other than sign language recognition and model improvement as described herein.

2.4 Information We Do Not Collect

We explicitly do not collect:

• Raw video footage or photographs from your camera;
• Facial images or facial recognition templates;
• Audio recordings;
• Your legal name (a display name or pseudonym is sufficient);
• Precise geolocation data;
• Financial account numbers or full payment card details; or
• Social media content or contacts from your device.

3. How We Use Your Information

We use the personal information we collect for the following purposes:

• Service Delivery: To authenticate your account, provide you with the App’s core features, and deliver personalized learning content.
• Personalization: To generate and continuously refine your adaptive learning path based on your onboarding responses and in-app performance.
• AI Model Operation: To analyze keypoint matrices and return sign recognition results in real time.
• Subscription Management: To process payments, manage your AISA Premium subscription, and prevent fraud.
• Account Management: To communicate critical transactional information strictly necessary to operate your account, such as OTP codes and security alerts.
• App Improvement: To analyze aggregated, de-identified usage patterns to improve the App’s features, content, and performance.
• AI Training (Collaboration Mode only): To improve our sign-recognition AI using keypoint matrices contributed by users who have opted into Collaboration Mode.
• Legal Compliance: To comply with applicable laws, respond to lawful requests from public authorities, and enforce our Terms of Service.

We do not use your personal data for targeted advertising, behavioral profiling for third-party commercial purposes, or sale to data brokers.

4. Legal Bases for Processing (GDPR and UK GDPR)

For users in the EEA and the United Kingdom, we rely on the following legal bases under Article 6 GDPR:

• Performance of a Contract (Art. 6(1)(b)): Processing your account data, onboarding information, and subscription data is necessary to provide the Services you have requested.
• Legitimate Interests (Art. 6(1)(f)): Processing usage data and log data to maintain App security, prevent fraud, and improve the Services, where our interests are not overridden by your rights.
• Consent (Art. 6(1)(a)): Where we rely on your consent for specific processing activities, including the transmission of keypoint matrices for sign recognition and participation in Collaboration Mode. You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
• Legal Obligation (Art. 6(1)(c)): Where processing is required to comply with applicable law.

Where we process data that may be classified as biometric data under Article 9 GDPR, we rely on your explicit consent (Article 9(2)(a)).

5. Collaboration Mode and AI Training Data

Collaboration Mode is a strictly voluntary feature that allows you to contribute anonymized key points data to improve AISA Solutions’ proprietary AI models. The following safeguards apply:

• All video remains on your device. Only encrypted key points matrices are transmitted.
• Contributed matrices are stored in encrypted form on AISA Solutions’ secure servers and are accessible only to authorized AI research personnel.
• Contributed matrices are de-linked from your account profile in our AI training systems, meaning they are processed in aggregated batches and not individually associated with your account for training purposes.
• We will never share, sell, or license contributed training data to third parties.
• You may withdraw from Collaboration Mode at any time by toggling it off in Settings, and you may request deletion of your contributed data by contacting info@aisa.solutions.

6. Cookies and Tracking Technologies

The AISA School App (mobile and web) uses minimal tracking technologies:

• Essential Cookies/Storage: We use session storage and local device storage strictly necessary to authenticate your session, maintain your preferences, and enable App functionality. These cannot be disabled without breaking core App features.
• Analytics: We may use privacy-preserving, aggregate analytics to understand general App performance and user flows. Any such analytics are configured to avoid collection of personally identifying information where possible.

We do not place third-party advertising cookies or tracking pixels in the App. For our website at www.aisa.solutions, a cookie consent notice is presented in accordance with ePrivacy Directive requirements.

7. How We Share Your Information

We do not sell your personal information. We may share your information in the following limited circumstances:

• Service Providers: We share data with trusted third-party service providers who process data on our behalf under data processing agreements, including Stripe (payment processing) and cloud infrastructure providers (hosting and data storage). These providers are prohibited from using your data for any purpose other than providing services to us.
• Google (Authentication): If you use Google OAuth, authentication is handled by Google. We receive only the minimum necessary account information (email address) from Google.
• Legal Requirements: We may disclose your information to law enforcement or government authorities if required by applicable law, court order, or to protect the rights, safety, or property of AISA Solutions or others.
• Business Transfers: In the event of a merger, acquisition, asset sale, or similar transaction, your personal data may be transferred as part of that transaction. We will notify you before your data becomes subject to a materially different Privacy Policy.
• With Your Consent: We may share your information in any other manner with your prior explicit consent.

8. Children’s Privacy

8.1 COPPA (United States)

The App is not directed to children under the age of 13 in the United States. We do not knowingly collect personal information from children under 13 without prior verifiable parental consent. If you are a parent or guardian and believe your child under 13 has provided us with personal information without your consent, please contact us immediately at info@aisa.solutions. We will promptly delete such information from our systems.

8.2 GDPR Age of Digital Consent (EU/UK)

In the European Economic Area and the United Kingdom, the age of digital consent varies by country (from 13 to 16). Where a user’s age falls below the applicable digital consent age for their country, we require verified parental or guardian consent before activating the account and processing any personal data. We implement age-screening during the onboarding flow for this purpose.

8.3 Protections for Minor Users

For users who are minors (under 18 or the applicable age of majority in their jurisdiction):

• We do not display advertising of any kind (including in our ad-free App).
• We do not share minor users’ data with third parties except as strictly necessary to provide the Services.
• We do not create behavioral profiles of minor users for commercial purposes.
• Parental or guardian consent is required for activation of the camera-based sign recognition feature and Collaboration Mode for minor users.
• Parents or guardians may contact us at info@aisa.solutions to access, correct, or delete their child’s account and data.

9. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

9.1 Rights Under GDPR and UK GDPR (EEA and UK Users)

• Right of Access (Art. 15): You have the right to obtain a copy of your personal data and information about how it is processed.
• Right to Rectification (Art. 16): You have the right to have inaccurate or incomplete personal data corrected.
• Right to Erasure (Art. 17): You have the right to request deletion of your personal data in certain circumstances. Deleting your account through the App settings fulfills this right for most data.
• Right to Restriction of Processing (Art. 18): You have the right to request that we limit processing of your data in certain circumstances.
• Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, machine-readable format.
• Right to Object (Art. 21): You have the right to object to processing based on legitimate interests.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing.

9.2 Rights Under CCPA/CPRA (California Residents)

California residents have the right to: (i) know what personal information we collect, use, disclose, and sell; (ii) delete personal information we have collected; (iii) opt out of the sale or sharing of personal information (note: we do not sell or share personal information for cross-context behavioral advertising); (iv) correct inaccurate personal information; and (v) non-discrimination for exercising privacy rights.

To submit a verifiable consumer request, contact us at info@aisa.solutions with the subject line “CCPA Privacy Request.”

9.3 Rights Under PIPEDA (Canadian Users)

Canadian users have the right to access their personal information held by us and to challenge its accuracy and completeness. Please contact info@aisa.solutions to exercise these rights.

9.4 Exercising Your Rights

To exercise any of the above rights, please contact us at info@aisa.solutions. We will respond to verified requests within the timeframe required by applicable law (generally within 30 days for GDPR, 45 days for CCPA). We may ask you to verify your identity before fulfilling your request.

10. Account Deletion

You may permanently delete your AISA School account directly from within the App at any time through the account settings menu. Upon deletion:

• Your profile data, learning history, and onboarding information will be permanently deleted from our active systems within 30 days.
• Any key points matrices you contributed through Collaboration Mode will be deleted upon request submitted to info@aisa.solutions.
• We may retain certain limited information for longer periods where required by law (e.g., payment transaction records for tax compliance purposes, typically up to 7 years), or as required to resolve disputes and enforce our agreements. Such retained data will be held securely and will not be used for any other purpose.
• Deletion of your account will terminate your AISA Premium subscription effective at the end of the then-current billing period.

11. Data Retention

We retain your personal information for as long as your account is active, or as necessary to provide you with the Services. Specific retention periods include:

• Account and Profile Data: Retained for the duration of your account, then deleted within 30 days of account deletion.
• Learning Progress Data: Retained for the duration of your account to maintain continuity in your learning path.
• Standard Sign Recognition Keypoint Matrices: Not retained beyond the duration of a single analysis session (typically seconds).
• Collaboration Mode Keypoint Matrices: Retained in encrypted form for AI training until your Collaboration Mode is disabled and a deletion request is submitted, or until you delete your account.
• Payment Records: Retained for up to 7 years as required by applicable tax and accounting laws.
• Log and Diagnostic Data: Retained for up to 90 days.

12. International Data Transfers

AISA Solutions is incorporated in the United States. If you are located in the EU, UK, or another jurisdiction with data transfer restrictions, your personal information may be transferred to and processed in the United States or other countries where our service providers operate.

For transfers from the EEA or UK to the United States, we rely on appropriate safeguards including:

• Standard Contractual Clauses (SCCs) approved by the European Commission; and/or
• The UK International Data Transfer Agreement (IDTA), as applicable.

By using the Services, you acknowledge that your data may be transferred to the United States. We take appropriate contractual and technical steps to ensure your data receives an equivalent level of protection regardless of where it is processed.

13. Security

We implement industry-standard technical and organizational security measures to protect your personal data against unauthorized access, disclosure, alteration, and destruction. Our security measures include:

• Encryption of data in transit using TLS (Transport Layer Security);
• Encryption of keypoint matrices at rest;
• Access controls limiting data access to authorized personnel on a need-to-know basis;
• Regular security reviews and vulnerability assessments; and
• Secure cloud infrastructure with reputable providers.

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security, and you use the Services at your own risk. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and relevant supervisory authorities as required by applicable law.

14. Updates to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or the Services. When we make material changes, we will:

• Update the “Last Updated” date at the top of this Policy;
• Display a prominent in-app notice; and/or
• Send a notification to the contact information associated with your account.

Your continued use of the Services after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. If you do not agree to the updated Policy, you must stop using the Services and delete your account.

15. Contact Us and Data Protection Officer

For any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

AISA Solutions, Inc.
Legal Entity: Delaware C-Corporation
Address: 11201 Cedar Avenue, Cleveland, OH 44106
Email: info@aisa.solutions
Website: www.aisa.solutions

We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy. If, after contacting us, you feel your concern has not been adequately addressed, EU residents may also contact their national data protection authority, and UK residents may contact the ICO at https://ico.org.uk.

---

This Privacy Policy was last reviewed and updated on March 5, 2026.