1. INDIGENOUS DATA SOVEREIGNTY FRAMEWORK

This website operates under Indigenous Data Sovereignty principles, which recognize the inherent right of Indigenous peoples to govern the collection, ownership, access, analysis, interpretation, management, storage, dissemination, and reuse of data pertaining to them, their lands, resources, cultures, knowledge systems, or any information derived therefrom.

1.1 Governing Legal Framework

• Primary governance by the laws, customs, and traditions of the Grand Traverse Band of Ottawa and Chippewa Indians
• Federal Indian law, including treaty rights and tribal sovereignty doctrine
• International Indigenous rights frameworks (UNDRIP, WIPO Treaty on Traditional Knowledge)
• COMPREHENSIVE RESTRICTED USE LICENSE FOR INDIGENOUS CREATIONS WITH TRIBAL SOVEREIGNTY, DATA SOVEREIGNTY, AND WEALTH RECLAMATION PROTECTIONS

3. DATA COLLECTION AND PROCESSING

3.1 Types of Data Collected

• Technical Data: IP addresses, browser information, device identifiers, access logs
• Usage Data: Pages visited, time spent, interaction patterns, referral sources
• Communication Data: Contact form submissions, email communications, feedback
• Cultural Context Data: Any information that may relate to Indigenous knowledge, cultural expressions, or traditional practices

3.2 Indigenous Data Categorization

All data is categorized according to cultural sensitivity and restricted access requirements:

• Unrestricted data: May be shared with proper attribution
• Limited access data: Requires specific permission
• Culturally sensitive data: Subject to strict usage protocols
• Sacred or ceremonial data: Heightened protections under tribal law

5. DATA SECURITY AND PROTECTION

5.1 Technical Safeguards

• Encryption standards appropriate to data sensitivity levels
• Access controls implementing principle of least privilege
• Authentication mechanisms for sensitive data access
• Comprehensive logging and auditing of all data access

5.2 Cultural Protections

• Respect for traditional protocols regarding knowledge sharing
• Recognition of collective rights alongside individual privacy
• Integration of Indigenous values in data handling practices
• Consultation with tribal authorities on culturally sensitive matters

6. YOUR RIGHTS UNDER INDIGENOUS DATA SOVEREIGNTY

6.1 Individual Rights

• Right to know what data is collected and how it's used
• Right to access your personal data
• Right to correct inaccurate information
• Right to request deletion of your data
• Right to data portability

6.2 Collective Indigenous Rights

• Right to collective control over Indigenous data
• Right to benefit from data use
• Right to cultural protocols being respected
• Right to participate in data governance decisions

7. SACRED SITE AND CULTURAL LANDSCAPE PROTECTIONS

Special protections apply to any data, imagery, or information related to:

• The sacred ceremonial stone circle on ᐋᒥᒃ ᐙᑲᓐᑕ (Aamik'Waakanda / Beaver Island)
• Traditional burial grounds on Garden Island (Gitigaan Minising)
• Other sacred sites and cultural landscapes

Any unauthorized collection, use, or distribution of such data constitutes a violation of tribal sovereignty and cultural rights.

8. JURISDICTION AND DISPUTE RESOLUTION

Any disputes regarding this Privacy Policy or data practices shall be resolved according to the following hierarchy:

1. Traditional dispute resolution of the Grand Traverse Band of Ottawa and Chippewa Indians
2. GTBOCI Tribal Court
3. Federal courts under federal Indian law principles

All proceedings must respect tribal sovereignty and Indigenous rights frameworks.

9. CONTACT INFORMATION

For questions about this Privacy Policy or to exercise your rights:

Rights Holder: ᓂᐲᔥ ᐙᐸᓂᒥᑮ-ᑭᓇᐙᐸᑭᓯ (Nbiish Waabanimikii-Kinawaabakizi)
Email: nbiish@umich.edu

For tribal governance matters, you may also contact the Grand Traverse Band of Ottawa and Chippewa Indians through their official channels.

10. CHANGES TO THIS POLICY

This Privacy Policy may be updated to reflect changes in our practices or legal requirements. Updates will be posted on this page with a revised "Last Updated" date. Continued use of this website constitutes acceptance of any changes, subject to the overriding principles of Indigenous Data Sovereignty and tribal law.

11. SAAS SUBSCRIPTION SERVICES DATA HANDLING

11.1 Subscription Data Collection

For our SaaS subscription services, we collect additional data necessary for service delivery:

• Account Information: Username, email address, subscription tier, account status
• Billing Information: Payment method details, billing address, transaction history
• Usage Analytics: Feature usage, session duration, API calls, service utilization
• Support Data: Help desk interactions, technical support communications
• Service Configuration: User preferences, custom settings, integration configurations

11.2 Payment Processing

Payment processing is handled by third-party processors who maintain their own privacy policies. We do not store complete payment card information on our servers. Payment processors may collect:

• Credit/debit card information
• Billing addresses and contact information
• Transaction history and payment status

11.3 Subscription Data Retention

Subscription-related data is retained according to the following schedule:

• Active Subscriptions: Data retained for duration of subscription plus 7 years for tax/legal compliance
• Cancelled Subscriptions: Account data retained for 90 days, then anonymized or deleted
• Billing Records: Retained for 7 years as required by law
• Usage Analytics: Aggregated data may be retained indefinitely; individual data deleted after 2 years

12. GDPR AND CCPA COMPLIANCE

12.1 GDPR Rights (European Users)

Under the General Data Protection Regulation (GDPR), European users have the following rights:

• Right to Access: Request copies of your personal data
• Right to Rectification: Request correction of inaccurate data
• Right to Erasure: Request deletion of your data ("right to be forgotten")
• Right to Restrict Processing: Request limitation of data processing
• Right to Data Portability: Request transfer of data to another service
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent for data processing

12.2 CCPA Rights (California Residents)

Under the California Consumer Privacy Act (CCPA), California residents have the following rights:

• Right to Know: Request information about data collection and use
• Right to Delete: Request deletion of personal information
• Right to Opt-Out: Opt-out of sale of personal information
• Right to Non-Discrimination: Equal service regardless of privacy choices

12.3 Legal Basis for Processing (GDPR)

We process personal data under the following legal bases:

• Contract Performance: Processing necessary for subscription service delivery
• Legitimate Interest: Service improvement, security, and business operations
• Consent: Marketing communications and optional features
• Legal Obligation: Compliance with tax, accounting, and legal requirements

13. INTERNATIONAL DATA TRANSFERS

As a SaaS provider, we may transfer data internationally for service delivery. All transfers comply with applicable data protection laws:

• Adequacy Decisions: Transfers to countries with adequate protection levels
• Standard Contractual Clauses: EU-approved clauses for other transfers
• Binding Corporate Rules: Internal data protection standards
• Tribal Sovereignty Protections: Additional protections under Indigenous law

14. AUTOMATED DECISION MAKING AND PROFILING

Our SaaS services may use automated processing for:

• Service Optimization: Automated performance tuning and resource allocation
• Security Monitoring: Automated threat detection and prevention
• Usage Analytics: Automated analysis of service utilization patterns
• Billing Automation: Automated subscription billing and invoicing

Users have the right to request human review of automated decisions that significantly affect them.

15. DATA BREACH NOTIFICATION

In the event of a data breach affecting personal data:

• We will notify relevant supervisory authorities within 72 hours where required by law
• Affected individuals will be notified without undue delay if the breach poses high risk
• Tribal authorities will be notified for breaches affecting Indigenous data
• We maintain comprehensive incident response procedures

16. CHILDREN'S PRIVACY

Our SaaS services are not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have collected such information, we will take steps to delete it promptly.

For users between 13-18, parental consent may be required depending on jurisdiction and service type.