1. Introduction
Cari ("we," "our," or "us") is a citizen empowerment platform that bridges the gap between government and citizens through AI-powered engagement, mission management, and verifiable credentials. We are committed to protecting your privacy and ensuring the security of your personal information.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, including our web dashboard, mobile application, and AI-powered services. It covers our unique features including:
- AI-powered citizen guidance using local Gemma-3-1b models
- Government mission participation and tracking
- Verifiable credentials and digital identity management
- Multimodal citizen feedback submission (text, audio, images)
- Government dashboard and analytics
- Offline-capable mobile applications
By using Cari, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
2.1 Personal Information
- Identity Information: Name, email address, phone number, date of birth
- Location Data: City, state, country, and geographic coordinates (when enabled)
- Government Identification: National ID numbers, passport information (when required for credential verification)
- Profile Information: Bio, skills, interests, profile images, and preferences
- Authentication Data: Passkey credentials, 4-digit security codes, and authentication tokens
2.2 Digital Identity & Credentials
- Decentralized Identifiers (DIDs): Unique identifiers following the format did:cari:user:uuid
- Verifiable Credentials: W3C-compliant digital certificates for identity, skills, and achievements
- Credential Proofs: Cryptographic signatures and verification data using Ed25519/Secp256k1
- Mission Records: Participation history, completion status, and performance metrics
- Skill Assessments: Competency evaluations and achievement badges
- Government Interactions: Service usage records and feedback submissions
2.3 AI and Analytics Data
- AI Interaction Data: Queries, recommendations, and responses from our local AI models
- Content Analysis: Text, audio, and image content for AI processing and safety filtering
- Usage Patterns: App usage statistics, feature engagement, and user behavior analytics
- Goal and Mission Data: Personal goals, mission preferences, and progress tracking
- Feedback Content: Multimodal feedback submissions including voice recordings and images
2.4 Technical Information
- Device Information: Device type, operating system, app version, and hardware specifications
- Network Data: IP address, connection type, and network performance metrics
- Security Logs: Authentication attempts, security events, and audit trail data
- Offline Data: Cached content, offline files, and local storage data
- Performance Metrics: App performance, crash reports, and error logs
3. How We Use Your Information
3.1 Core Platform Services
- Provide and maintain our citizen empowerment platform and mobile applications
- Process, issue, and verify your verifiable credentials and digital identity
- Enable participation in government missions and civic engagement activities
- Facilitate communication between citizens and government agencies
- Provide offline-capable services and data synchronization
3.2 AI-Powered Features
- Local AI Processing: Generate personalized recommendations using our local Gemma-3-1b model
- Citizen Matching: Match citizens with relevant government missions based on skills and interests
- Content Safety: Analyze and filter content for harmful, biased, or inappropriate material
- Goal Analysis: Assist in breaking down government goals into actionable citizen missions
- Multimodal Analysis: Process text, audio, and image feedback for categorization and routing
3.3 Government Services
- Enable government agencies to manage missions, goals, and citizen engagement
- Provide analytics and reporting on citizen participation and platform usage
- Facilitate feedback collection and processing for government decision-making
- Support KPI monitoring and strategic planning for government objectives
3.4 Security and Compliance
- Ensure platform security and prevent fraud or unauthorized access
- Maintain audit logs and compliance with government security standards
- Implement role-based access control and data protection measures
- Comply with legal obligations and government requirements
4. AI and Machine Learning
Cari uses advanced AI technologies to provide personalized services while maintaining your privacy:
4.1 Local AI Processing
- Privacy-First Approach: Our primary AI model (Gemma-3-1b) runs locally on your device
- No Data Transmission: Personal data used for local AI recommendations is not sent to external servers
- Offline Capability: AI features work without an internet connection for enhanced privacy
- Model Transparency: We use open-source models with known capabilities and limitations
4.2 Cloud AI Services
- Content Analysis: External AI services may process feedback content for safety and categorization
- Data Minimization: Only necessary data is sent to cloud AI services, with personal identifiers removed when possible
- Provider Selection: We use reputable AI providers with strong privacy commitments
- Retention Limits: Data sent to cloud AI services is not retained longer than necessary
4.3 AI Safety and Bias Prevention
- Content Filtering: Automated detection of harmful, discriminatory, or inappropriate content
- Bias Detection: Monitoring for and prevention of biased recommendations or decisions
- Human Oversight: AI decisions are subject to human review when appropriate
- Transparency: Clear indication when AI is being used and how it affects your experience
5. Information Sharing and Disclosure
We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following circumstances:
5.1 Government Agencies
- When required for mission participation or government service delivery
- To verify your identity and credentials for official purposes
- To process feedback and improve government services
- When mandated by law or government regulation
5.2 Service Providers
- Trusted partners who help us operate our platform (hosting, analytics, AI services)
- Providers are bound by strict confidentiality agreements
- We only share the minimum necessary information for service provision
5.3 Legal Requirements
- When required by law, court order, or government request
- To protect our rights, property, or safety, or that of our users
- In connection with legal proceedings or investigations
5.4 Consent-Based Sharing
- When you explicitly consent to sharing specific information
- For research purposes with anonymized data
- To improve platform services with aggregated, non-identifiable data
6. Data Security and Protection
We implement comprehensive security measures to protect your information:
6.1 Encryption and Security
- End-to-End Encryption: All sensitive data encrypted in transit and at rest
- Cryptographic Standards: Industry-standard encryption using AES-256 and TLS 1.3
- Key Management: Secure key generation, storage, and rotation for verifiable credentials
- Secure Authentication: Passkey-based authentication with WebAuthn standards
6.2 Access Controls
- Role-Based Access: 36 distinct user roles with granular permission controls
- Multi-Factor Authentication: Additional security layers for sensitive operations
- Audit Logging: Complete audit trail of all data access and modifications
- Regular Security Audits: Ongoing security assessments and penetration testing
6.3 Infrastructure Security
- Secure Hosting: Data stored in secure, compliant cloud infrastructure
- Network Security: Firewalls, intrusion detection, and network monitoring
- Data Backup: Regular, encrypted backups with disaster recovery procedures
- Compliance Standards: Adherence to government security standards and best practices
7. Your Rights and Choices
You have comprehensive rights regarding your personal information:
7.1 Data Access and Control
- Access Rights: View and download all personal information we hold about you
- Correction Rights: Update or correct inaccurate or incomplete data
- Deletion Rights: Request deletion of your account and associated data
- Portability: Export your data in a machine-readable format
7.2 Privacy Controls
- Consent Management: Withdraw consent for specific data processing activities
- Communication Preferences: Opt out of non-essential communications
- Location Services: Control location data collection and usage
- AI Processing: Opt out of certain AI-powered features while maintaining core functionality
7.3 Verifiable Credentials
- Credential Management: View, revoke, or update your verifiable credentials
- Selective Disclosure: Control what information is shared when presenting credentials
- Revocation Rights: Revoke credentials that are no longer valid or needed
8. Data Retention and Deletion
We retain your information only as long as necessary for legitimate purposes:
8.1 Retention Periods
- Account Data: Retained while your account is active and for 30 days after deletion
- Verifiable Credentials: Retained as required by government regulations (typically 5-7 years)
- Mission Records: Retained for 3 years for historical and analytical purposes
- Audit Logs: Retained for 1 year for security and compliance purposes
- Feedback Data: Retained for 2 years for government analysis and service improvement
8.2 Deletion Process
- Secure Deletion: Data is permanently and securely deleted from all systems
- Backup Cleanup: Data is removed from backup systems within 90 days
- Third-Party Cleanup: We ensure data is deleted from all third-party services
- Verification: We provide confirmation of data deletion upon request
9. International Data Transfers
Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place:
- Adequacy Decisions: We prioritize transfers to countries with adequate data protection laws
- Standard Contractual Clauses: We use EU-approved standard contractual clauses for transfers
- Data Minimization: Only necessary data is transferred internationally
- Local Processing: AI processing occurs locally on your device when possible
10. Children's Privacy
Our services are designed for citizens aged 13 and above. We do not knowingly collect personal information from children under 13. If you become aware that a child has provided us with personal information, please contact us immediately so we can take appropriate action.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by:
- Posting the updated Privacy Policy on our website
- Sending you an email notification (if you have provided an email address)
- Displaying a prominent notice in our mobile application
- Updating the "Last updated" date at the top of this policy
Your continued use of our services after any changes constitutes acceptance of the updated Privacy Policy.
12. Contact Us
If you have any questions about this Privacy Policy, our data practices, or wish to exercise your rights, please contact us:
Privacy Officer: privacy@cari.global
Data Protection Officer: dpo@cari.global
General Support: support@cari.global
Support Center: Help Center