1. Scope of This Policy
This Privacy Policy describes how the ASEAN Institute Cambodia Intelligence Platform ("Platform," "we," "us," or "our") collects, uses, stores, shares, and protects personal information when you access or use our website, services, and analytical tools. This Policy applies to all users, including visitors who browse without registering and authenticated users who access protected features.
We process personal data in compliance with applicable data protection laws, including the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") and the California Consumer Privacy Act (Cal. Civ. Code 1798.100 et seq.) ("CCPA"), as applicable to your jurisdiction.
2. Data Controller
The data controller responsible for your personal data is ASEAN Institute, operating the ASEAN Institute Cambodia Intelligence Platform from Phnom Penh, Kingdom of Cambodia. For privacy inquiries, contact us through the channels listed in Section 13.
3. Data We Collect
3.1 Information You Provide Directly
| Category | Specific Data Elements | Purpose |
|---|---|---|
| Account Information | Full name, email address, OAuth provider identifier (Google account ID via Manus OAuth) | Account creation, authentication, session management, and service delivery |
| Analysis Inputs | Text queries, uploaded documents (PDF, DOCX, TXT, and other supported formats), and contextual parameters submitted to the MPPT Deep Analysis system | Delivering multi-phase investigative analysis, decision support, and document vectorization services |
| Decision Agent Interactions | Questions submitted to the Decision Agent, conversation history within a session | Providing real-time streaming decision support and maintaining conversational context |
| Contact Submissions | Name, title, organization, email address, message content submitted through the contact form | Responding to briefing requests, partnership inquiries, and general communications |
3.2 Information Collected Automatically
| Category | Specific Data Elements | Purpose |
|---|---|---|
| Device and Browser Data | IP address, browser type and version, operating system, screen resolution, device type | Security monitoring, analytics, and service optimization |
| Usage Data | Pages visited, features accessed, session duration, navigation paths, interaction events | Platform improvement and user experience optimization via Manus Analytics |
| Authentication Data | JWT session tokens, OAuth callback data, login timestamps, session identifiers | Secure session management and access control |
| MPPT Job Metadata | Job identifiers, session identifiers, job status, timestamps, analysis phase progression | Job lifecycle management, progress tracking, and historical job retrieval |
| Cookies | Essential session cookies (JWT), analytics identifiers | See our Cookie Policy for complete details |
3.3 Information We Do Not Collect
The Platform does not collect payment card information, bank account details, social security numbers, government-issued identification numbers, biometric data, or health information. The Platform does not currently accept donations or process financial transactions.
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area, we process personal data on the following legal bases:
| Legal Basis | Applicable Processing Activities |
|---|---|
| Contractual Necessity (Art. 6(1)(b)) | Account management, delivering MPPT analysis results, processing Decision Agent queries, maintaining job history |
| Legitimate Interest (Art. 6(1)(f)) | Platform security and fraud prevention, aggregate analytics for service improvement, infrastructure monitoring |
| Consent (Art. 6(1)(a)) | Non-essential analytics cookies, optional communications. You may withdraw consent at any time without affecting the lawfulness of processing performed prior to withdrawal. |
| Legal Obligation (Art. 6(1)(c)) | Compliance with applicable laws, regulations, or enforceable governmental requests |
5. How We Use Your Data
We use collected data exclusively for the following purposes:
- Authenticating users through the Manus OAuth system and maintaining secure JWT-based sessions.
- Delivering MPPT Deep Analysis services, including multi-phase investigative analysis, branch generation, quantum ranking computation, and decision extraction.
- Processing Decision Agent queries and maintaining conversation context within active sessions.
- Storing and retrieving analysis job history and decision records for authenticated users.
- Vectorizing and processing uploaded documents for analytical purposes.
- Responding to contact form submissions, briefing requests, and support communications.
- Monitoring Platform security, detecting unauthorized access, and preventing abuse.
- Generating aggregate, de-identified analytics via Manus Analytics to improve Platform performance.
- Complying with legal obligations and responding to lawful requests from governmental authorities.
6. Data Sharing and Third Parties
We do not sell, rent, or trade your personal data. We share personal data only in the following limited circumstances:
| Recipient Category | Purpose | Safeguards |
|---|---|---|
| Manus Platform (OAuth and Analytics) | User authentication, session management, and aggregate analytics | Data processing agreement, encrypted transmission |
| MPPT Analysis API (api.jamesscott.tech) | Processing analysis queries, document vectorization, decision agent interactions | Server-side proxy (no direct browser-to-API communication), encrypted transmission |
| Cloud Infrastructure Providers | Hosting, data storage, and content delivery | Industry-standard security certifications, data processing agreements |
| Legal Authorities | Compliance with applicable laws, regulations, legal process, or enforceable governmental requests | Disclosure limited to legally required minimum |
All analysis queries and document uploads are proxied through our backend server. Your browser does not communicate directly with third-party analysis APIs, ensuring that your IP address and browser fingerprint are not exposed to upstream processors.
7. Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| Account Information | Duration of account activity plus twelve (12) months after last login or account deletion request | Contractual necessity |
| Analysis Inputs and Outputs | Retained by the upstream MPPT API according to its own retention policy; our proxy does not independently store analysis content | Service delivery |
| Decision Agent Conversations | Session-scoped; retained by the upstream API according to its retention policy | Service delivery |
| Contact Submissions | Twenty-four (24) months from date of submission | Legitimate interest |
| Server Logs and Security Data | Twelve (12) months | Security and legal compliance |
| Analytics Data | Aggregate, de-identified data retained indefinitely; individual session data retained per Manus Analytics retention policy | Legitimate interest |
Upon expiration of the applicable retention period, personal data is securely deleted or irreversibly anonymized. You may request earlier deletion by contacting us (see Section 13).
8. Your Rights
Depending on your jurisdiction, you hold the following rights with respect to your personal data:
| Right | Description | Applicable Law |
|---|---|---|
| Access | Request a copy of the personal data we hold about you. | GDPR Art. 15, CCPA 1798.100 |
| Rectification | Request correction of inaccurate or incomplete personal data. | GDPR Art. 16 |
| Erasure | Request deletion of your personal data, subject to legal retention obligations. | GDPR Art. 17, CCPA 1798.105 |
| Restriction | Request that we restrict processing of your personal data under certain circumstances. | GDPR Art. 18 |
| Data Portability | Receive your personal data in a structured, commonly used, machine-readable format. | GDPR Art. 20 |
| Objection | Object to processing based on legitimate interests. | GDPR Art. 21 |
| Withdraw Consent | Withdraw previously given consent at any time, without affecting the lawfulness of prior processing. | GDPR Art. 7(3) |
| Non-Discrimination | Exercise your privacy rights without receiving discriminatory treatment. | CCPA 1798.125 |
| Opt-Out of Sale | We do not sell personal data. This right is documented for transparency. | CCPA 1798.120 |
We will respond to verified requests within thirty (30) days, or within the timeframe required by applicable law. We may request identity verification before processing your request to prevent unauthorized access to personal data.
9. Data Security
We implement administrative, technical, and organizational safeguards designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encrypted data transmission using TLS 1.2 or higher for all communications between your browser and our servers.
- JWT-based session management with cryptographically signed tokens.
- Server-side API proxying to prevent direct exposure of user data to third-party endpoints.
- Access controls based on the principle of least privilege for all system components.
- Regular security assessments and incident response procedures.
No method of electronic transmission or storage is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security. In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected individuals and relevant supervisory authorities within seventy-two (72) hours, in accordance with GDPR Article 33.
10. International Data Transfers
Your personal data may be transferred to and processed in jurisdictions outside your country of residence, including the United States and other jurisdictions where our infrastructure providers and the MPPT analysis API operate. When transferring data internationally, we implement appropriate safeguards, including standard contractual clauses approved by the European Commission (Commission Decision 2021/914), to ensure that your personal data receives adequate protection.
11. Children's Privacy
The Platform is not directed at children under the age of thirteen (13), or under the age of sixteen (16) for users in the European Economic Area. We do not knowingly collect personal data from children below these age thresholds. If we become aware that we have collected personal data from a child below the applicable age threshold, we will take immediate steps to delete such data. If you believe that a child has provided personal data to us, please contact us immediately through the channels listed in Section 13.
12. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our data practices, legal requirements, or operational needs. Material changes will be communicated through a prominent notice on the Platform at least fourteen (14) days before the changes take effect. Your continued use of the Platform after the effective date of changes constitutes your acceptance of the updated Policy.
13. Contact Information
For privacy-related inquiries, data subject requests, or complaints, contact us through the following channels:
| Entity | ASEAN Institute Cambodia Intelligence Platform |
|---|---|
| Address | Phnom Penh, Kingdom of Cambodia |
| Contact Page | Submit a Privacy Request |
| Response Time | Within thirty (30) days of receipt of a verified request |
If you are located in the European Economic Area and believe that our processing of your personal data violates applicable data protection law, you have the right to lodge a complaint with your local supervisory authority pursuant to GDPR Article 77.