Legal
Privacy Policy
Effective: 22 April 2026 · Version 1.0
Applicable jurisdictions: Global — with specific provisions for the European Economic Area (EEA / GDPR), United Kingdom (UK GDPR), United States (CCPA/CPRA, COPPA), and all applicable African and other regional data protection frameworks.
Section 1
Who We Are
The Society of Open Systems ("the Society", "we", "us", "our") is a decentralised collective of builders and maintainers dedicated to sovereign, offline-first, privacy-respecting digital infrastructure for communities in low- and middle-income contexts and beyond. We have no formal corporate headquarters. We are not a registered commercial entity at the time of this policy's publication.
Our primary contact for all privacy matters is: oponsystems@icloud.com
Section 2
Our Core Privacy Principle
We are a data-minimalist organisation. Our position is simple: the less data we hold, the less harm we can cause. We do not run analytics platforms, advertising networks, or data broker services. We do not sell, rent, license, or share personal data with third parties for commercial purposes.
Our applications are designed to run primarily in your browser, on your device, with your data staying on your device. Where data must leave the device, we tell you explicitly, and we provide you with the ability to decline.
Section 3
What We Collect — and What We Do Not
The table below sets out the data interactions across our surfaces. In all cases, "collect" means temporarily processed and never stored on our servers unless explicitly stated.
| Surface | Data Involved | Where It Goes | Stored? |
| --- | --- | --- | --- |
| Landing pages & Manifesto | None. No tracking, no cookies, no analytics. | Nowhere. | No. |
| Dispatches feed | None — articles are fetched from static files. | Your browser cache only (Service Worker). | Local only. |
| Dispatch submission (email) | Your email address and the content you choose to send. | Your device's email client → our inbox. Standard email protocol. | In email inbox only. |
| Application grid (Apps) | None from the hub page itself. | Nowhere. | No. |
| Individual apps | All operational data (patient records, ledger entries, attendance) is stored locally in the browser's IndexedDB / localStorage. | Your device only, unless you explicitly export or sync. | Local only by default. |
| Sponsor node links | If you click an external sponsor link, you are navigating to a third-party site. Their privacy policy applies from that point. | Third-party site of your choosing. | Not by us. |
| Service Worker / PWA | Cached page assets for offline use (HTML, CSS, JS, static JSON files). | Your browser's cache storage. | Local only. |
Section 4
Cookies and Local Storage
We do not set any cookies. We do not use third-party tracking scripts. We do not use advertising cookies, session-tracking cookies, or persistent identifiers.
Our applications use the browser's built-in storage mechanisms (localStorage, IndexedDB, Cache API via Service Worker) solely for the purpose of enabling offline functionality. This data never leaves your device unless you explicitly export it.
You may clear this local data at any time through your browser's settings. Doing so will reset application data to its initial state.
Section 5
Your Rights by Jurisdiction
Because the Society operates globally and our tools are used across multiple continents, we recognise and honour the rights granted under all applicable regional frameworks. Where multiple frameworks apply, we apply the highest standard.
European Union & EEA
GDPR (Regulation 2016/679)
You have the right to: access personal data we hold about you; rectify inaccurate data; request erasure ("right to be forgotten"); request restriction of processing; request data portability; object to processing; withdraw consent at any time. Because we collect near-zero personal data, most of these rights are exercised simply by clearing your local browser storage. For email submissions, contact us to request deletion.
Legal basis: Legitimate interests (Art. 6(1)(f)) for static content delivery; consent for any optional data interactions.
United Kingdom
UK GDPR & Data Protection Act 2018
The UK GDPR, retained post-Brexit, mirrors the EU GDPR in its material provisions. All rights and obligations described under the GDPR section apply equally to UK residents. We do not transfer personal data to countries without an adequacy decision or equivalent safeguards.
United States
CCPA / CPRA (California)
California residents have the right to know what personal data is collected, to delete personal data, to opt out of the sale of personal data, and to non-discrimination for exercising these rights. We do not sell personal data. We do not collect personal information beyond what is described in Section 3. Children under 13 are not the intended users of our services; if you believe a child has provided personal information, contact us immediately.
Africa — Regional Frameworks
NDPA, NDPR, POPIA & AU Convention
We recognise and respect: Nigeria's NDPA 2023 and NDPR 2019; South Africa's POPIA 2013 (POPI Act); Ghana's Data Protection Act 2012; Kenya's Data Protection Act 2019; the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention); and all other national data protection laws in African jurisdictions where our tools are deployed. Residents of these jurisdictions hold the same fundamental rights as described above: access, correction, deletion, and objection. Contact us at oponsystems@icloud.com to exercise any right.
Canada
PIPEDA & Provincial Laws
Under Canada's Personal Information Protection and Electronic Documents Act, you have the right to access and correct personal information we hold about you and to withdraw consent for its collection. As our data collection is minimal and primarily local to your device, these rights are largely self-executable via browser storage management.
All Other Jurisdictions
General International Principle
Regardless of where you are, we apply the same core principle: we collect the minimum necessary, store it locally on your device wherever possible, and never sell or commercially exploit your data. If your jurisdiction grants data rights not listed here, we will honour them. Contact us.
Section 6
Third-party Services
Our pages load Tailwind CSS from a CDN (cdn.tailwindcss.com). This is a stylesheet delivery request; no personal data is transmitted. You may inspect the network requests in your browser's developer tools to verify. We do not use Google Analytics, Meta Pixel, Hotjar, Intercom, Segment, or any other behavioural analytics service.
External links to sponsor nodes, referenced tools, or partner networks are clearly marked. Once you leave our pages, the privacy policy of the destination applies. We have no control over and accept no responsibility for third-party privacy practices.
Section 7
Data Retention
Application data stored in your browser is retained until you clear it. We do not set expiry timers on your local data.
Email communications sent to us are retained in our inbox for as long as operationally necessary (typically no longer than 24 months). You may request deletion of any email correspondence at any time.
Section 8
Children's Privacy
Our tools are designed for use by adults and organisations. We do not knowingly collect personal data from children under the age of 13 (or under 16 in the EU/UK). Our EduTrack attendance application is operated by institutional administrators, not by children directly. If you are aware of a child under the relevant age having submitted personal data through our channels, contact us at oponsystems@icloud.com and we will delete it promptly.
Section 9
Security
Because we do not maintain central servers holding your personal data, the primary security layer is your own device. We recommend using an up-to-date browser and operating system, and applying standard device security practices (screen lock, strong passwords, regular backups).
Our static pages are served over HTTPS. The offline-first architecture means that even if our hosting is compromised, the data held locally on your device remains under your control.
Section 10
Changes to This Policy
We will update this policy when our practices change or when regulations require. Material changes will be noted in a Dispatch and the effective date at the top of this page will be updated. Continued use of our tools after a change constitutes acceptance of the revised policy.
To exercise any right, ask a question, or raise a concern: oponsystems@icloud.com