The Democracy Lab Foundation (Demo Lab)
Privacy Policy
Last updated: November 2025
(This English version is provided for international users. In case of conflict or interpretation issues, the Spanish version, drafted under Costa Rican law, shall prevail)
1. Introduction
This Privacy Policy explains how The Democracy Lab Foundation (hereinafter “Demo Lab,” “we,” “us,” “our”), a non-profit foundation based in Costa Rica, collects, uses, stores, protects, and shares the personal data of users who access our website, associated educational platforms (including the Freedom Academy and the Freedom Course), and our online forms.
Demo Lab processes personal data in compliance with Costa Rica’s Law No. 8968 on the Protection of the Person Regarding the Processing of Personal Data and its Regulations (Executive Decree No. 37554-JP), as well as aligned with relevant international data protection standards.
By using our website or registering for our programs, you acknowledge that you have read and understood this Privacy Policy.
2. Scope of this Policy
This Policy applies to:
- Demo Lab’s official website and any related subdomains.
- Online learning platforms (LMS) we use to deliver courses and programs.
- Online registration, contact, subscription and participation forms.
- Electronic communications related to our educational services.
It does not apply to third-party websites that may be linked from our platforms.
3. Personal data we collect
Demo Lab may collect the following categories of personal data:
3.1 Data provided directly by the user
- Full name.
- Email address.
- Identification number (when required for enrollment or certificate issuance).
- Telephone number.
- Country and place of residence.
- Educational institution, company or organization you are associated with (if applicable).
- Role (student, teacher, partner, donor, etc.).
- Information included in registration, contact, survey or assessment forms.
3.2 Academic data and platform usage data
Particularly for programs such as Freedom Academy or the Freedom Course:
- Courses the user is enrolled in.
- Course progress.
- Activities completed and passed.
- Results of quizzes, tests or assessments.
- Participation in forums, comments, or other educational interactions.
3.3 Browsing and usage data
Automatically collected when you visit our website:
- IP address of your device.
- Browser type and version.
- Operating system.
- Pages visited, time spent on each page, and navigation paths.
- Cookie identifiers and similar technologies.
3.4 Sensitive data
Demo Lab does not intentionally collect sensitive data (such as race, health information, political, religious or sexual orientation), unless it is strictly necessary for a legitimate purpose and based on the prior, explicit, informed and written consent of the data subject, in accordance with Costa Rican Law No. 8968 and its Regulations.
4. Purposes of data processing
Demo Lab will use personal data only for the following legitimate purposes:
- Provision of educational services
  - Creating and managing user accounts.
  - Providing access to courses, programs, certifications and educational content.
  - Issuing and validating certificates of participation or completion (including in partnership with universities and other institutions).
- Academic management and support
  - Sending reminders, notifications about assignments, assessments and key dates.
  - Providing academic and technical support and guidance on how to use the platforms.
- Institutional and community communications
  - Sending information about activities, initiatives, events, educational campaigns and participation opportunities.
  - Sending newsletters and updates, provided the user has chosen to receive them.
- Continuous improvement and statistical analysis
  - Analyzing, in aggregate form, how our platforms are used, in order to improve course quality and user experience.
  - Generating anonymized or aggregated impact reports whenever reasonably possible.
- Administrative management and legal compliance
  - Internal administrative and accounting management.
  - Compliance with applicable legal and regulatory obligations.
  - Responding to lawful requests from competent authorities.
- Security and fraud prevention
  - Protecting the integrity of our systems and platforms.
  - Detecting and preventing unauthorized or unlawful activities.
Demo Lab does not use personal data to sell databases or for commercial purposes unrelated to its educational and non-profit mission.
5. Legal basis and consent
Demo Lab processes personal data based on:
- The consent of the data subject, which must be freely given, specific, informed and unambiguous.
- The performance of a legal or educational relationship (for example, providing access to a course).
- Compliance with legal obligations under Costa Rican law.
- Legitimate interest, when duly balanced and when it does not override the fundamental rights and freedoms of data subjects.
You may withdraw your consent at any time, without retroactive effect, through the mechanisms described in this Policy.
6. Sharing your information
Personal data may be disclosed only to the following categories of recipients, to the extent necessary:
6.1 Service providers (data processors)
- Cloud hosting and infrastructure providers.
- LMS platforms and learning management tools.
- Email, messaging and communication service providers.
- Data analytics and impact measurement tools.
These providers act as data processors, under contracts that include confidentiality obligations and data protection clauses consistent with Law No. 8968 and comparable standards.
6.2 Educational partners and associated organizations
- Universities, educational institutions and organizations with which we jointly develop programs.
- Only the data strictly necessary to:
  - Validate student participation.
  - Issue joint certificates or academic recognitions.
  - Follow up on scholarship or support programs.
6.3 Public authorities
Data may be shared with administrative or judicial authorities that legitimately request it in accordance with applicable law.
6.4 Other third parties
Only when the data subject has provided prior, express and informed consent, or when the law expressly allows or requires it.
Demo Lab does not sell, rent or commercially trade personal data.
7. Data subject rights
In line with Costa Rican Law No. 8968 and other relevant regulations, users have, among others, the following rights:
- Right of access: to know which personal data is being processed, its origin and the purposes of processing.
- Right to rectification: to request correction or update of inaccurate, incomplete or outdated data.
- Right to cancellation (erasure): to request the deletion of data when it is no longer necessary for the purposes for which it was collected, or when the retention period has expired.
- Right to object: to object to certain processing activities, provided there is no overriding legal obligation.
- Right to data portability (where applicable): to receive your data in a structured, commonly used and machine-readable format and to transmit it to another controller.
- Right to withdraw consent at any time.
8. How to exercise your rights
You may exercise your rights by sending a request to Demo Lab through:
- Email: info@demolabcr.org
- Physical address: The Democracy Lab Foundation, Escazú Village, WeWork, San Rafael de Escazú, San José, Costa Rica.
Your request should include at least:
- Your full name.
- A contact method to receive a response (email or postal address).
- A clear description of the right you wish to exercise and the data involved.
- A copy of a valid identification document (where required by law) or a reasonable identity verification mechanism.
Demo Lab will respond within the time frames established by Costa Rican law. Users may also file a complaint before the Costa Rican Data Protection Authority (Prodhab) when applicable.
9. Security measures
Demo Lab adopts administrative, technical and physical security measures to protect personal data against unauthorized access, loss, alteration, disclosure or destruction, including:
- Encryption of data in transit and, where appropriate, at rest.
- Role-based access controls and need-to-know restrictions.
- Internal information security policies and staff training.
- Use of providers that meet recognized international security standards (e.g., ISO 27001, SOC 2 or equivalents).
- Logging and monitoring of relevant access and operations.
- Incident response procedures and notification mechanisms, where required.
While no security measure is absolutely infallible, Demo Lab is committed to implementing reasonable and appropriate safeguards in light of the nature of the data processed.
10. Data retention
Personal data will be retained only for as long as necessary to fulfill the purposes for which it was collected, or for the periods required by applicable law and regulations.
Once such purposes or periods have been fulfilled, the data will be deleted, blocked or anonymized, unless there is an additional legal obligation to retain it.
11. Links to third-party sites and services
Our website and platforms may contain links, content or integrations to third-party sites or services (for example, video platforms, external forms, or social media). Demo Lab is not responsible for the processing of personal data carried out by those third parties.
We recommend that users review the privacy policies of such third parties before providing them with personal data.
12. Use of cookies and similar technologies
Demo Lab uses cookies and similar technologies to enhance user experience, analyze website performance and provide educational features efficiently.
Cookies are small text files stored in the user’s browser that allow us to recognize the device, remember preferences or understand how the site is used.
12.1 Types of cookies we use
a) Strictly necessary cookies
Essential for the basic operation of the website and educational platforms, for example:
- Maintaining logged-in sessions.
- Enabling secure access to restricted areas.
- Storing essential technical settings.
Without these cookies, certain services may not work properly. They cannot be disabled within our systems.
b) Performance or analytics cookies
These cookies collect information about how users interact with the site, such as:
- Pages visited.
- Time spent on each page.
- Loading errors or performance issues.
This (usually aggregated) information helps us improve functionality, content and the overall user experience. We may use tools such as Google Analytics or similar services.
c) Functionality cookies
These cookies allow the website to remember user choices, such as:
- Preferred language.
- Display settings.
- Optional form data to make future visits more convenient.
They enhance personalization and ease of use.
d) Institutional campaign / educational marketing cookies
Demo Lab does not use cookies for mass commercial advertising; however, we may use, on a limited basis, cookies or pixels to:
- Measure the impact of informational campaigns about educational programs.
- Optimize the reach of institutional communications, never to sell data to third parties.
These cookies will be used only with the user’s consent, where required by applicable law.
12.2 Legal basis and consent for cookies
- Strictly necessary cookies rely on Demo Lab’s legitimate interest in ensuring website functionality and security.
- Analytics, advanced functionality and institutional campaign cookies rely on informed user consent, whenever required by applicable regulations.
Users may accept or reject certain categories of cookies through browser settings or, where available, via the cookie banner or preference panel on the site.
12.3 Managing or disabling cookies
You may configure your browser to:
- Accept all cookies.
- Reject all cookies.
- Accept only some cookies.
- Notify you before a cookie is stored.
Cookie management procedures vary between browsers; please check your browser’s help section for more information. Disabling certain cookies may affect full functionality of the website or educational platforms.
12.4 Third-party cookies
Some cookies may be set by third-party services integrated into the site, such as:
- Embedded video or content platforms.
- Analytics services.
- Social media integrations or external forms.
These third parties are responsible for their own data processing practices in accordance with their privacy policies. Demo Lab seeks to work only with providers that offer adequate data protection safeguards.
13. Alignment with international standards (GDPR, CCPA, LGPD, LFPDPPP)
Although Demo Lab is established in Costa Rica and primarily subject to Costa Rican Law No. 8968, we acknowledge the international nature of our community and aim to align our practices with global data protection standards, including:
- GDPR – General Data Protection Regulation (European Union).
- CCPA/CPRA – California Consumer Privacy Act / California Privacy Rights Act (State of California, USA).
- LGPD – Brazilian General Data Protection Law.
- LFPDPPP – Mexican Federal Law on Protection of Personal Data Held by Private Parties.
Demo Lab does not claim that all of these regulations apply to every situation, but it adopts principles and safeguards that are equivalent or higher, to strengthen security, transparency and respect for data subject rights.
13.1 Adopted international principles
- Data minimization (GDPR): we only collect data that is strictly necessary.
- Purpose limitation (GDPR, LGPD, LFPDPPP): data is used solely for the purposes previously informed.
- Transparency (GDPR, CCPA, LGPD): we provide clear information about data processing.
- Security and confidentiality (all): we maintain appropriate technical and organizational security measures.
- International transfers with safeguards (GDPR): we use contractual clauses and data processing agreements with adequate providers.
- Impact assessments (GDPR, LGPD): we assess risks when processing data in high-impact projects.
13.2 Additional rights recognized on an equivalent basis
In addition to the rights granted under Costa Rican law, Demo Lab recognizes, where appropriate, rights equivalent to those provided by the GDPR, LGPD and LFPDPPP, such as:
- Data portability: the possibility of receiving your data in a structured format and transmitting it to another controller, where applicable.
- Restriction of processing: the ability to request the suspension of certain processing activities under specific conditions.
- Right not to be subject solely to automated decisions that produce legal effects or significantly affect you, without human intervention, where such regimes apply.
For users residing in California (USA), we recognize rights consistent with the CCPA, to the extent applicable, including:
- The right to know which categories of data are collected and for what purposes.
- The right to request deletion of personal data, subject to legal exceptions.
- The right to know if personal data is sold (Demo Lab does not sell personal data).
- The right not to be discriminated against for exercising privacy rights.
13.3 International data transfers
When it is necessary to transfer personal data to other countries (for example, due to the use of technology providers located outside Costa Rica), Demo Lab:
- Seeks to use providers that offer adequate data protection safeguards (certifications, recognized standards, etc.).
- Signs Data Processing Agreements (DPAs) and specific contractual data protection clauses.
- Restricts access to personal data only to staff and providers who need it for the authorized purposes.
14. Processing personal data of minors
Demo Lab recognizes the special protection required for minors.
- For children under fifteen (15) years of age, the Freedom Course and any equivalent content must be taken under the guidance, supervision and direction of their parents or legal guardians, who are responsible for accompanying the educational process and granting the necessary permissions.
- When it is necessary to collect personal data from minors, we will seek verifiable consent from their parents or legal guardians, in accordance with applicable law.
- We will not use minors’ data for commercial purposes, nor will we share it with third parties, except when legally required or expressly authorized by parents or guardians.
15. Changes to this Privacy Policy
Demo Lab may update this Privacy Policy from time to time, to reflect changes in the law, our services, or our internal processes.
We will post the date of the last update at the top of this document and, when changes are material, we may inform users through the website, email, or other reasonable means.
Continued use of the website and platforms after any changes are posted will constitute acceptance of the revised Policy.
16. Contact information
For questions, requests or to exercise your data protection rights under this Policy, please contact us at:
- Email: info@demolabcr.org
- Physical address: The Democracy Lab Foundation, Escazú Village, WeWork, San Rafael de Escazú, San José, Costa Rica.