1.1 Scope

This Policy applies to all natural persons and legal entities that access or register on the Platform, whether as Problem Owners (“Seekers”) or Solution Providers (“Providers”), regardless of their country of domicile, with a primary operational focus on Mauritius and the African region.

Any queries relating to this Policy or the exercise of data subject rights may be directed to the AI Unit’s designated compliance representative at: [aiunit@govmu.org].

1.2 Personal Data Collected

Upon registration, the Platform collects and processes the following categories of personal and organisational data:

• Full name of the authorised representative
• National Identity Card (NIC) number or passport number (for non-Mauritian registrants)
• Job title and organisational role
• Work email address
• Company registered address
• Business Registration Number (BRN) for Mauritian Start-Ups

The collection of NIC or passport information is collected solely for the purpose of identity verification and eligibility confirmation as defined in the Marketplace Terms & Conditions.

1.3 Lawful Basis for Processing

Processing of personal data under this Policy is grounded in the following lawful bases under the Data Protection Act:

• Performance of a public task: The Platform operates as a national digital infrastructure initiative of MITCI in furtherance of the National AI Strategy.
• Legitimate interests: Facilitating professional matchmaking between AI problem-owners and solution-providers within Mauritius.
• Consent: Where processing extends beyond the primary facilitation purpose (e.g., marketing communications or analytics), explicit consent will be obtained separately via opt-in mechanisms.

1.4 Algorithmic Matching & Automated Decisions

Purpose

The Platform utilises algorithmic sorting and ranking logic to generate “Best Match” recommendations between Seekers and Providers, based on sector, technology domain, maturity level and geographic preference.

Automated Decision-Making and the Right to Human Review

In accordance with Section 38 of the Data Protection Act, where a recommendation or exclusion is generated wholly or substantially by automated processing and produces a significant effect on a registered entity, that entity has the right to:

1. Request a manual review of the automated recommendation or exclusion.
2. Receive a plain-language explanation of the primary factors influencing the recommendation within ten (10) business days of the request.
3. Contest the outcome and request a human-reviewed alternative matching exercise.

Automated matching outputs are advisory only and do not constitute official government endorsement of any listed entity or solution.

1.5 Cross-Border Data Flows

To fulfil the Platform’s regional mandate, data contained in Problem Statements and Company Profiles may be made accessible to entities domiciled in African jurisdictions outside Mauritius.

The AI Unit ensures that all such cross-border transfers comply with Section 36 of the Data Protection Act, specifically:

• Transfer to jurisdictions that have been assessed as providing an adequate level of data protection equivalent to Mauritius standards; or
• Transfer governed by a signed Data Sharing Agreement (DSA) between the AI Unit and the recipient entity, incorporating the obligations set out in the Mandatory Data Sharing Agreement; or
• Transfer with the explicit and informed consent of the data subject, where neither of the above mechanisms applies.

The AI Unit further acknowledges the obligations arising under the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention) and the COMESA Digital Trade Protocol as relevant frameworks for cross-border data governance in the region. Compliance with these instruments is pursued on a best-efforts basis and will be formalised as ratification and implementing legislation in relevant jurisdictions progresses.

1.6 Data Retention

Registered profiles and associated data will be retained for a period of twelve (12) months following the date of de-registration or the last recorded activity on the Platform, whichever is later.

Upon expiry of the retention period, personal data will be securely deleted or anonymised such that re-identification is not possible. Organisational data may be retained in anonymised, aggregated form for statistical and policy research purposes indefinitely.

1.7 Data Security & Breach Notification

The AI Unit maintains technical and organisational measures consistent with recognised international standards to protect personal data against unauthorised access, loss, destruction, or disclosure.

In the event of a personal data breach, the AI Unit commits to the following notification timelines:

• Notification to the Data Protection Commissioner: Within 72 hours of the AI Unit becoming aware of the breach, where it is likely to result in a risk to the rights and freedoms of individuals, in accordance with Data Protection Act obligations.
• Notification to affected data subjects: Within 5 business days of confirmed identification of the affected individuals, where the breach is likely to result in a high risk to their rights and freedoms.

Breach notifications to data subjects will include the nature of the breach, categories of data involved, likely consequences and measures taken or proposed.

1.8 Your Data Subject Rights

Under the Data Protection Act, all registered individuals retain the following rights with respect to their personal data:

• Right of access: To obtain a copy of personal data held by the Platform.
• Right to rectification: To request correction of inaccurate data.
• Right to erasure: To request deletion, subject to any overriding legal retention obligation.
• Right to object: To object to processing based on legitimate interests.
• Right to restriction: To request restricted processing pending resolution of an objection.
• Right to data portability: To receive data in a structured, machine-readable format.
• Right to human review of automated decisions: As detailed in Section 1.4 above.

Requests to exercise any of the above rights should be submitted to the controller (MITCI – AI Unit) at: [aiunit@govmu.org]. The AI Unit will respond within 28 days of receipt of a valid request.

1.9 DPIA Status & Seeker Obligations

The Data Protection Office has assessed the processing operations of the Regional AI Marketplace platform. As the platform’s processing operations do not meet two or more criteria for high-risk processing, no DPIA submission to the Data Protection Office is required for the platform itself.

All AI projects implemented by Problem Owners (“Seekers”) operating in Mauritius that arise from connections made via this Platform are independently subject to DPIA assessment requirements under Section 34 of the Data Protection Act. Where applicable, Seekers are required to submit a DPIA to the Data Protection Office prior to commencing processing.

1.10 Policy Review

This Policy will be reviewed annually or upon any material change to the Data Protection Act, the Mauritius National Cybersecurity Strategy, or the operational scope of the Platform. The current version and its effective date are published on the Platform.