Privacy Policy

1. Scope

This Policy covers data processed through our public website, platform application, assessments (including Quick Wins (free entry), Monthly Platform, and Enterprise Realignment), collaboration features, support channels, and scheduling pages.

2. Data We Collect

Account & Identity

• Name, email address, organization, role/title (provided by you)
• Authentication identifiers (managed by our auth provider)

Assessment & Organizational Inputs

• Survey responses (structural, process, governance questions)
• Uploaded org charts / CSV / role metadata
• Job description or cost center summaries (optional)

Usage & Technical

• Log events (pages, feature activations, CTA clicks)
• Approximate region (derived from IP, not stored as raw IP after short‑term security logs)
• Device/browser attributes (for security & compatibility)

Derived & Analytical

• Algorithmic indices (OCI™, HOCI™, JCI™, DSCH, CRF, LEI)
• Benchmark normalization values
• Scenario model outputs and savings projections

Support Communications

• Emails, form submissions, scheduling notes

3. Data Sources

We obtain data directly from you, authorized teammates you invite, and system instrumentation. We do not purchase third‑party marketing lists.

4. How We Use Data

• Provide and maintain assessments, dashboards, algorithmic outputs
• Generate benchmarking and scenario modeling
• Support expert consultations and implementation guidance
• Improve accuracy and reliability of proprietary algorithms
• Detect, prevent, and investigate security issues or abuse
• Comply with legal/regulatory obligations (e.g. accounting, tax)
• Communicate feature updates, material policy changes, or service notices

5. Legal Bases (GDPR)

Where GDPR applies: (a) Contract – delivering the service you requested; (b) Legitimate Interests – product improvement, basic analytics, fraud prevention; (c) Consent – optional marketing communications; (d) Legal Obligation – records retention and compliance.

6. How We Share

We do not sell or rent personal data. Limited sharing occurs with vetted processors strictly for service enablement:

• Infrastructure (cloud hosting, database, storage)
• Payment processing (Stripe)
• Email delivery (transactional + some notifications)
• Error monitoring & security tooling

Access is role‑restricted and governed by confidentiality obligations.

7. Retention

We retain assessment data for active accounts. On cancellation or written request we (a) queue structured deletion within 30 days, (b) preserve minimal financial / audit records as legally required, and (c) purge encrypted backups on their rolling lifecycle (≤ 90 days).

8. Security

• Encryption in transit (TLS 1.3) & at rest (AES‑256)
• Role‑based access controls + optional MFA
• Audit logging of administrative actions
• Least privilege service design
• Periodic dependency & vulnerability reviews

No system is perfectly secure; if we discover a breach affecting you we will notify you without undue delay consistent with applicable law.

9. International Transfers

Data may be processed in the United States (primary) and other regions where our subprocessors operate. Where required, we rely on Standard Contractual Clauses or equivalent safeguards for cross‑border transfers.

10. Your Rights

Depending on jurisdiction (e.g., EU/UK GDPR, CCPA/CPRA), you may have rights to access, correct, delete, restrict, port, or object to certain processing. Submit requests via privacy@northpathstrategies.org. We'll verify identity before fulfilling requests. You will not receive discriminatory treatment for exercising rights.

11. Cookies & Tracking

We use:

• Essential cookies – session management & authentication
• Functional – remembering configuration preferences
• Limited analytics – aggregate feature usage & CTA performance (non‑intrusive, no cross‑site advertising)

You can adjust browser settings to refuse non‑essential cookies. Our CTA tracking stores only anonymized event metadata (e.g., cta_click, timestamp, destination) without persistent personal identifiers.

12. Payments (Stripe)

All card transactions are processed by Stripe. We never store full card numbers. Stripe acts as an independent data controller for payment data—see their privacy documentation for details.

13. Infrastructure & Vendors

• Application hosting & compute (cloud platform)
• Database & storage (managed relational + object storage)
• Email delivery (transactional + some user notifications)
• Authentication provider (session + security events)

Vendor list may evolve; material changes will be reflected in an updated Policy or direct notice when required.

14. Algorithmic & AI Processing

Our proprietary (patent‑pending) algorithms (OCI™, HOCI™, JCI™, DSCH, CRF, LEI) compute organizational structure, clarity, and optimization indicators. We do not use uploaded confidential documents to train third‑party foundation models. Limited model outputs may be cached for performance. Human expert review adds interpretation before external sharing.

15. Children

Services are not directed to individuals under 16. We do not knowingly collect personal data from children. If you believe a child has provided data, contact us for removal.

16. Do Not Track

Because no consistent industry standard exists, we presently do not respond to Do Not Track (DNT) browser signals. We limit tracking to essential/aggregate metrics and do not run behavioral advertising.

17. Policy Changes

If we make material changes we will update the "Effective Date" at the top and provide prominent notice (email or in‑app). Continued use after changes indicates acceptance.

18. Contact

Questions / Rights Requests: privacy@northpathstrategies.org

Security Reports: security@northpathstrategies.org

Mailing Address: NorthPath Strategies – Privacy, PO Box ####, City, State, Country