Privacy Notice

1. Introduction

This Privacy Notice explains how information about participants is collected, used, protected, and retained when an organization deploys the Diagnostic to its faculty, staff, or members, and the rights participants have over their information. The Diagnostic is operated by Patrick Dempsey ("we," "us"), who acts as the data controller responsible for the information described here. Contact details are in Section 11.

2. Definitions

• Participant: an individual who completes the Diagnostic.
• Organization: the institution that deploys the Diagnostic to its people and receives the aggregated report.
• Controller: the party that determines how and why participant information is processed (Patrick Dempsey).
• Service provider / subprocessor: a third party engaged to support processing (for example, cloud hosting or AI summarization) under contractual confidentiality and security obligations.

3. Information we collect

Each participant record contains three categories of information and nothing further:

• Identifying and firmographic information: name and up to three short Organization-configured questions about the participant's place in the Organization (typically role level, department or function, and one optional custom field such as subject taught or campus).
• AI context: length of AI use at work and a self-rated fluency level. Participants who indicate they do not use AI for work are asked a brief follow-up on the main reason.
• Responses: for education deployments, three "phase" questions about AI's role with students; for all deployments, the paired A/B perspective questions, the agree/disagree statements about the Organization's AI environment, the applied use cases, and three short open-text reflections.

We do not collect email address, phone number, IP-based identifiers, employee ID, manager, or human-resources data. The Diagnostic uses no tracking pixels, analytics SDKs, behavioral telemetry, identity-linked cookies, or session recording.

4. How we use information

We use participant information for a single purpose: to analyze responses at the group level and produce an aggregated readiness report for the Organization, together with the follow-up analysis that supports it. Each participant also receives their own individual result on screen at the end of the Diagnostic. We do not use participant information for advertising, marketing, or any purpose unrelated to producing that report.

5. Legal basis

Our basis for processing is the participant's consent, provided by voluntarily completing the Diagnostic. Participation is voluntary, and consent may be withdrawn at any time as described in Section 9, without affecting the lawfulness of processing carried out before withdrawal.

6. How we share information and service providers

We do not sell participant information, and we do not share individual responses with advertising or marketing tools. Aggregated, anonymized findings are used only to produce the Organization's report.

We engage a limited number of service providers to operate the Diagnostic, specifically a managed cloud hosting provider and a vetted AI provider used to generate the individual synthesis paragraph and team-level summaries. These providers process information only as needed to deliver their service, under confidentiality and security obligations. Under the AI provider's current terms, submitted content is not used to train foundation models. A current list of service providers, and the retention terms then in effect, is available on request.

We disclose information to any other third party only where required by law or valid legal process, and only to the extent required.

7. What the Organization receives

The report delivered to the Organization is aggregated. It presents group-level patterns, themes, and distributions. Participant names and individual response rows are not included in the report, and an individual participant's responses are not returned to the Organization in identifiable form through the report. Authorized administrators acting on behalf of the Organization may, separately, view individual records through the passcode-protected administrative interface for the purpose of preparing the engagement.

8. Data storage, location, and security

Participant information is encrypted in transit (HTTPS/TLS) and at rest, and is stored in a managed PostgreSQL database within a SOC 2 Type 2-compliant cloud environment located in the United States. The database enforces per-row access controls, so responses are accessible only to an authenticated administrator through a passcode-protected interface, never to other participants or the public. Each engagement runs on its own scoped session link, isolating one Organization's data from another's. Access to identifiable responses is limited to authorized personnel who require it to produce the report.

9. Your rights

Participants have the following rights with respect to their information:

• Voluntary participation: participation may be stopped at any time; a partial record can be excluded from analysis and deleted on request.
• Access: to obtain confirmation of, and a copy of, the information held about them.
• Correction: to have inaccurate identifying or firmographic information corrected.
• Deletion: to have their record deleted, with written confirmation of deletion provided on request.
• Withdrawal of consent: to withdraw consent at any time, without affecting prior lawful processing.
• Objection: to object to processing of their information.

To exercise any of these rights, contact Patrick Dempsey at thepatrickdempsey@gmail.com. We will respond within 30 days. Participants who believe their information has been handled improperly may also raise the matter with the relevant data protection or consumer protection authority in their jurisdiction.

10. Data retention

We retain participant information for the duration of the engagement plus 12 months, to support follow-up analysis and any reassessment the Organization requests. After that period, or earlier on request, the information is deleted. Written confirmation of deletion is available.

11. Contact

Questions about this Privacy Notice, or requests to exercise any right above, may be directed to:

Patrick Dempsey
thepatrickdempsey@gmail.com

12. Changes to this Notice

We may update this Privacy Notice from time to time. The effective date below reflects the most recent revision, and material changes affecting participant rights will be communicated through the deploying Organization.

Last updated: June 30, 2026.