PRIVACY POLICY
Effective Date: May 22, 2026 | Last Updated: May 22, 2026 | Version: 2.0
Entity: Project Baseline Inc. | Supersedes: Privacy Policy v1.0 (effective March 10, 2026)
Project Baseline Inc. ("Project Baseline," "PB," "we," "our," or "us") is a Colorado profit corporation (EIN 27-0639457) headquartered in Broadview, Illinois. We provide strategic consulting, AI implementation services, and related professional services to nonprofit organizations, small and mid-market businesses, civic organizations, and individuals.
This Privacy Policy explains what personal information we collect, how we use it, who we share it with, how long we keep it, and what rights you have. If you have questions or want to exercise your rights, email [email protected]. We acknowledge every request within 7 calendar days (see Section 8 for completion timelines).
1. About this policy
This Privacy Policy applies to every Project Baseline service, including:
- Our marketing websites and product pages
- AI readiness assessment tools (deployed under PB-owned or partner-branded URLs)
- The PB Report Engine (free and paid report tiers)
- Funding intelligence landing pages
- The Project Baseline Nonprofit Client Portal
- Our consulting engagements (nonprofit consulting, AI training, strategy consulting, subcontractor engagements)
- Future PB tools and services
2. What we collect
We collect only what we need to deliver our services and run our business. We do not buy personal data from data brokers. We do not collect data for advertising purposes.
2.1 Information you give us directly
Depending on which PB service you use, we may collect:
- Contact information: Name, email address, phone number, mailing address
- Organizational information: Business or organization name, EIN, 501(c)(3) status, mission, programs, financial information, staff and board details
- Account information: Email and password if you create a client portal account (passwords are bcrypt-hashed with cost factor 12 and are never stored in plain text)
- Service intake information: Responses to intake questionnaires, project briefs, business context for AI tools, trade specialization for TAD AI Readiness submissions, ZIP code, years in business, crew size, certification status, and stated pain points
- Uploaded documents: Files you submit through the client portal (articles of incorporation, bylaws, financials, program materials, photographs, deliverables-in-progress)
- Communications: Email correspondence, portal messages, scheduled call notes, meeting transcripts produced by our transcription sub-processor when you participate in a recorded meeting (you are notified before recording starts)
- Payment information: When you pay for a PB service, payment is processed by Stripe. We receive a payment confirmation, the payer name and email, and an amount. We never receive or store full payment card numbers, bank account numbers, or any other sensitive financial data. Stripe's privacy policy is at stripe.com/privacy.
2.2 Information collected automatically
When you use our websites or tools, we collect:
- Usage data: Pages visited, actions taken, login times, submission timestamps
- Device and connection data: Browser type, operating system, IP address, user agent string
- Abuse-control telemetry: For AI-powered tools (TAD AI Readiness, Fundable Chicago, PB Report Engine), we record submission timestamps and source IP addresses for rate-limiting and abuse-detection purposes only. These records are retained for 90 days, then automatically purged.
We do not use third-party advertising cookies, social tracking pixels, or cross-site tracking technologies. We do not sell, rent, or trade your personal information.
2.3 Information from third parties
In limited cases, we may receive information about you from:
- Referrers: When a current or past client refers you to PB by name or email
- Public sources: Publicly available business directories, social media profiles you have made public, organizational websites and 990 filings (for nonprofit prospect research)
- Sub-processors: Service providers that route information to us (for example, FormSubmit.co for the ai.project-baseline.com inquiry form, Stripe for payment confirmations)
3. How we use your information
We use your information for these purposes only:
| Purpose | Information used | Legal basis (GDPR) |
|---|---|---|
| Deliver the consulting service, AI tool, or report you requested | Contact info, organizational info, intake responses, documents | Contract performance |
| Communicate with you about your engagement, account, or submission | Contact info, communications, account info | Contract performance |
| Process payments | Contact info, payment metadata from Stripe | Contract performance |
| Prevent abuse, fraud, and unauthorized use of our tools | IP address, submission timestamps, email, business name | Legitimate interest |
| Improve our services using aggregated, anonymized usage data | Aggregated usage data with PII stripped | Legitimate interest |
| Send transactional notices (engagement updates, security notices, policy changes) | Contact info | Contract performance and legal obligation |
| Comply with legal obligations, including tax record retention | All applicable categories | Legal obligation |
| Defend against legal claims or respond to lawful requests | All applicable categories | Legitimate interest |
We do not use your personal information to train artificial intelligence models. We also prohibit our AI sub-processors (Anthropic, OpenAI, Google Gemini) from using your information to train their models, and we use their API products under terms that prohibit this practice.
4. Who we share your information with
We share your information only in the limited ways described below.
4.1 Sub-processors
Sub-processors are vendors that process information on our behalf to deliver our services. As of the effective date of this policy, our sub-processors are:
| # | Sub-processor | Service | Information shared | Location |
|---|---|---|---|---|
| 1 | Google LLC (Google Workspace: Gmail, Drive, Docs, Sheets, Calendar) | Email, document storage, scheduling | All client and prospect communications, contracts, deliverables, meeting notes, attachments | United States |
| 2 | Cloudflare, Inc. | DNS, TLS, WAF, DDoS mitigation, CDN | Web traffic to PB domains | United States (edge locations worldwide) |
| 3 | GitHub, Inc. (Microsoft) | Static site hosting and source code repositories | Public marketing content; source code | United States |
| 4 | Stripe, Inc. | Payment processing | Payer email, name, payment metadata (Stripe-tokenized, no card numbers reach PB) | United States |
| 5 | FormSubmit.co | Inquiry form relay | Name, email, business name, message | United States |
| 6 | Anthropic, PBC | AI generation for AI readiness tools and the PB Report Engine | Submitted business context (business name, trade, ZIP, brief pain points); email for report delivery. Anthropic does not train on API data per their commercial terms. | United States |
| 7 | OpenAI, L.L.C. | Occasional AI use via API | Limited business context for internal automation. OpenAI does not train on API data per their commercial terms. | United States |
| 8 | Google LLC (Gemini API) | Occasional AI use via API | Limited business context. Google does not train on API data per their commercial terms. | United States |
| 9 | Perplexity AI, Inc. | Research lookups during consulting work | Search queries (no client PII) | United States |
| 10 | Resend, Inc. | Email delivery for PB Report Engine outputs | Recipient email, subject, HTML body, PDF attachment | United States |
| 11 | Fireflies.ai (Fred AI, Inc.) | Meeting transcription | Audio and transcripts of meetings where transcription is enabled (you are notified before recording begins) | United States |
| 12 | DigitalOcean, LLC | Hosting for self-hosted PB tools | All self-hosted application data, including client portal accounts, uploaded documents, generated PDFs, abuse-control telemetry | United States |
| 13 | Supabase, Inc. | Database services for dashboard snapshots | Limited operational data | United States |
| 14 | Mailchimp (Rocket Science Group LLC) | Email marketing (placeholder, not currently active for PB) | If activated, contact info for opt-in recipients only | United States |
We require sub-processors to maintain appropriate security and confidentiality protections through their published Data Processing Addenda (DPAs) or equivalent contractual commitments. Clients with specific concerns about any sub-processor may request additional detail by email.
The current sub-processor list lives at https://www.project-baseline.com/privacy and is updated as our service stack changes. We will notify clients with active engagements at least 30 days in advance of adding a new sub-processor that will handle their data.
4.2 Legal requirements
We may disclose your information when required by law, court order, subpoena, or valid government request, and when we believe disclosure is necessary to protect our rights, your safety, or the safety of others. Where legally permitted, we will notify you before disclosure so you can seek a protective order.
4.3 Business transfer
If Project Baseline is involved in a merger, acquisition, sale of substantially all assets, or financing transaction, your information may be transferred to the successor entity. You will be notified before the transfer, and the successor entity will be bound by terms no less protective than this Privacy Policy or you will be offered a way to delete your data.
4.4 With your consent
When you specifically ask us to share information with a third party (for example, a co-consultant working on your engagement, or a grant program you are applying to), we will share only the information you authorize.
4.5 What we do not do
- We do not sell your personal information, in the everyday meaning of "sell" or in the technical CCPA definition (no exchange of personal information for monetary or other valuable consideration).
- We do not share your personal information with advertisers.
- We do not use cross-site tracking or third-party advertising cookies.
- We do not use your personal information to train artificial intelligence models, and we use our AI sub-processors' API products only under commercial terms that prohibit them from training on your information.
5. How long we keep your information
We retain information only as long as needed for the purposes described in this policy, then we delete or anonymize it.
| Information category | Retention period |
|---|---|
| Client engagement deliverables and contracts | Duration of engagement plus 7 years (Colorado / Illinois statute of limitations for professional services claims and tax record requirements) |
| Client communications (Gmail) | Duration of engagement plus 7 years; you may request earlier deletion of non-contractual messages |
| Client uploaded documents (nonprofit portal) | 90 days after engagement completion, or 30 days after account deletion, whichever is earlier |
| Nonprofit portal account records | Active for life of account; deleted accounts purged after 30 days |
| TAD AI Readiness abuse-control records (IP, email, business name, submission timestamps) | 90 days, then automatic purge |
| TAD AI Readiness generated PDFs (server cache) | 7 days after email delivery, then automatic purge. (You receive the PDF by email and control your own copy thereafter.) |
| ai.project-baseline.com inquiry-form submissions (in Gmail) | 2 years, then manual review and purge during annual data review |
| Stripe payment metadata (payment intent IDs, customer IDs, amounts; not card numbers) | 7 years (tax record requirement) |
| Meeting transcripts (Fireflies) | 1 year in Fireflies; exports to Drive follow the engagement retention schedule above |
| System logs (nginx, application) | 30 days |
| Backups (encrypted) | 90 days rolling, plus annual snapshots retained 7 years |
A complete data retention schedule, including disposal methods, is published in our internal Data Retention Policy and available to clients upon request.
Legal hold
If we receive notice of pending litigation, a regulatory investigation, or a subpoena affecting your information, retention is paused for the relevant data until the matter is resolved.
6. How we protect your information
We follow practices informed by the NIST Cybersecurity Framework 2.0 (NIST CSF 2.0), scaled appropriately for a solo consulting firm. Specific safeguards include:
- Encryption in transit: TLS 1.2 or higher on all customer-facing endpoints (HTTPS), with the minimum protocol version enforced at the Cloudflare edge and certificates managed by Cloudflare and Let's Encrypt
- Encryption at rest: Provider-managed encryption on Google Workspace (AES-256), DigitalOcean infrastructure, GitHub, and other sub-processors. Full-disk encryption (BitLocker AES-256) on the operator endpoint.
- Password security: Bcrypt password hashing with cost factor 12 on portal accounts
- Access control: Single-operator boundary (no employees or contractors with system access); MFA on all PB SaaS accounts; SSH key-only access (no password authentication) to PB infrastructure
- Application security: Helmet-managed HTTP security headers (Content Security Policy, HSTS, X-Frame-Options, X-Content-Type-Options), strict CORS configuration, rate limiting, request body-size limits, Stripe webhook signature verification, and multipart MIME validation for file uploads
- Abuse controls: Per-IP rate limits, per-email cooldowns, daily submission caps, daily AI-spend caps, honeypot fields for bot detection, duplicate-submission detection
- Logging and monitoring: Structured logs on the operator-controlled VPS; security alerts from sub-processors (GitHub, Cloudflare, Stripe, Google Workspace, DigitalOcean) routed to the operator
- Vendor management: Vendor and sub-processor registry maintained and reviewed annually; risk-classified vendor onboarding
No security program is perfect. We document risks honestly and remediate them on a published schedule. If you would like to review our security posture, please visit https://www.project-baseline.com/trust (our Trust Center).
7. Breach notification
If we confirm a security incident that has affected your personal information, we will notify you within 72 hours of confirmed exposure. Notification will include:
- What happened (factual description, not speculation)
- What information was involved (specific data types; if unknown, we will say so)
- What we are doing about it (containment, investigation, recovery)
- What you can do (specific protective steps where relevant)
- How to contact us with questions
Where required by law, we will also notify applicable regulators (per the 72-hour supervisory-authority notification requirement in GDPR Article 33 and applicable state breach notification laws) and any other affected parties.
Our complete Incident Response Plan, including severity levels and notification SLAs, is available to clients upon request.
8. Your rights
You have the following rights regarding your personal information. To exercise any of them, email [email protected]. We acknowledge requests within 7 calendar days and complete them within 30 days. We may need to verify your identity before completing certain requests (typically by confirming the request from the email address of record).
8.1 Rights for all users
- Access: Request a copy of the personal information we hold about you
- Correction: Ask us to correct inaccurate personal information
- Deletion: Ask us to delete personal information we hold about you, subject to legal retention requirements (we will tell you what we must retain and why)
- Export (data portability): Receive your personal information in a structured, machine-readable format
- Opt-out of marketing: We do not currently send marketing email, but if we ever do, you can opt out at any time
8.2 California residents (CCPA / CPRA)
If you are a California resident, you have these additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to know what categories of personal information we have collected about you, the sources, the business or commercial purpose for collection, and the categories of third parties with whom we have shared it
- Right to delete personal information we collected from you, subject to legal exceptions
- Right to correct inaccurate personal information
- Right to opt out of sale or sharing of personal information. Project Baseline does not sell or share personal information as defined by the CCPA.
- Right to limit use of sensitive personal information. We do not collect "sensitive personal information" as defined by the CCPA, except occasionally an account password (which is bcrypt-hashed and never visible to us).
- Right to non-discrimination for exercising any of these rights. We will not deny service, charge different prices, or provide a different quality of service because you exercised a CCPA right.
- Authorized agents: You may designate an authorized agent to exercise these rights on your behalf. We will require proof of the agent's authorization (typically a signed permission and identity verification of the consumer).
Categories of personal information we have collected in the past 12 months (CCPA)
| CCPA category | Specific information | Source | Purpose | Disclosed to (categories of third parties) |
|---|---|---|---|---|
| Identifiers | Name, email, phone, business name | Direct from you, referrals | Service delivery, communications | Sub-processors (Google Workspace, Cloudflare, Stripe, etc.) |
| Customer records (Cal. Civ. Code section 1798.80(e)) | Business address, billing details | Direct from you | Service delivery, billing | Sub-processors (Google, Stripe) |
| Commercial information | Service history, package selections | Direct from you, our records | Service delivery, billing | Sub-processors (Stripe) |
| Internet activity | Pages visited, IP address, submission timestamps | Automatic collection on our websites | Service operation, abuse prevention | Sub-processors (Cloudflare, DigitalOcean) |
| Geolocation (general, not precise) | IP-derived city / region | Automatic | Abuse detection, geographic relevance | Sub-processors (Cloudflare) |
| Professional information | Organization name, role, mission, financials | Direct from you | Service delivery (consulting) | Sub-processors (Google Workspace) |
| Inferences | Service fit assessments derived from your inputs | Derived from your submissions | Service delivery | Sub-processors only as needed |
We have not sold or shared any of the above categories of personal information in the past 12 months.
How to exercise CCPA rights
Email [email protected] with the subject line "California Privacy Request." We will acknowledge within 10 business days and complete within 45 days (extendable once by 45 additional days with notice), the statutory CCPA timelines; in practice we aim to meet the 7-day acknowledgment and 30-day completion timelines stated in Section 8 for all users.
8.3 European Economic Area, United Kingdom, and Switzerland residents (GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have these rights under the General Data Protection Regulation (GDPR), the UK GDPR, and the Swiss Federal Act on Data Protection:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure ("right to be forgotten") (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object to processing based on legitimate interest (Article 21)
- Rights related to automated decision-making and profiling (Article 22). We do not engage in automated decision-making with legal or similarly significant effects.
- Right to withdraw consent at any time (where processing is based on consent)
- Right to lodge a complaint with your local supervisory authority
Lawful basis for processing: As described in Section 3, our processing is based on (a) contract performance, (b) legitimate interest (limited to service operation and abuse prevention), and (c) legal obligation (tax records, breach notification).
International transfers: Project Baseline is based in the United States, and all of our sub-processors are US-based (each one's processing location is listed in Section 4.1; Cloudflare additionally operates edge locations worldwide). When we transfer your personal information from the EEA, UK, or Switzerland to the United States, we rely on (a) sub-processor commitments under the EU-US Data Privacy Framework (including its UK Extension and the Swiss-US DPF) where applicable, (b) Standard Contractual Clauses incorporated by reference into sub-processor DPAs, or (c) your explicit consent for the specific transfer.
Data protection contact: Todd Walton, Principal, [email protected]. As a small organization, we do not appoint a separate Data Protection Officer; the Principal serves as the data protection contact.
To exercise GDPR rights, email [email protected] with the subject line "GDPR Request." We will respond within 30 days.
8.4 Other US state privacy laws
If you reside in a US state with a comprehensive consumer privacy law (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, New Hampshire, New Jersey, Delaware, Minnesota, Maryland, or other applicable jurisdictions), you have rights similar to those described above. Exercise them by emailing [email protected].
9. Cookies and similar technologies
We use minimal cookies and local-storage values only as needed to operate our services:
- Authentication tokens stored in your browser to maintain login sessions on the client portal
- Session cookies to support form submissions and CSRF protection
- Functional cookies to remember your preferences within a session
We do not use:
- Third-party advertising cookies
- Cross-site tracking pixels
- Behavioral analytics that profile individual users
- Social plugins that track users on third-party sites
We do not respond to "Do Not Track" browser signals because there is no industry standard for what compliance means. Because we do not sell or share personal information, an opt-out preference signal such as Global Privacy Control has nothing to opt you out of. We honor your CCPA opt-out and GDPR rights regardless of browser signals.
10. Children's privacy
Our services are intended for adults (18+) and for organizations. We do not knowingly collect personal information from children under 13 (or under 16 in jurisdictions where that is the applicable age). If you believe we have collected information from a child, contact [email protected] and we will delete it.
11. Third-party links
Our websites may contain links to third-party services (Stripe, Calendly, social media platforms, our sub-processors, partner organizations). When you follow a link to a third-party site, that site's privacy policy governs the information they collect. We encourage you to review the privacy policies of any third-party services you use through our tools.
12. Sub-processor change notification
When we add a new sub-processor that will process the personal information of clients with active engagements, we provide at least 30 days' advance notice via (a) update to this Privacy Policy at https://www.project-baseline.com/privacy and (b) direct email to active clients. Clients may object to a new sub-processor; we will discuss whether the engagement can continue under modified processing terms.
13. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to clients with active engagements at least 30 days before the change takes effect. Non-material changes (clarifications, typo corrections, updates to a sub-processor's legal name) take effect on the "Last Updated" date below.
When the policy changes, we maintain prior versions for reference and post a summary of the change at the top of this document for at least 90 days after the effective date.
14. Contact us
For any privacy question, request, or concern:
Project Baseline Inc.
Email: [email protected]
Phone: (855) 616-6333
Website: https://www.project-baseline.com
Trust Center: https://www.project-baseline.com/trust
- For California Privacy Rights Act requests, use the subject line "California Privacy Request."
- For GDPR, UK GDPR, or Swiss FADP requests, use the subject line "GDPR Request."
- For security concerns or vulnerability reports, use the subject line "Security."
Document Control
- Version: 2.0
- Effective date: May 22, 2026
- Last updated: May 22, 2026
- Supersedes: Privacy Policy v1.0 (effective March 10, 2026)
- Owner: Todd Walton, Principal, Project Baseline Inc.
- Review cadence: Annual, plus event-driven on sub-processor change or material business change