The short version
We collect the minimum we need to run the site, talk with you, and deliver the work you've hired us for. We don't sell your data. We don't train AI models on it. We keep it as long as we need it, then we delete it.
addAItive is a small consultancy. We help organizations apply AI safely and meaningfully. Privacy is part of what we sell, so we hold ourselves to the same standards we ask our clients to adopt.
The rest of this page explains exactly what we do with the information that touches our systems. If you'd rather skim, each section opens with a one-sentence summary in a green box.
Who this covers
This policy covers everyone who visits addaitive.com, contacts us, or works with us as a client.
This privacy policy applies to:
- Visitors to addaitive.com and any other website we operate.
- Prospects who contact us through our forms, by email, or in person.
- Clients we work with under a written engagement agreement.
- Vendors and partners whose people we coordinate with.
Information we handle on behalf of a client (their data, their users' data) is governed by the contract with that client (see Client and engagement data). This policy describes what we do with information about you.
What we collect
Your name, work email, organization, what you wrote to us, and basic technical information about your visit.
Information you give us
Information we collect automatically
What we don't collect
We don't ask for, and we don't want, sensitive personal information through this site (Social Security numbers, bank details, health information, login credentials). If you send us something we don't need, we'll delete it.
Why we collect it
To answer your questions, deliver the work, keep the site secure, and improve what we publish.
We use the information described above to:
- Reply to you. If you write through the contact form or by email, we read it and respond.
- Deliver engagements. If we're working together, we use the information your team shares to do the work and to keep records of what we did.
- Send updates you asked for. If you subscribed to our writing, we send it.
- Keep the site running and safe. Server logs help us find bugs, defend against abuse, and meet our security obligations.
- Improve our work. Aggregate analytics tell us which pieces of writing are useful, which pages confuse people, and where to spend time.
- Meet legal obligations. If a law or court order requires us to retain or disclose information, we comply, narrowly.
What we don't do. We don't sell your data. We don't trade it. We don't use it for cross-site advertising. We don't send it to data brokers.
Who we share it with
A short list of vendors who help us run the business, and only when the law requires it.
We share information only in these specific cases:
- Service providers we depend on. Email delivery (transactional and newsletter), site hosting, error reporting, and the contact-form backend. Each vendor is bound by a written agreement, processes data only on our instructions, and is named on request.
- Professional advisors. Lawyers, accountants, and auditors, where the engagement is genuinely confidential.
- If the law requires it. A subpoena, court order, or other legal process. We push back on overly broad requests.
- If we sell or merge the business. The successor entity inherits the same obligations under this policy. We'll tell you before that takes effect.
We don't share your information with advertising networks. We don't share it with data brokers. We don't share it with marketing partners.
How long we keep it
As long as we're working together, plus a sensible window after, then we delete it.
You can ask us to delete your information sooner. See Your rights and choices.
How we protect it
Encryption in transit and at rest, the smallest possible access list, written incident response.
We apply the same security baseline we recommend to clients: data is encrypted in transit (TLS) and at rest, access is granted on a least-privilege basis, secrets live in a vault (never in code), and every change goes through review and audit logging.
No one can promise perfect security. We can promise that if something happens, we'll tell you in plain language, on a timeline that meets or exceeds applicable law, and we'll explain what we're doing about it.
Client and engagement data
If we're handling your organization's data, our contract with you, not this page, is the source of truth.
When we're engaged to work with a client's data (their documents, their staff information, their constituent records), the legal framework is the engagement contract and any data-processing agreement attached to it. Those documents specify:
- What data we're authorized to handle, and at what classification.
- Where it's stored, who at addAItive can see it, and for how long.
- Which laws apply (FERPA, HIPAA, COPPA, state privacy acts, sector rules).
- How a breach is communicated and on what timeline.
- What happens to the data when the engagement ends.
We default to the strictest reasonable handling: classification before access, local-only models for regulated tiers, audit trails on every action. If you're a client and you'd like a copy of your DPA, write us.
AI models and your data
We don't use your data to train AI models. We don't let our vendors do it either.
This is a question we get often, so we want to be specific:
- We do not train AI models on your information. Not the messages you send us, not the data we handle in engagements, not the writing you read on this site.
- We use commercial AI services in our work, in the same way other professional firms do. The services we use are configured so that your data is not used to train their models. We review those configurations periodically.
- For sensitive client data, we use models that run on the client's own infrastructure or in a sovereign tenant. Open-weight models (Llama, Mistral, Gemma) on a workstation or a small GPU rack, with data that never leaves the perimeter. Which path fits which engagement is decided at scoping time, before any data is touched.
- If a vendor's terms change in a way that would let them train on your data, we move off that vendor. This isn't a hypothetical, it's an ongoing review.
Cookies and analytics
Functional cookies only. Aggregate analytics with no advertising identifiers.
We use a small number of cookies to keep the site working (remembering your accessibility preferences, keeping a form from submitting twice). We don't set advertising cookies and we don't allow third-party advertising scripts.
For analytics, we use a privacy-respecting tool that records page views and traffic sources at an aggregate level. It does not assign you a persistent identifier, does not follow you across sites, and does not set advertising cookies. You can opt out of analytics with the standard browser controls (Do Not Track, Global Privacy Control); we honor those signals.
Your rights and choices
You can see what we have, correct it, delete it, or take it elsewhere. Email us; we'll respond within 30 days.
Wherever you live, you can ask us to:
- Show you the personal information we hold about you.
- Correct anything that's wrong.
- Delete it, except where we have a legal obligation to retain.
- Export it in a machine-readable format you can take elsewhere.
- Stop processing it for marketing purposes, immediately.
- Object to other processing where the law gives you that right.
For residents of California (CCPA/CPRA), the EU and UK (GDPR/UK GDPR), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states with comprehensive privacy laws, the same rights apply, and we comply with the procedural requirements those laws specify (verification, response timelines, appeal paths).
To exercise any of these rights, write to privacy@addaitive.com. We'll respond within 30 days, sooner where the law requires it.
Children's privacy
This site isn't directed to children. We don't knowingly collect information from anyone under 13.
addAItive's website and contact channels are aimed at organizations and the adults who run them. We do not knowingly collect personal information from children under 13 (or under 16 in some jurisdictions). If you believe a child has sent us information, write to privacy@addaitive.com and we'll delete it.
When we work with K-12 districts under contract, that work is governed by FERPA, COPPA where applicable, and the district's own data-sharing rules, not by this policy.
Where your data lives
Primarily in the United States. We use US-based vendors by default.
addAItive is a US company. Our default is to keep data in the United States, with US-based service providers. If you're writing from outside the US, you should know your information will travel here to reach us.
For client engagements with data-residency requirements (state, sector, or international), the engagement contract specifies where the data lives and we operate accordingly.
Changes to this policy
We update the date at the top when something meaningful changes. Subscribed clients get an email.
We update this policy when our practices change, when the law changes, or when we find a clearer way to explain something. Every change updates the "Last updated" date at the top of the page.
If a change is material (anything that affects what we collect, what we share, or what your rights are), we'll announce it on the homepage and email anyone who has an active subscription with us at least 30 days before it takes effect.
How to reach us
One human, one email. We answer in plain language.
For anything related to this policy, your information, or a request to exercise the rights described above:
If you've contacted us about a privacy concern and you don't feel we've resolved it, you have the right to complain to a data-protection authority in your jurisdiction. We'd appreciate the chance to fix it first.