Privacy & Data Access Policy

1. Introduction

The AGI Administration & Governance Framework ("Project") is committed to protecting your privacy and ensuring transparent data practices. This policy explains what data we collect, how we use it, and your rights regarding your information.

Last Updated: December 2024

2. Data We Collect

Assessment Data

• Organization Name: Name of the institution taking the assessment
• Assessment Responses: Your answers to governance questionnaire
• Calculated Scores: Derived from your responses (maturity levels, section scores)
• Timestamp: When the assessment was completed

User Account Data (if registered)

• Email address
• Name/Institution affiliation
• Account creation date
• Assessment history

Technical Data

• IP address (from server logs)
• Browser type and version
• Pages accessed
• Timestamps of activity
• Error logs if applicable

What We Do NOT Collect

• Sensitive personal information beyond what you provide
• Passwords in plain text (encrypted storage only)
• Credit card or payment information
• Biometric data
• Data about individuals within your organization

3. How We Use Your Data

Primary Purposes

• Assessment Processing: Calculate governance maturity scores and provide feedback
• Account Management: Maintain user accounts and assessment history
• Report Generation: Create downloadable assessment reports
• Research & Improvement: Anonymized data to improve assessment accuracy (with consent)

Secondary Purposes

• Communication: Send updates about framework improvements
• Security: Detect and prevent fraud or abuse
• Compliance: Meet legal and regulatory obligations
• Analytics: Understand how users interact with our tool

What We Do NOT Do

• Sell or share your data with third parties for marketing
• Use assessment data to rank or publicly compare organizations
• Share raw assessment responses without your consent
• Use data for purposes other than governance framework development

4. Data Storage & Security

Technical Safeguards

• Encryption: Data encrypted in transit (TLS 1.3) and at rest
• Access Control: Role-based access; only authorized staff access data
• Database Security: PostgreSQL with password authentication
• Regular Backups: Daily encrypted backups with tested recovery procedures
• Monitoring: Continuous security monitoring and intrusion detection

Data Retention

• Assessment Records: Retained for 2 years or until you request deletion
• User Accounts: Active while account exists; 30 days after deletion
• Server Logs: Retained for 90 days for security purposes
• Backup Data: Retained according to backup schedule

Infrastructure

• Hosted on secure servers with physical access controls
• Regular security audits and penetration testing
• Automatic security patches and updates
• Redundancy and disaster recovery capabilities

5. Your Data Rights & Access

Right to Access

You have the right to request a copy of all data we hold about you. We will provide this within 14 days in a machine-readable format.

Right to Rectification

If your data is inaccurate, you can request correction. Contact us with details of what needs to be updated.

Right to Erasure

You can request deletion of your account and associated data. We will delete within 14 days, except where legally required to retain.

Right to Restrict Processing

You can request that we limit how we use your data while we verify its accuracy or your rights.

Right to Data Portability

You can download your assessment data in JSON or CSV format for use elsewhere.

Right to Object

You can object to certain uses of your data, including analytics or research uses (where not essential).

How to Exercise These Rights

Contact us at: privacy@agi-framework.org

Include your assessment ID or registered email address and specify your request.

6. Anonymized & Aggregate Data

We may use anonymized and aggregated data (without identifying information) for:

• Improving assessment accuracy and relevance
• Understanding governance trends across organizations
• Publishing research on AGI governance maturity
• Benchmarking and performance comparisons (aggregate only)

Important: Anonymized data cannot be linked back to your organization. This data is never sold or shared with external parties for commercial purposes.

7. Third-Party Services

Services We Use

• Cloud Hosting: Infrastructure providers (details available on request)
• Email Services: For sending reports and notifications
• Analytics: Privacy-respecting analytics tools (no third-party tracking)

Data Sharing with Third Parties

We only share data with third parties:

• To provide the services you requested
• As required by law or court order
• With your explicit consent
• Under data processing agreements that include privacy protections

International Transfers

If data is transferred internationally, we ensure adequate protections through Standard Contractual Clauses or other legal mechanisms.

8. Children & Minors

This service is not intended for individuals under 18 years old. We do not knowingly collect data from minors. If we become aware a minor has provided data, we will delete it promptly.

9. Security Incident Response

If Your Data Is Compromised

• We will notify affected individuals within 72 hours of discovery
• We will provide details of the incident and protective measures
• We will cooperate with relevant authorities
• We will implement measures to prevent recurrence

Report Security Issues

If you discover a security vulnerability, please email: security@agi-framework.org

10. Policy Changes

We may update this policy periodically to reflect changes in our practices or legal requirements. We will:

• Post the updated policy here with a new "Last Updated" date
• Notify users of material changes via email
• Request consent for significant changes affecting your data

11. Contact & Complaints

Questions About This Policy

Email: privacy@agi-framework.org

Data Protection Officer

We maintain a Data Protection Officer to oversee privacy matters.

Complaints

You have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.

Mailing Address

AGI Governance Framework
Privacy & Compliance
[Your Address]
[City, Country]

Summary: What We Promise

• ✓ Your data is encrypted and secure
• ✓ We don't sell or commercially exploit your information
• ✓ You can access, correct, or delete your data anytime
• ✓ Assessments are private unless you choose to share them
• ✓ We use anonymized data only to improve the framework
• ✓ Transparent practices with regular audits
• ✓ Clear communication if anything changes