Privacy Policy

Overview

Rowanstone LLC ("Rowanstone," "we," "us," or "our") is committed to the responsible handling of personal and institutional information. This Privacy Policy describes how Rowanstone collects, uses, stores, discloses, and protects information obtained through its website (rowanstone.org), diagnostic platform, and advisory engagements.

This Policy applies to all individuals who interact with Rowanstone's services, including website visitors, inquiry submitters, diagnostic survey participants, and institutional clients. By using Rowanstone's website or participating in a Rowanstone engagement, you acknowledge that you have read and understood this Policy.

Rowanstone is designed to provide organizational insight while preserving participant confidentiality and minimizing institutional risk. The protections described below reflect that commitment.

Information We Collect

Rowanstone collects only information that is reasonably necessary to operate its services and fulfill its professional obligations.

Contact and Inquiry Information

Information voluntarily submitted through website forms or direct communication, including name, professional email address, organizational affiliation, role or title, and message content.

Diagnostic Survey Responses

Participants in Rowanstone diagnostic engagements submit structured responses to questionnaires assessing organizational dynamics. These responses are collected solely to produce aggregated institutional analysis. Survey responses are not linked to individual identities in any report, output, or disclosure absent explicit written consent from the participant. See "Confidentiality of Diagnostic Data" below.

Professional and Organizational Context

Organizations and their representatives may voluntarily provide contextual information relevant to a diagnostic engagement, including organizational structure, governance arrangements, and operational history. This information is used exclusively in connection with the contracted engagement.

Technical and Usage Data

Rowanstone's website may collect standard technical data through analytics tools, including IP address (truncated or anonymized where practicable), browser type, device category, pages visited, and session duration. This data is used solely for website performance and improvement purposes and is not linked to identifiable individuals.

How We Use Information

Rowanstone uses collected information only for the following purposes:

• Responding to inquiries and managing client communications
• Administering and delivering diagnostic engagements
• Aggregating and analyzing survey responses to produce institutional reports
• Maintaining engagement records for professional and contractual purposes
• Complying with applicable legal obligations
• Improving website functionality and service quality

Rowanstone does not sell, rent, license, or otherwise transfer personal information to third parties for commercial, advertising, or unrelated purposes.

Confidentiality of Diagnostic Data

Rowanstone treats all diagnostic engagement data — including survey responses, organizational context, and report outputs — as confidential professional information governed by the terms of the applicable engagement agreement.

The following protections apply to all diagnostic engagements:

• Survey responses are analyzed exclusively in aggregate form. No individual response is attributed to a named participant in any report, summary, or disclosure without that participant's prior explicit written consent.
• Individual survey responses are not shared with a client's board, executives, managers, or other participants. Rowanstone reports aggregate findings, structural patterns, and organizational observations only.
• Rowanstone does not report findings for any subgroup where the number of respondents is too small to preserve anonymity. Responses from subgroups below a minimum threshold of five participants are merged into larger categories or omitted from subgroup-level reporting.
• Diagnostic reports describe structural patterns within institutions. They do not identify, quote, or characterize individual respondents.
• Engagement data — including client identity, scope of work, and findings — is not disclosed to third parties except as required by law or as expressly authorized in writing by the client institution.
• Access to identifiable diagnostic data is limited to Rowanstone personnel directly involved in the relevant engagement, each of whom is bound by professional confidentiality obligations.

Rowanstone's confidentiality obligations to institutional clients survive the conclusion of an engagement.

Use of Automated and AI Tools

Rowanstone may use automated and software-based tools to assist in organizing and analyzing diagnostic data. Where such tools are used, the following protections apply:

• Rowanstone does not use client responses, engagement data, or personal information to train artificial intelligence models, and does not contribute such data to any third-party model-training process.
• Any automated or AI tools used in analysis operate under contractual terms that prohibit the retention, reuse, or disclosure of client data for purposes beyond the contracted engagement.
• Client data is never sold, licensed, or used for unrelated commercial purposes.
• Diagnostic interpretation and final reporting remain subject to professional human review and oversight.

Data Storage and Security

Engagement data and personal information are stored using Supabase, a cloud database platform with infrastructure located in the United States. Supabase maintains SOC 2 Type II compliance and implements industry-standard encryption at rest and in transit.

Rowanstone maintains administrative, technical, and physical safeguards appropriate to the sensitivity of the information held, including access controls, limited internal data access, and secure data transmission protocols.

No method of electronic storage or internet transmission is unconditionally secure. Rowanstone takes commercially reasonable measures to protect data integrity and confidentiality, and will notify affected parties promptly in the event of a confirmed data breach involving personal information, consistent with applicable law.

Third-Party Service Providers

Rowanstone engages a limited number of third-party service providers to operate its website and diagnostic platform. These providers act as data processors on Rowanstone's behalf and are permitted to use information only as necessary to deliver contracted services.

• Hosting and infrastructure: Vercel
• Database and data storage: Supabase
• Payment processing: Stripe
• Email delivery: Resend

Each provider operates under its own privacy and security policies. Rowanstone selects providers that maintain standards consistent with this Policy and applicable data protection requirements. Rowanstone does not authorize third-party providers to use engagement data or personal information for their own commercial purposes.

Data Retention

Rowanstone retains personal information and engagement data only for as long as necessary to fulfill the purposes described in this Policy or as required by applicable law or professional obligation.

Raw diagnostic survey data is retained for twelve (12) months following delivery of the final report, after which it is permanently deleted or de-identified, unless a longer period is agreed in writing or required by law.

Upon written request, Rowanstone will permanently delete all identifiable project data following report delivery, subject to any overriding legal retention obligation. Individuals or institutional clients may also request earlier deletion of their data by contacting Rowanstone at the address below.

Your Rights

Individuals whose personal information is held by Rowanstone may request access, correction, deletion (subject to legal obligations), or restriction of processing.

Rowanstone does not discriminate against individuals who exercise their data rights.

Governing Law

This Policy is governed by the laws of the jurisdiction in which Rowanstone LLC is organized, without regard to conflict of law principles. Any disputes arising under this Policy shall be resolved in accordance with applicable law.

Updates to This Policy

Rowanstone may revise this Policy periodically to reflect changes in its operations, legal obligations, or service infrastructure. Material changes will be posted on the Rowanstone website with an updated effective date. Continued use of Rowanstone's services following the posting of a revised Policy constitutes acceptance of the updated terms.