Privacy Policy

Overview

Rowanstone LLC ("Rowanstone," "we," "us," or "our") is committed to the responsible handling of personal and institutional information. This Privacy Policy describes how Rowanstone collects, uses, stores, discloses, and protects information obtained through its website (rowanstone.org), diagnostic platform, and advisory engagements.

This Policy applies to all individuals who interact with Rowanstone's services, including website visitors, inquiry submitters, diagnostic survey participants, and institutional clients. By using Rowanstone's website or participating in a Rowanstone engagement, you acknowledge that you have read and understood this Policy.

Information We Collect

Rowanstone collects only information that is reasonably necessary to operate its services and fulfill its professional obligations.

Contact and Inquiry Information

Information voluntarily submitted through website forms or direct communication, including name, professional email address, organizational affiliation, role or title, and message content.

Diagnostic Survey Responses

Participants in Rowanstone diagnostic engagements submit structured responses to questionnaires assessing organizational dynamics. These responses are collected solely to produce aggregated institutional analysis. Survey responses are not linked to individual identities in any report, output, or disclosure absent explicit written consent from the participant. See "Confidentiality of Diagnostic Data" below.

Professional and Organizational Context

Organizations and their representatives may voluntarily provide contextual information relevant to a diagnostic engagement, including organizational structure, governance arrangements, and operational history. This information is used exclusively in connection with the contracted engagement.

Technical and Usage Data

Rowanstone's website may collect standard technical data through analytics tools, including IP address (truncated or anonymized where practicable), browser type, device category, pages visited, and session duration. This data is used solely for website performance and improvement purposes and is not linked to identifiable individuals.

How We Use Information

Rowanstone uses collected information only for the following purposes:

• Responding to inquiries and managing client communications
• Administering and delivering diagnostic engagements
• Aggregating and analyzing survey responses to produce institutional reports
• Maintaining engagement records for professional and contractual purposes
• Complying with applicable legal obligations
• Improving website functionality and service quality

Rowanstone does not sell, rent, license, or otherwise transfer personal information to third parties for commercial, advertising, or unrelated purposes.

Confidentiality of Diagnostic Data

Rowanstone treats all diagnostic engagement data — including survey responses, organizational context, and report outputs — as confidential professional information governed by the terms of the applicable engagement agreement.

The following protections apply to all diagnostic engagements:

• Survey responses are analyzed exclusively in aggregate form. No individual response is attributed to a named participant in any report, summary, or disclosure without that participant's prior explicit written consent.
• Diagnostic reports describe structural patterns within institutions. They do not identify, quote, or characterize individual respondents.
• Engagement data — including client identity, scope of work, and findings — is not disclosed to third parties except as required by law or as expressly authorized in writing by the client institution.
• Rowanstone personnel with access to engagement data are bound by professional confidentiality obligations.

Rowanstone's confidentiality obligations to institutional clients survive the conclusion of an engagement.

Data Storage and Security

Engagement data and personal information are stored using Supabase, a cloud database platform with infrastructure located in the United States. Supabase maintains SOC 2 Type II compliance and implements industry-standard encryption at rest and in transit.

Rowanstone maintains administrative, technical, and physical safeguards appropriate to the sensitivity of the information held, including access controls, limited internal data access, and secure data transmission protocols.

No method of electronic storage or internet transmission is unconditionally secure. Rowanstone takes commercially reasonable measures to protect data integrity and confidentiality, and will notify affected parties promptly in the event of a confirmed data breach involving personal information, consistent with applicable law.

Third-Party Service Providers

Rowanstone engages a limited number of third-party service providers to operate its website and diagnostic platform. These providers act as data processors on Rowanstone's behalf and are permitted to use information only as necessary to deliver contracted services.

• Hosting and infrastructure: Vercel
• Database and data storage: Supabase
• Payment processing: Stripe
• Email delivery: Resend

Each provider operates under its own privacy and security policies. Rowanstone selects providers that maintain standards consistent with this Policy and applicable data protection requirements. Rowanstone does not authorize third-party providers to use engagement data or personal information for their own commercial purposes.

Data Retention

Rowanstone retains personal information and engagement data only for as long as necessary to fulfill the purposes described in this Policy or as required by applicable law or professional obligation. Upon conclusion of an engagement, client data is retained for a defined period consistent with standard professional recordkeeping practices and then deleted or de-identified.

Individuals or institutional clients may request earlier deletion of their data by contacting Rowanstone at the address below.

Your Rights

Individuals whose personal information is held by Rowanstone may request access, correction, deletion (subject to legal obligations), or restriction of processing.

Rowanstone does not discriminate against individuals who exercise their data rights.

Governing Law

This Policy is governed by the laws of the jurisdiction in which Rowanstone LLC is organized, without regard to conflict of law principles. Any disputes arising under this Policy shall be resolved in accordance with applicable law.

Updates to This Policy

Rowanstone may revise this Policy periodically to reflect changes in its operations, legal obligations, or service infrastructure. Material changes will be posted on the Rowanstone website with an updated effective date. Continued use of Rowanstone's services following the posting of a revised Policy constitutes acceptance of the updated terms.