Privacy Policy

Project Baseline LLC ("Project Baseline," "we," "us," "our") is a strategy consulting practice based in Illinois, USA. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use our website at project-baseline.com, audit.project-baseline.com, nonprofit.project-baseline.com, or any related Project Baseline service.

If you have questions, email todd@project-baseline.com.

1. What we collect

Information you give us directly

• Audit and intake forms. Email address, organization or project name, role, brief description of what you do, your AI usage tier, and your answers to the 10 readiness questions.
• Payment information. When you purchase a service, Stripe processes your payment. We receive your name, email, and the last four digits of the card. We never see or store full card numbers.
• Communications. Anything you email or message us, including replies to audit emails, scheduling requests, and consultation notes.
• Documents you share. If you engage us for a paid service (Brief, Setup, Foundation Package, etc.), we may receive documents from you (procedures, financials, IRS letters, brand assets) used solely to deliver the service you paid for.

Information collected automatically

• Standard server logs. Browser type, referring URL, request timestamp, IP address (for security and rate-limiting only). We do not use these for marketing.
• Attribution parameters. If you click a link with UTM parameters (e.g., utm_source=manychat), we record the parameter so we know which channel referred you.
• Cookies. Cloudflare may set strictly-necessary cookies for session management and bot protection. We do not use advertising cookies or sell tracking data.

2. How we use it

• To generate and deliver the AI Readiness Self-Audit you requested
• To deliver paid services you purchase (briefs, setups, packages, advisory)
• To respond to your messages and schedule sessions
• To process payments through Stripe
• To improve our services (we look at aggregated patterns: audit completion rate, common dimension scores, etc.)
• To comply with legal obligations

We do not sell your information. We do not share it for advertising. We do not use it to train any third-party AI model.

3. Third parties we work with

To run our service, we share limited information with the following processors:

• Anthropic (Claude API). Your audit inputs are sent to Anthropic's Claude model to generate the personalized report. Anthropic does not retain prompt data for training. Anthropic Privacy Policy.
• Resend. Email delivery. Resend Privacy Policy.
• Cloudflare. Website hosting and CDN. Cloudflare Privacy Policy.
• Stripe. Payment processing. Stripe Privacy Policy.
• Google Workspace. Email and calendar for Project Baseline staff. Google Privacy Policy.

We do not share your information with any other third party except when required by law (subpoena, court order) or in the event of a merger or acquisition (you would be notified).

4. How long we keep it

• Audit submissions and generated reports: 90 days, then automatically deleted unless you have engaged us for a paid service.
• Paid client records: 7 years (required for tax and accounting).
• Email communications: Retained until you ask us to delete or until the engagement is closed plus 7 years.
• Stripe payment records: Retained per Stripe's policies and tax law.

5. Your rights and choices

You can:

• Access a copy of the information we have about you
• Correct information that is wrong
• Delete your information (we will delete what we are not required to retain by law)
• Object to certain processing
• Receive a portable copy of your information in a common format
• Opt out of marketing emails via the unsubscribe link or by emailing us

To exercise any of these, email todd@project-baseline.com with the request and the email address you used. We respond within 30 days.

California (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, including the right to know what we collect, the right to delete, and the right to opt out of sale of personal information. We do not sell personal information.

European Economic Area / United Kingdom (GDPR / UK GDPR)

If you are in the EEA or UK, you have rights under GDPR including access, rectification, erasure, restriction, portability, and objection. The legal basis for our processing is your consent (when you submit the audit form), the performance of a contract (when you purchase a service), and legitimate interest (in running our business).

6. Children

Our services are not directed to children under 16 and we do not knowingly collect information from anyone under 16. If you believe we have collected information from a child under 16, email todd@project-baseline.com and we will delete it.

7. Security

We use industry-standard practices: encrypted connections (HTTPS), credentials in environment variables, audited cloud providers, and regular security review. No system is perfectly secure. If a security event affects you, we will notify you per applicable law.

8. International transfers

Project Baseline operates from the United States. If you access our service from outside the US, your information is transferred to and processed in the US. By using our service, you consent to this transfer.

9. Changes to this policy

We may update this policy. The "Effective" date at the top reflects the latest version. For material changes, we will notify users with active engagements via email.

10. Contact

Project Baseline LLC
Attn: Todd Walton, Founder
todd@project-baseline.com
Illinois, USA