Ampersand

1. Introduction

Ampersand Business Continuity, LLC ("Ampersand," "we," "us," or "our") operates the Ampersand Business Continuity platform ("Service"). This Privacy Policy describes the types of information we may collect or that you may provide when you use the Service, and our practices for handling that information. By using the Service, you acknowledge that you have read and understand this Privacy Policy.

This Privacy Policy does not guarantee any particular level of privacy protection or security. We make reasonable efforts to protect your information but cannot and do not guarantee that your information will be completely secure at all times.

2. Information We Collect

We may collect the following types of information:

Account Information

When you register, we collect your name, email address, organization name, and role within the organization. Organization administrators may also provide information about other team members when inviting them to the platform.

Business Continuity Data

You may enter business impact analyses, contingency plans, incident records, recovery procedures, contact information, and other organizational content into the Service ("User Content"). You are responsible for the content you submit and should not enter information that you are not authorized to share.

Usage and Technical Data

We automatically collect certain technical information when you use the Service, which may include IP addresses, browser type and version, operating system, pages visited, features used, timestamps, referring URLs, and general usage patterns.

AI Processing

The Service uses third-party artificial intelligence providers, including Anthropic (Claude), to power certain features such as content generation, analysis, and suggestions. When you use AI-powered features, your data, including User Content such as business impact analyses, contingency plans, and incident details, may be transmitted to and processed by these AI providers. We do not control how third-party AI providers handle data beyond our contractual agreements with them.

Cookies and Similar Technologies

We use essential cookies for authentication (session tokens) and security (CSRF protection tokens). These cookies are necessary for the Service to function. We may also use additional cookies or similar technologies in the future for analytics, performance, or other purposes.

3. How We Use Your Information

We may use the information we collect for any lawful purpose, including but not limited to:

• Providing, operating, maintaining, and improving the Service
• Authenticating your identity and managing access control
• Sending transactional communications (account verification, password resets, invitations, security alerts)
• Processing your data through third-party AI providers (such as Anthropic's Claude) to generate plans, analyses, suggestions, and other AI-powered features
• Analyzing usage patterns to improve the platform and develop new features
• Generating aggregated, anonymized, or de-identified data for analytics, benchmarking, research, or other purposes
• Enforcing our Terms of Service and protecting our rights and the rights of others
• Complying with applicable laws, regulations, legal processes, or governmental requests
• Any other purpose described to you at the time of collection or for which you provide consent

4. Data Sharing and Disclosure

We may share your information in the following circumstances:

• Service Providers and AI Providers: We may share information with third-party vendors, consultants, and service providers who perform services on our behalf, including hosting, data storage, analytics, customer support, and artificial intelligence providers (such as Anthropic) that process your data to power AI features of the Service
• Legal Requirements: We may disclose information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency)
• Business Transfers: In connection with any merger, acquisition, sale of assets, financing, or transfer of all or a portion of our business, your information may be transferred as part of such transaction
• Protection of Rights: We may disclose information when we believe disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request
• With Your Consent: We may share information for any other purpose with your consent or at your direction
• Aggregated/De-identified Data: We may share aggregated or de-identified data that cannot reasonably be used to identify you, without restriction

We do not sell your personal information to third parties for their direct marketing purposes.

5. Data Storage and Security

We use commercially reasonable technical and organizational measures to protect your information. These measures may include encryption, access controls, secure authentication mechanisms, and regular security assessments. However, no method of transmission over the Internet or method of electronic storage is completely secure, and we cannot guarantee the absolute security of your information.

You acknowledge and agree that you transmit information to and through the Service at your own risk. We shall not be liable for any unauthorized access, use, or disclosure of your information except to the extent such liability cannot be excluded by applicable law. In the event of a data breach affecting your personal information, we will notify affected users and relevant authorities as required by applicable law.

6. Data Retention

We retain your information for as long as your account is active or as needed to provide the Service. We may also retain and use your information as necessary to comply with our legal obligations, resolve disputes, enforce our agreements, and for other legitimate business purposes. Upon account termination, we may retain your data for a reasonable period as determined by us in our sole discretion. We are under no obligation to delete your data upon request, except as required by applicable law.

7. Your Choices

Depending on your location and applicable law, you may have certain rights regarding your information, which could include:

• Accessing the personal information we hold about you
• Requesting correction of inaccurate information
• Requesting deletion of your account (subject to our retention policies and legal obligations)
• Exporting your data through available platform features
• Opting out of non-essential communications

To exercise any applicable rights, please contact us using the information below. We will respond to requests in accordance with applicable law, but we reserve the right to decline requests that are unreasonable, impractical, or not required by law.

8. Cookies

We currently use essential cookies required for the Service to function (authentication and security tokens). We may in the future use additional cookies or similar tracking technologies for analytics, personalization, or other purposes. We will update this policy to reflect any material changes to our cookie practices. By continuing to use the Service, you consent to our use of cookies as described in this policy. We do not currently respond to "Do Not Track" browser signals.

9. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will take steps to delete such information promptly.

10. International Data Transfers

Your information may be processed and stored in any country where we or our service providers operate. By using the Service, you consent to the transfer of your information to countries that may have different data protection laws than your country of residence.

11. California Privacy Rights

If you are a California resident, you may have additional rights under the California Consumer Privacy Act ("CCPA") and the California Privacy Rights Act ("CPRA"), including the right to know what personal information we collect and how it is used, the right to request deletion of your personal information, the right to correct inaccurate personal information, and the right to opt out of the "sale" or "sharing" of personal information. We do not sell your personal information as defined under the CCPA/CPRA. To exercise your California privacy rights, please contact us at the email address listed below. We will not discriminate against you for exercising any of your rights.

12. European and International Privacy Rights

If you are located in the European Economic Area, the United Kingdom, or another jurisdiction with applicable data protection laws, you may have additional rights under those laws, including the right to access, rectify, or erase your personal data, the right to restrict or object to processing, and the right to data portability. You may also have the right to lodge a complaint with your local data protection authority. To exercise any applicable rights, please contact us at the email address listed below. We will process requests in accordance with applicable law.

13. Changes to This Policy

We may update this Privacy Policy at any time in our sole discretion. Changes are effective upon posting of the revised policy with an updated "Last updated" date. Your continued use of the Service after any changes constitutes your acceptance of the updated policy. It is your responsibility to review this Privacy Policy periodically.

14. Contact Us

If you have questions about this Privacy Policy, please contact us at zachary@ampersandbusinesscontinuity.com.