Brownstone Analytics — Privacy & Data Handling
Effective date: June 10, 2025
Contact: pb@brownstoneanalytics.org • (914) 348-5448
Our promise
We collect the minimum data needed to analyze your business, we never sell your data, we restrict access to those who need it, and we delete working files on a fixed schedule. You can request deletion at any time.
Scope
This policy covers client information and files shared with Brownstone Analytics for our analytics engagements (e.g., through our intake form, email, or secure links). It does not cover data processed by your own systems or public content you publish.
What we collect
Contact & context: name, work email, company, industry, project notes.
Client files: datasets you provide (typically operational/financial tables in CSV/XLSX).
Operational metadata: submission timestamps, file names/links, Run IDs.
Do not submit via our standard intake: protected health information (PHI), full payment card numbers, government ID numbers (e.g., SSNs), criminal justice information (CJIS), or other highly regulated personal data. If your project requires these, we will route you to a separate secure workflow and agreements.
How we use your data
To assess your request, perform analysis (including use of analytic tools), create an executive deck, and communicate with you about results.
We do not use your data to train public models or for advertising.
Where your data is processed (current tools)
We use reputable processors to deliver the service, including: Typeform (intake), Zapier (notifications), Google Workspace/Drive (storage & email), Julius (analysis), Gamma (deck creation), and Squarespace (website). These providers may process data in the U.S. and other jurisdictions. We review their security documentation and limit access on a least-privilege basis.
Security
Enforced multi-factor authentication on all accounts; device encryption on our endpoints.
Least-privilege access; no public file sharing by default.
Transport encryption (TLS) for data in transit; providers’ encryption at rest.
Operational hygiene: password manager, change control for automations, periodic access review.
Retention & deletion
Working files are retained for 60 days after delivery unless otherwise agreed, then deleted from our working storage.
You may request deletion at any time at privacy@brownstoneanalytics.org. We will confirm completion within a reasonable period.
We may retain limited business records (e.g., invoices, statements of work, email headers) as required by law.
Your choices & control
You can submit de-identified or sample data.
You can request access, corrections, or deletion by emailing privacy@brownstoneanalytics.org.
If your data includes regulated elements, tell us in the intake form; we’ll switch to our secure workflow (e.g., de-identification checklist, restricted sharing, additional agreements such as DPA/BAA where applicable).
Incident handling
If we become aware of unauthorized access to client data in our control, we will investigate promptly and notify affected clients without undue delay, consistent with applicable law.
Children
Our services are for business clients and not directed to children.
Changes
We may update this notice to reflect process or legal changes. We’ll post the new effective date at the top. Material changes will be communicated to active clients.
Summary
We collect only what we need to analyze your business.
We never sell your data.
Files are stored in restricted folders, used to produce your deck, then deleted on a schedule.
You control your data—ask for deletion any time at privacy@brownstoneanalytics.org.