Legal

Privacy Policy, Disclaimer & Legal Notices

Effective Date: February 27, 2026  |  Last Updated: February 27, 2026

Brownstone Analytics ("Brownstone," "we," "us," or "our") is committed to protecting your privacy and the confidentiality of your data. This document contains our Privacy Policy, Disclaimer, Copyright & Trademark Notice, and related legal disclosures. As a firm that provides compliance financial intelligence to defense contractors, healthcare organizations, and government agencies, we hold ourselves to the same standards of data protection we help our clients achieve.

Contents 1. Disclaimer 2. Personal Data We Collect 3. Purposes and Legal Bases for Processing 4. Client Data & Confidentiality 5. Controlled Unclassified Information (CUI), ITAR & Federal Data 6. Protected Health Information (PHI) & HIPAA 7. Artificial Intelligence & Automated Tools 8. Disclosures & Information Sharing 9. Data Security & Standards Alignment 10. Data Location & Storage 11. Subprocessors & Third-Party Services 12. Incident Response & Breach Notification 13. Insurance & Liability 14. Right to Audit 15. Data Retention 16. Cookies & Similar Technologies 17. Your Privacy Rights (Jurisdiction-Dependent) 18. Additional Information for California Residents (CCPA/CPRA) 19. Children's Data 20. Changes to This Policy 21. Governing Law & Forum 22. Contact Information 23. Copyright & Trademark Notice

1. Disclaimer

The content on this site is provided by Brownstone Analytics for general informational purposes only and does not constitute financial, legal, or professional advice. Analyses, dashboards, forecasts, benchmarks, or recommendations presented by Brownstone are based on the data and assumptions available at the time and may not predict future outcomes. You should not rely on any single indicator or dashboard view to make business or investment decisions; consider your unique context and consult qualified professionals as needed.

Our website may contain links to third-party sites. We do not control and are not responsible for the content, security, or privacy practices of third parties. Use of our site and services is at your own risk. To the fullest extent permitted by law, Brownstone disclaims any liability for direct, indirect, incidental, consequential, special, exemplary, or punitive damages arising out of or relating to your use of the site or services.

2. Personal Data We Collect

We collect and process personal data in the following categories (depending on your interactions with us):

  • Identity & Contact Data: Name, title, company, email, phone, mailing address.
  • Account & Transaction Data: Invoices, payment status (payments are processed by PCI-compliant providers; we do not store full card data).
  • Usage & Technical Data: IP address, device identifiers, browser type/version, pages viewed, time on page, referral URLs, session metrics.
  • Communications & Support Data: Emails, meeting notes, project correspondence.
  • Client Dataset Inputs (B2B Services): Files and databases you provide for analytics engagements (which may contain limited personal information depending on your configuration); metadata necessary to process and deliver services.

This data is collected through Squarespace's built-in analytics. We do not use Google Analytics or other third-party tracking tools that share data with advertising networks.

3. Purposes and Legal Bases for Processing

We use personal data for:

  • Service Delivery & Operations: Provide, configure, and maintain our analytics services; process client datasets; ensure availability and security.
  • Customer Success & Support: Troubleshoot issues; respond to inquiries; conduct quality assurance.
  • Business Administration: Billing, account management, audits, compliance, fraud prevention, enforcing terms.
  • Communications: Send project updates, invitations, and educational content where permitted.
  • Legal & Regulatory: Comply with applicable laws, respond to lawful requests, enforce agreements, and protect our rights and users.

Legal bases (where required, e.g., EEA/UK): Performance of contract; legitimate interests (e.g., security, service improvement); consent (where mandated); and legal obligations.

What we do NOT do: We do not sell your personal information. We do not share your data with advertising networks. We do not use client data for product development, algorithm training, benchmarking, or any purpose beyond the scope of the specific engagement without explicit written client authorization.

4. Client Data & Confidentiality

As a business intelligence consulting firm, we access, process, and analyze client business data in the course of our engagements. Processing is governed by our service terms and/or a Data Processing Addendum (DPA). We process client data solely to provide services and as instructed by the client.

Our Commitment: Client business data is treated as strictly confidential. We do not use client data for any purpose other than the specific engagement for which it was provided.
  • Access controls: Client data is accessed only by authorized personnel directly involved in the engagement.
  • Encryption: Client data is stored using encrypted file storage and transmitted via encrypted connections (TLS 1.2+).
  • No secondary use: We do not use client data to build case studies, marketing materials, training datasets, benchmarks, or aggregate analytics without explicit written permission.
  • Return & deletion: Upon engagement completion, we follow client instructions for deletion or return of data. We will delete or return all client data upon written request.
  • NDAs available: We execute Non-Disclosure Agreements and confidentiality agreements upon request. For defense and government clients, we consider NDAs standard practice.
  • Separation of client data: Each client's data is logically separated and never co-mingled with data from other clients.

5. Controlled Unclassified Information (CUI), ITAR & Federal Data

Brownstone Analytics provides compliance financial intelligence services to defense contractors and federal suppliers.

Scope of our work: We provide financial analysis and dashboard reporting for compliance programs (CMMC, FedRAMP, DCAA, ITAR, etc.). We analyze compliance spend, budget variance, control implementation costs, and revenue-at-risk – not the underlying technical security data or classified information itself.
  • CUI handling: In the normal course of our work, we do not require access to Controlled Unclassified Information (CUI). If an engagement requires CUI access, we will establish appropriate safeguards, execute required agreements, and document handling procedures before any CUI is shared.
  • FCI handling: We may handle Federal Contract Information (FCI) such as contract values, pricing data, and procurement documentation. FCI is protected under our standard confidentiality controls.
  • ITAR-controlled data: We do not require access to ITAR-controlled technical data, defense articles, or defense services information in the normal course of our work. If an engagement involves data that may fall under ITAR or the Export Administration Regulations (EAR), we will identify the data classification, establish appropriate handling protocols, and ensure compliance before proceeding. We do not transfer ITAR-controlled data to foreign persons, entities, or servers.
  • DFARS compliance: For engagements involving defense contractor data, our data handling practices are informed by the principles of NIST SP 800-171 and DFARS 252.204-7012.
  • No classified information: We do not access, store, or process classified information under any circumstances.

6. Protected Health Information (PHI) & HIPAA

Brownstone Analytics provides compliance financial intelligence to healthcare organizations and healthcare-adjacent businesses.

  • Standard engagements: Our compliance financial analysis typically involves cost data, budget information, and compliance program metrics – not patient health information (PHI). In the normal course of our work, we do not require access to PHI or electronic PHI (ePHI).
  • Business Associate Agreements: If an engagement requires us to access, process, or store any data that may contain PHI, we will execute a Business Associate Agreement (BAA) in compliance with HIPAA before any PHI is shared.
  • Incidental exposure: If PHI is inadvertently included in data provided to us, we will promptly notify the client, isolate the data, and either return or securely destroy it in accordance with HIPAA requirements.
  • HIPAA awareness: We are committed to maintaining HIPAA data handling awareness and staying current with regulatory requirements to ensure we can identify and appropriately handle PHI if encountered.

7. Artificial Intelligence & Automated Tools

In the course of our work, we may use AI-assisted tools (such as AI features within Microsoft Power BI, Excel, or other business intelligence platforms) to enhance data analysis and dashboard development.

Our AI commitment: Client data is never uploaded to, processed by, or used to train public AI models, third-party AI services, or large language models without explicit written client authorization.
  • No training data: We do not submit client data to AI platforms for model training, improvement, or any purpose beyond the specific engagement scope.
  • Enterprise-grade tools only: When AI-assisted features are used, they are limited to enterprise-grade, commercially licensed tools with appropriate data protection agreements in place (e.g., Microsoft Copilot within a licensed Microsoft 365 environment with commercial data protection).
  • Transparency: If AI-assisted analysis is used in the creation of a deliverable, we will disclose this to the client upon request.
  • Client opt-out: Clients may request that no AI-assisted tools be used in their engagement. We will honor all such requests.

Automated Decision-Making: We do not make legally significant decisions based solely on automated processing without appropriate human review.

8. Disclosures & Information Sharing

We do not sell or rent personal data. We may disclose data to:

  • Service Providers / Subprocessors: Cloud hosting, data storage, email delivery, payment processors — bound by confidentiality and data protection obligations (see Section 11 for full list).
  • Corporate Transactions: In a merger, acquisition, financing, or sale of assets, data may be transferred subject to continued protections and appropriate notice to affected parties.
  • Legal/Compliance: To comply with applicable law, legal process, or enforceable governmental requests; to protect rights, safety, or integrity of our services.
  • With your consent: When you have given explicit written permission to share specific information.

We will never share defense contractor, government, or healthcare client data with unauthorized third parties under any circumstances. All data is processed in the United States (see Section 10).

9. Data Security & Standards Alignment

We employ administrative, technical, and physical safeguards designed to protect personal data and client datasets:

  • Encrypted file transfer and storage (AES-256 at rest, TLS 1.2+ in transit)
  • Password-protected systems and multi-factor authentication (MFA) on all business accounts
  • SSL/TLS encrypted connections on our website
  • Logical separation of client data across engagements
  • Access controls limited to authorized personnel
  • Regular review and update of data handling procedures
  • Secure disposal of client data upon engagement completion or client request

Standards Alignment

Our internal data handling practices are informed by the principles of NIST SP 800-171 (Protecting CUI), the NIST Cybersecurity Framework (CSF), and industry best practices for data confidentiality. While we do not currently hold a formal CMMC or SOC 2 certification for our own operations, we continuously align our practices with the same frameworks we help our clients navigate.

New York SHIELD Act Compliance

As a New York-based business, Brownstone Analytics complies with the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act. We maintain reasonable safeguards to protect the security, confidentiality, and integrity of private information of New York residents, including administrative safeguards (employee training, risk assessment), technical safeguards (encryption, access controls, monitoring), and physical safeguards (secure disposal, access limitations).

No method of transmission or storage is 100% secure; residual risk remains. We will notify affected parties promptly in the event of any security incident (see Section 12).

10. Data Location & Storage

  • Data residency: All client data is stored and processed within the United States. We do not transfer client data to servers or facilities outside the US unless explicitly authorized by the client in writing.
  • Cloud services: Client deliverables and working files are stored on US-based cloud infrastructure (Microsoft OneDrive/SharePoint, encrypted local storage). Our website is hosted by Squarespace on US-based servers.
  • Local storage: When client data is stored on local devices, those devices are protected by full-disk encryption, password protection, and MFA-enabled accounts.
  • No offshore processing: All data processing and analysis is performed within the United States by US-based personnel.

11. Subprocessors & Third-Party Services

We use the following third-party services. Each has been selected for its security practices and compliance posture.

ServicePurposeData Handled
SquarespaceWebsite hosting, analyticsWebsite visitor data
Microsoft 365Email, file storage, collaborationCorrespondence, client files
Microsoft Power BIDashboard creation & visualizationClient business data (analytics)
ZoomVideo meetings & consultationsMeeting recordings (if authorized)
Google WorkspaceCalendar, secondary collaborationScheduling data

We review our subprocessor list periodically and will update this section as our tools change. If a client requires advance notification of subprocessor changes, we will accommodate that request contractually. Each subprocessor's own privacy policy governs how they handle data.

12. Incident Response & Breach Notification

In the event of a data security incident involving client data or personal information, we will:

  • Investigate promptly: Identify the scope, cause, and impact of the incident within 24 hours of discovery.
  • Contain & remediate: Take immediate steps to contain the incident and prevent further unauthorized access.
  • Notify affected parties: Notify affected clients within 72 hours of confirmed discovery, providing details of the incident, data involved, and remediation steps taken.
  • Regulatory notification: Comply with all applicable breach notification laws, including New York SHIELD Act requirements, and where applicable, HIPAA breach notification rules and DFARS 252.204-7012 incident reporting requirements.
  • Preserve evidence: In accordance with DFARS requirements, we will preserve and protect images of affected information systems and all relevant monitoring data for at least 90 days following a cyber incident involving defense contractor data.
  • Document & improve: Conduct a root cause analysis and implement measures to prevent recurrence.

13. Insurance & Liability

Brownstone Analytics maintains appropriate business insurance:

  • Professional Liability / Errors & Omissions (E&O): Coverage for professional services, consulting errors, and omissions in deliverables.
  • General Liability: Standard commercial general liability coverage.
  • Cyber Liability: We are in the process of securing dedicated cyber liability insurance. This section will be updated upon policy activation.

Proof of insurance is available upon request.

14. Right to Audit

  • Audit support: We will cooperate with reasonable client audit requests related to our data handling practices and security controls.
  • Documentation: Upon request, we can provide documentation of our data security practices, subprocessor agreements, and incident response procedures.
  • Contractual provisions: For defense, healthcare, and government clients, we are willing to include right-to-audit clauses in engagement agreements.
  • Regulatory cooperation: We will cooperate with any regulatory audit or investigation related to data we process on behalf of a client, including DCAA audits, CMMC assessments, and HIPAA compliance reviews.

15. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes above or to comply with legal, accounting, or reporting requirements. Typical retention guidelines:

  • Account & Transaction Records: Up to 7 years for tax/audit.
  • Support & Communications: 24–36 months, unless needed longer for dispute resolution.
  • Marketing Data: Until you opt out or data becomes inactive per internal schedules.
  • Client Datasets (B2B): As specified in the contract/DPA; we follow client instructions for deletion or return at end of engagement.
  • Defense contractor data: Retention periods will comply with applicable DFARS, FAR, and NARA record retention requirements.
  • Cyber incident data: Affected system images and relevant monitoring data preserved for a minimum of 90 days per DFARS 252.204-7012.

16. Cookies & Similar Technologies

We use cookies and similar technologies to:

  • Operate the Site (strictly necessary);
  • Measure Performance (analytics, diagnostics);
  • Enhance Features (preferences, saved sessions).

What We Do NOT Use

  • No third-party advertising cookies or retargeting pixels
  • No cross-site tracking
  • No sale of cookie data to third parties

You can control cookies via browser settings and designated opt-out tools. Disabling certain cookies may impact site functionality. We do not respond to "Do Not Track" signals at this time due to industry standards not being finalized.

17. Your Privacy Rights (Jurisdiction-Dependent)

Depending on your location, you may have rights to access, correct, delete, restrict, object to processing, port data, or withdraw consent. To exercise rights, contact pb@brownstoneanalytics.org. We may request verification and will respond within the required timeframes.

New York Residents

If you are a New York resident, you have rights under the New York SHIELD Act, including the right to be notified in the event of a security breach involving your private information. We maintain the administrative, technical, and physical safeguards required by the SHIELD Act.

18. Additional Information for California Residents (CCPA/CPRA)

Categories Collected: Identifiers; commercial information; internet/usage data; professional/employment data; inferences (e.g., preferences).

Sources: Directly from you; your devices/browser; your employer (for B2B services); service providers.

Purposes: As described in Sections 3 and 8.

Sharing/Selling: We do not sell personal data. We do not "share" personal information for cross-context behavioral advertising.

Sensitive Personal Information: We do not use or disclose SPI for inferring characteristics or for purposes beyond those allowed by law without your consent.

Your Rights: Know/access, correct, delete, opt out of "sharing," limit SPI use (if applicable), and non-discrimination.

How to Exercise: Email pb@brownstoneanalytics.org with "California Privacy Request." We will verify your identity and respond per statutory timelines. You may use an authorized agent with proper authorization.

19. Children's Data

Our services are not directed to individuals under 18 years of age. We do not knowingly collect children's personal data. If we become aware that we have inadvertently collected information from a minor, we will take steps to delete it promptly.

20. Changes to This Policy

We may update this Policy to reflect changes to our practices or legal requirements. Material changes will be noted by updating the "Last Updated" date and, where appropriate, additional notice. Active clients will be notified directly if changes materially affect how we handle their data.

21. Governing Law & Forum

This Policy and any dispute arising from it are governed by the laws of the State of New York, without regard to conflict-of-laws principles. Exclusive jurisdiction and venue reside in the state or federal courts located in New York, NY, USA.

22. Contact Information

Brownstone Analytics

Paul Brown, Founder & Principal Analyst

Elmsford, NY, United States

Email: pb@brownstoneanalytics.org

Phone: (914) 348-5448

Website: www.brownstoneanalytics.org

23. Copyright & Trademark Notice

© 2026 Brownstone Analytics. All Rights Reserved.

All site content — including text, graphics, logos, icons, software, dashboards, data visualizations, and other materials — is owned by Brownstone or licensed to Brownstone and protected by U.S. and international copyright laws. You may not reproduce, distribute, display, perform, create derivative works, or otherwise use content without our prior written permission, except for fair use or other permitted exceptions under applicable law.

Trademarks: Brownstone Analytics™ and "Smarter Decisions. AI-Powered Results."™ are trademarks of Brownstone Analytics. Other names and marks are the property of their respective owners. You may not use our trademarks without prior written consent, including in metatags, ads, or promotional materials, in any manner likely to cause confusion or imply endorsement.

License for Client Work Product: Unless your contract states otherwise, deliverables we create for you (e.g., dashboards, models, reports) are licensed for your internal business use. You may not redistribute, resell, or publicly publish our templates, models, or source materials unless expressly permitted in writing.

We Value Your Privacy