Privacy Policy

1. Identity and Contact

The data controller for both marketing surfaces is Nisana LLC, a limited liability company organized under the laws of the State of Missouri.

You can reach us at the role-based contact addresses listed in Section 15 (Contact Us).

2. Scope of This Policy

This Policy applies to your interaction with the marketing websites listed above, including any forms you complete on those sites (contact, waitlist, ambassador application).

This Policy does not apply to: the Osprey product application (mobile or web) once launched (which will publish its own Privacy Policy and, where applicable, will be governed by Data Processing Agreements with school districts and Business Associate Agreements with HIPAA-covered organizations); third-party websites that we link to from our marketing sites; or information you provide directly to a third party (for example, a social-media platform) outside our marketing sites.

3. Information We Collect

We collect personal information only in the categories described below. We do not collect Social Security numbers, government-issued identification numbers, financial-account numbers, payment-card numbers, precise geolocation, biometric identifiers, health information, information about union or political affiliation, or information about minors at the marketing-site layer.

Information you provide directly: (a) on the contact form (both sites): your name, your email address, and the free-text message you choose to send us; (b) on the waitlist form (both sites): your name, your email address, and a categorical “professional role” selection; (c) on the ambassador application form (osprey.education only): your name, your email address, a categorical “professional role” selection, and a free-text “about you” statement describing your practice setting and what you would want Osprey to address; (d) a hidden honeypot field on every form intended to catch automated submissions — a human visitor leaves this field blank and nothing about that visitor is recorded by way of this field.

Information we collect automatically: (a) server-side request metadata on both sites (your IP address, the user-agent string sent by your browser, the HTTP referer header if any, and the request timestamp), used for sliding-window rate-limiting on form submissions; (b) cookieless aggregate analytics on osprey.education only via Plausible, which does not set cookies, does not retain IP addresses, and does not fingerprint your device; (c) an opaque internal build identifier rendered into the page metadata for our own operations monitoring (osprey.education only).

Information we receive from third parties: we do not receive personal information about marketing-site visitors from third parties. We do not buy contact lists, ingest data brokers’ files, or enrich form submissions with third-party data.

4. How We Use Your Information

We use the information described in Section 3 only to: respond to your contact-form messages; operate the waitlist and notify you about the Osprey launch and a small number of pre-launch milestones (typically no more than two emails before launch); evaluate ambassador-program applications and coordinate program participation; operate, secure, and improve the marketing sites (including rate-limiting form submissions, preventing abuse, diagnosing operational issues, and — on osprey.education only — understanding aggregate traffic patterns); and comply with legal obligations and respond to lawful process.

We do not use your marketing-site information for advertising, for profiling that produces legal or similarly significant effects, or for training generative AI systems.

5. Service Providers

We rely on a small number of vetted service providers (“sub-processors”) that process information on our behalf under contractual obligations to use the information only for the purposes we direct. The following list is exhaustive for the marketing-site layer as of the Last Updated date above.

Microsoft Azure (Microsoft Corporation; United States) — hosting via Azure Static Web Apps; serverless backend via Azure Functions; rate-limit window state via Azure Table Storage; transactional email delivery via Azure Communication Services Email. All marketing-site workloads are deployed to U.S. Azure regions.

Plausible Analytics (Plausible Insights OÜ; Estonia, EU) — cookieless, aggregate web analytics for osprey.education only. Plausible does not set cookies, does not retain IP addresses beyond the moment of request, and does not fingerprint visitors. Plausible is loaded only when the production analytics flag is enabled.

We will update this list when we add or remove a sub-processor.

6. Cookies and Similar Technologies

We use only strictly-essential technologies required for the marketing sites to function (for example, transient session storage used to support form submission and basic CSRF protection). We do not use advertising or marketing cookies, cross-site tracking pixels or beacons, behavioral-advertising profiling cookies, device-fingerprinting techniques, or third-party social-network tracking widgets.

The analytics provider used on osprey.education (Plausible) is cookieless by design.

Because we do not deploy non-essential cookies, the marketing sites do not display a cookie consent banner. If we adopt any technology that requires consent under applicable law, we will update this Policy and present the appropriate consent surface before that technology is enabled.

7. How We Share Information

We do not sell personal information. We do not “share” personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act, as amended (Cal. Civ. Code § 1798.140), or under any other comparable U.S. state privacy law.

We disclose personal information only: to service providers acting on our behalf, as listed in Section 5, under contracts that limit their use of the information to the purposes we direct; to comply with law when we receive valid legal process (for example, a subpoena, court order, or other lawful request); to protect the rights, property, or safety of Nisana, our visitors, or the public when we have a good-faith basis to believe disclosure is necessary; and in connection with a corporate transaction (for example, a merger, acquisition, reorganization, financing, or sale of assets), with reasonable advance notice on this page if a transaction would materially change how your information is handled.

We have not sold or shared (for cross-context behavioral advertising) personal information of marketing-site visitors in the preceding twelve months, and we have no current plans to do so.

8. How Long We Keep Information

We retain personal information only as long as we need it for the purposes described in this Policy, and then we delete it.

Waitlist submissions are retained for up to 24 months from the date of signup, or for 6 months after the public launch of the Osprey product, whichever comes first; after that, the record is pruned unless you have converted to an Osprey product account, in which case retention is governed by the Product Privacy Policy.

Contact-form messages are retained for up to 24 months from receipt, then pruned. Messages that constitute a binding business record (for example, a contract inquiry leading to a signed agreement) may be retained longer under our records-retention schedule.

Ambassador applications are retained for up to 36 months from receipt, then pruned. Applications accepted into the program follow a separate program-record retention rule.

Server-side request metadata (IP, user-agent, referer, timestamp) is retained for up to 30 days in operational logs, then deleted or aggregated to non-identifying form. Rate-limit window state is retained only for the duration of the rate-limit window (typically minutes), then automatically expired by Azure Table Storage TTL. Plausible aggregate analytics retains only de-identified aggregate counts; no per-visitor record exists to retain.

If you request deletion under Section 10, we will delete your information sooner than the windows above, except where retention is required to comply with law or to defend a legal claim.

9. Security

We implement reasonable administrative, technical, and physical safeguards designed to protect the personal information we collect, including: encryption of data in transit using TLS for all visitor traffic to both marketing sites; encryption of data at rest using the underlying Azure platform’s default encryption; access limited to authorized Nisana personnel on a need-to-know basis; honeypot rejection and IP-based rate limiting to mitigate automated abuse; and secret rotation procedures for service credentials.

No system is perfectly secure, and we cannot guarantee that unauthorized access will never occur. If we determine that personal information has been subject to unauthorized acquisition or use, we will notify affected individuals and, where required, regulators without unreasonable delay, consistent with applicable law.

To report a vulnerability or a suspected security incident affecting either marketing site, contact security@nisana.io.

10. Your Rights and Choices

We extend the rights described in this Section to all U.S. visitors, regardless of state of residence. We do this for operational simplicity and as a sign of good faith; offering the superset of rights to everyone is a defensible posture under each state’s comprehensive privacy law and avoids tiered-rights operational overhead.

Subject to verification of your identity and to limited statutory exceptions, you may request that we: confirm and access what personal information we hold about you; correct information about you that is inaccurate; delete information we hold about you; provide a portable copy of the information you have provided to us, in a structured, commonly used format; opt out of any future processing of your personal information for cross-context behavioral advertising or for profiling that produces legal or similarly significant effects (we do not currently engage in either activity, but the opt-out remains available as a forward-looking commitment); and limit the use of “sensitive personal information” as defined under applicable law (we do not collect any such category at the marketing-site layer, but the request remains available as a forward-looking commitment).

California-specific disclosures: in addition to the above, California residents have the right under the California Consumer Privacy Act, as amended (CCPA/CPRA), to know the categories of personal information we have collected, the categories of sources from which it was collected, the business or commercial purposes for which it was collected, and the categories of third parties to whom we have disclosed it. Those categories are enumerated in Sections 3, 4, 5, and 7 above and are incorporated into this Section by reference. You also have the right to designate an authorized agent to submit a request on your behalf; we may require the agent to provide written proof of authorization and may require you to verify your identity directly with us before we honor an agent-submitted request. We will not discriminate against you for exercising any privacy right.

Appeals: if we decline a privacy request, you may appeal that decision by emailing privacy@nisana.io with the subject line “Privacy Request Appeal.” We will respond to appeals within 60 days of receipt and, where state law permits, will provide information about further recourse (for example, the Attorney General of your state).

Global Privacy Control: we honor the Global Privacy Control (GPC) browser signal as a valid opt-out preference where applicable. Today this commitment is largely moot because we do not sell or share for cross-context behavioral advertising; nonetheless, the commitment will be honored if our processing posture changes in the future.

How to submit a request: email us at privacy@nisana.io with the subject line “Privacy Request” and describe what you are asking us to do. We will acknowledge your request within 10 business days and respond substantively within 45 days of receipt. We may extend the response window by up to an additional 45 days where reasonably necessary, in which case we will tell you the reason and the expected response date before the original window closes.

11. Children’s Privacy

The marketing sites are intended for adult professionals (educators, clinicians, administrators), parents and guardians researching the Osprey product, and organizational decision-makers. The marketing sites are not directed to children under 13.

We do not knowingly collect personal information from children under 13 through the marketing sites. The waitlist and contact forms ask for the name and email of the person submitting the form; we ask that minors not submit these forms.

If you are a parent or guardian and you believe a child under 13 has submitted personal information through one of our marketing forms, contact privacy@nisana.io and we will delete the information promptly.

The Osprey product itself is designed to be used by adult practitioners on behalf of learners; children do not interact directly with the Osprey application. The Product Privacy Policy issued at product launch will explain that posture in full and will address the school-as-consent-agent doctrine under the Children’s Online Privacy Protection Act (COPPA) where applicable.

12. FERPA and HIPAA: Marketing-Site Scoping

We include this Section for the benefit of school districts, clinical organizations, and student-data-privacy reviewers (including the Student Data Privacy Consortium / NDPA review process) so that the scope of this marketing-site Policy is unambiguous.

FERPA: the marketing sites do not process student education records, and Nisana LLC is not acting as a “school official” with legitimate educational interest under 34 CFR § 99.31(a)(1)(i)(B) in the conduct of these marketing sites. The Osprey product application, when it launches, will be operated under a written agreement with each participating school or district that addresses the FERPA school-official exception, the prohibition on re-disclosure, and the requirements of any applicable state student data privacy law.

HIPAA: the marketing sites do not create or maintain protected health information, Nisana LLC is not a Covered Entity, and Nisana LLC is not acting as a Business Associate in the conduct of these marketing sites. Where the Osprey product application is used by a HIPAA-covered organization, a Business Associate Agreement will govern that use; that BAA is not in scope for this Policy.

13. Visitors Outside the United States

The Osprey product and the Nisana company offerings are oriented toward visitors and customers in the United States. Our marketing sites are hosted in U.S. Azure regions, and our service providers (other than Plausible Analytics) are based in the United States. Plausible Analytics processes only de-identified aggregate signals and is based in the European Union; no personal data is transferred to Plausible.

If you visit our marketing sites from outside the United States, your information is transmitted to and processed in the United States. We do not currently market to or solicit personal data from individuals in the European Union, the United Kingdom, the European Economic Area, the Russian Federation, the People’s Republic of China, or any other jurisdiction whose laws would require localized processing or specific cross-border transfer mechanisms. If you are located in such a jurisdiction and choose to contact us, please be aware that the protections of your local law may not apply.

14. Changes to This Policy

We may update this Policy from time to time. When we do, we will update the “Last updated” date at the top of the page.

For material changes — for example, a change to the categories of information we collect, the purposes for which we use it, the sub-processors we share it with, or the rights we extend — we will display a prominent notice on both marketing sites for at least 30 days following the change, and where we hold an email address as a result of your prior interaction with us (for example, your waitlist signup), we will notify you by email of the material change before it takes effect, where practicable.

Prior versions of this Policy are preserved in the public version history of the Nisana source repository (docs/legal/privacy-policy.md in the postrema/ALC repository).

15. Contact Us

You can reach us at the following role-based addresses:

• Privacy and data subject requests: privacy@nisana.io
• Legal notices, intellectual-property notices (including DMCA), and contractual correspondence: legal@nisana.io
• Security vulnerability disclosure and security incident reports: security@nisana.io
• Data protection contact: dpo@nisana.io