Privacy and data practices
What the NCSC AI Toolkit collects, how long it keeps it, and how to request deletion. Last updated 2026-05-22.
What we collect
- Workshop password path (Path A). No personal data collected. The session cookie carries an anonymized identifier (workshop@charterts.com) and an expiration timestamp.
- Annual-access path (Path B). Email address (required), name, school, role (each optional). Stored in our workshop_leads table. Used to identify you when an authorized request reaches the toolkit operator (Joseph Colarusso) for manual review.
- Bypass token path. No personal data. Anonymized cookie (bypass@charterts.com).
- Audit reports you generate. The contract or terms you paste, the AI's output, and a fingerprint of the result. Anonymized for workshop/bypass sessions; identified only for annual sessions (where the audit is linked to your email).
- Visit metadata. Per-visit timestamp and visit count on your lead row. No browser fingerprinting. No third-party analytics.
What we don't do
- We don't sell or rent your contact information.
- We don't share it with vendors, partners, or affiliated CTS clients.
- We don't run third-party analytics or advertising trackers on the toolkit.
- We don't fingerprint your browser or device.
Retention
- Workshop leads. Auto-purged 18 months after last activity, unless flagged for follow-up.
- Workshop / bypass audit reports. No identifying email attached. Kept indefinitely as anonymized records of toolkit usage.
- Annual audit reports. Kept until you request deletion (see below) or until the underlying workshop_leads row is purged.
- Source-health logs. Per-URL availability checks, no personal data, retained indefinitely.
- Rate-limit counters. IP-keyed throughput buckets, auto-purged after 2 days.
Your rights
Regardless of jurisdiction, you can request: (a) a copy of the data we hold on you, (b) deletion of your lead and any associated audit reports, (c) correction of inaccurate information, (d) revocation of any active access link.
Email joseph.colarusso@charterts.com from the email address on file. Joe processes requests manually; expect a 5-business-day turnaround. Deletion is irreversible.
EU / California / New York residents
GDPR (EU), CCPA (California), and NY SHIELD Act recognize the rights above and add procedural requirements. The data we collect under Path B is processed with your explicit consent at submission. Withdraw consent anytime by emailing the address above.
Security
- All traffic served over HTTPS with HSTS preload.
- Session cookies are HttpOnly, Secure, host-locked (__Host- prefix).
- API endpoints carry per-IP rate limits and per-tier daily quotas.
- Stored in Atlas (Supabase Postgres) with row-level security and a per-app service role.
- Outbound email sent via authenticated Gmail SMTP or Resend; no third-party email tracking.
Contact
Joseph Colarusso · Charter Technology Solutions · joseph.colarusso@charterts.com · 866-399-3230