Privacy Policy

1. Information We Collect

Directly Provided Data: Name, email, professional affiliation, company or organization name, job title, and any information you submit through contact forms, intake forms, support requests, or direct communications.

Service-Related Data: Information you provide in connection with consultation engagements, software development work, or other company-operated Services that are not subject to a separate product-specific privacy policy, including project specifications, research questions, and related materials.

Automatically Collected Data: We may collect metadata such as IP address, browser type, device information, and usage patterns to improve website performance, security, and service operations.

Financial Data: Payments that we process directly are handled through Stripe. We do not store complete payment card numbers or other sensitive financial identifiers.

2. Information Handling & AI Training

Customer Data Ownership: We do not claim ownership of any proprietary data provided by customers in connection with consultation services or other client engagements.

No General Model Training: We do not use client-provided research data, personal statements, proprietary datasets, or engagement materials to train our foundational or general-purpose AI models.

Client-Specific Models: If a specific AI model or RAG system is developed for a client as a deliverable ("Work Product"), the handling of that data is governed by the specific Service Agreement for that project.

Work Product: Upon full payment, clients receive rights to deliverables as specified in the applicable Service Agreement or Statement of Work.

3. Prohibition on Protected Health Information (PHI)

If PHI is Detected

If we discover PHI in uploaded files or communications, we will:

1. Immediately quarantine the data
2. Notify you within 24 hours
3. Permanently delete the data within 72 hours
4. Suspend services until we receive written confirmation that no additional PHI will be provided

HIPAA-Compliant Services: If you require HIPAA-compliant data processing, contact us at [email protected] to discuss a separate Business Associate Agreement and migration to compliant infrastructure. Additional fees apply.

Your Responsibility: You are solely responsible for ensuring that any data provided to us does not contain PHI.

4. How We Use Your Information

We use the information we collect for the following purposes:

• To provide consultation, software development, and related business services as specified in Service Agreements or other applicable agreements
• To operate, secure, maintain, and improve mbshub.org and other company-operated Services not governed by a separate product-specific privacy policy
• To develop AI models, analyses, or deliverables for specific client projects
• To process payments and manage invoicing
• To respond to inquiries, requests, and support communications
• To monitor website usage and improve our Services through analytics, subject to consent requirements where applicable

We do not use your personal data for unsolicited marketing.

5. Data Retention and Storage

Project Data: Data related to consultation projects is retained for the duration of the project and as specified in the applicable Service Agreement. After project completion, data may be retained for a reasonable period to support potential follow-up work or as required by law.

Financial Records: Transaction records and invoices are retained for 7 years to comply with tax and accounting regulations.

Deletion Requests: If you request deletion of your data, we will delete or anonymize it within 30 days unless retention is required by law or contractual obligations.

Your data is stored on secure servers located in the United States. We employ industry-standard security practices, including encryption in transit and at rest, access restrictions, and regular security audits.

6. Sharing of Information

We do not sell your personal data. We may share your data only with trusted third parties:

Service Providers: We may use third-party service providers for technical infrastructure, including:

• AI platforms (OpenAI, Google Gemini) for project-specific model development and support features
• Infrastructure and security providers (Hetzner, Cloudflare)
• Analytics providers (Google Analytics 4) for website and service usage insights, subject to consent requirements where applicable

Payment Processors: Stripe processes transactions that we handle directly. Stripe collects payment information according to its privacy policy and maintains PCI-DSS compliance.

Legal Authorities: We may disclose your information if required to comply with applicable laws, regulations, or legal processes.

Separate product-specific privacy policies may describe additional providers used for those platforms. All third-party providers are contractually obligated to safeguard your data and not use it for unrelated purposes.

7. Cookies and Website Analytics

Our website may use cookies for essential functionality such as login sessions and website performance.

Essential Cookies: We may use necessary cookies for login sessions and website functionality. These cookies are required for service operation.

Analytics: We may use Google Analytics 4 and similar tools to understand website and service usage patterns. Where required by applicable law, non-essential analytics technologies are enabled only after user consent. Analytics data is used in aggregated or otherwise limited form to understand performance and improve our Services.

8. Data Subject Rights & Access Requests

In accordance with GDPR, CCPA, and other applicable privacy laws:

Access: You may request a summary of your stored data by emailing [email protected].

Correction: You may request correction of inaccurate or incomplete data.

Deletion: You may request deletion of your personal data, subject to legal retention requirements and contractual obligations.

Data Portability: You may request your data in a structured, commonly used format.

Response Timeline: We aim to fulfill verified requests within thirty (30) days. For complex requests, we may extend this by an additional 60 days with prior notice.

Data Transfers: As a Minnesota-based company, your data will be processed in the United States. By using the Services, you consent to this cross-border transfer.

9. Data Security

We employ reasonable technical and organizational safeguards to protect your personal information from loss, unauthorized access, misuse, or disclosure. These measures include:

• Pseudonymization of identifiers where feasible
• Secure storage environments and encrypted backups
• Strict access controls for internal tools and systems
• Monitoring for suspicious or unauthorized activity

Despite these safeguards, no system is 100% secure. We cannot guarantee absolute security of data transmitted over the internet.

Data Breach Notification: In the event of a data breach affecting your personal information, we will notify you via email within 5 business days of discovering the breach, as required by applicable law.

10. Children's Privacy

MB Solutions LLC does not knowingly collect personal information from children in connection with mbshub.org or our company-level Services in violation of applicable law. Age eligibility, youth access rules, and age-verification requirements for specific products are governed by the separate privacy policy for the relevant product, including The Match and MN Drive Test. If we become aware that we have collected information from a child in violation of applicable law, we will delete it promptly.

11. GDPR Notice for Users in the European Union

Legal Basis for Processing

We process your personal data based on one or more of the following legal grounds under Article 6 of the GDPR:

• Consent: When you voluntarily provide information or engage our services
• Contractual Necessity: To provide consultation services, process payments, or manage your account
• Legitimate Interest: For service improvement, analytics, and fraud prevention, provided these interests do not override your fundamental rights and freedoms

Your Rights Under GDPR

If you are covered by the GDPR, you have the following rights:

• Access – Request access to your personal data and obtain a copy
• Rectification – Request correction of inaccurate or incomplete data
• Erasure ("Right to Be Forgotten") – Request deletion of your personal data
• Restriction of Processing – Request that we restrict processing in certain circumstances
• Data Portability – Request to receive your data in a structured, commonly used format
• Objection – Object to processing based on our legitimate interests
• Withdraw Consent – Withdraw consent at any time without affecting prior processing

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days in accordance with GDPR requirements.

Data Transfers Outside the EU

Your data may be processed on servers located in the United States. We implement appropriate safeguards, including Standard Contractual Clauses, pseudonymization, and encryption during transit to protect your information in accordance with GDPR standards.

Supervisory Authority

You have the right to lodge a complaint with a supervisory authority in your EU member state if you believe your data is being processed unlawfully or if we have not addressed your concerns adequately.

12. Updates to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on our website at mbshub.org/privacy. The "Last Updated" date at the top will be updated. Continued use of the Services after changes are made constitutes your acceptance of the revised policy.