AI SIGMA
Request invitation

Privacy policy

Privacy.

How AI SIGMA collects, uses, and protects information when you visit aisigma.org or submit a form. We do not sell or rent personal data, we do not run tracking cookies, and we do not use your submissions to train AI.

Last updated May 3, 2026

1. Introduction

This Privacy Policy describes how AI SIGMA ("AI SIGMA," "the Institute," "we," "us," or "our") collects, uses, and protects information when you access or use the website at aisigma.org and all related features, tools, and services (the "Service"). The Institute is based in Marin County, California, United States.

We do not sell, rent, or trade your personal information to third parties. We never have, and we never will.

This Privacy Policy should be read in conjunction with our Terms of Service, which governs your use of the Service.

2. Definitions

  • "Service" refers to the AI SIGMA website at aisigma.org and all related features, tools, and services.
  • "Personal Information" means any information that identifies, relates to, or could reasonably be linked to you or your household.
  • "Processing" means any operation performed on Personal Information, whether automated or manual.
  • "Sub-Processor" means a third-party service provider that processes Personal Information on our behalf.

3. Information We Collect

3.1 Information You Provide Through Forms

We collect information you choose to submit through the Service's forms:

  • Membership interest form: first name, last name, work email, organization, role/title, practice area, free-text "why are you interested," and how-you-heard-about-us source
  • Press inquiry form: name, outlet, email, deadline, topic, brief description
  • General contact form: name, email, subject, message
  • Newsletter signup form: email and (optionally) name

Each form's required and optional fields are clearly indicated on the form itself.

3.2 Information Collected Automatically

When you visit aisigma.org, our hosting infrastructure (Vercel) automatically logs:

  • IP addresses (anonymized in aggregated analytics, retained briefly in raw logs for security)
  • Browser type and version, device type, operating system
  • Pages requested, referrer, and timestamps
  • HTTP response codes

3.3 Analytics

We use Vercel Web Analytics and Vercel Speed Insights for product and performance analytics. Both are cookie-free and do not identify individual visitors. They collect:

  • Aggregated page-view counts and navigation paths
  • Performance metrics (Core Web Vitals: LCP, INP, CLS)
  • Country-level geolocation derived from IP, then discarded
  • Device type and browser family

Vercel Analytics data is stored in the United States. Vercel's privacy policy is available at vercel.com/legal/privacy-policy.

3.4 Categories We Do Not Collect

  • No payment information (the Service is free)
  • No government IDs or social security numbers
  • No biometric data
  • No precise geolocation data
  • No advertising identifiers
  • No social-platform tracking pixels

4. How We Use Your Information

4.1 Responding to Your Inquiry

We use form submissions solely to respond to you, evaluate your interest in Founding Membership, schedule press conversations, or send the briefings you have subscribed to.

4.2 Operating the Service

  • Detect and prevent abuse, spam, and unauthorized access
  • Maintain the security and integrity of the Service
  • Diagnose and fix technical problems
  • Analyze aggregated usage to improve performance and content

4.3 Communications

We send transactional communications in response to your form submissions. We send the quarterly briefings only to addresses that have explicitly subscribed through the newsletter form, and you may unsubscribe at any time using the link included in every briefing.

4.4 Legal Compliance

We may process Personal Information to comply with applicable law, respond to lawful requests from public authorities, or enforce our Terms of Service.

5. Cookies and Tracking Technologies

5.1 No Tracking Cookies

AI SIGMA does not set advertising or cross-site tracking cookies on aisigma.org. The Service is a static website; no login is required, no advertising is served, and Vercel Analytics is cookie-free.

5.2 Local Storage and Functional Storage

The Service may use minimal local storage for functional preferences (for example, respecting a user's prefers-color-scheme system setting in a future dark mode). These items are stored locally in your browser and are not transmitted to AI SIGMA or any third party.

5.3 What We Do Not Use

  • No advertising cookies or ad-tracking pixels
  • No cross-site tracking for advertising purposes
  • No social media tracking pixels (no Facebook Pixel, no LinkedIn Insight Tag)
  • No third-party marketing cookies
  • No session-replay or "fullstory"-class behavioral recording

5.4 Future Changes

If we ever introduce tracking cookies or any analytics tool that uses cookies, we will update this Privacy Policy and present a consent mechanism before any non-essential cookie is set.

6. Data Storage and Security

6.1 Data Location

The Service is hosted by Vercel, with content delivered through Vercel's global edge network. Form submissions are processed by Formspree (United States). Email inboxes referenced on the Service (hello@, press@) are operated through Google Workspace.

6.2 Security Measures

  • Encryption in transit: all data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS)
  • Encryption at rest: data held by our sub-processors is encrypted at rest (AES-256 or equivalent)
  • Limited access: only the Founding Co-Chair and a small operational circle have access to form submissions and email inboxes
  • Honeypot anti-spam: all forms include a honeypot field and Formspree performs server-side spam filtering
  • Regular review of sub-processor security practices and contracts

6.3 Security Limitations

No method of internet transmission or electronic storage is completely secure. While we strive to use commercially reasonable means to protect your Personal Information, we cannot guarantee its absolute security.

7. Information Sharing and Disclosure

We do not sell, trade, or rent your Personal Information to third parties.

We share information only in these limited circumstances:

  • Sub-Processors: with the trusted service providers listed in Section 8, solely for the purposes described in this Privacy Policy
  • Legal requirements: when required by law, court order, or valid government request
  • Safety and security: to protect the rights, property, or safety of AI SIGMA, our Members, or the public
  • Business transfers: in connection with a merger, acquisition, or transfer of substantially all assets, in which case we will notify affected users in advance and ensure successor protections at least equivalent to those in this Policy

8. Sub-Processors

The Institute uses the following sub-processors to operate the Service. Each is contractually obligated to protect your data and may only process it for the specific purposes described.

Service Purpose Data processed Location
Vercel Hosting, content delivery, web analytics, speed insights IP, request logs, performance metrics, aggregated usage United States
Formspree Form submission processing and routing All fields you submit through any form on the Service United States
Google Workspace Email delivery for Institute inboxes (hello@, press@) Email addresses and message content of correspondence with the Institute United States / Global
GitHub Source-code hosting for the public site repository None of your Personal Information; site source code only United States

We will update this list when we add or change sub-processors. Material additions affecting Personal Information processing will be flagged in the briefings newsletter or, where appropriate, communicated directly.

9. Data Retention

We retain information only as long as necessary to:

  • Provide the Service and respond to your inquiry
  • Comply with legal obligations
  • Resolve disputes
  • Enforce our Terms of Service

Specific retention periods:

  • Membership-interest submissions: retained through the founding-cohort evaluation period and for up to 24 months thereafter, after which they are deleted unless you have become a Member
  • Press inquiries: retained for up to 24 months
  • General contact submissions: retained for up to 24 months
  • Newsletter subscriptions: retained until you unsubscribe; suppression records (the fact that an address unsubscribed) retained indefinitely to honor your unsubscribe request
  • Server logs: retained for approximately 30 days, then rotated
  • Aggregated analytics: retained indefinitely in anonymized form

You may request earlier deletion at any time by emailing [email protected] with the subject line "Privacy Request."

10. Your Privacy Rights

Regardless of your location, you have the following rights:

  • Access: request a copy of all Personal Information we hold about you
  • Correction: request correction of inaccurate or incomplete Personal Information
  • Deletion: request that we delete your Personal Information, subject to legal retention requirements
  • Portability: request a copy of your Personal Information in a structured, commonly used format
  • Objection: object to specific processing activities

To exercise any of these rights, email [email protected] with the subject line "Privacy Request." We may need to verify your identity before fulfilling certain requests.

11. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).

Categories of Personal Information collected, in CCPA terms:

  • Identifiers: name, email address, IP address
  • Professional or employment-related information: organization, role, practice area (membership/press/contact forms only)
  • Internet activity: aggregated browsing and interaction data via cookie-free analytics

We do not collect any of the following CPRA-defined sensitive Personal Information categories: government IDs, financial account numbers, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, genetic data, biometric data, health data, or sexual-orientation data.

Your California rights:

  • Right to know: request disclosure of categories and specific pieces of Personal Information collected
  • Right to correct: request correction of inaccurate Personal Information
  • Right to delete: request deletion of your Personal Information
  • Right to opt out of sale or sharing: we do not sell or share Personal Information for cross-context behavioral advertising
  • Right to limit use of sensitive Personal Information: we do not collect sensitive Personal Information as defined by the CPRA
  • Right to non-discrimination: we will not discriminate against you for exercising your privacy rights

We will respond to verified CCPA requests within 45 days. Email [email protected] with subject line "CCPA Request."

12. Other U.S. State Privacy Rights

If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), or another state with applicable consumer privacy legislation, you may have similar rights including:

  • Right to access your Personal Information
  • Right to correct inaccuracies
  • Right to delete your Personal Information
  • Right to data portability
  • Right to opt out of the sale of Personal Information (we do not sell your data)
  • Right to opt out of targeted advertising (we do not engage in targeted advertising)
  • Right to opt out of profiling for decisions that produce legal or similarly significant effects (we do not engage in such profiling)

To exercise these rights, email [email protected] with subject line "State Privacy Request." We will respond within the timeframe required by your state's law. If we deny your request, you may appeal by replying to our denial.

13. European and UK Privacy Rights (GDPR / UK GDPR)

13.1 Legal Bases for Processing

  • Contract performance: processing necessary to respond to your form submission or deliver newsletters you have subscribed to
  • Legitimate interests: operating, securing, and improving the Service; preventing abuse
  • Consent: for the briefings newsletter and any future analytics that require consent
  • Legal obligation: compliance with applicable laws

13.2 Your GDPR Rights

  • Access: request a copy of your Personal Information
  • Rectification: request correction of inaccurate data
  • Erasure: request deletion ("right to be forgotten")
  • Restriction: request restriction of processing
  • Portability: receive your data in a structured, machine-readable format
  • Objection: object to processing based on legitimate interests
  • Withdraw consent: withdraw consent at any time, where processing is based on consent
  • Lodge a complaint: file a complaint with your local data protection authority

13.3 Data Controller

AI SIGMA is the data controller. Sub-processors listed in Section 8 act as data processors on our behalf.

We will respond to GDPR and UK GDPR requests within 30 days. Email [email protected] with subject line "GDPR Request."

14. International Data Transfers

If you access the Service from outside the United States, your information will be transferred to and processed in the United States.

14.1 Transfer Mechanisms

For transfers from the EEA, UK, or Switzerland we rely on:

  • Standard Contractual Clauses (SCCs) where applicable through sub-processors
  • The EU-U.S. Data Privacy Framework (and the UK and Swiss extensions) where our sub-processors are certified
  • Your explicit consent where no other mechanism applies

14.2 Security of Transfers

All international data transfers are protected by TLS 1.2 or higher in transit and AES-256 encryption at rest.

15. Data Breach Notification

In the event of a data breach affecting your Personal Information:

  • Timeline: we will notify affected users within 72 hours of becoming aware of the breach
  • Method: direct email where we have your address; prominent notice on the Service for broader incidents
  • Content of notice: nature of the breach, categories of Personal Information involved, steps we are taking, steps you can take, and contact information for follow-up
  • Regulatory notification: we will notify relevant authorities as required by law, including the GDPR (within 72 hours) and California Civil Code §1798.82

16. Artificial Intelligence

16.1 No AI Processing of Your Personal Information

AI SIGMA does not run AI or machine-learning models against your Personal Information or your User Submissions. Form submissions are read and acted upon by humans.

16.2 No Training on Your Submissions

We do not use your Personal Information, your User Submissions, or any other data you provide through the Service to train artificial intelligence or machine-learning models, and we do not provide such data to third parties for that purpose.

16.3 AI Crawlers and Public Content

AI SIGMA welcomes indexing of its public Content by AI crawlers and answer engines (GPTBot, ClaudeBot, OAI-SearchBot, PerplexityBot, Google-Extended, and others). The published robots.txt grants explicit permission. AI crawlers see only public Content; they do not see your form submissions, your communications with the Institute, or any other Personal Information. The crawler-welcome posture is a policy decision about the Institute's published research and standards — it is not a permission to process your Personal Information.

16.4 Future AI Features

If we implement AI-powered features (for example, an AI-assisted search of the Annexes), we will update this Privacy Policy with clear disclosure, explain what data is processed, and provide opt-out mechanisms where feasible.

17. Do Not Track Signals

There is currently no universal standard for Do Not Track (DNT) signals. Because the Service does not engage in cross-site tracking, runs cookie-free analytics, and uses no advertising or tracking pixels, DNT signals do not change our data-collection practices in any material way. If a future feature triggers DNT-relevant behavior, this Policy will be updated.

18. Children's Privacy

The Service is not directed at, intended for, or designed for individuals under 18 years of age. We do not knowingly collect Personal Information from anyone under 18. If we become aware that we have collected Personal Information from a person under 18, we will delete it promptly. If you believe we have inadvertently collected information from a minor, please contact us immediately at [email protected].

The Service contains links to third-party websites, including the websites of intergovernmental bodies, frontier AI labs, the Beverly Hills Bar Association, and the Founding Co-Chair's professional websites. This Privacy Policy does not apply to those sites. We are not responsible for the privacy practices, content, or security of any third-party website. We encourage you to review the privacy policy of every site you visit.

20. Changes to This Privacy Policy

When we update this Privacy Policy:

  • We post the updated policy at this URL
  • We update the "Last updated" date at the top of the page
  • For material changes, we notify subscribers to the briefings newsletter at least 30 days before the changes take effect, with a summary of what changed

Your continued use of the Service after the effective date constitutes acceptance of the updated Policy. If you do not agree, you must stop using the Service.

21. Contact Information

For privacy-related questions or to exercise your rights, contact us at [email protected].

Recommended subject lines for routing:

  • "CCPA Request" — California privacy rights
  • "GDPR Request" — European or UK privacy rights
  • "State Privacy Request" — other U.S. state privacy rights
  • "Privacy Request" — access, correction, deletion, or portability generally
  • "Privacy Inquiry" — general questions about this Policy

AI SIGMA — AI Standards Institute for Global Machine Adoption
Marin County, California, United States