Skip to main content
Springboard Partners
AI Readiness Explorer
← Back

Data & Privacy Policy

Springboard AI Readiness Explorer

Version 1.1 — May 2026

Who we are

Springboard Partners is a Canadian management consulting firm that helps organizations build intelligent, AI-ready businesses. This assessment tool is operated by Springboard Partners on behalf of client organizations (“your organization”) who invite their employees and leadership to participate in the AI Readiness Explorer.

What this tool does

The Springboard AI Readiness Explorer is an online diagnostic questionnaire. Respondents answer a structured set of questions about their organization's AI strategy, workforce readiness, data infrastructure, governance, culture, and execution capability. Their answers are scored, combined with other respondents in the same organization, and used to produce a findings report that Springboard consultants use to advise the organization.

What information we collect

Information you provide directly

  • Account and identity information. When you accept an invitation to participate, you provide your name and email address. These are used to create your account, deliver your invitation, and associate your answers with your organization.
  • Assessment responses. Your answers to the questionnaire — including ratings on a 1–5 scale, multiple-choice selections, and any optional written comments you choose to add. Written comments are entirely optional. If you provide them, they are included in the AI-generated findings report for your organization.
  • Profile information. At the start of the assessment (version 2), you are asked a short set of questions about your organization: its size, sector, geography, and current stage of AI adoption. These help contextualize the findings and are not personally identifying.

Information collected automatically

  • Authentication activity. When you log in via magic link, we record that you authenticated. We do not store passwords.
  • Assessment progress. We save your progress automatically so you can resume if you close the browser. This includes which dimension you were on and which questions you had answered.
  • Basic technical data. Standard web server logs (IP address, browser type, pages visited, time of visit). These are retained for a maximum of 90 days and are used solely for security monitoring and debugging.

What we do not collect

  • Payment or financial information of any kind
  • Government identifiers (SIN, health card numbers, etc.)
  • Sensitive personal attributes (health, ethnicity, religion, sexual orientation)
  • Behavioral tracking, advertising identifiers, or cross-site tracking cookies
  • Audio, video, or biometric data

How we use your information

  • To deliver the assessment. Your responses are scored using our readiness framework and presented to you on your results page. Your responses are also combined with other respondents in your organization to produce aggregate findings.
  • To generate the AI findings report. When your organization requests an AI-generated report, your assessment responses — including any optional written comments — are included in a prompt sent to Anthropic's Claude AI API. See the section on AI processing below for details.
  • To communicate with you. We send you a magic-link email to log in, and may send reminder emails if you have not completed your assessment. We do not send marketing emails to respondents.
  • To help Springboard consultants advise your organization. Springboard Partners staff can view the aggregate results for your organization and the AI-generated report. Individual respondent answers are visible to Springboard admins and to your organization's designated administrator(s). They are not shared with other organizations.
  • For security and operations. We use access logs to monitor for abuse, unauthorized access attempts, and technical errors.

We do not sell your data. We do not use it for advertising. We do not share it with third parties except as described in this document.

AI processing — important disclosure

This tool uses Anthropic's Claude API to generate the narrative findings report. When you or your organization requests a report, the following information is sent to Anthropic's servers:

  • Your organization's name
  • Aggregate dimension scores and individual question ratings
  • Profile answers (organization size, sector, geography, AI stage)
  • Any optional written comments you provided
  • Responses to diagnostic questions (yes/no, multiple-choice)

Anthropic processes this data to generate the report text and returns the result to our servers. The generated report is then cached in our database and displayed to you and your organization's administrators.

Anthropic's data handling. Anthropic does not train their models on data submitted through the API by default. API inputs and outputs may be retained by Anthropic for up to 30 days for trust and safety review, after which they are deleted. See Anthropic's privacy policy for current details.

Written comments you provide in the assessment may be sent to Anthropic as part of the report generation process. We recommend avoiding including highly sensitive organizational information (personnel matters, unannounced strategic decisions, confidential financial data) in written comment fields.

Who can see your data

WhoWhat they can see
You (the respondent)Your own answers and your personal results page
Your organization's administratorAll respondents' completion status; aggregate scores for the organization; the AI-generated report
Springboard Partners staffAll of the above, plus individual respondent answers, for the purpose of consulting delivery
Other respondents in your organizationNothing — individual answers are not shared between respondents
Other organizationsNothing
AnthropicAssessment data sent for report generation (see AI processing section above)
Vercel (our hosting provider)Request logs, as part of normal infrastructure operation
Supabase (our database provider)Encrypted data at rest on their managed database infrastructure
Resend (our transactional email provider)Your name and email address, used solely to deliver magic-link login and assessment reminder emails
Sentry (our error monitoring provider)Application error events and stack traces; configured to scrub assessment answers and personal identifiers before transmission

Where your data is stored

Our application is hosted on Vercel and our database is managed by Supabase. Both services operate infrastructure in North America, including the United States.

If your organization is subject to Canadian data residency requirements (for example, certain public-sector mandates), please contact us at contact@springboardpartners.ca before participating so we can discuss options.

Data retention

Data typeRetention period
Assessment responses and scoresRetained for the duration of your engagement with Springboard Partners, plus 3 years
AI-generated reportsSame as above
Profile and account informationSame as above
Access and server logs90 days
Invitation records1 year after expiry or acceptance
Deleted organization dataPurged within 30 days of deletion request

After retention periods expire, data is permanently deleted from our systems. We do not archive deleted data to backups beyond our standard backup window (7 days for point-in-time recovery).

Your rights

  • Access your data. You can request a copy of the information we hold about you by emailing contact@springboardpartners.ca.
  • Correct inaccurate data. If your account details (name, email) are incorrect, you can request a correction.
  • Delete your data. You can request deletion of your account and assessment data. Note that if your responses have already been included in an aggregate report delivered to your organization, deletion of your individual record will not retroactively alter that report. We will confirm deletion within 30 days.
  • Withdraw from the assessment. You may stop participating at any time by simply not completing the assessment. Partial responses are saved automatically but will not be included in aggregate reporting unless your submission is marked complete.
  • Complain to a regulator. If you believe your privacy rights have been violated, you may file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or the applicable provincial privacy authority for your province.

To exercise any of these rights, email contact@springboardpartners.ca with the subject line “Privacy Request.” We will respond within 30 days.

Security measures

  • All data is transmitted over HTTPS with HSTS enforced
  • Authentication uses magic-link email (no passwords stored)
  • Database access is controlled by row-level security policies — each user can only access their own data and the data their role permits
  • API keys and secrets are stored as environment variables and are never included in application code or logs
  • The Anthropic API key, Supabase service key, and email API key are stored server-side only and never exposed to the browser
  • Access logs are reviewed for anomalous activity

No security measure is perfect. If you discover a security vulnerability in this tool, please report it responsibly to contact@springboardpartners.ca.

Cookies

This tool uses a single session cookie set by Supabase Auth to maintain your login state. It is a secure, HttpOnly cookie and does not track you across other websites. We do not use advertising cookies, analytics cookies, or third-party tracking scripts.

Changes to this policy

We may update this policy as the tool evolves. Material changes (for example, changes to how AI processing works or new third-party processors) will be communicated to active participants by email before taking effect. The version date at the top of this document reflects the last update.

Contact

Springboard Partners
contact@springboardpartners.ca
springboardpartners.ca

For privacy requests specifically, please use the subject line “Privacy Request” so we can route it to the right person promptly.

This policy is written to be consistent with the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. It is not legal advice. Organizations with specific compliance obligations (public sector, healthcare, financial services) should seek independent legal review.