Privacy Policy

1. Introduction

Mission Forward AI, LLC, a Virginia limited liability company doing business as "Mission Forward AI" ("we," "our," or "us"), provides AI strategy, implementation, and training services to nonprofit organizations. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit this site, contact us, or engage us as a client.

2. Information We Collect

Information you provide

When you fill out our contact form, we collect:

• Your name and email address
• Your organization's name and type (nonprofit, church, foundation, association)
• Optional: annual operating budget range
• Optional: your EIN, used only to look up your public 990 filing before our first call
• The message you write to us

Information collected automatically

We use Plausible Analytics, a privacy-respecting analytics tool that:

• Uses no cookies and creates no persistent identifiers
• Collects no personal data — all metrics are anonymous and aggregate
• Records only page views, referral source, country, and device type
• Does not track individuals across sessions or sites

We currently do not use Google Analytics, advertising cookies, tracking pixels, or cross-site tracking technologies. There is no consent banner because there is nothing to consent to.

Client engagement information

When you engage us as a client, we may also collect:

• Documents, content, and data you provide for AI strategy or implementation work (collectively, "Engagement Training Data" when used for fine-tuning, embedding, or retrieval-augmented generation in your AI system)
• Workflow and process information needed to scope solutions
• AI system usage metrics from solutions we build for you

3. How We Use Your Information

We use information you provide to:

• Respond to your inquiry and prepare for our first call
• Deliver the AI strategy, implementation, and training services you engage us for
• Build and operate AI systems for your organization
• Communicate with you about active engagements
• Comply with legal obligations

4. AI-Specific Data Handling

Ownership of your data

• Your documents, content, and program data remain your property at all times
• We use your data solely to build solutions for your organization
• We do not use your client data to train, fine-tune, or improve any model that will be made available to other clients or to the public
• You can request deletion of your data at any time

Where we use third-party AI platforms (e.g., OpenAI, Anthropic, Google Cloud Vertex AI), we configure those platforms with the data-use opt-outs available to us, and we will identify the platforms used in your engagement on request. We cannot guarantee third-party platform behavior beyond their published terms.

Data retention

• Project data is retained for the duration of our service agreement
• Engagement Training Data is retained for 90 days after project completion unless otherwise agreed in writing
• Contact form submissions are retained only as long as needed to follow up — typically 90 days

Donor and beneficiary data

When our work involves donor records, beneficiary information, or other sensitive third-party data, we treat it as confidential. We do not extract, copy, or retain it beyond the scope of the engagement and our reasonable backup, audit, and legal-retention obligations. We design our practices to align with Maryland's MODPA, Virginia's CDPA, and equivalent state frameworks to the extent applicable to our business.

Health information (HIPAA)

We are not a HIPAA Covered Entity. If an engagement requires us to access, process, or store Protected Health Information (PHI) as defined under HIPAA, or substance-use treatment records under 42 CFR Part 2, we will execute a Business Associate Agreement (BAA) before any PHI is disclosed to us. Absent an executed BAA, clients agree not to provide PHI or 42 CFR Part 2 records to us. Specific engagements requiring PHI undergo a separate technical-controls review.

5. Information Sharing

We do not sell, trade, or rent personal information. Categories of third parties we share information with include:

• AI model providers (e.g., OpenAI, Anthropic, Google Cloud Vertex AI)
• Vector database and search providers (e.g., Pinecone, Weaviate, pgvector)
• Hosting and infrastructure providers (e.g., Vercel, Cloudflare)
• Email delivery (Resend)
• Analytics (Plausible)
• Authorities, where required to comply with legal obligations or respond to lawful requests
• Other parties only with your explicit consent

On request, we will identify the specific providers used in your engagement. We select third-party providers with strong security and privacy practices and use them only for authorized purposes.

6. Data Security

We implement reasonable technical and organizational measures, including:

• Encryption of data in transit, and at rest where we control storage
• Access controls and authentication on systems we operate
• Cookie-free, log-minimal analytics
• Cloudflare Turnstile on our contact form to deter automated abuse

In the event of a data breach affecting personal information, we will notify affected individuals and your organization in accordance with applicable state breach-notification laws, including DC Code § 28-3851 et seq., MD Code Comm. Law § 14-3504, and VA Code § 18.2-186.6.

No method of transmission over the internet is fully secure. We take reasonable precautions but cannot guarantee absolute security.

7. Your Rights

You have the right to:

• Access and receive a copy of personal information we hold about you
• Correct or update that information
• Request deletion of personal information and any Engagement Training Data tied to your engagement
• Withdraw consent where consent is the basis for processing
• Receive personal data in a structured, commonly used, machine-readable format, where technically feasible (this right does not apply to deliverables, work product, or trade secrets)

We respond to verifiable requests within 45 days as required by Maryland's MODPA, Virginia's CDPA, and similar state frameworks. If we decline a request, we will explain why and you may appeal that decision by replying to our response.

Where we act as a processor or service provider for a nonprofit client subject to state privacy laws, we will execute a written Data Processing Agreement that meets the requirements of VCDPA § 59.1-579, MODPA § 14-4607, and equivalent provisions.

To exercise any of these rights, email contact@missionforward.ai.

8. Children's Privacy

Our website

Our website is directed to adults running nonprofit organizations. We do not knowingly collect personal information from children under 13. If we learn we have collected such information, we will delete it.

Client engagements

Where a client engagement involves data about minors (e.g., program participants, mentees, foster youth), the client remains the data controller for that information. We process such data only as instructed under the engagement agreement and in compliance with COPPA (where the client operates an online service directed to children under 13), the Family Educational Rights and Privacy Act (FERPA) where applicable to educational records, and any client-imposed restrictions. We will execute additional safeguards or agreements (including parental-consent workflows) when required.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated "Last updated" date. We encourage you to review this policy periodically.

10. Contact

Questions about this Privacy Policy or our data practices?