Privacy Policy
This policy explains how Montgomery Kuykendall collects, uses, protects, and shares information across the frameworks ecosystem, experimental canvases, and related services—including the AI-driven interactions available on this site.
Last updated: March 1, 2025
1. Data Stewardship & Scope
1.1 Data Controller & Representatives
Montgomery Kuykendall is the data controller for the digital properties served from montgomerykuykendall.com and affiliated subdomains.
- Primary contact: Montgomery Kuykendall; privacy@montgomerykuykendall.com; P.O. Box 2025, Seattle, WA 98111, USA
- EU/EEA representative: MK Privacy Desk (EU), c/o DPO Centre, Herengracht 420, 1017 BZ Amsterdam, Netherlands; eu-privacy@montgomerykuykendall.com
- UK representative: MK Privacy Desk (UK), 71-75 Shelton Street, London WC2H 9JQ, United Kingdom; uk-privacy@montgomerykuykendall.com
1.2 Applicable Regulations
This policy aligns with global privacy regulations relevant to the services offered, including the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Where local law imposes stricter requirements, those controls take precedence.
1.3 Defined Terminology
| Term | Definition |
|---|---|
| Personal Data | Any information that identifies or can reasonably be linked to an identifiable individual, including contact details, device identifiers, and conversation transcripts. |
| Processor | A third-party service provider contracted to process personal data on behalf of Montgomery Kuykendall under documented instructions. |
| Subprocessor | A downstream processor engaged by a primary processor (for example, a cloud infrastructure provider used by the hosting platform). |
| Sensitive Data | Personal data categories receiving elevated protection under applicable law, such as government identifiers, precise geolocation, or health information. The services do not intentionally collect these fields. |
2. Data Collection
Montgomery Kuykendall collects the minimum information required to operate and protect this site. Collected data can include:
- Contact details you supply when you reach out through published channels.
- Service metadata (such as IP address, user agent, and request identifiers) captured by hosting providers and security tooling.
- Event logs from public frameworks, experimental canvases, and interactive demos that help detect abuse or runtime failures.
- Prompts, responses, and safety signals generated when you engage with the site’s AI assistant.
2.1 Sources of Information
Information is gathered directly from you when you submit forms or contact requests, automatically through security and analytics instrumentation, and from AI interactions when you choose to engage with the assistant.
2.2 AI Interaction Data
The AI assistant runs on a session-limited graph service. When you start a conversation, the prompt, derived graph context, and returned answer are temporarily stored in memory so the assistant can maintain continuity. Conversations expire after roughly 20 minutes of inactivity or after the configured turn limit, whichever arrives first.
| Category | Primary Purpose | Legal Basis | Typical Retention | Subprocessors & Transfers |
|---|---|---|---|---|
| Contact Information | Respond to inbound inquiries, deliver requested follow-ups, and maintain opt-out preferences. | Legitimate interests in communicating with users; consent when you opt into ongoing updates; legal obligation for recordkeeping. | Active inquiry plus 24 months unless legal obligations require longer retention. | Vercel, Inc. (USA) for secure form delivery; email relay providers located in the USA under Standard Contractual Clauses (SCCs) when serving EU/UK data. |
| Device & Service Metadata | Maintain service reliability, prevent fraud, and generate aggregate usage insights. | Legitimate interests in securing the platform and ensuring availability; legal obligation to maintain security logs. | Rolling 30 to 180 days depending on the log type and security investigation needs. | Vercel, Inc. (USA) and Cloudflare, Inc. (USA/EU). Transfers rely on SCCs and supplemental encryption controls. |
| Interaction Telemetry | Debug performance issues, tune accessibility, and validate new releases. | Legitimate interests; consent where regional law requires prior approval for analytics cookies. | Aggregated within 24 hours and retained for 14 months in anonymized form. | Plausible Insights OÜ (Estonia, EU). Data is stored in the EU; transfers outside the EEA are not performed. |
| AI Conversation Data | Generate responses, enforce safety boundaries, and investigate abuse. | Legitimate interests in providing the requested AI interaction; contractual necessity when delivering protected content. | Ephemeral processing memory during the session plus up to 30 days for abuse review in hashed form. | OpenAI, L.L.C. (USA) under EU/UK SCCs with regional data segregation; encrypted transit via TLS 1.2+. |
3. How Information Is Used
Collected data enables essential site functionality, maintains security, and supports ongoing improvements. Communications sent through contact channels are used to respond to inquiries. Technical telemetry prioritizes fixes, informs accessibility improvements, and validates new framework releases. AI interaction data is used in real time to compose responses, enforce safety boundaries, and measure abuse rates.
3.1 Legal Basis
Data is processed on the basis of legitimate interests in providing secure services, fulfilling user requests, and complying with applicable legal obligations. Consent is requested when required for optional features or communications.
3.2 Automated Decision-Making Limitations
The AI assistant generates automated responses based on your prompts and curated knowledge graphs. It does not produce legally or financially binding decisions about individuals, nor does it profile users for marketing segmentation. Automated safeguards may refuse or redact content that violates published policies, and those interventions are logged for safety review only.
5. Data Sharing & Processors
Montgomery Kuykendall does not sell personal data. Limited information is shared with trusted processors strictly to deliver core services:
- Hosting and security providers supply infrastructure, mitigate abuse, and deliver cached content.
- Analytics providers measure aggregate engagement without storing identifiable user profiles.
- AI infrastructure partners process conversation prompts and responses to generate the assistant’s output. Prompts and outputs are transmitted securely, logged for short-term abuse detection, and are not added to public training datasets. Treat any AI conversation as sensitive and avoid sharing confidential details.
Each processor is bound by data protection agreements requiring them to use the information only for the contracted service, maintain appropriate safeguards, and respect applicable privacy regulations.
6. Your Rights & Request Handling
Depending on your jurisdiction, you may have rights to access, correct, delete, or restrict processing of your personal information, opt out of targeted advertising or profiling, and receive a copy of your data in a portable format. Montgomery Kuykendall honors these rights consistent with applicable law and contractual commitments.
6.1 Request Workflow
- Submit a request through the dedicated privacy intake form, email, or postal channel listed below. Please indicate the specific rights you wish to exercise.
- Receive confirmation within 7 calendar days acknowledging the request and outlining the verification steps.
- Complete the verification process by responding to the secure link or providing identifying information that matches existing records.
- Receive a substantive response within 30 days (extendable once by an additional 30 days for complex requests). You will be notified if more time is required.
- Where a request is rejected, the response will include the reason and the appeal instructions.
6.2 Identity Verification
Verification requirements depend on the sensitivity of the data involved. At minimum, you may be asked to confirm the email address or session identifier associated with the interaction. For access, deletion, or portability requests, additional evidence such as a confirmation code sent to your contact email may be required. Verification data is used solely to authenticate the request and is deleted within 60 days.
6.3 Appeal & Escalation
If you disagree with the outcome of a request, you may appeal within 45 days by replying to the decision notice or emailing privacy-appeals@montgomerykuykendall.com. Appeals are reviewed by privacy and legal counsel, who respond within 30 days. You also have the right to contact your local data protection authority at any time.
6.4 Dedicated Channels
- Email: privacy@montgomerykuykendall.com
- EU/UK email: eu-privacy@montgomerykuykendall.com
- Postal mail: Montgomery Kuykendall, P.O. Box 2025, Seattle, WA 98111, USA
- Secure form: montgomerykuykendall.com/contact (select “Privacy request”)
6.5 Data Retention
Personal information is retained only as long as necessary to provide services, comply with legal requirements, or resolve disputes. Contact correspondence is archived while an inquiry is active. AI conversations are stored in volatile memory for approximately 20 minutes, and high-level safety telemetry may persist longer to investigate abuse or service failures. Log data from hosting or security providers rotates on a rolling basis to minimize retention of sensitive metadata.
7. Security & Incident Response
Montgomery Kuykendall applies layered safeguards—including transport encryption, least-privilege access, content security policies, and automated abuse detection—to protect collected data. No online service can guarantee absolute security, so please avoid transmitting sensitive personal or proprietary information unless explicitly requested and secured.
7.1 Incident Response & Notification
Security incidents are triaged using a documented response plan that covers identification, containment, eradication, and post-incident review. Affected users and regulators will be notified without undue delay and within timelines mandated by applicable law. Notifications include the nature of the incident, the categories of data involved, mitigation steps taken, and contact details for follow-up.
8. Additional Disclosures
8.1 Cross-Border Data Transfers
Personal data may be processed in the United States and the European Union. When data moves across borders, Montgomery Kuykendall relies on Standard Contractual Clauses, supplementary technical measures (including end-to-end encryption for transit and storage), and periodic transfer impact assessments to confirm an adequate level of protection.
8.2 Children’s Data
The services are intended for individuals aged 16 and older. The site does not knowingly collect personal data from children. If you believe a child has provided personal information, contact privacy@montgomerykuykendall.com so the data can be deleted promptly.
8.3 Analytics & AI Opt-Outs
You can opt out of analytics collection by enabling the Do Not Track signal in your browser or by blocking analytics scripts at the network level; the site honors these signals where technically feasible. AI conversation logs can be suppressed by declining to engage with the assistant or by requesting deletion after a session completes. These opt-out choices do not impact access to the static portions of the site.
8.4 Automated Decision-Making Transparency
Automated scoring or profiling for advertising, employment, or credit purposes is not performed. Any future use of automated decision-making that materially affects individuals will include prior notice, human review, and opt-out capabilities where required by law.
9. Contact & Oversight
Questions or privacy requests can be submitted via the public contact portal at contact.html. For sensitive disclosures, use the official communication channels published on the site or referenced in the security documentation.
Privacy and legal counsel reviewed and validated the March 2025 revisions prior to publication.
9.1 Updates to This Policy
This privacy policy may evolve to reflect changes in services or regulatory requirements. Significant updates will be highlighted on this page with a revised effective date.