Privacy Policy
Last Updated: November 2, 2025
AI Colorado ("we", "us", "our") provides statewide AI education programs, including AI Education Day: Colorado. We collect only what we need to run the program, measure impact, and improve services. We do not sell personal data. We do not use targeted advertising. We honor Global Privacy Control browser signals.
1) What we collect
- Identifiers: name, email, phone.
- Civic and logistics: county, preferred site, participation role.
- Program metadata: age range, self-reported AI experience, areas of interest.
- Organization details for moderators, hosts, and sponsors.
- Device and service logs: IP, timestamps, and standard HTTP events for security and performance.
We do not collect sensitive personal data unless you explicitly provide it for accessibility accommodations. If we ever need to process sensitive data, we will request your opt-in consent first.
2) Why we use it
- Register you, place you in a county cohort, and send event logistics.
- Match participants to sessions and local sites.
- Coordinate moderators, hosts, and sponsors.
- Produce de-identified statistics for public reporting on statewide impact.
- Improve curriculum and operations.
3) How we use cookies and signals
- We use functional cookies for session management.
- We do not run targeted advertising cookies.
- We honor Universal Opt-Out Mechanisms, including Global Privacy Control. If your browser sends a GPC signal, we treat it as an opt-out for any processing that would qualify as targeted advertising or sale.
4) Colorado privacy rights and how to use them
Colorado residents can request access, correction, deletion, and portability, and can opt out of targeted advertising, sale, or profiling used for decisions with legal or similarly significant effects. Submit requests at [aicolorado.org/privacy-request] or email support@aicolorado.org. We respond within 45 days, extendable once by 45 days when reasonably necessary. If we deny your request, you can appeal at [aicolorado.org/privacy-appeal]. We will provide a written decision within 45 days. If your appeal is denied, you may contact the Colorado Attorney General.
5) Your choices
- Email. Unsubscribe using the link in any message. We honor unsubscribes promptly and within 10 business days as required by CAN-SPAM. Campaign emails include our physical mailing address.
- SMS. For marketing texts we obtain prior express written consent. Every message includes opt-out instructions, for example "Reply STOP to opt out."
6) Data sharing
We do not sell, trade, or rent personal data. We share data only with:
- Service providers acting on our instructions for registration, communications, analytics, hosting, and security. Example: Airtable for registration workflow.
- Host locations when needed to run an in-person session you registered for.
- Legal when required to comply with the law or protect rights.
We require providers to sign data-processing terms and to use reasonable security controls. A current list of subprocessors is posted at [aicolorado.org/subprocessors].
7) Security
We apply layered security controls aligned to the NIST Privacy Framework and operate a privacy information management system based on ISO 27701 principles. Controls include TLS in transit, encryption at rest where supported, least-privilege access, audit logging, third-party risk reviews, and incident response testing.
8) Data retention
We keep personal data only as long as needed for program delivery, reporting, and follow-up, then delete or de-identify it. Our default retention windows:
- Registration and cohort logistics: 18 months after the event
- Email and SMS subscription data: until you unsubscribe or for 24 months of inactivity
- Support tickets and appeals: 24 months
- System logs: 90 days
If law requires a longer period, we comply with that requirement. We publish updates to this schedule at [aicolorado.org/retention].
9) De-identified data
We may use and publish de-identified, aggregated statistics about participation and skill lift. We commit not to attempt to re-identify de-identified data.
10) Children's privacy
Our services are not directed to children under 13. We do not knowingly collect personal information from children under 13. If we learn that we collected such information, we will delete it. This standard aligns with the Children's Online Privacy Protection Act and current FTC guidance.
11) Data breach notification
If a data breach creates a risk of harm, we will notify affected individuals as soon as practicable and no later than 30 days after determination, consistent with Colorado law and any law-enforcement needs.
12) Changes
We update this policy as our programs evolve. We will post changes here and revise the Last Updated date. Material changes will be announced in email to registered participants when feasible.