Privacy and Data Handling Policy

Last Updated: May 2026

Part I – Institutional Client Data Handling

Purpose

Post-Captain Consulting, LLC (“Post Captain”) is committed to protecting the confidentiality, integrity, and appropriate handling of institutional, student, employee, and operational data accessed in the course of providing consulting and operational support services to higher education institutions. This policy establishes baseline expectations for privacy, data handling, and responsible information management.

Scope

This policy applies to all Post Captain personnel, contractors, consultants, and approved third-party service providers who access, process, store, transmit, or otherwise handle client-related information or company business data.

Categories of Data Handled

Post Captain may access or process the following categories of information while performing services for clients:

  • Student, applicant, enrollment, retention, advancement, and alumni-related records maintained within client-managed systems such as Slate CRM
  • FERPA-protected educational records
  • Personally identifiable information (“PII”)
  • Donor, constituent, parent, and event participation information
  • Employee, faculty, staff, or applicant information provided by clients
  • Institutional operational, reporting, and communications data
  • CRM configuration, workflow, segmentation, and business process information
  • Proprietary institutional information, including operational practices, strategic planning materials, and confidential business information
  • Authentication credentials or authorized system access information
  • Communications, scheduling, and project-related information
  • Limited financial, contractual, or billing-related information necessary for business operations

Post Captain does not intentionally collect sensitive personal data beyond what is required to perform authorized consulting services.

Operational Purpose for Data Access

Access to client data is limited to legitimate business and operational purposes, including:

  • CRM administration, configuration, and operational support
  • Enrollment, admissions, student success, retention, advancement, and alumni engagement consulting
  • Reporting, analytics, segmentation, and workflow optimization
  • Communication strategy, campaign support, and constituent engagement operations
  • Technical troubleshooting, implementation assistance, integrations, and system testing
  • Data quality review, process improvement, and operational assessment
  • Project management and client-requested operational tasks

Personnel may only access information necessary to perform assigned responsibilities.

FERPA and Privacy Compliance Awareness

Post Captain recognizes that many client institutions are subject to the Family Educational Rights and Privacy Act (“FERPA”) and other applicable privacy laws and regulations.

Personnel handling institutional data are expected to:

  • Maintain confidentiality of student and institutional information
  • Access records only as authorized by the client institution
  • Avoid unauthorized disclosure or secondary use of data
  • Follow client-specific privacy and security requirements where applicable

Post Captain acts as a service provider to client institutions and does not independently determine educational record disclosure rights.

International and State Privacy Considerations

Post Captain acknowledges that client institutions may be subject to international or state privacy frameworks, including but not limited to:

  • General Data Protection Regulation (“GDPR”)
  • China Personal Information Protection Law (“PIPL”)
  • California Consumer Privacy Act (“CCPA”) and similar state laws

Where applicable, Post Captain will reasonably cooperate with client institutions in supporting compliance obligations consistent with contractual responsibilities and operational capabilities.

Data Minimization

Post Captain follows data minimization principles and seeks to:

  • Access only the minimum data necessary for authorized work
  • Avoid unnecessary downloading, duplication, or local storage of client data
  • Limit retention of institutional information outside client-managed systems
  • Use de-identified or aggregated information whenever feasible

Data Retention and Secure Disposal

Client data retained by Post Captain shall be limited to operational necessity, contractual requirements, or legal obligations.

When no longer required, data will be securely deleted or destroyed using reasonable administrative and technical safeguards appropriate to the sensitivity of the information.

Post Captain personnel may not retain institutional data after project completion unless specifically authorized.

Restrictions on Unauthorized Disclosure

Personnel may not:

  • Share client information with unauthorized individuals
  • Use institutional data for personal benefit
  • Disclose confidential information outside approved business purposes
  • Transfer data to unauthorized systems or applications

Confidential information remains the property of the client institution.

Law Enforcement and Legal Requests

Post Captain will not voluntarily disclose client data to law enforcement or government authorities unless:

  • Required by valid legal process, subpoena, court order, or applicable law; or
  • Authorized in writing by the client institution

Where legally permissible, Post Captain will seek to notify the affected client institution prior to disclosure.

Data Subject Rights Requests

Because Post Captain operates as a service provider to client institutions, requests related to:

  • Access
  • Correction
  • Deletion
  • Restriction
  • Portability
  • Privacy complaints regarding institutional records

should generally be directed to the applicable client institution, which remains the primary data controller or educational records authority.

Post Captain will reasonably cooperate with institutional requests related to applicable privacy obligations.

Security Incident and Breach Notification

Post Captain personnel must promptly report suspected or confirmed security incidents involving institutional data.

Where Post Captain becomes aware of unauthorized access, disclosure, or loss of client information, the company will:

  • Investigate the incident promptly
  • Take reasonable containment and remediation measures
  • Notify affected client institutions within a commercially reasonable timeframe consistent with contractual obligations and applicable law

Third-Party Vendors and Service Providers

Post Captain uses commercially reasonable and reputable vendors to support operations, including cloud productivity, communication, password management, scheduling, AI, and project management platforms.

Examples may include:

  • Microsoft 365
  • AWS
  • Asana
  • 1Password
  • Calendly
  • Loom
  • OpenAI
  • Anthropic Claude
  • Canva

Third-party tools are used solely for legitimate business purposes and are expected to maintain reasonable security protections.

AI and Privacy Restrictions

Personnel may not input confidential institutional data, FERPA-protected information, or sensitive personal information into public or consumer AI systems unless:

  • Explicitly authorized by the client institution; and
  • Approved by Post Captain management under applicable internal AI usage requirements

AI-generated outputs must be reviewed for accuracy, confidentiality, and appropriateness before use.

No Sale, Brokerage, or Commercial Exploitation of Data

Post Captain does not sell, rent, trade, broker, or commercially exploit institutional or student data.

Client information is used solely for authorized consulting and operational support purposes.

Part II – Post Captain Operational Privacy Practices

Information Collected Directly

In addition to institutional data accessed on behalf of clients, Post Captain may collect and process business and operational information directly from individuals and organizations interacting with the company.

This information may include:

  • Names, email addresses, phone numbers, employer or institutional affiliation, and professional role information
  • Webinar, training, and event registration information
  • Newsletter subscriptions and communication preferences
  • Prospect, client, vendor, and business relationship information
  • Communications, meeting notes, scheduling information, and correspondence
  • Payment and transaction-related information associated with events or services
  • Applicant, resume, curriculum vitae (“CV”), and recruiting-related information

Post Captain primarily manages operational relationship and communications data within Slate CRM and related business systems.

Operational Use of Information

Post Captain may use operational and business information for legitimate business purposes, including:

  • Managing client and prospect relationships
  • Delivering consulting services and operational support
  • Organizing events, webinars, and trainings
  • Processing registrations and payments
  • Sending newsletters, updates, announcements, and operational communications
  • Responding to inquiries and scheduling meetings
  • Recruiting personnel and evaluating applicants
  • Improving business operations, communications, and service delivery

Marketing Communications and Opt-Outs

Post Captain may send newsletters, event announcements, service updates, and other business communications to individuals who have opted in to receive such communications or who otherwise maintain an existing business relationship with the company where permitted by applicable law.

Recipients may opt out of marketing communications at any time through unsubscribe links or by contacting Post Captain directly.

Transactional or operational communications related to services, registrations, projects, or active business relationships may still be sent where appropriate.

Cookies and Analytics

Post Captain may use cookies, analytics tools, and related technologies to understand website usage, improve user experience, support communications tracking, and analyze operational engagement.

These technologies may include:

  • Google Analytics
  • Slate Ping and related CRM engagement tracking tools

Individuals may manage cookie preferences through browser settings or applicable opt-out tools where available.

Data Retention for Operational Records

Post Captain may retain operational business records, communications history, recruiting materials, event participation records, and client relationship information as reasonably necessary for legitimate business, legal, contractual, archival, or operational purposes.

Where applicable, individuals may request deletion or correction of personal information, subject to operational, legal, contractual, security, or recordkeeping obligations.

Financial, contractual, and compliance-related records may be retained in accordance with applicable legal and business requirements.

AI Usage and Operational Safeguards

Post Captain may use approved AI-enabled tools to support internal business operations, communications drafting, meeting summarization, analytics, and operational efficiency.

Post Captain personnel are expected to:

  • Avoid entering sensitive personal information or confidential institutional data into public or consumer AI systems
  • Use commercially reasonable safeguards, including approved private workspaces, anonymization practices, and internal usage guidance
  • Review AI-generated outputs for accuracy, appropriateness, and confidentiality prior to use

Post Captain does not sell or use personal information for AI model training purposes beyond the authorized functionality of approved business tools and service providers.

Part III – General Privacy Administration

Privacy Complaints and Questions

Questions or concerns regarding privacy practices or data handling may be directed to Post-Captain Consulting, LLC through official company contact channels.

Post Captain will review privacy-related concerns in good faith and respond appropriately based on the nature of the request and applicable obligations.

Commitment to Responsible Data Practices

Post Captain is committed to maintaining reasonable administrative, technical, and operational safeguards appropriate to the nature of the information handled by the company. Privacy, confidentiality, and responsible data stewardship are expected components of Post Captain’s consulting, operational, and business practices.

Enforcement

Violations of this policy may result in disciplinary action, removal of system access, termination of contractual relationships, or other appropriate corrective measures.

Post Captain reserves the right to update this policy periodically to reflect operational, legal, or regulatory changes.