You agree to the privacy policy below, and the Privacy Policy for Substack, the technology provider.

Privacy Policy

AI Governance for HR
Effective date: 2-1-2026

This Privacy Policy explains how AI Governance for HR (“we,” “us,” “our”) collects and uses personal data in connection with our newsletter, The HR + AI Governance Weekly Brief, and the CoLab community (together, the “Services”). It is intended to complement, not replace, Substack Inc.’s Privacy Policy, which also applies when you use our publication on Substack.

If you do not agree with this Policy, please do not use the Services.

1. Data controller

For the purposes of applicable data protection laws, including the EU and UK General Data Protection Regulation (GDPR), the data controller for personal data we process in connection with our own activities as a creator is:

AI Governance for HR / The Inclusion Learning Lab
Attn: Privacy
P O Box 211835
West Palm Beach, FL 33421
Email: theoversightdesk@aigovernanceforhr.com

Substack Inc. is a separate, independent data controller for personal data it processes when you use its platform; please refer to Substack’s Privacy Policy for details.

2. Personal data we collect

We may collect and process the following categories of personal data:

· Contact details: name, email address, organization, role/title.

· Subscription and account information: subscription status, CoLab membership tier, preferences for topics and formats, communication preferences.

· Payment-related information: limited billing details (e.g., membership tier, payment status) as provided via Substack or our payment processor; we do not directly store your full card details.

· Usage data: information about how you interact with our emails and content (opens, clicks, downloads), CoLab session attendance, and participation in events or surveys.

· Technical data: IP address, device and browser type, time zone, and other technical identifiers as made available to us by Substack or our analytics tools.

· User-generated content: comments, questions, poll responses, feedback, or materials you choose to share in the CoLab or via email.

We generally obtain this information when you subscribe, join the CoLab, interact with our emails, or engage with us through Substack or our own channels.

3. How we use personal data and legal bases (GDPR)

We process personal data for the following purposes and legal bases:

1. Newsletter delivery and account management

o To create and manage your subscription and send you the newsletter and related communications you request.

o Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

2. CoLab access and member services

o To provide access to the CoLab, including member communications, learning experiences, events, and resources.

o Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

3. Service improvement, analytics, and personalization

o To understand what content is most valuable, improve our offerings, and personalize topics, formats, and timing.

o Legal basis: legitimate interests (Art. 6(1)(f) GDPR) in operating and improving our business, balanced against your privacy rights.

4. Marketing and community updates

o To send information about new programs, events, or offerings related to AI governance, HR leadership, and the CoLab, where permitted.

o Legal basis:

§ Consent (Art. 6(1)(a) GDPR) where required, especially for EU/UK subscribers;

§ Legitimate interests (Art. 6(1)(f) GDPR) for existing customer relationships, where local law allows.

o You can opt out at any time via the unsubscribe link or by contacting us.

5. Legal, compliance, and enforcement

o To comply with legal obligations, respond to lawful requests, and enforce our Terms of Service.

o Legal bases: legal obligation (Art. 6(1)(c) GDPR) and legitimate interests (Art. 6(1)(f) GDPR).

We do not use your personal data for automated decision-making that produces legal or similarly significant effects within the meaning of GDPR Article 22.

4. Cookies and tracking technologies

Substack, and any third-party tools it integrates, may use cookies and similar technologies on our publication for authentication, analytics, performance, and personalization. Cookie use on our Substack publication is primarily controlled by Substack; please refer to Substack’s cookie disclosures and your browser settings to manage preferences.

Where required by law (for example, in certain EU countries), we will rely on your consent for the use of non-essential cookies and similar technologies.

5. How we share personal data

We may share personal data only as necessary and subject to appropriate safeguards:

· With Substack: when you subscribe or interact with our publication, Substack processes your data under its own Privacy Policy as an independent controller.

· Service providers: such as email delivery tools, analytics providers, payment processors, event platforms, and document storage systems, who act as processors on our behalf under data protection agreements.

· Professional advisors: such as lawyers, accountants, or compliance consultants, where necessary to protect our legal rights.

· Legal and regulatory authorities: where we are required to do so by law or in connection with legal claims.

· Business transfers: if we reorganize, merge, sell, or transfer some or all of our business, personal data may be transferred as part of that transaction, subject to applicable laws.

We do not sell your personal data.

6. International transfers

We are based in the United States and may process personal data in the US and other countries where our service providers operate. For data subjects in the EU/EEA or UK, this means your personal data may be transferred outside your jurisdiction.

Where required by GDPR, we will ensure that appropriate safeguards are in place for such transfers, for example:[2][1]

· Adequacy decisions by the European Commission or UK authorities;

· Standard Contractual Clauses (SCCs) approved by the European Commission or UK IDTA/Addendum;

· Other lawful transfer mechanisms recognized under applicable data protection laws.

You may contact us for more information about the safeguards we use for international transfers.

7. Data retention

We retain personal data only for as long as reasonably necessary to fulfill the purposes described in this Policy, including:

· Active subscription or membership period;

· Periods necessary to maintain records for legal, tax, and accounting purposes;

· Reasonable time to analyze and improve our offerings after interactions.

We will delete or anonymize personal data when it is no longer required for these purposes, unless we are legally required or permitted to retain it longer.

8. Your rights (EU/UK and other applicable jurisdictions)

Depending on your location and applicable law, you may have the following rights regarding your personal data:

· Right of access: to obtain confirmation whether we process your personal data and, if so, to receive a copy.

· Right to rectification: to have inaccurate or incomplete data corrected.

· Right to erasure: to request deletion of your personal data, in certain circumstances.

· Right to restriction: to request that we restrict processing in certain circumstances.

· Right to data portability: to receive certain data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible.

· Right to object:

o to processing based on our legitimate interests;

o to direct marketing at any time.

· Right to withdraw consent: where processing is based on consent, you may withdraw it at any time, without affecting prior lawful processing.

To exercise any of these rights, please contact us at theoversightdesk@aigovernanceforhr.com and clearly describe your request and the email address associated with your subscription or account.

You also have the right to lodge a complaint with your local data protection authority if you believe your data protection rights have been violated. Contact details for EU/EEA data protection authorities are available via the European Data Protection Board website.

9. Security

We use reasonable technical and organizational measures designed to protect personal data from loss, misuse, unauthorized access, disclosure, alteration, or destruction. However, no system can be guaranteed 100% secure, and you are responsible for maintaining the confidentiality of any passwords or access credentials associated with your accounts.

10. Children’s privacy

Our Services are intended for professionals and are not directed to children under 18. We do not knowingly collect personal data from children under 18. If we become aware that we have collected such data, we will take steps to delete it.

11. Third-party links and content

Our content may include links to external websites, platforms, or resources. We are not responsible for the privacy practices or content of third-party sites. We encourage you to review their privacy policies before providing any personal data.

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or services. We will indicate the latest “Effective date” at the top of this Policy and may provide additional notice (for example, by email or through the Services) for material changes.

Your continued use of the Services after an updated Policy becomes effective constitutes your acceptance of the revised Policy.

13. Contact us

If you have questions or concerns about this Privacy Policy or our data practices, or if you wish to exercise your rights, please contact:

AI Governance for HR / The Inclusion Learning Lab
Attn: Privacy
P O Box 211835
West Palm Beach, FL 33421
Email: theoversightdesk@aigovernanceforhr.com