Privacy Policy
Effective date: 2026-04-01
1. Introduction
Rubber Duck Engineering ("we," "us," or "our") is committed to protecting the privacy and security of the information we collect, process, and store. This policy describes our practices regarding personal data and is intended to satisfy vendor assessment requirements, including the Higher Education Community Vendor Assessment Toolkit (HECVAT).
2. Scope
This policy applies to all personal data collected through our website (rubberducklabs.info), our consulting engagements, and any related communications.
3. Data We Collect
| Category | Examples | Basis |
|---|---|---|
| Contact information | Name, email address, phone number | Legitimate interest / consent |
| Business information | Company name, role, project details | Contract performance |
| Technical data | IP address, browser type, access logs | Legitimate interest |
| Engagement data | Code, documents, or system access shared during consulting | Contract performance |
We do not collect sensitive personal data (e.g., health, biometric, or financial information) unless explicitly required by an engagement and governed by a separate data processing agreement.
4. How We Use Your Data
- To deliver consulting services under contract
- To communicate about engagements and inquiries
- To maintain and improve the security of our website
- To comply with legal obligations
We do not sell, rent, or trade personal data to third parties. We do not use personal data for automated decision-making or profiling.
5. Data Sharing and Sub-processors
We may share data with the following categories of third parties, solely as needed to deliver our services:
- Cloud infrastructure providers — for website hosting and email (e.g., Cloudflare)
- Professional tools — project management and communication platforms used during engagements
- Legal and financial advisors — as required by law
All sub-processors are evaluated for adequate security and privacy practices. We maintain a list of sub-processors and will provide it upon request.
6. Data Retention
We retain personal data only as long as necessary to fulfill the purposes for which it was collected:
- Engagement data: deleted or returned within 30 days of engagement completion, unless otherwise agreed in writing
- Contact information: retained for the duration of the business relationship plus 12 months
- Technical/access logs: retained for up to 90 days
7. Data Security
We implement administrative, technical, and physical safeguards to protect personal data, including:
- Encryption in transit (TLS 1.2+) and at rest where applicable
- Access controls limited to authorized personnel on a need-to-know basis
- Multi-factor authentication on all internal systems
- Regular review of security practices and tooling
- Secure disposal of data at end of retention period
8. Incident Response
In the event of a data breach involving personal data, we will notify affected parties and relevant authorities within 72 hours of becoming aware of the breach, consistent with applicable regulations (e.g., GDPR Article 33, state breach notification laws).
9. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data
- Object to or restrict processing
- Request data portability
- Withdraw consent at any time (where consent is the legal basis)
To exercise any of these rights, contact us at the address below. We will respond within 30 days.
10. International Data Transfers
Our operations are based in the United States. If you are located outside the US, your data may be transferred to and processed in the US. We rely on appropriate safeguards such as contractual clauses to ensure adequate protection for international transfers.
11. Cookies and Tracking
This website does not use cookies for tracking or analytics. We do not use third-party analytics services. Server access logs are retained as described in Section 6.
12. Children's Privacy
Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children.
13. HECVAT Reference
This privacy policy is designed to support institutional vendor assessments. For HECVAT-specific responses or a completed HECVAT questionnaire, please contact us directly. Key points for assessors:
- We do not store student data (FERPA) unless explicitly scoped in a data processing agreement
- We support execution of BAAs where HIPAA-covered data is in scope
- We can provide evidence of security controls upon request under NDA
- We do not operate multi-tenant SaaS; engagements are isolated per client
- Data residency is US-based (Cloudflare infrastructure)
14. Changes to This Policy
We may update this policy from time to time. Material changes will be posted on this page with an updated effective date. We encourage you to review this page periodically.
15. Contact
For privacy-related inquiries, data subject requests, or to request HECVAT documentation:
Rubber Duck Engineering
Email: privacy@rubberducklabs.info
Web: rubberducklabs.info