ActionAblist and A2RA Privacy Policy
Effective Date: June 18, 2026
Last Updated: June 18, 2026
ActionAblist respects the privacy and security of the individuals and organizations that visit our website, communicate with us, use the A2RA AI Regulatory Readiness Assessment, and purchase or receive ActionAblist products and services.
This Privacy Policy explains how ActionAblist collects, uses, stores, discloses, and protects personal information.
1. Who We Are
ActionAblist is a Virginia sole proprietorship operated by Dr. Marina Theodotou and based in Alexandria, Virginia, United States.
For most website, account, customer-service, payment, and direct-purchase activities, ActionAblist is the organization responsible for determining how and why personal information is processed.
When an employer, government agency, institution, company, or other organization provides access to A2RA and determines how assessment information will be collected and used, that organization may be the data controller or business responsible for the information, and ActionAblist may process certain information on its behalf. ActionAblist may remain independently responsible for account administration, security, payment, legal compliance, and service operations.
Questions or privacy requests may be submitted through the ActionAblist Contact page or to:
Privacy Contact: [insert privacy email address]
Mailing Address: [insert business mailing address, if one will be published]
2. Scope of This Policy
This Privacy Policy applies to:
The ActionAblist website;
The A2RA AI Regulatory Readiness Assessment;
Free A2RA summaries;
A2RA Premium Leadership Reports;
Customer accounts and assessment records;
Purchases and payment administration;
Contact forms, inquiries, and customer support;
Newsletters and professional communications;
ActionAblist workshops, advisory services, executive education, and related offerings; and
Other services that link to this Privacy Policy.
This Policy does not govern third-party websites or services that have their own privacy policies.
3. Information We Collect
The information collected depends on how you interact with ActionAblist and A2RA.
A. Contact and Identity Information
We may collect:
Name;
Professional title;
Organization or employer;
Department, unit, or function;
Email address;
Telephone number;
Country and jurisdiction;
Billing address; and
Other contact information you provide.
B. Account and Authentication Information
If A2RA provides user accounts or saved assessments, we may collect:
Account username or email;
Authentication and account-status information;
Login timestamps;
Password-reset information;
Account preferences; and
Records of assessments associated with the account.
Passwords should be stored through the applicable authentication provider in protected or encrypted form. ActionAblist does not need access to your readable password.
C. Organization and Professional Information
We may collect information about the organization being assessed, including:
Organization type and sector;
Country or jurisdiction of operation;
Organizational size or maturity;
AI governance roles and responsibilities;
Regulatory and policy environments;
AI use cases and deployment contexts;
Risk-management and oversight practices;
Organizational readiness capabilities;
Training, workforce, and leadership arrangements;
Technical, procurement, compliance, or operational processes; and
Other professional information submitted during the assessment.
D. Assessment Information
When you complete A2RA, we collect the responses and information you submit. This may include:
Responses to assessment questions;
Risk and readiness indicators;
Governance and compliance information;
Descriptions of AI systems or intended uses;
Organizational strengths, gaps, and vulnerabilities;
Notes or explanations entered by the user;
Assessment scores and classifications;
Risk × Readiness matrix placement;
Readiness radar-chart information;
Roadmaps and recommended actions;
Generated summaries and reports; and
Records concerning report delivery or access.
Some organizational assessment information may not identify a person. This Privacy Policy applies to the extent that the information identifies, relates to, or can reasonably be linked with an identifiable individual.
E. Transaction and Tax Information
When you make a purchase, we may collect:
Customer and organization name;
Billing address;
Purchase and transaction history;
Product purchased;
Amount paid;
Currency;
Payment status;
Refund or dispute information;
Tax location and customer classification;
VAT, sales-tax, or tax-exemption information; and
Limited payment details provided by the payment processor, such as payment method type and the final digits of a card.
Payments are processed through Stripe or another authorized payment provider. ActionAblist does not directly collect or store complete payment-card numbers or card security codes.
F. Communications
We may collect information when you:
Submit a contact form;
Request assistance;
Request a refund;
Correspond with ActionAblist;
Participate in a consultation, workshop, or event;
Respond to a survey;
Provide a testimonial or feedback; or
Subscribe to professional updates.
This may include the content of your communications and related records.
G. Website, Device, and Usage Information
When you visit the website or use A2RA, we and our service providers may automatically collect:
Internet Protocol address;
Browser and device type;
Operating system;
Approximate location derived from an IP address;
Referring and exit pages;
Date and time of access;
Pages and features used;
Session and diagnostic information;
Error and performance logs;
Cookie or similar-technology identifiers; and
Information used to detect fraud, misuse, or security incidents.
H. Information From Third Parties
We may receive information from:
Your employer or sponsoring organization;
Colleagues who invite you to use a service;
Payment and tax providers;
Authentication providers;
Website and analytics providers;
Event or course partners;
Publicly available professional sources; and
Other parties that are authorized to provide information to us.
4. Information You Must Not Submit
A2RA is not designed, authorized, or accredited to receive or process classified information, controlled government information, or highly sensitive operational data.
Do not submit:
Classified national security information;
Controlled Unclassified Information unless expressly authorized in writing;
ITAR-controlled or other export-controlled technical data;
Intelligence sources or methods;
Operational plans, vulnerabilities, or mission-sensitive information;
Procurement-sensitive or source-selection information;
Passwords, credentials, access tokens, or cryptographic keys;
Social Security numbers or equivalent government identifiers;
Financial-account credentials;
Protected health information;
Biometric data;
Precise personal location information;
Information concerning children;
Special-category or sensitive personal data that is not necessary for the assessment;
Trade secrets or third-party confidential information you are not authorized to disclose; or
Information whose submission would violate law, regulation, policy, security requirements, or contract.
You are responsible for sanitizing assessment information and confirming that you have authority to submit it.
5. How We Use Information
We may use information to:
Provide and administer the ActionAblist website and A2RA;
Create and manage user accounts;
Process assessment responses;
Calculate risk and readiness results;
Generate free summaries and Premium Leadership Reports;
Create visualizations, roadmaps, and recommended actions;
Deliver purchased products and services;
Process payments, refunds, and taxes;
Authenticate users and protect accounts;
Respond to inquiries and provide customer support;
Communicate about transactions or service changes;
Maintain, troubleshoot, and improve the website and assessment;
Test and validate scoring methodologies;
Develop new products, features, and services;
Conduct de-identified or aggregated analysis;
Prevent fraud, misuse, and security incidents;
Enforce our Terms of Use and other agreements;
Maintain business, financial, and compliance records;
Comply with legal and regulatory obligations;
Establish, exercise, or defend legal claims; and
Send professional updates or marketing communications where permitted.
6. Legal Bases for Processing
Where the European Union or United Kingdom data-protection laws apply, ActionAblist relies on one or more of the following legal bases:
Contract
We process information when necessary to:
Provide A2RA or another requested service;
Generate and deliver a purchased report;
Administer an account;
Process a transaction;
Provide customer support; or
Perform a contract with you or your organization.
Legitimate Interests
We may process information where reasonably necessary for legitimate business interests, including:
Operating and improving our services;
Maintaining security;
Preventing fraud and misuse;
Understanding service performance;
Communicating with existing professional contacts;
Managing business relationships;
Protecting intellectual property;
Maintaining records; and
Establishing or defending legal claims.
We consider the nature of the information, the context of collection, and the effect on individuals before relying on legitimate interests.
Consent
We may rely on consent for:
Optional marketing communications;
Non-essential cookies or analytics where consent is required;
Optional testimonials;
Certain uses of sensitive information, if expressly agreed; and
Other processing for which consent is the appropriate legal basis.
You may withdraw consent at any time. Withdrawal does not affect processing that lawfully occurred before withdrawal.
Legal Obligation
We may process information to comply with:
Tax and accounting obligations;
Court orders or lawful government requests;
Consumer-protection requirements;
Data-protection requirements;
Fraud-prevention obligations; and
Other applicable laws.
Legal Claims and Vital Interests
Where necessary, we may process information to protect an individual’s vital interests or to establish, exercise, or defend legal claims.
7. Automated and AI-Assisted Processing
A2RA uses structured scoring, automated logic, and may use artificial-intelligence-assisted technologies to analyze responses and generate findings, visualizations, summaries, and recommended actions.
These processes may:
Assign dimension-level scores;
Compare responses with risk or readiness thresholds;
Place an assessment on a Risk × Readiness matrix;
Identify potential strengths and vulnerabilities;
Generate a readiness roadmap;
Recommend a 90-day action plan; and
Produce an executive summary.
A2RA is a decision-support tool. It is not intended to make legally binding or similarly significant decisions about individuals. Assessment results should be independently reviewed by appropriately qualified organizational, legal, regulatory, technical, security, or policy personnel.
ActionAblist does not use identifiable A2RA assessment responses or reports to make employment, credit, insurance, housing, healthcare, or eligibility decisions about individuals.
ActionAblist does not authorize its service providers to use identifiable A2RA assessment content to train publicly available or general-purpose artificial-intelligence models.
8. De-Identified and Aggregated Information
We may create aggregated, statistical, or de-identified information that does not reasonably identify an individual or organization.
We may use such information to:
Improve A2RA;
Validate assessment methodology;
Identify general readiness patterns;
Conduct research;
Develop benchmarks;
Create anonymized insights; and
Inform ActionAblist products and services.
We will not attempt to re-identify information maintained as de-identified except as necessary to test whether the de-identification process is effective or as permitted by law.
9. How We Disclose Information
We may disclose personal information to the following categories of recipients.
A. Service Providers
We use providers that support:
Website hosting and content management;
Application development and hosting;
Database and cloud infrastructure;
Account authentication;
Payment processing;
Tax calculation;
Email and report delivery;
Customer support;
Analytics and performance monitoring;
Cybersecurity and fraud prevention;
Document generation; and
Artificial-intelligence-assisted functionality where enabled.
Core service providers may include Squarespace, Lovable, Stripe, and the hosting, database, authentication, and AI providers configured within the A2RA application.
These providers process information according to their contractual responsibilities and applicable privacy policies.
B. Your Organization
If you complete A2RA for or through an organization, we may provide assessment information, results, reports, account information, or usage records to authorized representatives of that organization.
Your organization may have its own privacy notice governing how it uses the information.
C. Professional Advisers
We may disclose information to attorneys, accountants, auditors, insurers, tax advisers, and other professional advisers when reasonably necessary.
D. Legal and Security Disclosures
We may disclose information when reasonably necessary to:
Comply with law, regulation, legal process, or lawful government requests;
Protect the rights, safety, or property of ActionAblist, our users, or others;
Investigate fraud, misuse, or security incidents;
Enforce agreements; or
Establish, exercise, or defend legal claims.
E. Business Transactions
Information may be disclosed as part of a merger, acquisition, reorganization, financing, sale of assets, or transfer of all or part of the ActionAblist business, subject to appropriate confidentiality and legal protections.
F. With Your Direction or Consent
We may disclose information when you direct us to do so or provide consent.
10. Sale, Sharing, and Targeted Advertising
ActionAblist does not sell A2RA assessment responses, reports, or customer personal information for monetary consideration.
ActionAblist does not use A2RA assessment content for third-party targeted advertising.
Where applicable law defines “sale,” “sharing,” or “targeted advertising” more broadly, you may exercise any applicable opt-out right by contacting ActionAblist.
We will update this Privacy Policy and provide any required choices before materially changing these practices.
11. Cookies and Similar Technologies
The ActionAblist website and A2RA may use cookies and similar technologies for:
Essential website and application functions;
Authentication and account security;
Session management;
Payment and checkout functionality;
User preferences;
Fraud prevention;
Performance measurement; and
Analytics.
Where required by law, non-essential cookies will be used only after appropriate consent.
You may manage available choices through the website cookie banner or your browser settings. Disabling essential cookies may prevent parts of the website or A2RA from functioning properly.
Additional information may be provided in a separate Cookie Notice.
12. Payment Processing
Payments are processed by Stripe or another authorized payment provider.
The payment provider may collect and process:
Payment-card details;
Billing information;
Transaction identifiers;
Device information;
Fraud-prevention information;
Tax information; and
Identity-verification information.
The payment provider processes certain information under its own privacy policy and legal responsibilities. ActionAblist generally receives transaction confirmation, limited payment-method information, customer details, tax information, and records needed to administer the purchase.
13. International Data Transfers
ActionAblist is based in the United States. Personal information submitted from the European Economic Area, United Kingdom, or other countries may be processed in the United States and in other countries where our service providers operate.
Where required, ActionAblist and its providers use recognized transfer mechanisms and safeguards, which may include:
An applicable adequacy decision;
Participation by an eligible provider in the EU–U.S. Data Privacy Framework or an applicable UK extension;
European Commission Standard Contractual Clauses;
The United Kingdom International Data Transfer Agreement;
The United Kingdom Addendum to the European Commission Standard Contractual Clauses; or
Another legally recognized transfer mechanism.
You may contact ActionAblist for additional information about applicable transfer safeguards.
14. Data Retention
ActionAblist retains personal information only for as long as reasonably necessary for the purposes described in this Policy, including contractual, operational, security, tax, accounting, and legal requirements.
Subject to legal obligations and organizational agreements, our intended retention periods are:
A2RA assessment responses and generated reports: generally three years after the assessment or last account activity;
Active account information: while the account remains active and for a reasonable period afterward;
Transaction, invoice, tax, and accounting records: generally seven years;
Customer-service and refund records: generally three years after resolution;
General inquiries and business correspondence: generally three years after the last substantive interaction;
Security, diagnostic, and application logs: generally up to twelve months, unless longer retention is needed to investigate an incident;
Marketing contact information: until you unsubscribe, withdraw consent, or the information is no longer reasonably required; and
Consent and suppression records: as long as needed to document preferences and ensure that an opt-out is respected.
We may retain information longer where required by law, contract, litigation hold, government request, security investigation, or the establishment or defense of legal claims.
We may retain de-identified information that no longer reasonably identifies an individual or organization.
15. Security
ActionAblist uses reasonable administrative, organizational, contractual, and technical safeguards designed to protect information against unauthorized access, loss, misuse, alteration, or disclosure.
Safeguards may include:
Access controls;
Authentication;
Role-based permissions;
Encryption provided by hosting and payment platforms;
Secure payment processing;
Service-provider due diligence;
Logging and monitoring;
Data minimization;
Backup and recovery measures; and
Procedures for responding to suspected security incidents.
No website, cloud service, transmission, or storage system can be guaranteed to be completely secure. You are responsible for maintaining the confidentiality of account credentials and for avoiding the submission of prohibited or unnecessary sensitive information.
16. Your Privacy Rights
Depending on your residence and applicable law, you may have the right to:
Confirm whether we process your personal information;
Request access to your personal information;
Obtain a copy of certain personal information;
Correct inaccurate information;
Request deletion;
Request restriction of processing;
Object to certain processing;
Request portability of information you provided;
Withdraw consent;
Opt out of certain targeted advertising, sales, sharing, or profiling;
Appeal the denial of an applicable U.S. state privacy request; and
Receive information about applicable international-transfer safeguards.
These rights are not absolute. Legal exemptions may apply, including where information must be retained for a transaction, legal obligation, security purpose, contractual claim, or the rights of another person.
Exercising Your Rights
Submit a request through the ActionAblist Contact page or email:
[insert privacy email address]
Please include:
Your name;
The email address associated with your interaction or account;
Your country or state of residence;
The right you wish to exercise; and
Information reasonably necessary to identify the relevant records.
We may take reasonable steps to verify your identity and authority before fulfilling a request. Authorized agents may submit requests where permitted by law, subject to verification of their authority.
We will respond within the period required by applicable law.
Appeals
Where applicable U.S. state law provides a right to appeal, you may appeal a denied request by contacting us with the subject line:
Privacy Request Appeal
We will review and respond to the appeal as required by applicable law.
17. European Economic Area and United Kingdom Rights
Individuals in the European Economic Area and United Kingdom may have rights of:
Access;
Rectification;
Erasure;
Restriction;
Data portability;
Objection;
Withdrawal of consent; and
Complaint to a data-protection supervisory authority.
You have the right to object at any time to processing based on legitimate interests, including profiling based on those interests, where your circumstances provide grounds for the objection.
You also have the right to object at any time to the use of your personal information for direct marketing.
You may submit a complaint to the data-protection authority in the country where you live, work, or believe a violation occurred. UK residents may submit complaints to the United Kingdom Information Commissioner’s Office.
European Union Representative
[Insert the name, postal address, and email of the appointed EU representative if required. Remove this section only if qualified counsel confirms that an Article 27 representative is not required.]
United Kingdom Representative
[Insert the name, postal address, and email of the appointed UK representative if required. Remove this section only if qualified counsel confirms that a UK representative is not required.]
18. U.S. State Privacy Disclosures
Residents of certain U.S. states may have privacy rights under applicable state law.
The categories of personal information we may collect are described in Section 3. The business purposes for collection and use are described in Section 5. The categories of recipients are described in Section 9.
ActionAblist does not discriminate against individuals for exercising an applicable privacy right.
ActionAblist does not knowingly sell or share the personal information of individuals under 18.
If ActionAblist becomes subject to additional state-specific notice obligations, this Policy may be supplemented with jurisdiction-specific disclosures.
19. Marketing Communications
You may unsubscribe from marketing emails by using the unsubscribe mechanism in the message or by contacting ActionAblist.
Even after opting out of marketing, you may continue to receive non-promotional communications concerning:
Purchases;
Reports;
Account administration;
Security;
Customer support;
Changes to the service; or
Legal notices.
20. Children
ActionAblist and A2RA are intended for professional and organizational users and are not directed to children under 18.
We do not knowingly collect personal information directly from children. If you believe that a child has provided personal information, contact us so that we can investigate and take appropriate action.
21. Third-Party Links and Services
The website or A2RA may contain links to third-party websites, platforms, or resources.
ActionAblist is not responsible for the privacy, security, or content practices of third parties. Review the applicable third party’s privacy policy before providing personal information.
22. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in:
Our services;
Technology;
Service providers;
Legal requirements;
Data practices; or
Business operations.
The updated version will be posted with a revised “Last Updated” date. Where required, we will provide additional notice or obtain consent before a material change takes effect.
23. Contact Us
Questions, complaints, and privacy requests may be submitted through:
ActionAblist
Alexandria, Virginia, United State
Contact: actioanblist@gmail.com