Privacy Policy
Effective Date: April 16, 2026
1. Introduction
The Mitchell Group, LLC ("we," "us," or "our") operates the Future Work Academy platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. By using the Service, you acknowledge that you have read and understood this policy.
This policy applies to all users of the Service, including students, instructors, and administrators. If you are using the Service on behalf of an educational institution, your institution's agreement with us (including any Data Processing Agreement) also governs the handling of your data.
2. Information We Collect
Personal Information
We may collect the following personal information:
- Name and email address (provided during account creation via your identity provider)
- Educational institution and role (student, instructor, administrator)
- Profile information you choose to provide
- Phone number (optional, for SMS notifications; not collected in Privacy Mode)
Usage Information
We automatically collect certain information when you use the Service:
- Simulation decisions and written responses
- Performance scores and analytics
- Activity logs and timestamps (behavioral signals capture engagement metadata such as time-on-task and paste event counts — not the content of what was typed or pasted)
- Device and browser information
- IP addresses (logged for security monitoring and rate-limiting purposes)
- User agent strings (logged to identify browser type and operating system for compatibility and security analysis)
Privacy Mode — Anonymous Enrollment
When an instructor enables Privacy Mode for their organization, student enrollment requires no personally identifiable information. Students are identified only by system-generated pseudonymous identifiers (e.g., Student_abc12345). No real names, school email addresses, phone numbers, or student ID numbers are collected or stored in the platform. Instructors maintain an offline mapping between pseudonyms and real student identities using their institution's own secure systems.
In Privacy Mode, SMS and email notifications are automatically disabled. AI grading systems receive only the text of a student's response — no identifier is included.
3. How We Use Your Information
We use the information we collect to:
- Provide and maintain the simulation platform
- Evaluate and score simulation responses using AI-powered grading
- Generate performance analytics and leaderboards
- Send notifications about simulation progress and deadlines
- Communicate with instructors about student participation
- Improve and optimize the Service
- Monitor for security incidents and abuse
- Comply with legal obligations and institutional agreements
We do not use your personal information for behavioral advertising, and we do not sell your personal information to any third party.
4. AI-Powered Evaluation
Our Service uses third-party artificial intelligence (AI) to evaluate student written responses. We take the following steps to protect student privacy in this process:
- No PII transmitted: Student names, email addresses, student IDs, and all other identifying information are stripped before any content is sent to an AI provider. The AI receives only the text of the student's response and the simulation context (scenario description, rubric criteria).
- No model training: Under our agreements with AI providers, student submissions are not used to train or improve AI models.
- Transparent rubric: Evaluation is based on a published 4-criteria rubric (Evidence Quality, Reasoning Coherence, Trade-off Analysis, and Stakeholder Consideration). The rubric is visible to students before, during, and after submission.
- Instructor override: Instructors can review and adjust any AI-generated score. The AI system is an evaluation assistant, not a replacement for instructor judgment.
- Current AI provider: OpenAI (GPT-4o-mini via API). This may change as we evaluate and adopt improved services; we will update this policy accordingly.
Full AI transparency documentation — including exact system prompts, model configurations, and data handling policies — is available for institutional review upon request. Contact privacy@futureworkacademy.com.
5. Information Sharing
We may share your information with:
- Instructors: Your instructor can view your simulation performance, decisions, and scores for their assigned class only
- Team Members: If you are part of a team, teammates may see shared team performance data
- Service Providers: Third-party services that help us operate the platform (e.g., email delivery, SMS notifications, AI grading) — all bound by appropriate data processing agreements
- Institutional Partners: If your institution has executed a Data Processing Agreement with us, data may be disclosed to authorized institutional representatives under the terms of that agreement
- Legal Requirements: When required by law, court order, or to protect our rights, the safety of users, or the public
We do not sell your personal information to third parties.
Third-Party Service Providers
| Provider | Purpose | Data Shared |
|---|---|---|
| OpenAI | AI essay evaluation and advisor guidance | Anonymized response text only — no PII |
| SendGrid | Transactional email notifications | Email address and name (standard mode only; disabled in Privacy Mode) |
| Twilio | SMS notifications | Phone number (standard mode only; disabled in Privacy Mode) |
| Replit | Cloud hosting, authentication, object storage | All application data (SOC 2 compliant infrastructure) |
| Google Gemini | Akme AI assistant (chat guidance) | Anonymized prompt context only — no PII |
| Google Analytics 4 | Anonymous usage statistics (only with your consent) | Anonymized page views and interaction data; disabled in Privacy Mode |
| Capsule CRM | Institutional sales and relationship management | Instructor name, work email, institution, and contact history — no student data |
CRM and student data: Our CRM system (Capsule) is used exclusively for managing relationships with instructors and institutional contacts — for example, tracking outreach, demo requests, and account renewals. Student data — including simulation responses, performance scores, pseudonymous identifiers, and any other data generated through platform use — is never shared with or stored in the CRM. The separation between commercial relationship data and student platform data is enforced at the system level.
6. Data Security
We implement the following technical and organizational security measures to protect your personal information:
- Encryption at rest: All database records and stored files are encrypted using AES-256.
- Encryption in transit: All data transmitted between your browser and our servers uses TLS 1.3. HTTPS is enforced site-wide via HTTP Strict Transport Security (HSTS).
- Authentication: We use OpenID Connect (OIDC) — a federated identity standard. We do not store passwords. Multi-factor authentication is supported through your identity provider.
- Role-based access control: Students can access only their own data. Instructors can access only their own organization's data. Strict role enforcement is applied to every API endpoint.
- Security headers: All responses include Content-Security-Policy, X-Frame-Options (DENY), X-Content-Type-Options, Strict-Transport-Security, and Referrer-Policy headers.
- Rate limiting: API endpoints are protected with tiered rate limits (100 requests/minute globally; 20 requests/minute for authentication endpoints) to prevent brute-force and abuse.
- Input validation: All user inputs are validated and sanitized. Parameterized queries are used to prevent SQL injection. React's auto-escaping prevents cross-site scripting (XSS).
- Audit logging: Security-relevant events (authentication, data access, admin actions, data modification) are logged with timestamps and user identifiers and retained for two years.
- Secret rotation: API keys and credentials are rotated quarterly.
- Backups: Database backups are continuous (point-in-time recovery) with 30-day retention.
No method of transmission over the Internet or electronic storage is 100% secure. While we employ industry-standard protections, we cannot guarantee absolute security.
7. FERPA and Educational Records
FERPA (the Family Educational Rights and Privacy Act) is a federal law that protects the privacy of student education records. As a service provider to educational institutions, we support your institution's FERPA compliance obligations through the following measures:
- Access controls: Student data is accessible only to the assigned instructor and platform administrators. No data is disclosed to third parties without authorization.
- Student right to inspect: Students can view all of their submitted decisions and scores through the platform dashboard at any time.
- Data correction: Students or institutions may request correction of inaccurate records. We respond to correction requests within 5 business days.
- Audit trail: All access to student education records is logged with timestamps, user identifiers, and the resource accessed.
- Data Processing Agreements: We execute Data Processing Agreements (DPAs) with institutional partners that contractually bind us to institutional data handling requirements.
- Privacy Mode: For maximum FERPA risk reduction, instructors may enable Privacy Mode, which eliminates the collection of student PII entirely. When Privacy Mode is active, no "education records" containing personal identifiers are stored in the platform.
FERPA compliance is a shared responsibility between the institution and service providers. Contact compliance@futureworkacademy.com to request a Data Processing Agreement or discuss FERPA-specific requirements.
8. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. The following table summarizes our retention periods:
| Data Category | Retention Period | Purpose |
|---|---|---|
| Account profile data | Account lifetime + 90 days post-deletion | Service delivery |
| Simulation decisions & written responses | Duration of course enrollment + 1 year | Academic records & grading |
| Performance scores & analytics | Duration of course enrollment + 1 year | Instructor reporting & leaderboards |
| Security audit logs (authentication, data access, admin actions) | 2 years | Security monitoring, incident response, compliance audit |
| Operational activity logs (IP address, user agent) | 90 days | Security troubleshooting & rate-limit enforcement |
| Cookie consent preferences | 13 months | Regulatory compliance |
| Deletion request records | 3 years after fulfillment | Legal compliance & audit trail |
| De-identified / aggregated research data | Indefinite | Platform improvement & academic research |
You may request deletion of your account and associated personal data at any time through your profile settings or by contacting us. Personal data will be removed or de-identified within the retention periods listed above. Note that de-identified, aggregated data that cannot be linked to you may be retained after deletion.
9. Your Rights Under GDPR (European Economic Area)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and equivalent local laws provide you with specific rights regarding your personal data.
Lawful Basis for Processing
We process your personal data under the following lawful bases:
- Legitimate Interest: Providing and improving educational simulation services, performance analytics, security monitoring, and fraud prevention
- Consent: Analytics cookies (Google Analytics) and optional marketing communications. You may withdraw consent at any time through the cookie consent banner or by contacting us.
- Contractual Necessity: Processing required to deliver the simulation platform to enrolled students and institutions
- Legal Obligation: Where we are required to retain or disclose data under applicable law
Data Subject Rights
Under the GDPR, you have the right to:
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete personal data
- Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data, subject to legal retention requirements
- Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV)
- Right to Restriction of Processing: Request that we limit how we use your data in certain circumstances
- Right to Object: Object to processing based on legitimate interest, including profiling
- Right to Withdraw Consent: Withdraw previously given consent at any time without affecting the lawfulness of prior processing
You can exercise your right to access and data portability through the "Export My Data" feature on your profile page. For erasure requests, use the "Request Account Deletion" feature or contact us at privacy@futureworkacademy.com. Please include "GDPR Request" in your subject line.
International Data Transfers
The Service is hosted in the United States. If you access the Service from the EEA, UK, or Switzerland, your personal data will be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission to provide adequate safeguards for such transfers. Copies of our SCCs are available upon request.
Right to Lodge a Complaint
If you believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu.
Other Jurisdictions
For users located in jurisdictions not specifically addressed in this policy — including but not limited to Canada, Brazil, Australia, and other regions with data protection legislation — we extend GDPR-equivalent rights as our baseline standard. This means that regardless of your location, you may request access to, correction of, portability of, or deletion of your personal data, and we will honor those requests to the fullest extent practicable under applicable law. To exercise these rights, contact us at privacy@futureworkacademy.com.
Note for Canadian users (Quebec Law 25): We acknowledge that users in Quebec are protected under Loi 25 (Act respecting the protection of personal information in the private sector). Our existing AI transparency documentation — including our published evaluation rubric, our no-PII transmission policy for AI providers, and our instructor override controls — satisfies the substantive intent of the privacy impact assessment (PIA) requirements under Law 25. This documentation is available for institutional review upon request at privacy@futureworkacademy.com.
10. Your Rights Under CCPA (California)
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information.
Your CCPA Rights
- Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collecting the information, and the categories of third parties with whom we share it.
- Right to Delete: You have the right to request the deletion of personal information we have collected from you, subject to certain exceptions (e.g., legal obligations, completing a transaction).
- Right to Opt-Out of Sale: We do not sell your personal information. If this practice changes in the future, we will provide a "Do Not Sell My Personal Information" link and update this policy.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights. You will not receive different pricing, quality, or levels of service for exercising your rights.
How to Submit a Request
You may exercise your CCPA rights by using the self-service data export and account deletion features on your profile page, or by contacting us at privacy@futureworkacademy.com. Please include "CCPA Request" in your subject line. We will verify your identity before fulfilling any request and respond within 45 days.
Categories of Information Collected
In the preceding 12 months, we have collected the following categories of personal information:
- Identifiers (name, email address, IP address)
- Internet or electronic network activity (platform interaction data, user agent)
- Education information (institution, course enrollment, simulation performance)
- Professional information (role, department)
11. Cookies and Tracking Technologies
We use cookies and similar technologies to enhance your experience, analyze usage, and remember your preferences. You can manage your cookie preferences through the cookie consent banner displayed when you first visit the Service.
Types of Cookies We Use
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| Session cookie | Essential | Authentication and session management | 24 hours (sliding expiration) |
| sidebar:state | Essential | Remembers sidebar collapsed/expanded preference | Persistent (localStorage) |
| theme | Essential | Stores light/dark mode preference | Persistent (localStorage) |
| fwa-cookie-consent | Essential | Records your cookie consent choice | 13 months (localStorage) |
| _ga, _ga_* | Analytics | Google Analytics 4 — anonymous usage statistics and page views | Up to 2 years |
Managing Cookies
When you first visit the Service, a cookie consent banner allows you to choose between "Accept All" cookies or "Essential Only." Selecting "Essential Only" disables analytics cookies (including Google Analytics 4 — the GA4 script is not loaded at all). You can change your preference at any time by clearing your browser's local storage and revisiting the site.
12. Children's Privacy
The Service is designed for students enrolled in educational programs at the secondary (high school) level and above, as well as professionals participating in workforce or executive development programs. We do not knowingly collect personal information from children under 13 years of age. If you believe we have collected information from a child under 13, please contact us immediately at doug@futureworkacademy.com.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify affected users via email (where an email address is on file) and by posting a prominent notice on the Service before the changes take effect. Minor, non-material clarifications will be noted by updating the "Effective Date" at the top of this page. We encourage you to review this policy periodically.
14. Contact Us
If you have questions about this Privacy Policy, our data practices, or wish to exercise any of your data rights described above, please contact us:
The Mitchell Group, LLC
2202 NW 140th St., Clive, IA 50325
General privacy inquiries: privacy@futureworkacademy.com
Security incidents: security@futureworkacademy.com
Compliance and institutional agreements: compliance@futureworkacademy.com
Or use the contact form on our For Educators page.
For GDPR-related inquiries, please include "GDPR Request" in your subject line. For CCPA-related inquiries, please include "CCPA Request" in your subject line. We respond to all privacy requests within 30 days.