Privacy Policy

Last updated May 7, 2026

ISHIR INC.

Privacy Notice

AI Maturity Assessment Platform

assessment.ishir.ai

Effective Date: May 01, 2026
Last Updated: May 07, 2026
Version: 1.1
Controller: ISHIR INC., 2001 Ross Ave Suite #700-140, Dallas, TX 75201
Contact: legal@ishir.com | +1 (888) 994-7447
Jurisdiction Scope: Texas (TDPSA, CIPA), GDPR/UK GDPR, CCPA/CPRA, PIPEDA, India DPDPA

Privacy Notice

This Privacy Notice applies to the ISHIR AI Maturity Assessment platform operated by ISHIR INC. (“we,” “us,” or “our”) at https://assessment.ishir.ai (the “Assessment Platform”). It describes how we collect, use, store, share, and protect your personal information when you use the Assessment Platform, and explains the rights available to you under applicable law.

This Privacy Notice is separate from and supplements the ISHIR corporate Privacy Notice available at https://www.ishir.com/privacy-policy.htm, which governs our main website. Where both notices could apply, this Notice takes precedence for activities conducted through the Assessment Platform.

Questions or concerns? Contact us at legal@ishir.com or write to: ISHIR INC., 2001 Ross Ave Suite #700-140, Dallas, TX 75201.

1. What the Assessment Platform Does

The ISHIR AI Maturity Assessment is a B2B digital tool designed to help organizational leaders understand their company’s current AI maturity level. The platform:

Asks 40 structured multiple-choice questions across five domains: Data & AI Readiness, Cybersecurity & AI Policies, Strategy & Skills, Technical Audit & Gaps, and Services Fit;

Uses automated scoring and AI-assisted analysis to generate a personalized AI Maturity Profile for your organization;

Delivers a results summary, gap analysis, and tailored recommendations;

Offers optional follow-up outputs including a detailed Action Report and an executive presentation deck; and

Maintains user accounts that store assessment history and results for registered users.

2. What Information We Collect

2.1 Personal Information You Provide

When you register, complete the assessment, or request follow-up materials, we collect:

| Data Category | Examples | When Collected |
|---|---|---|
| Identity & Contact | First name, last name, business email address, phone number (optional) | Registration / results delivery |
| Professional Context | Job title, company name, industry, company size, geographic region | Registration form |
| Account Credentials | Email address, hashed password | Account creation (registered users) |
| Assessment Responses | Answers to 40 questions across 5 domains including AI policy status, cybersecurity practices, technology stack indicators, and strategic maturity | During assessment completion |
| Communication Preferences | Opt-in/opt-out choices for reports, follow-up, marketing emails | Registration and account settings |
| Request Data | Requests for Action Reports, decks, speaking engagements, or consultations | Post-assessment forms |

2.2 Organizational Data

Assessment responses describe your organization’s internal practices, policies, and capabilities rather than personal attributes. However, because you are providing this information in your professional capacity and it is associated with your identity and employer, we treat it with the same care as personal data. Organizational data includes:

Descriptions of your organization’s AI tool usage and governance policies;

Indicators of cybersecurity posture, known gaps, and policy maturity;

Information about your organization’s technology infrastructure and vendor relationships;

Strategic priorities, skill gaps, and readiness for AI adoption; and

Indicators of shadow AI usage or unmanaged AI risk within your organization.

How We Handle Organizational Data

We do not share identifiable organizational assessment data with third parties for commercial purposes other than to deliver your requested outputs (reports, decks) and to enable ISHIR's advisory and sales follow-up as described in Section 5. Aggregated, anonymized benchmarking data may be used as described in Section 4.

2.3 Automatically Collected Technical Data

When you use the Assessment Platform, we automatically collect standard technical information including:

IP address and approximate geolocation (country/region level);

Browser type, version, and operating system;

Device type and screen resolution;

Pages visited, session duration, and click-path within the platform;

Referring URL (how you arrived at the platform); and

Authentication events (login time, session tokens).

2.4 Cookies and Tracking Technologies

The Assessment Platform uses cookies and similar technologies for the following purposes:

| Cookie Type | Provider | Purpose |
|---|---|---|
| Strictly Necessary | ISHIR (first-party) | Session management, authentication, CSRF protection. Cannot be disabled. |
| Functional | ISHIR (first-party) | Remembering assessment progress, language/region preferences. |
| Analytics | Google Analytics 4 | Understanding platform usage, user flows, drop-off points. Anonymized where possible. |
| Marketing / Retargeting | HubSpot | Lead tracking, email campaign attribution, CRM sync. Subject to your consent or opt-out right. |

You can manage your cookie preferences at any time via the Cookie Settings link in the footer of this platform. Disabling analytics and marketing cookies will not prevent you from completing the assessment.

3. How We Use Your Information

| Purpose | Description | Legal Basis (GDPR / US State Law) |
|---|---|---|
| Deliver assessment results | Score your responses, generate your AI Maturity Profile, and display your results | Performance of contract / Legitimate interest |
| AI-assisted profiling and scoring | Use automated logic and AI models to analyze your 40 responses and produce a scored maturity level across 5 domains | Legitimate interest; see Section 6 re: your profiling rights |
| Deliver requested follow-up materials | Send your Action Report, executive deck, or connect you with an ISHIR expert on request | Performance of contract / Consent |
| ISHIR sales and advisory follow-up | Share your contact details and assessment summary with ISHIR's sales/advisory team to follow up on your results and potential engagement | Legitimate interest; opt-out available at any time |
| Platform analytics and improvement | Analyze usage patterns, completion rates, and user flows to improve the assessment experience | Legitimate interest |
| Benchmarking (anonymized) | Aggregate anonymized assessment data to produce industry-level AI maturity benchmarks. No individual or organization is identifiable in benchmarks. | Legitimate interest; data is fully anonymized before use |
| Marketing communications | Send you ISHIR insights, event invitations, and service information if you have opted in | Consent; withdraw at any time via unsubscribe link |
| Account management | Maintain your login credentials, assessment history, and saved results | Performance of contract |
| Security and fraud prevention | Detect and prevent unauthorized access, abuse, or manipulation of assessment results | Legitimate interest / Legal obligation |
| Legal compliance | Comply with applicable law, respond to legal process, defend or assert legal rights | Legal obligation |

Sales Follow-Up Transparency

Completing the assessment constitutes a genuine expression of interest in AI maturity as a business topic. ISHIR will use your contact information and assessment summary to follow up with relevant advisory resources and, where appropriate, to discuss ISHIR's services. This is a core purpose of the platform. You may opt out of sales contact at any time by emailing legal@ishir.com or using the unsubscribe link in any communication.

4. Legal Bases for Processing (EU/UK/Canada Users)

If you are located in the European Economic Area (EEA), United Kingdom, Switzerland, or Canada, the following legal bases apply to our processing activities:

| Legal Basis | Processing Activities Covered | GDPR Article |
|---|---|---|
| Contractual Necessity | Delivering assessment results, account management, requested follow-up outputs | Art. 6(1)(b) |
| Legitimate Interests | AI-assisted scoring, sales follow-up, platform analytics, security, benchmarking (anonymized). Our interests: providing a valuable free tool and identifying potential advisory clients. Your interests: not overridden — you are choosing to use a business tool for business purposes and may opt out. | Art. 6(1)(f) |
| Consent | Marketing emails, optional cookies (analytics, retargeting). Consent is freely given and withdrawable at any time without penalty. | Art. 6(1)(a) |
| Legal Obligation | Compliance with applicable law, cooperation with regulatory authorities, data breach notification | Art. 6(1)(c) |

If you are located in Canada, we rely on express consent for optional data uses and implied consent for delivering the assessment service you have requested. You may withdraw consent at any time.

5. When and With Whom We Share Your Information

5.1 ISHIR Internal Teams

Your contact information and assessment summary are shared with ISHIR’s sales and advisory teams for the purpose of providing follow-up resources and discussing potential advisory or implementation engagements. ISHIR personnel operate under confidentiality obligations and access controls.

5.2 Technology and Service Providers

We share data with vetted third-party service providers who process data on our behalf under written Data Processing Agreements. Categories include:

| Category | Example Vendors | Data Shared |
|---|---|---|
| CRM & Marketing Automation | HubSpot | Name, email, company, job title, assessment completion status |
| Cloud Infrastructure / Hosting | AWS, GCP & Supabase | All platform data stored in secure data centers |
| Analytics | Google Analytics 4 | Anonymized/pseudonymized usage data, session metrics |
| AI / LLM Services | Lovable AI, Claude AI | Assessment responses (anonymized or pseudonymized where feasible) |
| Email Delivery | AWS SES | Email address, name, report content for delivery |

🔍 Action Required — Vendor Inventory

Before publishing this notice, ISHIR must confirm all third-party vendors used by assessment.ishir.ai (hosting, AI scoring engine, email delivery, authentication) and verify that Data Processing Agreements (DPAs) are in place with each. Under GDPR Art. 28, processing by a sub-processor without a DPA is unlawful.

5.3 Business Transfers

If ISHIR undergoes a merger, acquisition, financing, or sale of all or a portion of its business, your data may be transferred as part of that transaction. We will notify you via email or prominent notice on the platform if your data becomes subject to a materially different privacy practice as a result.

5.4 Legal Disclosure

We may disclose your information when required by law, court order, or government authority, or when necessary to protect our legal rights, prevent fraud, or ensure user safety.

5.5 What We Do NOT Do

We do not sell your personal information to third parties.

We do not share identifiable organizational assessment data with third parties for advertising or data broker purposes.

We do not use assessment responses to train third-party AI models without your explicit consent.

We do not share your individual assessment results with your employer or any third party without your consent.

6. AI-Assisted Scoring and Automated Profiling

Your Rights Regarding Automated Processing

The Assessment Platform uses automated logic and AI assistance to process your 40 responses and produce an AI Maturity Score. Under GDPR Article 22 and applicable US state laws, you have the right to understand how this profiling works, to know what factors influence your score, and to request human review of your results.

How the Scoring Works

Your responses to the 40-question assessment are processed as follows:

Each response is assigned a weighted score based on the maturity level it indicates within its domain;

Scores across the five domains (Data & AI Readiness, Cybersecurity & AI Policies, Strategy & Skills, Technical Audit & Gaps, Services Fit) are aggregated into an overall AI Maturity Level;

Your maturity level is classified on a four-point scale: AI Shy → AI Curious → AI Enabled → AI Native;

AI-assisted analysis generates personalized insights, gap highlights, and tailored recommendations based on the pattern of your responses; and

Where you request an Action Report or executive deck, AI models assist in generating the narrative and recommendations in those documents.

Nature of the Decision

The assessment result is informational and advisory — it does not produce legal or similarly significant effects. It does not determine your eligibility for any service, employment, credit, or legal benefit. You are free to accept, reject, or supplement the results with your own judgment. A qualified ISHIR advisor reviews all Action Reports before delivery.

Your Profiling Rights

Regardless of jurisdiction, you may:

Request an explanation of how your specific score was calculated;

Correct any responses you believe were submitted in error and receive an updated score;

Request human review of your AI Maturity Profile by a qualified ISHIR advisor; and

Request deletion of your assessment data and any derived scores at any time.

To exercise any of these rights, email legal@ishir.com with the subject line “Assessment Data Request.”

7. International Data Transfers

ISHIR operates globally with teams in the United States (Dallas, TX), India (Noida), Estonia (EU), and Latin America. Data submitted through the Assessment Platform may be stored, processed, or accessed from these locations.

Transfers from the EEA and UK

Where personal data is transferred from the EEA or United Kingdom to countries not subject to an adequacy decision (including the United States and India), we rely on:

Standard Contractual Clauses (SCCs) approved by the European Commission under Decision 2021/914/EU for EEA-originating transfers; and

The UK International Data Transfer Agreement (IDTA) for transfers of UK personal data.

We supplement these mechanisms with appropriate technical safeguards including encryption in transit and at rest, and access controls limiting data to personnel with a need to know.

India (DPDPA)

For data processed at our Noida delivery center, we comply with applicable requirements of India’s Digital Personal Data Protection Act (DPDPA) 2023, including purpose limitation and data security obligations. We will update our practices as implementing rules under the DPDPA are finalized.

You may request a copy of the applicable transfer safeguards by contacting legal@ishir.com.

8. How Long We Keep Your Information

| Data Category | Retention Period | Rationale |
|---|---|---|
| Account credentials (active account) | Duration of account + 90 days post-deletion request | Account management; grace period for reactivation |
| Assessment responses and scores | 3 years from completion, or duration of account if longer | Allows trend comparisons across reassessments; client relationship management |
| Generated reports and decks | 3 years, or until you delete your account | Allows you to re-download prior outputs |
| Contact / lead data (non-account users) | 3 years from last interaction or last email open, whichever is later | Legitimate interest in maintaining business relationship |
| Marketing email engagement data | 3 years, deleted on unsubscribe | Campaign performance analytics; suppression list maintenance |
| Platform analytics / session logs | 13 months | Industry standard; Google Analytics default |
| Anonymized benchmark data | Indefinite (no personal data retained) | Anonymization removes personal data; aggregate data retained for industry benchmarks |
| Legal / compliance records | 7 years | Statutory obligations — Texas records law, tax, potential litigation |

When retention periods expire, data is securely deleted or anonymized. If deletion is temporarily impossible (e.g., data in backup archives), the data is isolated from further processing until deletion occurs.

9. How We Protect Your Information

We implement appropriate technical and organizational security measures including:

Encryption of data in transit using TLS 1.2 or higher;

Encryption of data at rest for stored assessment responses and account data;

Role-based access controls limiting data access to personnel with a legitimate business need;

Multi-factor authentication for ISHIR staff accessing the assessment platform backend;

Regular security testing and vulnerability assessments; and

Formal incident response procedures.

Despite these measures, no system is completely secure. You use the Assessment Platform at your own risk and should not submit information you consider highly sensitive (e.g., specific vendor vulnerabilities, system credentials, proprietary trade secrets) through assessment responses.

Data Security Incidents

In the event of a data security incident affecting your personal information, we will notify you in accordance with applicable law:

Texas residents: within 60 days of discovery (Tex. Bus. & Com. Code § 521.053); the Texas Attorney General will be notified if the breach affects 250 or more Texas residents;

EU/EEA residents: supervisory authority notification within 72 hours (GDPR Art. 33); individual notification without undue delay if there is high risk to your rights and freedoms (GDPR Art. 34);

UK residents: ICO notification within 72 hours (UK GDPR Art. 33); and

California residents: notification in the most expedient time possible (Cal. Civ. Code § 1798.82).

Notifications will be sent to the email address associated with your account or, where required, via substitute notice.

10. Your Privacy Rights

10.1 Rights Available to All Users

Regardless of where you are located, you may:

Access a copy of the personal information we hold about you;

Correct inaccurate or incomplete information;

Delete your account and associated personal data;

Withdraw consent for marketing communications at any time (via unsubscribe link or email to legal@ishir.com);

Request human review of any automated scoring or AI-generated output; and

Request a copy of your assessment responses and generated reports.

10.2 Additional Rights for EU/UK/Swiss/Canadian Users (GDPR)

If you are located in the EEA, UK, Switzerland, or Canada, you additionally have the right to:

Data portability — receive your data in a structured, machine-readable format;

Restrict processing in certain circumstances (e.g., while a correction request is pending);

Object to processing based on legitimate interests, including profiling for sales purposes;

Not be subject to solely automated decision-making that produces significant legal effects (note: our assessment results are advisory, not legally significant — see Section 6); and

Lodge a complaint with your national supervisory authority (EU Member State DPA, UK ICO, Swiss FDPIC, or Canadian OPC).

EU/UK users may also contact our designated EU/UK Representative at:

[EU Representative Name and Address — to be confirmed per GDPR Art. 27]

10.3 Additional Rights for US State Residents

If you are a resident of California, Texas, Colorado, Connecticut, Virginia, or another state with applicable privacy law, you additionally have the right to:

Opt out of the “sale” or “sharing” of your personal data for targeted advertising purposes;

Opt out of profiling in furtherance of decisions that produce legal or significant effects (note: our profiling is advisory only);

Non-discrimination for exercising any privacy right;

Obtain a list of categories of third parties to whom we have disclosed your personal data; and

Appeal a denied rights request to your state Attorney General.

Texas TDPSA opt-out requests will be honored within 15 business days. California CCPA/CPRA requests will be honored within 45 calendar days (extendable once by 45 additional days with notice).

10.4 How to Exercise Your Rights

Submit a data subject access request at: [Termly DSR portal link — confirm same portal as main site or create separate one for assessment.ishir.ai]

Or email: legal@ishir.com with the subject line “Assessment Privacy Request — [Your Name]”

We will verify your identity before processing requests. Verification may require confirming your email address or account credentials. We will respond within the timeframe required by applicable law.

11. Minors

The Assessment Platform is designed exclusively for business professionals and organizational decision-makers. We do not knowingly collect personal information from individuals under 18 years of age. By using the platform, you represent that you are at least 18 years old and are acting in your professional capacity on behalf of your organization. If we learn that data has been submitted by a minor, we will delete it promptly. Contact legal@ishir.com if you believe this has occurred.

12. Do-Not-Track and Global Privacy Control

Most web browsers include a Do-Not-Track (“DNT”) setting. Because no uniform standard for honoring DNT signals has been established, we do not currently respond to browser DNT signals on the Assessment Platform.

With respect to the Global Privacy Control (GPC) signal: California law (CPRA) recognizes GPC as a legally valid opt-out of the sale or sharing of personal data. We [do / do not] currently recognize and honor GPC signals on this platform. [If honoring: Activating GPC in a supported browser will automatically opt you out of analytics and retargeting cookies.] This section will be updated as applicable state law evolves.

13. Updates to This Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. The updated version will display a revised “Last Updated” date at the top of this notice. We will notify you of material changes by:

Sending an email to the address associated with your account (for registered users); and/or

Displaying a prominent notice on the Assessment Platform for a period of 30 days following the change.

We encourage you to review this notice periodically. Your continued use of the Assessment Platform following notice of material changes constitutes your acceptance of the updated terms.

14. How to Contact Us

For any questions, concerns, or requests regarding this Privacy Notice or the handling of your personal data on the Assessment Platform:

Privacy Contact: legal@ishir.com
Mail: ISHIR INC., Attn: Privacy — Assessment Platform, 2001 Ross Ave Suite #700-140, Dallas, TX 75201
Phone: +1 (888) 994-7447
EU/UK Representative: [To be appointed — see Section 10.2]
DPO (if applicable): [To be confirmed]
DSR Portal: [Termly or equivalent portal URL]
Corporate Privacy Notice: https://www.ishir.com/privacy-policy.htm

Anonymous session analytics

ISHIR collects anonymous session analytics — including a masked IP address (e.g. 192.168.xxx.xxx), country, region, browser, operating system, device type, language, timezone, and your assessment progress — to improve the assessment experience and platform performance.

We do not store raw IP addresses or GPS coordinates. No third-party advertising trackers are used.

© 2026 ISHIR. All rights reserved.