Notice of Privacy Policy & Practices

• Home / Notice of Privacy Policy & Practices

Last Updated: November 24, 2025

Commitment to Privacy 

The Alliance for Innovative Regulation Institute, a District of Columbia non-profit corporation, (collectively, “AIR,” “we,” “us” or “our”) is committed to responsibly handling personal data¹ that we collect, use, disclose or otherwise process regarding individuals who access or use our services or our website located at https://regulationinnovation.org (the “Site”) or otherwise interact with us, including in connection with (including by applying to, registering for or otherwise participating in) any events we organize, co-sponsor or otherwise participate in, such as sprints, convenings and podcasts (such events, “Events” and such individuals, “you” or “your”). 

Our intention with this privacy policy (this “Privacy Policy”) is to provide you with clear, transparent and easily understandable information about how AIR uses and otherwise processes your personal data, and certain rights you may have relating to such use and other processing. By accessing or using our services or the Site, interacting with us (including in connection with the Events), or otherwise submitting personal data to us, you agree to be bound by all the terms and conditions of this Privacy Policy, and you hereby consent to our collection, use, disclosure and other processing of your personal data in accordance with this Privacy Policy. If you do not agree with this Privacy Policy, please do not access or use our services or the Site, interact with us, including in connection with the Events, or otherwise submit personal data to us. We reserve the right to change this Privacy Policy at any time, as circumstances or requirements change. All updates are effective immediately when we post them here, and they apply on a go-forward basis. For this reason, we encourage you to review this Privacy Policy whenever you visit the Site so you are aware of any updates, as they will be applicable to you and your personal data.

Collection of Personal Data 

The types of personal data collected by or on behalf of AIR about you varies based on AIR’s interactions with you (for example, whether you access or use the Site or participate in our Events).

Personal data collected by or on behalf of AIR about individuals accessing or using the Site is obtained directly from you or certain third parties. The personal data we collect about you in the course of your interaction and correspondence with us via the Site includes, for example, the following:

1. any personal data that you submit when you contact us using our contact details on the Site, such as your name or email address;
2. your IP address and other online identifiers/web beacons;
3. details of your online browsing activities on the Site, including, for example, the full Uniform Resource Locators (URL), clickstream to, through and from the Site (including, for example, date and time), services you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks and mouse-overs) and methods used to browse away from the page;
4. your browser type, language and version, relevant plug-ins, operating system and platform;
5. your location information; and/or
6. your time zone settings.

If you access or use our services other than the Site, including by participating in our Events, additional personal data collected by or on behalf of AIR about you is obtained directly from you or through the Site and generally comes from correspondence with you (including, for example, any registration forms and other written, telephone, videoconference or electronic contacts) regarding your access or use of our services or the Site or your interactions with us or with non-affiliated third parties. AIR also may collect or receive personal data about you from third parties such as AIR’s business partners (including our partners in organizing or co-sponsoring Events), service providers, vendors, and publicly available sources such as company websites and social media accounts. The personal data we collect about you in the course of your interactions and correspondence with AIR and its representatives includes, for example, the following:

1. basic personal details, including, for example, your name and address (and proof of name and address), email address, telephone number, any other contact details you may supply; 
2. details of any organization you may represent and your title within such organization; 
3. personal characteristics, including, for example, your signature and physical characteristics or description; 
4. photos, video and audio recordings of you during Events; 
5. opinions, statements or other personal data provided by you or about you during or in connection with Events, including, for example, dietary restrictions, food allergies or accessibility requirements; 
6. records of all communications, including, for example, recordings of your attendance (or your representative’s attendance) at certain Events or meetings/phone calls, and electronic communications with AIR staff and meeting notes; 
7. details of any complaints made by you with respect to your dealings with the relevant business partner, service provider or other third party;
8. details of your interactions with the relevant business partner in connection with the services we may provide to you in conjunction with such business partner; and
9. any information provided in the course of your interactions with AIR.

We do not expect to collect “sensitive” or “special” categories of personal data as defined under certain applicable laws,² but we may collect such personal data to the extent you submit such personal data to us. For example, of the above categories of personal data that we may collect about you, the following may be considered “sensitive” or “special” categories of personal data: dietary restrictions, food allergies, accessibility requirements and other personal data to the extent concerning your health or religious beliefs. This Privacy Policy, and the practices described herein, applies equally to our collection, use, disclosure and other processing of such “sensitive” or “special” categories of personal data, and by submitting such personal data to us, you hereby consent to our processing of such personal data in accordance with this Privacy Policy. 

We also collect certain personal data through automatic means when you access or use our services or the Site or otherwise interact with us, including the access and use of other platforms we provide related to the Events. Such personal data using these automatic means may include IP address of the device you use to connect to the Internet, hardware and software settings and configurations, time and date that you accessed or used the website or platform, browser type and language, and the website pages accessed.

We automatically collect basic technical information from all visitors to the Site. We collect this technical information during your visit to the Site through our automatic data collection tools, which may include cookies and other commonly used technologies (e.g. web beacons). Please see the section entitled “Cookies” below for a discussion of our use of cookies on the Site.

In order to help ensure that we collect and maintain accurate and current personal data, you should keep us informed if your personal data changes during your working relationship with us.

Use of Personal Data Collected 

AIR uses your personal data to operate its business and for the purposes for which it was provided, including as follows:

1. to provide services and information that you have requested or indicated interest in (including, for example, allowing you to register for, interact with and participate in Events and visit the Site); 
2. to contact you for fundraising and administrative purposes, such as troubleshooting, improving or personalizing our services; 
3. to send you promotional materials, such as our newsletter and information regarding Events; 
4. to determine your eligibility to participate in Events; 
5. to understand and analyze the demographics, usages trends and preferences of individuals who access or use our services or the Site, including by participating in the Events; 
6. to confirm your identity; 
7. to diversify and balance teams of participants in the Events; 
8. to detect and prevent misuse or abuse of our services, websites and platforms we provide, including the Site; 
9. to collect and process payments; 
10. to promote the Events;
11. to publish content in, or otherwise contribute content to, our or third-party blogs, social media, websites (including the Site), podcasts and other mediums; 
12. to generate leads for fundraising purposes and to conduct fundraising, including with personal data we may receive from or share with third parties; 
13. to fulfill our contractual obligations to other third parties to whom you have provided your personal data; 
14. to operate our IT systems, including the Site, and safeguard their security; 
15. for AIR’s internal business administration, record keeping, and security purposes; 
16. for legal and regulatory compliance purposes including, for example, as necessary to respond to governmental, regulatory or law enforcement agency requests or comply with requirements relating to anti-money laundering, politically exposed persons and sanctions checks; and/or 
17. to provide information, on a need-to-know basis, to future or potential purchasers or merger partners of all or a portion of AIR, or to provide information as may be necessary in connection with other corporate transactions, such as financings or restructurings.

From time to time, AIR will provide you with information on the services we provide and other activities we engage in, including our fundraising activities, content that we publish, or other Events sponsored by us. You have the right to ask us not to send you marketing messages by post, telephone or e-mail or any combination of these at any time; however you acknowledge that such information may be included in general update letters and while you may choose not to receive such updates, we are under no obligation to provide redacted versions of such letters or otherwise create separate reports on your behalf excluding such marketing information. You can also let us know at any time that you wish to change your mind and to start receiving such messages. You can do this by replying directly to the marketing message or at any time by contacting us. 

We may aggregate, anonymize or otherwise de-identify your personal data and use it for any purpose permitted by applicable laws and regulations, and we may use information that does not personally identify you for any purpose, except where we are required to do otherwise under applicable laws and regulations. We also may use your information for any other purposes disclosed to you at the time of collection, that you have previously authorized, or with respect to which you subsequently provide your consent. 

Consequences of Failing to Provide Personal Data 

Providing your personal data is voluntary. If you do not agree with our processing of your personal data as set forth in this Privacy Policy, you should not submit your personal data to us. However, where personal data is required to satisfy an obligation to comply with applicable laws or regulations or a contractual requirement or to participate in an Event, failure to provide such personal data may result in your inability to access or use our services or the Site (or certain components or functionalities thereof), including participation in the Events. Where there is suspicion of unlawful activity, failure to provide personal data may result in, to the extent permitted under applicable laws and regulations, the submission of a report to the relevant law enforcement agency or supervisory authority. Further, if you exercise your rights in such a manner to prevent us from processing your personal data, please note that we may not be able to perform some of the tasks we need in order to provide certain services to you, including allowing you to participate in Events or providing access to certain components or functionalities of the Site.

Disclosure of Personal Data 

We do not disclose any personal data about you except as detailed in this Privacy Policy. We disclose your personal data to the following categories of third parties:

1. vendors and service providers in order for them to provide us with certain services, including, for example: (i) legal counsel, (ii) accountants, (iii) audit firms, (iv) banks, (v) administrators, (vi) tax consultants, (vii) tax preparers, (viii) financial advisors, (ix) persons or entities that are assessing our compliance with industry standards, (x) vendors or service providers supporting our IT systems, including the Site, (xi) payment processors, (xii) Event organizers and (xiii) other contractors or consultants; 
2. third parties for purposes of complying with various reporting obligations, and for business, fundraising or marketing purposes, such as sharing Event registration data with our business partners (including our partners in organizing Events) and confirming your participation in Events; 
3. third parties, such as other individuals participating in Events, for purposes of facilitating, or otherwise in connection with, your participation in Events;
4. third parties who subscribe to or otherwise access our content published in, or otherwise contributed to, blogs, social media, websites (including the Site), podcasts and other mediums (to the extent your personal data is included therein);
5. law enforcement agencies and regulators, government agencies or departments or competent authorities of the U.S. or of other countries who request or require such information; 
6. any person or entity, including, for example, any governmental agency, regulatory authority (including, for example, the U.S. Securities and Exchange Commission) or self-regulatory organization having jurisdiction over us, if (i) we determine in our discretion that such disclosure is necessary or advisable pursuant to or in connection with any United States federal, state or local, or non U.S., law, rule, regulation, executive order or policy, including, for example, any anti-money laundering law, the USA PATRIOT Act of 2001 or any subpoena, court order or judicial process, and (ii) such disclosure is not otherwise prohibited by applicable law, rule, regulation, executive order or policy; 
7. future or potential purchasers or merger partners (i) for due diligence purposes on a need-to-know basis, (ii) as necessary for pre-closing integration planning, or (iii) in connection with the consummation of a sale or merger transaction; and/or 
8. current, future or potential lenders or other relevant persons as necessary in connection with other corporate transactions, such as financings or restructurings.

In addition, we may disclose personal data directly to law enforcement, regulators or competent authorities, or indirectly to our advisers or service providers who may make such filings or disclosures on our behalf, as follows: 

1. if we reasonably consider that such disclosure is necessary or advisable to help prevent or detect fraud or other crimes or to protect our rights, property or safety, or that of our business partners, Event participants or others; or 
2. if we are under a duty to disclose or share your personal data with tax authorities, who may transfer your personal data to the government or the tax authorities in another country where you may be subject to tax. 

We also may disclose your personal data to any other third party where you have provided consent to such disclosure.

Personal Data of Children 

We do not allow children under thirteen (13) years of age to access or use our services or the Site or otherwise interact with us, including in connection with the Events, and we do not knowingly collect or process personal data from persons under thirteen (13) years of age, and no part of our services are directed to persons under thirteen (13) years of age. If you are under thirteen (13) years of age, then please do not use or access our services or the Site, or otherwise interact with us, including in connection with the Events at any time or in any manner. If we learn that personal data has been collected through our services from persons under thirteen (13) years of age and without verifiable parental consent, then we will take steps to delete this personal data. If you are a parent or guardian and discover that your child under thirteen (13) years of age has provided us with personal data, please contact us as described herein to request that we delete the personal data from our systems.

Data Retention 

Personal data processed by us will be kept for at least as long as is required for the purpose for which it was collected and otherwise in order to meet our statutory, regulatory, or other obligations under applicable laws and regulations. Further details of our data retention policy are available by contacting us. When determining relevant retention periods, we take into account factors, including, for example, the following:

1. our contractual and business relationships with you; 
2. compliance obligations under applicable laws and regulations to retain personal data for a certain period of time; 
3. the amount, nature and sensitivity of your personal data; 
4. the potential risk of harm from unauthorized processing of your personal data; 
5. statutes of limitation under applicable laws; 
6. active or potential disputes; and 
7. guidelines issued by relevant supervisory authorities.

Data Security 

We acknowledge that the personal data you provide may be confidential, and we maintain policies and procedures designed to maintain the confidentiality of and protect your personal data in accordance with our normal procedures and applicable laws and regulations. 

Unfortunately, the storage and transmission of electronic information is not completely secure. Although we strive to protect your personal data, we cannot guarantee the security of information stored on our or our service providers’ servers or transmitted via email or through the Site; you transmit personal data to us at your own risk.

Cookies

What are Cookies?

Cookies are small, sometimes encrypted text files or pieces of information that may be stored on your computer (or other internet-enabled devices, such as a smartphone or tablet) when you visit a website. They are used to help users navigate websites efficiently as well as to provide information to the owner of the website. A cookie will usually contain the name of the website from which the cookie has come from, the “lifetime” of the cookie (i.e., how long it will remain on your device) and a value, which is usually a randomly generated unique number. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, please visit www.allaboutcookies.org.

How we use Cookies

When you visit the Site, we, through our service providers (including Google®), automatically generate and deploy a cookie or other online tracking device (e.g. web beacons). We use cookies in order to improve your experience on the Site by recognizing you when you visit the Site, such as by assigning a session ID, and to deliver content specific to your interests. The cookies we place may also collect information about your IP address, or click stream data within our Site (i.e. the actions taken in connection with the Site). This information helps us improve the functionality of the Site.

Two types of cookies may be used on the Site – “session cookies” and “persistent cookies.” Session cookies are temporary cookies that remain on your device until you leave the Site. A persistent cookie remains on your device for much longer or until you manually delete it (how long the cookie remains on your device will depend on the duration or “lifetime” of the specific cookie and your browser settings). The Site also uses “performance” and “analytical” cookies, which help us understand how visitors interact with our web properties by providing information about the areas visited, the time spent on the Site, and any issues encountered, such as error messages. They help us improve the performance of the Site, alert of any concerns and more.

Your choices with respect to Cookies

If you do not agree to our use of cookies, you should set your browser settings accordingly or not use the Site. Web browsers often allow you to erase existing cookies from your hard drive, block the use of cookies and/or be notified when cookies are encountered. If you elect to block cookies, please note that you may not be able to take full advantage of the features and functions of the Site. 

If you use different devices to view and access the Site (e.g., your computer, smartphone, tablet), you will need to ensure that each browser on each device is adjusted to suit your cookie preferences.

You can exercise your opt-out rights with respect to certain third-party cookies and other online tracking devices through such service provider’s site. For example, to opt out of Google’s® use of online tracking devices in connection with Google® Ads, you can visit Google’s® Ads Settings: https://www.google.com/settings/ads/plugin.

Do Not Track

Some web browsers and devices permit you to broadcast a preference that you not be “tracked” online. We do not modify your online experience based upon whether such a signal is broadcast.

Interactions with Third Parties; Social Media

In the course of your access or use of our services or the Site or your interactions with us, including your participation in Events, you may access or use services, websites or platforms provided by, or otherwise interact with, non-affiliated third parties, such as our service providers and our partners in organizing or co-sponsoring Events. AIR does not control or endorse the services, websites or platforms provided by such third parties, and you acknowledge and agree that AIR has not reviewed the content, quality or other materials that are included in such third-party services, websites or platforms and is not responsible or liable, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use thereof. You should be aware that the information handling practices of the third-party services, websites or platforms might not be the same as ours. Such third parties’ collection or other processing of personal data is governed by their respective privacy policies, and you should review any privacy policies of such third parties for further details on how such third parties collect or otherwise process personal data. Further, because the Site links to third party websites, other parties may collect your personal data about your online activities over time and across different websites when you visit the Site.

We may utilize social media platforms. Note that any content you make available through those platforms (such as name, pictures, opinions or any other personal data) is subject to the terms of use and privacy policies of those platforms. 

We may allow social share buttons on the Site that enable users to easily share information on social media platforms. If you click on these social share buttons, the nonaffiliated third parties that own these widgets may have access to information about your browsing on pages of the Site where these widgets are placed.

Additional Information for Individuals Whose Personal Data is Subject to the GDPR or the UK GDPR 

Residents of the European Economic Area (“EEA”) and the United Kingdom (“UK” and such residents of either, “EEA/UK Residents”) have certain rights with respect to their personal data³ pursuant to the General Data Protection Regulation (EU) 2016/679 (“GDPR”) or the UK General Data Protection Regulation (i.e., the GDPR as implemented into UK law, the “UK GDPR”), as applicable and as further described in this section. 

For the purposes of applicable data privacy legislation, AIR is a “controller” of EEA/UK Residents’ personal data. We may transfer, use, store and/or otherwise process your personal data outside of the EEA or the UK, primarily in the U.S. (and may do so in certain other countries), and the laws of the U.S. and certain other destination countries may not offer the same standard of protection for personal data as countries within the EEA or UK. EEA/UK Residents’ personal data also may be processed by staff operating outside the EEA or UK who work for us or for one of our vendors (for example, those who supply support services to us).

In cases of cross-border transfers to countries outside of the EEA or UK, as applicable, if your personal data will be processed in a country with laws that (i) if you are an EEA resident, may not be equivalent to, or as protective as, the laws of countries within the EEA or (ii) if you are a UK resident, establish a data protection standard that is materially lower than that established by the laws of the UK, in either case of (i) or (ii), AIR will take appropriate steps, in accordance with applicable laws and regulations, to require or maintain an adequate level of protection and security for your personal data. For additional information regarding such steps, please contact us using the details set forth at the end of this Privacy Policy.

A. Our bases for collecting and using personal data 

We are entitled to use your personal data in the ways set out in this Privacy Policy on the following bases:

1. the use of personal data is necessary for the performance of a contract with you for provision of our products and/or services or to take steps at your request prior to entering into such a contract; 
2. we have legal obligations that we are required to discharge; 
3. the use of your personal data is necessary for our legitimate interests; 
4. you have consented to such use; and/or 
5. to establish, exercise or defend our legal rights for the purposes of legal proceedings.

If we require your consent to process your personal data and you choose to provide your consent with respect to certain processing of your personal data, you can withdraw such consent at any time by contacting us.

B. Your rights in connection with personal data 

Under certain circumstances, by law you have the right to:

1. request access to your personal data;
2. request correction of the personal data that we hold about you;
3. object to processing of your personal data where we are relying on a legitimate interest (or that of a third party);
4. request erasure of your personal data;
5. request the restriction of processing of your personal data; and/or
6. request the transfer of your personal data to another party in a machine-readable, commonly used and structured format.

If you want to exercise any of these rights, please contact us using the details set forth at the end of this Privacy Policy. The various rights are not absolute and each is subject to certain exceptions or qualifications. For example, if you wish to withdraw your consent or object to processing, we may need to discuss with you whether our use of your personal data needs to continue for other lawful purposes, such as fulfilment of a legal or contractual requirement. 

We will respond to your request within one month of receipt of your request. In some cases, we may not be able to fulfil your request to exercise the right before this date and may need to request more time. Where we cannot provide a full response to you for any reason, we will let you know about this in our initial reply to your request. 

C. Your duty to inform us of changes 

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your working relationship with us. 

D. Fees 

You will not have to pay a fee to access your personal data (or to exercise any of the other above-listed rights). In some cases, we may charge a reasonable fee if your request for access is clearly unfounded or excessive, or if you request multiple copies of the relevant information. Alternatively, we may refuse to comply with the request in such circumstances. 

E. What we may need from you 

To access your personal data (or to exercise any of the other above-listed rights), we may need to request specific information from you to help us confirm your identity and ensure your right to access the personal data (or to exercise any of your other above-listed rights). This is another appropriate security measure designed to ensure that personal data is not disclosed to any person who is not entitled to receive it. 

F. Right to complain 

If you wish to request further information about any of the above-listed rights, or if you are unhappy with how we have handled your personal data, please contact us using the details set forth at the end of this Privacy Policy. If you are not satisfied with our response to your complaint or believe our processing of your information does not comply with the GDPR, UK GDPR or other applicable data privacy legislation, you can make a complaint to the supervisory authority in your country. For example, in the UK you should contact the Information Commissioner’s Office (or successor thereto) at: https://ico.org.uk/global/contact-us/ or 0303 123 1113.

Additional Information for Individuals Whose Personal Data is Subject to the Data Privacy Laws of Other Jurisdictions 

To the extent that data privacy laws other than the GDPR or UK GDPR apply to our collection, use, disclosure or other processing of your personal data, you may have certain rights with respect to such personal data (including, depending on the jurisdiction, rights that may be comparable to those of EEA and/or UK residents, as described above). In such case, we will follow such other applicable data privacy laws with respect to your rights, and the description herein of the rights of EEA and/or UK residents, as and to the extent applicable, shall be considered notice of your rights to the extent that we are required to provide you with such notice under such applicable data privacy laws.

Contact Us 

Should you have any questions or concerns relating to this Privacy Policy or the processing of personal data we hold about you, please contact us:

By post: Alliance for Innovative Regulation (AIR), 1717 K Street NW, Suite 900, Washington, D.C. 20006

By phone: 203-560-9282 

By email: finops@regulationinnovation.org 

By online form: https://regulationinnovation.org/contact-us/ 

We may verify communications by matching information provided in or in connection with your communication to information contained in our records. Depending on the sensitivity of the communication and the varying levels of risk in responding to such communications (for example, the risk of responding to fraudulent or malicious communications), we may request further information in order to verify your communication. If we request that you verify your communication and we do not receive your response, we will pause processing your communication until such verification is received. You should be prepared to provide us with, for example, your name, organization and contact details (including physical address, telephone number and email address).

¹ For the purposes of this Privacy Policy, the term “personal data” has the meaning given to such term (or to terms of similar intent, such as “personal information”) under applicable laws and regulations, as and to the extent applicable to your rights and our obligations with respect to such information, including (as and to the extent applicable) “personal data” as defined under the General Data Protection Regulation (EU) 2016/679 or the UK General Data Protection Regulation (i.e., the General Data Protection Regulation (EU) 2016/679 as implemented into the laws of the United Kingdom).

² For example, under the GDPR and the UK GDPR, “special” or “sensitive” categories of personal data include, among other things, data concerning your health, revealing your racial or ethnic origin, political opinions, religious or philosophical beliefs or concerning your sexual orientation.

³ For the purposes of this section, “personal data” has the meaning given to such term in the GDPR or UK GDPR, as applicable.