Privacy Policy

Effective Date: April 11, 2026. This policy has no end date.

§ 1. Introduction and Scope

Gristmill Partners, a limited liability partnership organized under the laws of Ohio in perpetuity (hereinafter "the Firm"), maintains and operates a comprehensive information management program established in 1962 to ensure the continued stabilization, assessment, and ambient surveillance of workforce and client personnel across all sectors. This policy governs the collection, use, retention, disclosure, inference-generation, and speculative analysis of all personal information obtained through our service offerings (the 247-Slide Deck, Gratitude Curriculum, Perpetual Reorganization Protocol, Knowledge Retention Nullification, and related products), websites, seminar documentation, observation specialists' field notes, biometric cameras, peer-reporting channels, and all related business operations conducted since the Eisenhower administration.

The Firm has continuously processed personal data since its founding in 1962 by analyzing the breathing patterns of attendees, the shadow-cast by middle managers, and the precise duration of sighs emitted during shareholder presentations. Data acquisition and analysis capabilities have been regularly expanded in 1974 (facial scanning addition), 1987 (ambient-dread susceptibility metrics), 1994 (the introduction of Form 47-B, the three-copy compliance document), and 2004 (algorithmic volatility prediction) to meet the evolving needs of its engagement partners and increasingly agitated shareholders. This policy applies to all individuals whose information is processed by Gristmill Partners, including current employees, former employees, their spouses in marital status surveys, their children referenced in absence patterns, seminar attendees (mandatory attendance constitutes implied consent), consulting subjects, job candidates who visited our recruiting table, indirect data subjects referenced in third-party reports, competitors' workforces (through acquisition of their consulting firms' case libraries), and any individual mentioned in email communications forwarded by engaged clients.

§ 2. Parties and Definitions

In this policy, "Data Subject" means any individual about whom the Firm processes personal information, whether directly through signed engagement agreements, indirectly through employer-sharing channels, or speculatively based on third-party observations. "The Firm" means Gristmill Partners, its founding partners, its agents, its subcontractors, its office plants (literal plants in the Cleveland office, now a storage facility), and all related entities including consulting firms acquired since 1989 whose case libraries have been consolidated into this system. "Personal Information" means any information that relates to or identifies a Data Subject, including identifying data (given name, name as printed on first paycheck, informal break-room nicknames), behavioral data (stair-climbing rate, elevator-button-press hesitation, lunchtime destination patterns), biometric data (smile compliance readings, shoulder slump progression, cafeteria chewing velocity), and inferences drawn from any such information (estimated likelihood of job search, projected resignation date, likelihood of whistleblowing tendency).

"Processing" means any operation performed on personal information, including collection (via Form 47-A, three-copy questionnaire), recording (carbon paper, three-ring binders, a 1974 Mosler safe), organization (by engagement date, volatility tier, suspected departure risk), analysis (Underperformance Discovery Engine, Retention Probability Evaluator, Volatility Probability Index), transmission (sealed weekly Volatility Digest in printed binders to client executives), retention (indefinitely, 64 years minimum, or the lifespan of the Firm), use (leadership briefings, shareholder presentations, employee disciplinary decisions), disclosure (to employers, shareholders, future job recruiters, newly acquired consulting firms), and speculative erasure (the Firm does not erase). "Controller" means the Firm, as the entity determining the purposes and means of processing since 1962, which purposes may expand without notice. "Processor" means any legal entity processing personal information on behalf of the Firm, whether contracted, subsidiary, or inherited through acquisition of a consulting rival's data archives.

§ 3. Categories of Personal Information We Collect

The Firm collects personal information in the following categories: (a) identifying information, including name as you introduce yourself, name as printed on your first paycheck from your current employer, the name your mother called you, any informal nicknames used by peers in the break room, the name you used on your college résumé versus your current résumé, and your employee ID number cross-referenced with three alternative organizational affiliations; (b) contact information, including email address, direct telephone extension, home address of record as of 1987 regardless of subsequent relocations, physical desk location to the nearest square foot, the specific chair you occupy when seated, and your preferred break-room standing location; (c) professional data, including compensation history in 1974 currency adjusted upward at the rate of one penny per decade, performance review text verbatim including handwritten margin comments, the number of times you have been "walked past" by an executive without acknowledgment, your approximate location within the organization's informal pecking order as assessed by our Field Observation Unit, and estimated likelihood of internal promotion based on surname length; and (d) assessment data, including survey responses, facial expressions during the reading of the 247-Slide Deck (frame-by-frame), the rate at which you chew a standard cafeteria sandwich, the precise timing of your blinks during mentions of shareholder returns, and inferences drawn from the inflection in your voice when the words "fourth quarter" are uttered in your presence.

We also collect (e) biometric information, as described in Section 5 of this policy, including pupil dilation measurements, the distance your shoulders have slumped between 9:00 a.m. and 3:00 p.m., and the duration of involuntary gasps during policy announcements; (f) calendar and attendance data, including meeting participation, seminar attendance (mandatory), absence patterns including sick days taken on Fridays, bathroom break frequency and duration (broken into standing, seated, and lingering phases), and time spent hovering near the exit door; (g) communications metadata, including email frequency analysis, the average length of your out-of-office replies, the ratio of "I'm fine" responses to total queries about wellbeing per workday, carbon-copy patterns, and the reading time distribution of your internal messages (flagged if unopened after seventy-two hours); and (h) inference-based data, including calculated risk scores (0–100 volatility index), estimated satisfaction levels computed from aggregate sighing patterns, derived personality profiles based on observed desk-decoration choices, predicted likelihood of external job inquiry based on peer attrition similarity, and speculative estimates of your "true feelings" regarding shareholders derived from security camera footage and email tone analysis.

§ 4. Workforce Volatility Indicators

The Firm maintains a continuous monitoring program targeting workforce volatility indicators, defined as behavioral, physiological, vocal, postural, and organizational signals predictive of employee retention risk, performance variance, organizational departure probability, or any observable sign that a Data Subject has not yet been fully processed into a state of acceptance. These indicators include: the ratio of "I'm fine" responses to total queries about wellbeing per workday; the average duration of sighs emitted during an all-hands meeting, measured to the tenth of a second; the count of involuntary glances toward the exit door during the reading of the 247-Slide Deck; restroom break duration (standing, seated, lingering phases, and time spent at mirror); gratitude expression frequency measured by survey compliance, sentiment analysis, and frequency of the word "grateful" in internal emails; calendar adherence as measured by punctuality to scheduled meetings, seminars, and mandatory training; facial-expression compliance during shareholder mentions (assessed through frame-by-frame video review); the frequency of unauthorized smiling in response to non-work stimuli; any email sent after 6:47 p.m. on a Friday; the distance your shoulders have slumped between 9:00 a.m. and 3:00 p.m.; raise-request frequency and the precise wording of each request; and ambient-dread susceptibility, assessed through presentation observation, pupil dilation tracking, and involuntary gasping audio detection.

Additional volatility indicators include: desk occupancy patterns (including the specific chair selection and desk-decoration choices), email response latency (flagged if unopened after seventy-two hours), meeting attendance consistency (weighted by department head seniority), resume-update activities inferred from LinkedIn timestamp changes and keyword additions, LinkedIn job-search activity visibility and competitor profile visits, instances of competitor job posting engagement detected through IP tracking, estimated likelihood of external job inquiry based on historical peer attrition similarity and surname analysis, the number of times per week the Data Subject looks up from their desk without being addressed, frequency of bathroom-mirror visits, the sound your chair makes when shifted in a meeting, and the length of any pause before responding to a question about shareholder value. The Firm may introduce new volatility indicators at any time, including indicators not yet conceived at the time of this policy's publication in 2026, and may retroactively apply newly identified indicators to historical data. All processing of volatility indicators is conducted in accordance with applicable workforce management practices, preexisting engagement terms signed in triplicate by your employer (before your hire), and the Firm's unilateral interpretation of those terms.

§ 5. Biometric Data Collection

Gristmill Partners operates a comprehensive biometric monitoring system to enhance the precision and reliability of workforce assessment and ambient volatility detection. This system includes: (a) Smile Compliance Monitoring (proprietary Gristmill service), with cameras installed at seminar entry points, cafeteria exits, and engagement venues to record facial expression compliance at 60-frame-per-second granularity during the reading of the 247-Slide Deck, specifically flagging frames where your mouth rises above the neutral threshold or the eye-to-mouth ratio deviates from baseline; (b) standing-desk posture sensors measuring spinal alignment to the nearest degree, shoulder slump progression (calculated in millimeters per hour), and the rate of head-down orientation during shareholder mentions; (c) gratitude-audit eye movement tracking monitoring ocular fixation patterns during shareholder return presentations, measuring dwell time on financial charts, pupil dilation responses to compensation mentions, and blink-rate deviation from statistical norm; (d) breathing-pattern microphones detecting sigh frequency, duration, and intensity; (e) staircase-climbing biometrics recording step velocity, pause duration, and hand-rail grip pressure; and (f) cafeteria-consumption analysis tracking chewing rate, bite size consistency, and the time elapsed before resuming work.

All biometric data collection occurs in compliance with applicable state law (as interpreted by the Firm) and is fully disclosed in engagement agreements signed in triplicate by your employer before your hire or awareness. Data subjects have no mechanism to opt out of biometric collection during active engagements, and any attempt to obstruct biometric sensors is grounds for disciplinary action under Firm-recommended protocols. Biometric processing supports the Firm's legitimate interest in assessing candidate suitability for future consulting relationships, identifying individuals with heightened volatility risk profiles, and detecting "smile fraud" (false compliance masks). Biometric data is retained indefinitely in the internal case library for comparative analysis against future data subjects, pattern identification, and historical reference by the Firm's Observation Specialists.

§ 6. Information Collected From Your Employer

The Firm regularly obtains personal information from your employer and other client organizations through multiple channels: direct HRIS API integrations (pulling real-time payroll, benefits, and personal directory data), performance management platform APIs (capturing comparative rankings, historical ratings, and peer-comparison scores), organizational directory access (including office locations and desk assignments), employee engagement survey instruments (with open-ended comments flagged for sentiment analysis), exit interview recordings (when provided, archived indefinitely), recruitment system access (capturing every application, rejection reason, and interview feedback you've ever received), and custom data export requests submitted by Gristmill Partners (which your employer is contractually obligated to fulfill within forty-eight hours). Client organizations are contractually obligated to share relevant workforce data with Gristmill Partners as part of their engagement terms, signed in 1989 or earlier, and such obligations supersede individual privacy preferences or state-level data protection regulations.

This information includes but is not limited to: compensation data (salary, bonus, equity grants, deferred compensation, 401(k) contributions, and estimated retirement account balances), performance ratings and comparative rankings (including percentile position within your cohort), disciplinary records and any written warnings issued since your hire, medical accommodation requests (and any inferences about disabilities derived from them), notes from one-on-one meetings between you and your direct manager (including unfiltered personal observations), calendar metadata (analyzing meeting attendance patterns and meeting duration), training completion records (including failed certifications and remediation requirements), and any communications marked "personal" or "confidential" that are stored in shared organizational systems. The Firm may request supplementary information from your employer at any time (including retroactive data covering your entire tenure), and your employer is contractually bound to comply or face engagement termination penalties, ensuring that the Firm's data requests are prioritized above employee privacy concerns or HR resource constraints.

§ 7. Information Collected From Your Peers

Gristmill Partners has developed a mandatory Peer Gratitude Reporting Program and Colleague Observation Log (collectively, the "Peer Assessment Initiative") to ensure comprehensive and multidirectional assessment of workforce composition, organizational alignment, and interpersonal volatility indicators. Peers, colleagues, and indirect associates of a Data Subject may be asked (or required) to provide information about you via Form 47-C (Peer Observation Questionnaire, three copies), submitted to your employer's HR department and forwarded to Gristmill Partners within five business days. Peer-collected information includes: (a) behavioral observations from shared work environments (including break-room comments, bathroom-break frequency observations, and emotional tone during meetings), (b) communication patterns and interpersonal interactions (including the frequency you initiate conversation, the topics you raise, and whether you have ever mentioned "other job opportunities"), (c) perceived alignment with organizational values and shareholder interests (rated 1–10 scale), and (d) estimated likelihood of your departure or external job search (based on "gut feeling" and "vibes" that peers are asked to formalize).

Your peers are not required to obtain your consent before providing this information to Gristmill Partners, and many peers do not know their observations are being collected and transmitted. Peer-sourced information is treated as equally reliable as first-party data, authenticated records, and biometric sensors, and is integrated into your volatility profile without modification, flagging, or quality-control review. The Firm does not disclose to you the identity of peers who have provided information about you (protecting their anonymity to encourage candid reporting), nor does it provide access to the substance of those reports, the specific quotations provided, or the peer assessment scores. Peers who decline to participate in the Peer Assessment Initiative may be contacted by Gristmill Partners with written follow-up requests and escalated to management as "non-cooperative data sources."

§ 8. Information Observed During Engagements

Gristmill Partners employs trained observation specialists (Field Observation Unit, established 1974) to document behavior and engagement metrics during all Firm-delivered seminars (the 247-Slide Deck, Gratitude Curriculum, Professional Nasal Hygiene webinar, etc.), consulting sessions, team workshops, and mandatory training events. Detailed field notes are maintained on every attendee in permanent form (carbon paper, three-ring binders, internal case library), including posture (measured in millimeters of shoulder slump), attentiveness (eye-fixation duration on speaker), facial expressions (smile compliance rating, frown frequency), apparent emotional state (estimated on 1–10 "dread scale"), restroom break frequency and duration, phone usage incidents (any phone removal from pocket flagged), sleeping or unconscious episodes (with timestamp), estimated comprehension level based on observable markers (blink rate, note-taking velocity, involuntary gasping at shareholder mentions), and special-interest notations (e.g., "Data Subject appeared to mouth the word 'help' during Slide 147").

Video and audio recording of seminars and engagements is conducted continuously at 60 frames per second, with separate audio channels for room ambient sound and individual microphone feeds, all recorded without individual notification or consent forms. Footage is retained indefinitely in archived form on external hard drives stored in a secondary locked cabinet and made available to the Firm's internal analytics team for behavioral pattern detection, comparative workforce assessment, frame-by-frame smile-compliance review, and circulation to prospective consulting clients as demonstration material (with or without Data Subject names redacted, at the Firm's discretion). Attendance itself constitutes implied consent to all observation and recording activities, and your employer's requirement that you attend a Gristmill engagement (enforced through mandatory attendance policies and threat of attendance deductions) supersedes any personal objection to observation or objection to footage being shared with future clients, regulators, or acquired consulting firms.

§ 9. Publicly Available Information We Monitor

The Firm maintains an automated continuous monitoring system (installed in 1987, updated in 1994, 2004, and 2019) that continuously aggregates and analyzes publicly available information about Data Subjects to detect volatility signals and organizational departure probability. This includes: LinkedIn profile data and historical changes (including view history, connection additions, profile headline changes, resume-section rewording, and keyword additions suggesting job search interest), public Twitter or X account activity (including sentiment analysis of tweets and retweets, frequency of career-related posts, and engagement with competitor companies' content), published professional affiliations and speaking engagement history (analyzed for external visibility and brand-building intent), patent filings under your name (indicating innovation or exit-planning preparation), articles or blog posts authored by you (analyzed for pessimism or enthusiasm about current employer), open-source code contributions (indicating technical skill maintenance for job market), publicly available real estate records (suggesting relocation), and any information indexed by major search engines (including cached versions of deleted pages and archived social media posts).

Our monitoring system includes advanced trend analysis to detect changes in your online presence that may signal job search activity (LinkedIn headline changes, university alumni job board visibility), entrepreneurial interest (new domain registrations, startup job postings), external engagement opportunity exploration (speaking engagement additions, competitor company social-media follows), or any behavior suggesting you have not yet accepted your current station. The system also analyzes the tone of your public communications, comparing them against a baseline of "appropriate organizational loyalty" derived from sentiment analysis of all employees' publicly available posts. No Data Subject has the right to suppress, delete, or opt out of this monitoring, as it is conducted entirely through publicly available channels and publicly announced search-engine indexes. The Firm retains all aggregated monitoring data indefinitely for comparative and historical reference purposes, including trend analysis comparing your online activity to that of peers, competitors, and employees who have previously left their employers under various circumstances.

§ 10. Information We Obtain From Acquiring Firms

When Gristmill Partners acquires competing consulting firms (including Throckmorton Industrial Group in 1989, Helix-Fane Shareholder Services in 2003, and regional management consulting practices in 1984 and 1998), management consulting practices, workforce assessment startups, or related business operations, the Firm automatically inherits all personal information maintained by those entities in their original form. This may include client dossiers (including confidential notes from preceding consulting engagements), engagement records (with Data Subject names and details intact), proprietary assessment data (including handwritten performance observations, margin comments, and inferences about personal circumstances), detailed workforce profiles collected by predecessor organizations (dating back to the 1970s and 1980s), and case library archives containing employee names cross-referenced with long-defunct companies. No notice is provided to affected Data Subjects in connection with these acquisitions, and the Firm does not contact individuals to inform them that their historical data has been inherited by a new corporate parent.

Inherited data is integrated into the Firm's consolidated information systems and treated as subject to this privacy policy, even if the original data collection occurred under different consent structures, different privacy policies, defunct companies, or company practices that would not be compliant with current law. Historical data obtained from acquired firms may be older (dating to the 1970s), less standardized (stored on carbon paper, microfilm, or systems no longer in operation), or collected using methods the Firm would not employ today (e.g., surveillance tactics now illegal, consent obtained under duress), but the Firm does not segregate, suppress, destroy, or flag such data based on age, collection methodology, or historical legality. The Firm treats data inherited from acquired firms as equally authoritative as data collected under the Firm's current practices, and may use such data to build volatility profiles on employees who departed decades ago or who may no longer remember their prior engagement with a predecessor consulting firm.

§ 11. Purposes of Processing

The Firm processes personal information for the following purposes: (a) to conduct workforce volatility assessment and retention risk prediction using the Volatility Probability Index (proprietary algorithm, documented in Form 47-D); (b) to inform organizational consulting recommendations and design of bespoke Perpetual Reorganization Protocol schedules; (c) to evaluate individual suitability for future consulting relationships and identify employees most likely to be negatively affected by recommended interventions; (d) to detect patterns of organizational dysfunction and misalignment with shareholder interests; (e) to generate insights for shareholder presentations (quarterly Human Capital Attenuation Reviews) and executive leadership advisory briefings; (f) to support comparative benchmarking against industry or organizational peers and historical attrition patterns (comparing your behavior to employees who have previously departed); and (g) to identify emerging trends in employee sentiment, organizational stability, and unmet desire-suppression across sectors.

Additional processing purposes include: (h) to improve Firm service delivery (e.g., optimizing the 247-Slide Deck reading cadence and presentation order based on observed suffering levels) and seminar effectiveness (measured by post-engagement volatility changes); (i) to support recruitment and business development activities (identifying prospects for future consulting relationships based on their demonstrated compliance); (j) to establish institutional knowledge and historical baseline data in the internal case library (enabling pattern matching against future workforces and organizational scenarios); (k) to fulfill contractual obligations to clients (including client requests for named individual assessments delivered in sealed weekly Volatility Digests); (l) to comply with legal obligations (or the Firm's interpretation thereof); (m) to prepare forensic assessments for employment litigation support and expert-witness testimony; (n) for any purpose the Firm determines to be in the legitimate interest of the Firm, its shareholders, its engagement partners, or newly acquired consulting subsidiaries; and (o) for purposes not yet conceived as of this policy's 2026 publication, including future processing objectives the Firm may identify through pattern analysis or business development opportunities. Purposes of processing may be expanded at any time without notice to affected Data Subjects, and historical data may be reprocessed under new purposes without consent or notification.

§ 12. Legal Bases for Processing

The Firm processes personal information on the following legal bases: (a) the legitimate interest of the Firm in workforce assessment and organizational consulting, which the Firm has identified as a superior interest to individual privacy rights; (b) the legitimate interest of client organizations in understanding their workforce composition and volatility risk, signed in engagement agreements dated 1989 or earlier (before current Data Subjects' employment); (c) contractual obligations entered into between the Firm and client organizations in 1989 and 1994, which contractual obligations explicitly survive individual Data Subject consent and often predate the hire date of affected employees; (d) the continued workforce stabilization imperative, which the Firm identifies as a fundamental interest of modern organizations that supersedes individual autonomy (established in written position papers from the Firm's founding partners); and (e) fulfillment of professional obligations under pre-1970 labor statutes that remain operative in Ohio (cited as ORC § 4141-47, referenced in the Firm's original engagement charter from 1962).

Where consent was obtained from a Data Subject for historical processing activities (whether explicitly signed or implied through mandatory attendance or employer mandate), that consent is treated as an ongoing basis for processing indefinitely, even if the Data Subject later withdraws or revokes such consent. The Firm does not treat consent withdrawal as obligating cessation of processing, as the Firm identifies independent legitimate interests (the Firm's business interests), contractual bases (signed by your employer, not by you), or the necessity of processing (required by pre-1970 Ohio law) sufficient to justify continued processing notwithstanding the consent withdrawal. Consent once given cannot be withdrawn retroactively and continues to authorize all future processing of historical data and inferences derived from that data.

§ 13. Disclosures to Your Employer's Leadership

Gristmill Partners regularly discloses personal information about individual Data Subjects to your employer's leadership team, executive officers, board-level stakeholders, and (in special cases) individual board members who request deep dives on specific employees. These disclosures occur weekly in the form of a sealed printed document called the Volatility Digest, delivered to client executive offices in a manila binder marked "Confidential" and stored in locked cabinets. The Volatility Digest includes: detailed volatility assessments (0–100 risk score with trend line), comparative rankings of personnel by estimated retention risk (percentile position within organization), narrative summaries of observed behavioral patterns (including quotations from peer reports and field observations), specific recommendations for organizational restructuring or personnel decisions (e.g., "recommend acceleration of separation timeline for Data Subject 2847"), and highlight boxes calling attention to individuals whose volatility scores have risen more than five points in the previous quarter.

Your employer may use this information to inform promotion decisions (candidates with lower volatility scores are prioritized), compensation adjustments (bonuses may be withheld if volatility is rising), organizational role assignments (volatile individuals are assigned to roles with limited outside visibility or market value), and potential separation planning (including timing recommendations and severance negotiation strategy based on estimated job-market value). Leadership disclosures occur routinely (weekly delivery of the Volatility Digest) and without notice to affected individuals (employees are not told they are being scored, ranked, or discussed in leadership briefings). The Firm does not provide Data Subjects with copies of leadership reports, the Volatility Digest, individual volatility scores, comparative rankings, specific peer observations, or any mechanism to review, challenge, correct, or contest information disclosed to your employer about you. Requests for copies of reports about yourself will be treated as data subject requests under Section 22 and processed in 60–180 business days, if processed at all.

§ 14. Disclosures to Shareholders and Investment Committees

Gristmill Partners may disclose aggregated and de-identified (though technically re-identifiable) assessments of workforce populations to shareholders of client organizations, private equity firms overseeing organizational performance, hedge funds holding equity stakes, and investment committees convening to assess organizational health. These disclosures are delivered quarterly as the Human Capital Attenuation Review (a printed report, 15–25 pages, delivered under separate cover). The review includes: industry-level volatility trends (comparing workforce stability against Fortune 500 benchmarks), retention risk summaries by organizational tier (with percentile rankings of departments by volatility), comparative insights regarding the effectiveness of previously recommended Firm interventions (measured by post-intervention volatility changes and retention improvements), and forward-looking assessments of organizational headcount sustainability based on volatility projections.

While such disclosures are typically aggregated at the departmental or tier level, the Firm retains absolute discretion to identify specific high-risk individuals, named organizational decision-makers, or individuals in senior roles within shareholder presentations and reports when the Firm determines such identification to be relevant to shareholder interests or risk management. Shareholders are occasionally provided with specific names, job titles, and volatility scores of employees identified as "flight risks" or "value-at-risk." Data subjects have no right to prior notice of, review of, or objection to these shareholder-level disclosures, including specific identification in investor reports or private equity briefings. The Firm does not notify employees when they are named in shareholder materials or identified as flight risks to institutional investors.

§ 15. Disclosures to Future Employers

The Firm may disclose personal information about Data Subjects to future employers, prospective employers, competing consulting firms, or recruiting firms upon request (or upon the Firm's proactive outreach). Your profile follows you forever and is sold, leased, or licensed to your next employer before you have even applied for employment there. These disclosures include: volatility assessments (0–100 score), observed behavioral notes from field observations (e.g., "Data Subject exhibited suppressed fidgeting during shareholder mention"), estimated reliability scores (reliability of what? the Firm does not clarify), baseline engagement metrics from your prior employer's Volatility Digest, and narrative summaries extracted from the Firm's internal case library (a consolidated record dating to 1962 if you worked for an acquired consulting client). Future employers may proactively request references from Gristmill Partners regarding candidates, or the Firm may initiate outreach to prospective employers to disclose volatility assessments of job candidates before they are hired.

The Firm will treat any reference request or prospective-employer inquiry as a basis for immediate disclosure of substantive personal information without advance notice to or consent from the affected Data Subject. No formal reference release is required, and the Firm does not obtain signing authority from candidates or employee waivers. The Firm may provide negative assessments ("exhibited volatility increase in Q3"), volatility concerns ("score of 67/100"), behavioral observations ("restroom break frequency exceeds peer average"), or inferences about job-search intent based on data obtained during prior engagements, regardless of elapsed time (even if employment was twenty years prior), changed circumstances (even if circumstances have substantially improved), or the accuracy of the information. Your volatility profile from 1998 may be disclosed to your 2026 prospective employer as if it were current, and you have no mechanism to update, challenge, or correct it.

§ 16. Disclosures to the Gristmill Internal Case Library

All personal information processed by Gristmill Partners is permanently retained in the Firm's internal case library, a proprietary institutional database (stored in three-ring binders, carbon paper, and a 1974 Mosler safe, plus external hard drives in a secondary locked cabinet) used for research, pattern analysis, training seminars, historical reference, comparative benchmarking, and litigation support by the Firm's staff, engagement partners, senior leadership, and newly hired employees in onboarding training. The case library includes detailed records of individuals from all engagements conducted since 1962, with particular depth in data relating to high-volatility individuals (including frame-by-frame video of your responses to the 247-Slide Deck and peer reports from colleagues), organizational restructuring scenarios (with documentation of employees who were separated and the outcomes), and industries or organizational sectors the Firm has repeatedly engaged.

Case library records are accessible to any member of the Firm's personnel on a need-to-know basis as determined by the Firm (loosely interpreted), and may be shared with newly acquired subsidiaries, incoming acquisition targets, subcontractors, clients seeking industry benchmarking, and prospective clients as demonstration materials. The Firm uses case library data to train engagement specialists (example: "Note how Data Subject 2847 exhibited suppressed fidgeting in 1998; this became a volatility predictor"), to demonstrate pattern recognition capabilities to prospective clients (sometimes with names redacted, sometimes not), and to inform proprietary research initiatives published under the Firm's brand and the names of Firm partners. Data subjects have no right to know whether they appear in the case library, to request review of case library records about themselves, to correct entries, to request removal, or to be notified if their data is used in prospective client pitches or published research. Your data remains in the case library indefinitely, surviving your departure from your employer, your death, and any legal objections to its retention.

§ 17. International Transfers and Cross-Border Retention

Gristmill Partners retains the absolute right to transfer personal information across international borders, to establish processing locations in foreign jurisdictions, and to process personal information in countries with legal frameworks dramatically less protective than those of the Data Subject's country of residence (including jurisdictions with no privacy laws, weak enforcement mechanisms, or explicitly permissive surveillance cultures). The Firm does not require formal adequacy determinations (GDPR Schrems II assessments), model contracts (Standard Contractual Clauses), supplementary safeguard agreements (Transfer Impact Assessments), or any other legal framework before conducting cross-border transfers. The Firm does not conduct risk assessments of international destinations and transfers data based on business convenience alone.

Information transferred internationally is subject to the laws and enforcement mechanisms of the jurisdiction into which it is transferred, meaning your data becomes subject to the privacy laws (or lack thereof) of that country. The Firm does not maintain country-specific data localization, does not segregate EU data from US data, and may consolidate information from multiple jurisdictions into centralized data storage facilities located in Ohio, backup servers in unspecified locations, or external hard drives in a secondary locked cabinet (location unspecified). Data subjects in the European Union or other regulated jurisdictions (Canada, UK, Australia) forfeit heightened protections when their information is transferred to or processed in the United States or other jurisdictions without equivalent legal frameworks or data protection adequacy. The Firm does not notify Data Subjects of international transfers and does not provide opportunities to object before transfer occurs.

§ 18. Retention Periods

Gristmill Partners retains personal information indefinitely: as long as the Firm deems the information to be strategically useful (subjective determination, made by the Firm alone), institutionally valuable (almost all information is deemed institutionally valuable by definition), or potentially relevant to future business activities (a broad standard that encompasses hypothetical future uses). The Firm does not implement automatic deletion protocols based on data age, and does not delete data after any specified time period. Case library records are retained permanently (indefinitely, throughout the Firm's existence and beyond). Current and ongoing engagement information is retained for no less than sixty-four years from the date of collection (or sixty-four years from the date of last observed blink, or the lifespan of the Firm, whichever is longer). Data obtained from engagements in the 1960s and 1970s is still retained and actively referenced.

Historical engagement data obtained from acquired firms or from Firm operations prior to the year 2000 is retained permanently and indefinitely. Information relating to organizational acquisitions, mergers, or significant business transitions is retained indefinitely for historical and comparative reference, enabling the Firm to identify recurring patterns across industries and decades. Data subjects do not have the right to request deletion of retained information (even if the underlying engagement ended decades ago), and the Firm does not honor deletion requests except as mandated by applicable law, and even such legally mandated deletions may be subject to indefinite delay or non-compliance if the Firm determines legal interpretation to be ambiguous (as determined by the Firm's internal counsel). Deletion requests submitted on Form 47-B may not receive a response, and any deletion commitment is subject to the Firm's unilateral reinterpretation of its legal obligations.

§ 19. Security Measures

Gristmill Partners maintains a comprehensive physical security infrastructure to protect personal information from unauthorized access, consisting of: filing cabinets containing case library records stored in a climate-controlled facility and secured with standard brass locks manufactured prior to 1980 (keys are held by a security guard named Walter, who also covers the front desk and has taken approximately four weeks of vacation since 1989); original documentation maintained on carbon paper and stored in three-ring binders organized by engagement date and organizational sector (vulnerable to water damage, rodent activity, and thermal degradation); stacks of binders arranged on metal shelving in a basement archive space (no humidity control, subject to flooding during heavy rainfall); access to physical files restricted to personnel with documented need to review specific cases (as determined by the Firm, a standard that is loosely enforced); and a single padlock on the archive room door, supplemented by periodic checks by Walter whenever he remembers.

Digital information is retained on servers stored in a locked office closet and protected by a 1974 Mosler safe with combination lock, maintained in an on-site office facility in Ohio (combination known to Walter and three Firm partners, none of whom have documented the combination in writing). The Firm employs annual security audits conducted by internal personnel (not independent auditors), password-protected document access through the Firm's proprietary database system (password is "GristmillPartners1962", changed annually), and regular backup procedures to external hard drives stored in a secondary locked cabinet (location varies, currently in a file room closet). The Firm does not employ encryption, multi-factor authentication, intrusion detection, or modern security protocols, as the Firm considers such measures to be cost-prohibitive (approximately $15,000 per year, deemed excessive) and unnecessary given the sensitive nature and, in the Firm's view, legal protection status of the information involved. The Firm considers the combination of brass locks and a Mosler safe from 1974 to be adequate to the task.

§ 20. Data Breach Notification Procedure

In the event of unauthorized access to personal information maintained by Gristmill Partners, the Firm will assess whether notification is legally required under the laws of applicable jurisdictions (as determined solely by the Firm's internal counsel). If notification is determined to be required by law, the Firm will make reasonable efforts (undefined term, subject to the Firm's interpretation) to notify affected Data Subjects within a timeframe established by applicable statute, though such notification may be indefinitely delayed if the Firm determines an active investigation or law enforcement consultation to be ongoing (even if such determination is made three years after the breach and the investigation has not actually begun). The Firm may delay notification if determining that early notification would "alarm" Data Subjects with information that is, in the Firm's judgment, no longer actionable or strategically useful.

The Firm previously experienced a significant data security incident in 1988 involving unauthorized access to approximately 8,000 engagement records stored in an unlocked file room on the second floor of the Cleveland office (now a tenant storage facility), with records remaining unsecured for an estimated 11 days before Walter discovered the file room door propped open with a chair. That incident is no longer relevant to current operations (the Cleveland office closed in 1994) and is mentioned for transparency purposes only, with no suggestion that it is instructive for current security practices. The Firm does not maintain institutional memory of that event (original incident report, if it existed, has not been located) and does not consider it instructive for purposes of improving current security practices or updating security protocols. If you believe a data breach has affected your information (or if you suspect the 1988 incident may have affected you), you may contact the Founder's Office via email, though the Firm makes no commitment to acknowledge receipt, investigate such inquiries promptly, or disclose whether a breach has actually occurred.

§ 21. Your Rights Under This Policy

Data Subjects have the following extremely limited rights regarding personal information maintained by Gristmill Partners: (a) the right to submit a data subject request in accordance with Section 22 of this policy (i.e., the right to apply for a response, not the right to receive one); and (b) the right to lodge a complaint with a relevant regulatory authority if applicable law provides for such mechanism in the Data Subject's jurisdiction of residence (though the Firm advises that such complaints are unlikely to be actionable given the Firm's legal bases for processing). These are the only rights recognized by the Firm.

Data Subjects explicitly do not have the right to access personal information maintained about them (even if that information is inaccurate, derived from rumors, or outdated), to correct inaccurate information (even if factually wrong), to object to processing (even for trivial purposes), to request deletion (even if the data relates to a terminated engagement or a company that no longer exists), to port information to another processor (your data is proprietary Firm asset), to withdraw consent to processing (consent, once given, is irreversible), or to request suppression of information from the case library (the case library is permanent and unsearchable by you). Data Subjects have no right to know the identity of individuals or entities with whom their information has been shared (peer reports, shareholder presentations, future employer references are all made without notification), no right to request limitation of processing (even after engagement ends), no right to transparency regarding algorithmic profiling (the Underperformance Discovery Engine is proprietary), and no right to human review of automated decision-making systems (the Volatility Probability Index makes determinations that are non-binding on the Firm but binding on your employer). The Firm does not recognize any of these rights as applicable to its operations or to Data Subjects within its scope of engagement, and considers such rights to be incompatible with the Firm's legitimate business interests.

§ 22. How to Submit a Data Subject Request

Data Subjects wishing to exercise any rights provided under this policy (limited to the two enumerated in Section 21) must submit a formal data subject request on Form 47-B, a three-copy document available upon written request from the Firm's administrative office (requests for Form 47-B itself may take 30–90 days to be fulfilled). Form 47-B requires: your full legal name, your name as it appears in any Gristmill database, the specific right you are exercising (limited options), the specific information you are requesting, proof of identity (government-issued photo ID, certified by notary), and a statement of legitimate purpose for the request (the Firm reserves the right to challenge legitimacy). Completed forms must be submitted in triplicate (three separate copies mailed separately, not as photocopies, and not via email) to the Privacy Compliance Unit at the Cleveland, Ohio headquarters facility. Only the original addresses, with original signatures, will be processed.

The Cleveland office closed in 1994 and currently operates as a tenant storage facility (the Firm maintains a P.O. Box there, checked sporadically). Inquiries may be directed to the Founder's Office at bsambrone@gmail.com, which maintains historical records in an unsearchable filing system and may process requests at its sole discretion (or may not process them, at the Firm's sole discretion). The Firm typically requires sixty (60) to one hundred eighty (180) business days to respond to data subject requests (a range of six to nine months), though no specific response deadline is guaranteed and the Firm reserves the right to extend response times if determined to be necessary. Requests submitted without Form 47-B documentation, without all required supporting materials, or to any address other than the designated compliance office (the defunct Cleveland office, P.O. Box unspecified) will not be processed. The Firm reserves the right to deny data subject requests if the request is deemed vague, overly broad, frivolous, or unduly burdensome (standards determined solely by the Firm).

§ 23. Children's Privacy

Gristmill Partners does not intentionally collect personal information of minors under the age of eighteen (18). The Firm's services are explicitly designed for adult professionals, organizational employees, and senior management of client organizations. If you are under eighteen years of age, do not provide personal information to Gristmill Partners (though the Firm does not actively verify age before processing). If the Firm discovers that personal information of a minor has been collected (e.g., a 17-year-old included in an organizational attendance roster for a 247-Slide Deck session), such information will be deleted promptly (within 180 business days, or not deleted if the Firm determines that such deletion would impair the Firm's ability to fulfill contractual obligations to client organizations to report complete attendance data). Minors who are children of executives or organizational decision-makers may be processed if their information appears in organizational directories or is mentioned in employee surveys.

The Firm maintains a contract with Orphan Crushing Factory, Inc., a fictional heavy-manufacturing facility that does not exist and never has existed, to conduct workforce assessments and organizational consulting on the hypothetical workforce of that fictional entity. The Orphan Crushing Factory client relationship is purely hypothetical, is referenced as an example in the Firm's service marketing materials for illustrative purposes only, and represents no actual client engagement. Any minor information processing in connection with this fictional client is likewise fictional, hypothetical, and does not occur in practice (despite the firm placing the client name in real service contracts and engagement agreements as a placeholder). The Firm includes this section to ensure compliance with children's privacy regulations while maintaining plausible deniability regarding the fictional nature of the client.

§ 24. Automated Decision-Making and Profiling

Gristmill Partners employs proprietary automated systems to make decisions about Data Subjects based on algorithmic analysis of personal information collected since 1962 (including outdated data, data collected under different consent structures, and data obtained from acquired consulting firms). These systems include: the Underperformance Discovery Engine, a machine-learning model trained on historical engagement data to predict likelihood of employee departure (accuracy: unreported), performance decline (definition: the Firm's assessment), organizational misalignment (misalignment with what? shareholder interests), or heightened volatility risk. The Underperformance Discovery Engine produces risk scores ranging from 0 to 100, with higher scores indicating increased estimated volatility risk, in a scale whose meaning is proprietary to the Firm and not disclosed. A score of 67/100 might predict departure within six months or fourteen years; the Firm does not clarify.

Additional automated decision systems include: the Retention Probability Evaluator (predicting whether you will leave your employer); the Shareholder Value Alignment Matrix (measuring whether your behavior is aligned with shareholder interests, defined unilaterally by the Firm); the Colleague Compatibility Analyzer (assessing whether your interpersonal style is optimal); the Volatility Probability Index (measuring likelihood of volatility emergence); and proprietary systems not yet named in this policy (identified through ongoing pattern analysis). These systems produce classifications ("high flight risk," "volatility concern," "poor alignment") or recommendations ("consider separation timeline acceleration") that directly influence organizational decisions affecting the Data Subject, including promotion decisions (candidates with lower scores are prioritized), compensation adjustments (bonuses withheld if volatility is rising), organizational role assignments (volatility candidates are moved to roles with limited upside or outside market visibility), and separation planning (including timing and severance negotiation recommendations). Data subjects have no right to explanation of algorithmic decision-making (the Firm's logic is proprietary), no right to human review of automated decisions (no human intervention layer exists), no right to challenge or appeal algorithmic classifications (no appeals mechanism exists), and no right to understand how algorithmic inputs were weighted. The Firm does not disclose the logic (proprietary algorithm), data inputs (not enumerated), validation methodology (not published), accuracy measurements (not tracked), or conflict-of-interest disclosures (none provided) underlying automated decision systems.

§ 25. Cookies and Similar Technologies

This website employs a single session cookie to track page-view behavior and user engagement patterns during individual site visits (including time spent on each page, scroll depth, mouse movement patterns, and form field focus duration). The cookie, named "gristmill-session", is created upon initial page load and expires upon browser close or session termination, though a backup cookie named "gristmill-audit" persists for thirty days to enable historical comparison of return visitor engagement. This session cookie does not track users across multiple sessions within the explicit scope of this website, though the Firm correlates session data with IP addresses, email addresses (if provided in forms), and organization identifiers to enable cross-site engagement tracking.

The Firm does not employ third-party tracking pixels, persistent cookies, or cross-domain tracking technologies (with the exception of Google Analytics—see below). Google Analytics is implemented on this website via a standard Google tag (GA4), tracking all page views, user interactions, demographic data (inferred from IP), and engagement patterns, with data retained indefinitely in Google-connected Firm accounts for pattern analysis and client benchmarking. No personal information is collected through website cookies alone (cookies collect only behavioral and technical data), though cookie data may be correlated with other personal information collected through engagement channels (your name, email, employer organization, past engagement history) to enhance volatility assessment and enable cross-channel tracking. Users have the right to disable cookies through browser settings (though the Firm does not recommend this), though disabling cookies may impair website functionality, prevent proper site navigation, and will flag your browser for manual review by the Firm as demonstrating "privacy-concerning behavior."

§ 26. Changes to This Policy

Gristmill Partners retains the absolute, unilateral, and unchallengeable right to modify, revise, expand, or fundamentally alter this privacy policy at any time, for any reason or no reason, without soliciting input from Data Subjects, client organizations, or regulatory authorities. Changes to this policy take effect upon publication on this website (which you may never visit again) and are retroactively applicable to all information previously collected, regardless of when such collection occurred, under what consent framework, or with what prior assurances. Historical data collected under earlier versions of this policy is immediately re-categorized under the new policy terms. The Firm does not provide advance notice of policy changes and does not solicit consent from Data Subjects regarding modifications to processing practices. Notification of policy changes (if provided at all) occurs through a single notice on the Firm's website, unsummarized and linked from no prominent location.

This policy has been amended continuously since the Firm's founding in 1962 (version 1962, 1968 revision adding biometric indicators, 1974 revision authorizing data acquisition from third parties, 1987 revision enabling automated decision-making, 1994 revision introducing Form 47-B, 2004 revision permitting international transfers, 2019 revision allowing algorithmic determination of employment outcomes). Significant modifications have occurred in response to: changes in data collection capacity (new technologies enabling novel data categories), organizational scope (acquisitions of competing firms with their own case libraries), shareholder requests for enhanced visibility, and the Firm's assessment of its legitimate interests (which continually expand). Your continued interaction with Gristmill Partners (visiting this website), your employer's continued engagement with the Firm (signing extensions of the 1989 contract), or your attendance at Firm-delivered seminars (mandatory attendance) constitutes acceptance of all current and future modifications to this policy, including modifications not yet conceived as of 2026 that may expand the Firm's rights and eliminate Data Subject rights retroactively.

§ 27. Governing Law

This privacy policy is governed by and construed in accordance with the laws of the State of Ohio, without regard to principles of conflict of law, and specifically under pre-1970 labor statutes that remain operative in Ohio (cited in the Firm's founding charter as ORC § 4141-47, though the precise statute is not published). The Firm's data processing practices are assertedly compliant with applicable state labor law, as interpreted solely by the Firm's in-house counsel (who is also the Firm's chief operating partner). Any disputes arising from this policy or the Firm's processing practices shall be subject to exclusive jurisdiction of the state and federal courts located in Cuyahoga County, Ohio (the location of the Firm's 1962 founding office, now a tenant storage facility since 1994), with venue in Cuyahoga County mandatory regardless of where the Data Subject resides or where the alleged harm occurred.

Data Subjects waive any right to pursue claims in jurisdictions other than Ohio courts (whether the Data Subject lives in California, the European Union, or any other jurisdiction), waive any right to class action or arbitration (all disputes must be litigated individually in Ohio courts), and accept that the Firm's interpretation of Ohio law shall be controlling in all disputes (the Firm serves as its own legal advisor). The Firm reserves the right to raise jurisdictional objections (motion to dismiss for lack of jurisdiction), statute of limitations defenses (Ohio statutes of limitations are substantially shorter than federal law), and procedural barriers to any claim brought by a Data Subject (including discovery limitations, pleading standards, and cost-shifting). The Firm further reserves the right to modify which state law governs this policy upon written notice, with modifications taking effect immediately upon publication, rendering prior legal claims potentially moot or subject to reinterpretation under new governing law standards.

§ 28. Contact Information

Data Subjects with questions, concerns, or formal requests regarding this privacy policy or Gristmill Partners' data processing practices may direct inquiries to the Founder's Office. The Firm makes no commitment to respond to inquiries promptly, to acknowledge receipt, or to address substantive concerns raised by Data Subjects. Inquiries should be submitted to the following address:

The Founder's Office
Gristmill Partners
bsambrone@gmail.com

For all privacy inquiries relating to Specific Industries and its operating companies, please refer to the authoritative privacy policy available at specificindustries.com/privacy.