Privacy

Effective as of: 3/9/2026

1. Introduction

Civie LLC ("Civie," "we," "us," or "our") is committed to protecting privacy and supporting anonymous civic participation. This Privacy Policy explains how we collect, use, and safeguard information when you use our Service.

2. Information We Collect

2.1 Account Information

  • Email address (required for account creation and authentication)
  • Phone number (stored in Firebase Authentication for verification via SMS, delivered via Twilio; used for identity verification and optional SMS reminders)
  • Full name (collected during verification process or manually if verification is skipped)
  • Authentication credentials (managed by Firebase Authentication)
  • Account preferences and settings (including notification preferences: daily reminder for email and/or SMS when you haven’t answered that day)
  • Identity verification status (verified: true/false) - tracked in your account
  • Persona inquiry ID and verification status (if you opt in to identity verification via Persona) - stored in your user account document

Phone numbers are stored in Firebase Authentication and are not stored in your user profile document in Firestore.

SMS messaging: SMS messages are informational only and include daily question reminders when you haven't answered yet, account-related notifications, and participation reminders. Message frequency is typically up to one message per day when SMS reminders are enabled. We do not send marketing promotions via SMS. We only message users who have opted in through the Civie website and do not use third-party lead lists.

No mobile information will be shared with third parties/affiliates for marketing/promotional purposes at any time. Your phone number, SMS opt-in consent, and any data collected in connection with SMS (including authentication and reminders) are used only to operate the Service. We do not sell, rent, or share this information with third parties or affiliates for their marketing or promotional purposes.

Identity Verification Data: If you choose to verify your identity using Persona (optional), Persona processes your government-issued ID documents according to their privacy policy. Civie does not store copies of your identity documents. We only store the Persona inquiry ID and verification status (approved, pending, failed, etc.) that Persona provides to us.

2.2 Demographic Information

  • Birth date (used to calculate age; stored in YYYY-MM-DD format)
  • Gender category (self-reported from predefined options)
  • Race/ethnicity (self-reported from predefined categories)
  • Zip code (5-digit US postal code) - stored in your user account only
  • State (2-letter US state abbreviation) - stored in your user account only
  • H3 cell (hexagonal geospatial index at resolution 5, ~5–10 km, derived from your zip code) - stored in your user account and used when submitting anonymous responses so only the H3 cell (not your raw zip code) is stored in the anonymous collection

This demographic information is required to participate and can be collected in two ways:

  • Via Persona Verification (if you opt in): If you choose to verify your identity using Persona, demographic information (name, birth date, zip code) may be collected from your verified identity documents through Persona's verification process.
  • Manually (if you skip verification): If you choose to skip identity verification, you provide this demographic information manually through a form.

This information is used solely for verification purposes and anonymized demographic aggregation. It is stored in your user account document and is also included (without identifiers) in anonymous response records for aggregation purposes.

2.3 Response Data

Civie uses a dual-storage architecture designed to protect anonymity:

User Account Document (Stored in Firestore):

  • Participation status only: a boolean value (true) indicating you answered or skipped a question on a specific date
  • No record of which specific answer option you selected
  • No record of whether you selected an answer or skipped (both are recorded as "answered")
  • No timestamp of when you answered (only the date is used as the key)

Anonymous Response Collection (Stored separately in Firestore):

  • The specific answer option selected (or "skip" if skipped)
  • Demographic attributes (age, gender, race/ethnicity, H3 cell index)
  • Verification status (verified: true/false) - indicating whether the respondent completed identity verification or skipped
  • Note: Your zip code is converted to an H3 cell (hexagonal geospatial index at resolution 5, ~5–10 km) before storage in the anonymous collection. This provides geographic context for analysis while protecting your privacy by aggregating locations into larger cells.
  • Timestamp of when the response was submitted
  • No user identifier, account ID, email, phone number, or name

This architecture ensures that your user account cannot be linked to your specific answers. We can see that you participated, but not what you answered. We can see what was answered, but not who answered it.

Real-Time Updates: Response data is aggregated and displayed in real-time as users submit answers. Aggregated results update automatically to reflect new responses, but individual responses remain anonymous and cannot be linked to specific users.

2.4 Usage and Security Data

  • Device and browser information (collected automatically by hosting provider)
  • IP address (collected for security, abuse prevention, and service operation)
  • Interaction patterns and usage analytics (via Vercel Analytics)
  • Cookies and similar technologies (essential for authentication and service functionality)
  • Log data (server logs, error logs, security logs)

2.5 Metadata

  • Account creation timestamp
  • Account update timestamp
  • Verification timestamp
  • Service usage metadata (for account management and support)

3. Legal Basis for Processing

We process your personal information based on the following legal bases, as applicable under GDPR, CCPA, and other privacy laws:

  • Consent: You provide explicit consent when you create an account, provide demographic information, and submit responses. You may withdraw consent at any time by deleting your account.
  • Contractual Necessity: Processing is necessary to provide the Service, including authentication, account management, and response processing.
  • Legitimate Interests: We have a legitimate interest in preventing fraud, ensuring data integrity, improving the Service, and maintaining security.
  • Legal Obligations: We may process data to comply with legal requirements, respond to legal process, or protect rights and safety.

For sensitive personal information (such as race/ethnicity), we rely on your explicit consent, which you provide when you complete the verification process.

Data Minimization and Purpose Limitation: We collect and process only the personal information that is necessary for the purposes described in this Privacy Policy. We do not collect more information than needed, and we use your information only for the purposes for which it was collected, as described in Section 4.

Automated Decision-Making: We do not use automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you. All processing is done to provide the Service, aggregate responses, and maintain data integrity.

4. How We Use Information

We use the information we collect for the following purposes:

  • Service Operation: To provide, operate, and maintain the Service, including authentication, account management, question delivery, and response processing
  • Identity Verification: To verify your identity via phone number and email (required for all accounts), and optionally through Persona's identity verification service (if you opt in) to prevent duplicate accounts, ensure eligibility (age 18+), and improve data quality. Identity verification via Persona is optional - you can skip verification and still participate in the Service.
  • Response Processing: To process your responses, store them anonymously, and generate aggregated insights and statistics
  • Demographic Aggregation: To create anonymized demographic breakdowns of responses (by age, gender, race/ethnicity, H3 cell) for analysis and public data publication. Zip codes are converted to H3 cells (resolution 5, ~5–10 km) to provide geographic context while protecting privacy.
  • Communication: To send you service-related communications, including daily question reminders via email or SMS when you haven’t answered yet (if you opt in), account notifications, and important service updates
  • Abuse Prevention: To detect, prevent, and address fraud, abuse, security threats, and violations of our Terms
  • Service Improvement: To analyze usage patterns, improve the Service, develop new features, and conduct research (using aggregated, anonymized data)
  • Legal Compliance: To comply with applicable laws, regulations, legal process, or government requests
  • Security: To protect the security and integrity of the Service, prevent unauthorized access, and investigate security incidents

We do NOT use your information to:

  • Target advertising based on your civic opinions or responses
  • Share your specific answers or opinions with third parties in identifiable form
  • Sell your personal information
  • Create profiles for marketing purposes

5. Sensitive Data

Certain demographic attributes may be considered sensitive under privacy laws. We collect this information only with explicit consent and solely for anonymized aggregation.

6. Anonymity and Aggregation

6.1 Technical Architecture for Anonymity

Civie uses a dual-storage architecture specifically designed to prevent association between user accounts and individual responses:

  • User Account Documents (stored in users/{user-id}): Store only participation status (boolean true) indicating you engaged with a question on a given date. If you did not engage, the key does not exist (undefined). These documents do NOT store which answer you selected, whether you skipped, or when you answered.
  • Anonymous Response Collection (stored in answers/{date}/responses): Store the specific answer selected, demographic data, and timestamp, but contain NO user identifiers, account IDs, email addresses, phone numbers, or names.
  • Separation of Data: These two data stores are maintained separately with no technical mechanism to link a specific response to a specific user account.

This design means that even with full database access, it is not possible to determine which specific answer any individual user selected. We can only see that you participated, not what you answered.

6.2 Participation vs. Response Tracking

When you answer or skip a question:

  • Your user account document records only that you engaged (stored as answers["2024-01-15-1"]: true for each question)
  • Selecting an answer option and skipping are both recorded identically as "answered" - we do not distinguish between them in your account
  • The specific answer you selected (or that you skipped) is stored only in the anonymous collection without any link to your account

6.3 Aggregation Safeguards

  • Responses are analyzed and displayed only in aggregated form (counts, percentages, demographic breakdowns)
  • Individual response records are never displayed or published
  • Aggregated data may include minimum sample size requirements before display
  • Small demographic groups may be suppressed to prevent re-identification
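
The split described in Sections 6.1 to 6.3, sketched in JavaScript as an added illustration (not Civie's code): in-memory maps stand in for users/{user-id} and answers/{date}/responses, and the field names, sample users and the minimum cell size of 5 are assumptions. It goes one step beyond the text by also withholding a second cell when only one group is small.

```javascript
// Added illustration, not Civie's code. Maps stand in for the two Firestore
// locations the policy names; all field names and sample values are constructed.
const users = new Map();     // users/{user-id}
const responses = new Map(); // answers/{date}/responses

// Allow-list for anonymous records: anything else is a potential join key.
const ANON_FIELDS = ["option", "age", "gender", "race", "h3Cell", "verified", "submittedAt"];
const MIN_CELL_SIZE = 5;     // assumed threshold; the policy states no number

// Whole years between a YYYY-MM-DD birth date and a YYYY-MM-DD question date.
function ageOn(birthDate, date) {
  const years = Number(date.slice(0, 4)) - Number(birthDate.slice(0, 4));
  return date.slice(5) < birthDate.slice(5) ? years - 1 : years;
}

// Keys of a record that are not on the allow-list (empty array means clean).
function unexpectedFields(record) {
  return Object.keys(record).filter((k) => !ANON_FIELDS.includes(k));
}

function submit(user, questionId, date, option, now) {
  // Account side: a bare boolean keyed by question id. An answer and a skip
  // write the same value, and no timestamp is stored next to it.
  const doc = users.get(user.uid) ?? { answers: {} };
  doc.answers[questionId] = true;
  users.set(user.uid, doc);

  // Anonymous side: copied field by field, so uid, email, name, birth date
  // and zip code never reach this collection.
  const record = {
    option,
    age: ageOn(user.birthDate, date),
    gender: user.gender,
    race: user.race,
    h3Cell: user.h3Cell,
    verified: user.verified,
    submittedAt: now,
  };
  const extra = unexpectedFields(record);
  if (extra.length > 0) throw new Error(`refusing to store: ${extra.join(", ")}`);
  if (!responses.has(date)) responses.set(date, []);
  responses.get(date).push(record);
}

// Counts per group with small-cell suppression (null = withheld).
function aggregate(date, field, minCell = MIN_CELL_SIZE) {
  const counts = new Map();
  for (const r of responses.get(date) ?? []) {
    counts.set(r[field], (counts.get(r[field]) ?? 0) + 1);
  }
  const rows = [...counts]
    .map(([group, n]) => ({ group, n }))
    .sort((a, b) => a.n - b.n);
  const hidden = new Set(rows.filter((r) => r.n < minCell).map((r) => r.group));
  // Complementary suppression (assumes the total is published): a single
  // withheld cell could be recovered by subtraction, so withhold the next too.
  if (hidden.size === 1 && rows.length > 1) hidden.add(rows[1].group);
  return rows.map((r) => ({ group: r.group, n: hidden.has(r.group) ? null : r.n }));
}

// Constructed sample: 12 users answering the policy's example question id.
function seed() {
  users.clear();
  responses.clear();
  const genders = [...Array(6).fill("woman"), ...Array(5).fill("man"), "nonbinary"];
  genders.forEach((gender, i) => {
    const user = { uid: `u${i}`, email: `u${i}@example.test`, birthDate: "1990-06-15",
      zip: "00000", gender, race: "not-stated", h3Cell: "cell-A", verified: i % 2 === 0 };
    const option = i % 3 === 0 ? "skip" : "yes";
    submit(user, "2024-01-15-1", "2024-01-15", option, 1705300000000 + i);
  });
}

seed();
console.log(users.get("u0"), aggregate("2024-01-15", "gender"));
```

In the sample, user u0 skipped and user u1 answered, yet their account documents are identical, and the lone "nonbinary" response is withheld together with the next-smallest group.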

6.4 Limitations of Anonymity

While Civie is designed to maximize anonymity, no technical system can guarantee absolute anonymity. Theoretical risks include: correlation attacks using demographic combinations, timing analysis, or future advances in re-identification techniques. However, our architecture is specifically designed to minimize these risks and prevent practical re-identification.

7. Data Storage and Security

7.1 Storage Infrastructure

Data is stored using the following infrastructure:

  • Firebase Authentication: Stores email addresses and phone numbers for authentication
  • Cloud Firestore (Google Cloud): Stores user account documents and anonymous response data in separate collections
  • Google Cloud Storage: Stores generated CSV files of aggregated data
  • Vercel: Hosts the application and may collect usage analytics

7.2 Security Measures

  • Encryption in transit (HTTPS/TLS) for all data transmission
  • Encryption at rest for data stored in Google Cloud infrastructure
  • Access controls and authentication requirements for database access
  • Separation of user account data and anonymous response data in different Firestore collections
  • Firestore security rules to restrict unauthorized access
  • Regular security monitoring and updates

7.3 Security Limitations

While we implement industry-standard security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your information. You use the Service at your own risk.

8. Data Breach Notification

In the event of a data breach that compromises your personal information, we will:

  • Notify affected users without undue delay, typically within 72 hours of becoming aware of the breach, as required by GDPR and other applicable laws
  • Notify relevant data protection authorities within the timeframes required by law (72 hours under GDPR for breaches affecting EU residents)
  • Provide clear information about the nature of the breach, the types of data affected, potential consequences, and measures we are taking to address it
  • Take immediate steps to contain the breach and prevent further unauthorized access

Notification will be provided via email to the address associated with your account, or through the Service if email is not available. In cases where notification may pose a security risk, we may delay notification as permitted by law.

Third-Party Service Breaches: If a third-party service provider (such as Persona, Firebase, Twilio, or Vercel) experiences a data breach that affects your information, that service provider is responsible for notifying affected users according to their own privacy policies and applicable legal requirements. We will also notify you if we become aware of such a breach that significantly impacts your data.

9. Data Sharing

Mobile and SMS data: No mobile information will be shared with third parties/affiliates for marketing/promotional purposes at any time. Opt-in and consent data related to SMS are not sold, shared, or disclosed to third parties or affiliates for marketing or promotional purposes.

9.1 Aggregated Data

Only anonymized, aggregated data may be shared or published.

9.2 Service Providers

We use the following third-party service providers to operate the Service:

  • Google Firebase / Google Cloud Platform: Authentication, database (Firestore), and cloud storage services. Google's privacy policy applies to data processed by Firebase: https://policies.google.com/privacy
  • Twilio: SMS verification and reminder services. Phone numbers are shared with Twilio for SMS delivery. Twilio's privacy policy: https://www.twilio.com/legal/privacy
  • Persona: Optional identity verification services (when you opt in to verify your identity). If you choose to verify your identity, Persona processes your government-issued ID documents (such as driver's license or passport), name, birth date, and address information. Persona processes this data according to their privacy policy. Civie does not store copies of your identity documents - we only receive and store the Persona inquiry ID and verification status that Persona provides. Persona's privacy policy: https://withpersona.com/legal/privacy-policy
  • Vercel: Application hosting and analytics. Vercel may collect usage analytics and log data. Vercel's privacy policy: https://vercel.com/legal/privacy-policy

These service providers are contractually restricted in their use of data and are only permitted to use data as necessary to provide services to us. They are not permitted to use your personal information for their own marketing purposes or to sell your information.

9.3 Legal and Business Transfers

Information may be disclosed as required by law or during corporate transactions.

9.4 Sponsored Questions

Some questions on Civie may be sponsored by external organizations. A Sponsored Question is a neutral, issue-based question funded by an external organization, written and moderated by Civie, and not explicitly branded in the question itself.

Data Handling: Sponsored questions are handled identically to non-sponsored questions. Your responses to sponsored questions are processed, stored, and aggregated in exactly the same manner as responses to non-sponsored questions. There are no special data handling practices, privacy implications, or data sharing arrangements for sponsored questions.

Sponsor Access: Sponsors receive only anonymized, aggregated data (counts, percentages, demographic breakdowns) - the same aggregated data that is publicly available. Sponsors do not receive individual responses, personal information, or any data that could identify individual users. Sponsors cannot access your account information, demographic data, or any personally identifiable information.

Editorial Control: Civie retains full editorial control over all questions, including sponsored questions. Sponsors do not control question wording, answer options, or interpretation of results. Sponsored questions appear identical to non-sponsored questions in layout and user experience.

Sponsored questions are clearly disclosed in the user interface. By participating in sponsored questions, you acknowledge that aggregated results may be shared with the sponsoring organization in the same anonymized, aggregated form that is publicly available.

10. Your Rights

10.1 Access and Correction

You may access and update account information through your account settings and profile, or by contacting us at chris@civie.org or through the contact form on the Service.

10.2 Account Deletion

You may request deletion of your account at any time. Upon account deletion:

  • User Account Document: All data in your user account document will be deleted, including:
    • Full name, email address, demographic information
    • Participation records (the answers object showing which dates you participated)
    • Account preferences and settings
    • Persona inquiry ID and verification status (if you opted in to identity verification)
    • Timestamps and metadata
  • Firebase Authentication: Your authentication account (email, phone number) will be deleted
  • Persona Data: If you verified your identity via Persona, the Persona inquiry ID and status stored in your Civie account will be deleted. However, Persona may retain data according to their own privacy policy and data retention practices. You may need to contact Persona directly to request deletion of data they hold.
  • Anonymous Response Data: Response records in the anonymous collection cannot be deleted because:
    • They contain no user identifiers, making it impossible to identify which responses belong to you
    • Deleting them would compromise the integrity of aggregated datasets
    • This design is intentional to protect anonymity - even we cannot determine which anonymous responses were yours
  • Published Aggregates: Previously published aggregated data (CSV files, visualizations, etc.) will not be altered or removed, as they are already in aggregated form and cannot be linked to individual users

This design protects both your anonymity and the integrity of the aggregated civic datasets. Once your account is deleted, there is no way to link you to any specific responses in the anonymous collection.

10.3 Data Portability

You may request a copy of your account data by contacting us at chris@civie.org or through the contact form on the Service.

10.4 Communication Preferences

You may opt out of non-essential communications. You can manage your email and SMS notification preferences in your account settings, including opting out of daily reminders. You may also opt out of SMS at any time by replying STOP to any Civie text message. Essential service communications (such as account security notifications) may still be sent.

10.5 Regional Privacy Rights

Depending on your location, you may have additional privacy rights:

  • GDPR (European Economic Area): Right to access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and object to processing. You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes. You also have the right to lodge a complaint with your local data protection authority.
  • CCPA/CPRA (California): Right to know what personal information is collected, right to delete personal information, right to opt-out of sale (we do not sell personal information), right to non-discrimination for exercising your rights, and right to correct inaccurate information.
  • Other Jurisdictions: We honor privacy rights under applicable local laws. Contact us to exercise your rights.

To exercise any of these rights, please contact us at chris@civie.org or through the contact form on the Service. We will respond within the timeframes required by applicable law and may need to verify your identity before processing your request.

11. Cookies and Tracking Technologies

11.1 Types of Cookies

  • Essential Cookies: Required for authentication and core Service functionality. These cannot be disabled without affecting Service functionality.
  • Analytics Cookies: Used by Vercel Analytics to understand usage patterns and improve the Service. These are aggregated and anonymized.
  • Session Cookies: Used to maintain your login session and preferences during your visit.

11.2 Cookie Management

You can control cookies through your browser settings. However, disabling essential cookies may prevent you from using certain features of the Service. We do not use cookies for advertising or third-party tracking purposes.

11.3 Do Not Track Signals

Some browsers include a "Do Not Track" (DNT) feature that signals to websites you visit that you do not want to have your online activity tracked. Currently, there is no industry standard for recognizing or honoring DNT signals. We do not respond to DNT signals at this time. However, we do not track your activity across other websites or services, and we only use cookies and tracking technologies as described in this Privacy Policy.

12. Children's Privacy

The Service is not intended for, and we do not knowingly collect personal information from, individuals under the age of 18. If you are under 18, you must not use the Service or provide any personal information.

If we become aware that we have collected personal information from an individual under 18, we will immediately delete that information and terminate the account. If you believe we have collected information from someone under 18, please contact us immediately.

We comply with the Children's Online Privacy Protection Act (COPPA) and do not knowingly collect information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us to have it removed.

13. Data Retention

13.1 Account Data

Account data (user profile, demographic information, participation records, Persona inquiry ID and verification status if applicable) is retained while your account is active. Upon account deletion, account data is permanently deleted as described in Section 10.2.

13.2 Anonymous Response Data

Anonymous response records are retained indefinitely in the anonymous collection. These records cannot be deleted upon account deletion because they contain no user identifiers and are essential for maintaining aggregated datasets. This retention is necessary to preserve dataset integrity and support long-term civic research.

13.3 Aggregated Data

Published aggregated datasets (CSV files, visualizations, statistics) are retained indefinitely as part of Civie's mission to provide open civic data for research and public understanding.

13.4 Log and Analytics Data

Usage logs, analytics data, and security logs are retained for operational, security, and legal compliance purposes, typically for a period not exceeding 12 months unless required by law or for security investigations.

14. International Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States where our service providers (Google Cloud, Firebase, Twilio, Persona, Vercel) operate.

These countries may have data protection laws that differ from those in your country. When we transfer personal information from the European Economic Area (EEA) or other regions with data protection laws, we rely on appropriate safeguards, including:

  • Standard Contractual Clauses approved by the European Commission
  • Service providers' compliance with applicable data protection frameworks (such as Google's compliance with GDPR and data processing agreements)
  • Other legal mechanisms as required by applicable law

By using the Service, you consent to the transfer of your information to the United States and other countries where our service providers operate.

15. Our Commitments

Civie will never:

  • Sell personal information
  • Publish individual responses
  • Enable ad targeting based on civic opinions
  • Share identifiable civic views with political parties or campaigns

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated to you through:

  • Email notification to the address associated with your account
  • Notice displayed on the Service
  • Updated "Last updated" date at the top of this page

Your continued use of the Service after such modifications constitutes your acceptance of the updated Privacy Policy. If you do not agree to the modified Privacy Policy, you must stop using the Service and may delete your account.

We encourage you to review this Privacy Policy periodically to stay informed about how we collect, use, and protect your information.

17. Contact and Privacy Requests

For privacy-related questions, data access requests, correction requests, deletion requests, or other privacy concerns, please contact us at:

Civie LLC

Email: chris@civie.org

State of Washington, United States

We will respond to privacy requests within the timeframes required by applicable law (typically 30-45 days, depending on your jurisdiction and the nature of the request).

Data Controller Information: If you are located in the European Economic Area (EEA), the data controller is Civie LLC. For questions about data processing or to exercise your GDPR rights, please contact us at the email address above.