Privacy Policy

Last updated: February 22, 2026

Introduction

CivicCA ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our board and meeting management platform and related services. By using CivicCA, you consent to the practices described in this policy.

Information We Collect

Account Information

When you create an account or are added by your organization's administrator, we collect:

  • Full name and email address
  • Phone number (optional, used for SMS notifications)
  • Role and title within your organization
  • Password (stored securely using one-way hashing)

Billing Information

When you subscribe to a paid plan, we collect billing information through our payment processor, Stripe. We do not store your full credit card number, CVV, or other sensitive payment details on our servers. We store only:

  • Card brand (e.g., Visa, Mastercard) and last four digits for display purposes
  • Billing email address
  • Subscription plan and billing cycle
  • Invoice and payment history

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. Your payment data is transmitted directly to Stripe and is subject to Stripe's Privacy Policy.

Organization Data

In the course of providing our service, we process and store data created by your organization, including:

  • Agendas, agenda items, and meeting packets
  • Meeting schedules, minutes, and recordings
  • Legislation, resolutions, and ordinances
  • Legislative body and membership information (including board member names, titles, email addresses, and phone numbers)
  • Votes, roll call records, and conflict of interest declarations
  • Public comment and speaker registration data
  • Department submissions and attachments
  • Compliance check results and audit logs

Public Portal Data

When members of the public interact with your organization's citizen portal, we may collect:

  • Name and email address (for eComment submissions and notification subscriptions)
  • Speaker registration details (name, topic, position)
  • Notification preferences (meeting alerts, agenda published alerts)
  • IP address (for rate limiting and abuse prevention)

Board Member Session Data

When board members access meetings via personalized session links, we collect:

  • Access timestamps and frequency
  • Votes cast and conflict declarations submitted
  • IP address and device information for security auditing

Usage Data

We automatically collect certain information when you interact with the platform:

  • Pages viewed and features used
  • Device type, browser, and operating system
  • IP address and general location
  • Date and time of access

Cookies

We use essential cookies to maintain your session and authentication state. We use Plausible Analytics for privacy-friendly website analytics on our marketing pages, which does not use cookies and does not collect personal data. We do not use third-party advertising or tracking cookies. You can control cookie settings through your browser, though disabling essential cookies may prevent the service from functioning properly.

How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the CivicCA platform
  • Process and manage agenda and meeting data on your behalf
  • Process subscription payments and manage billing
  • Generate AI-powered summaries, transcriptions, and compliance checks
  • Send notifications related to meetings, agendas, and account activity via email and SMS
  • Send board member session links for meeting participation
  • Send transactional emails (welcome, password reset, invitations, trial reminders)
  • Monitor compliance deadlines and send automated alerts
  • Improve platform performance, reliability, and user experience
  • Respond to support requests and communicate with you
  • Detect and prevent fraud, abuse, and unauthorized access
  • Comply with legal obligations, including public records requirements

AI Data Handling

This section describes how your data interacts with artificial intelligence services. We believe transparency about AI data processing is essential, especially for government data.

CivicCA uses Anthropic Claude for AI-powered summarization, plain-language rewriting, compliance analysis, and conversational meeting Q&A. We use AssemblyAI for meeting transcription with speaker diarization. When you use these features, relevant data (such as agenda item text or meeting audio) is sent to these providers' APIs for processing.

We do not use your data to train AI models. Neither CivicCA nor our AI providers use your data for model training purposes. All AI processing is ephemeral — your data is processed in real time and is not retained by AI providers beyond the immediate processing request. No organization data is stored in AI provider systems after the API response is returned.

You can choose not to use AI features. Core agenda management and meeting functionality operates independently of AI services.

Communications

Email

We send transactional emails using Resend, including:

  • Welcome emails and account invitations
  • Password reset links
  • Board member session links
  • Agenda published and meeting reminder notifications
  • Compliance deadline warnings
  • Trial expiration notices and billing alerts
  • Public comment notifications for administrators

You can manage your notification preferences in Settings > Notifications. Transactional emails related to account security (password resets, billing) cannot be opted out of.

SMS

We use Twilio to send SMS messages, including board member session links. SMS is only sent when explicitly triggered by an organization administrator. We do not send marketing SMS. Phone numbers are only used for the purpose for which they were provided.

Data Storage & Security

We take the security of your data seriously and employ industry-standard safeguards:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3.
  • Encryption at rest: Stored data is encrypted using AES-256 encryption.
  • Cloud infrastructure: Data is hosted on secure, SOC 2-compliant cloud infrastructure (Amazon Web Services).
  • Payment security: Payment processing is handled by Stripe (PCI DSS Level 1). We never store full card numbers on our servers.
  • Access controls: Role-based permissions ensure users can only access data appropriate to their role.
  • Audit logging: Administrative actions are logged for security and compliance purposes.
  • Regular audits: We conduct periodic security assessments and vulnerability testing.
  • Secure authentication: Passwords are hashed using industry-standard algorithms and are never stored in plain text.

Multi-Tenant Data Isolation

CivicCA serves multiple organizations on a shared platform. Each organization's data is logically isolated at the database level. Every query is scoped by a unique organization identifier, ensuring that no organization can access, view, or modify another organization's data. Administrative access is strictly controlled and audited.

Data Retention

  • Account data is retained for as long as your account remains active. When an account is deactivated, personal information is removed within 30 days.
  • Organization records (agendas, minutes, legislation) are retained in accordance with your organization's records retention policy and applicable law.
  • Billing data (invoices, payment history) is retained for 7 years in accordance with financial record-keeping requirements.
  • Usage data is retained for up to 12 months for analytics and then aggregated or deleted.
  • Audit logs are retained for 3 years for security and compliance purposes.

You may request a full export of your organization's data or request deletion at any time by contacting us. Deletion requests are processed within 30 days, subject to any legal retention requirements.

Third-Party Services

We share data with the following third-party services solely to operate the platform. Each provider processes data in accordance with its own privacy policy:

  • Anthropic — AI summarization, compliance analysis, and content generation
  • AssemblyAI — Audio transcription and speaker identification
  • Amazon Web Services (AWS) — Cloud hosting, storage, and infrastructure
  • Stripe — Payment processing and subscription billing
  • Resend — Transactional email delivery (notifications, alerts, invitations)
  • Twilio — SMS delivery (board member session links)
  • Plausible Analytics — Privacy-friendly website analytics (marketing pages only, no cookies, no personal data)

We do not sell, rent, or trade your personal information or organization data to any third party.

Your Rights

You have the right to:

  • Access your personal data and request a copy of the information we hold about you
  • Correct any inaccurate or incomplete information in your account
  • Delete your account and associated personal data
  • Export your organization's data in standard formats
  • Opt out of non-essential communications and notifications
  • Cancel your subscription at any time through Settings > Billing

To exercise any of these rights, contact us at the email address below. We will respond to requests within 30 days.

California Residents

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect and how it is used, the right to request deletion of your personal information, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise your CCPA rights, contact us at the email address below.

Children's Privacy

CivicCA is a professional board and meeting management platform and is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected such information, we will take steps to delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. If we make material changes, we will notify you via email or through an in-app notification at least 14 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was most recently revised.

Contact

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

privacy@civicca.com