Privacy Policy

Effective Date: August 1st, 2025

Civic Group Inc. ("Civic," "we," "our," or "us") respects your privacy and is committed to protecting the personal information you share with us. This Privacy Policy outlines how we collect, use, store, and safeguard your information when you visit our website or use our services. By accessing our website or using our services, you agree to the terms outlined in this Privacy Policy.

1. Overview

This Privacy Policy outlines how Civic ("we," "us," "our") collects, uses, processes, stores, and shares personal information through the Civic Revere platform ("Platform"), an AI-powered tool for managing constituent communications. This policy complies with federal and state privacy regulations, including GDPR, CCPA, PIPEDA, and Google API’s Limited Use requirements.

Contact:

  • Privacy Officer: Jon Kokot

  • Email: jon@get-civic.com

  • Phone: 832-725-3529

2. Google API Services Limited Use

Civic Revere securely stores and processes data using leading cloud infrastructure providers that meet industry standards for security and compliance. Our infrastructure undergoes regular SOC 2 compliance audits to ensure the highest standards of security suitable for government usage. Access to sensitive data is strictly managed following principles of least privilege, supported by comprehensive audit logging and continuous monitoring.

Civic Revere fully aligns with Google's API Services User Data Policy by:

  • Clearly and explicitly describing how data is stored, shared, and retained.

  • Using data exclusively to deliver and enhance platform features.

  • Restricting human access to Google data unless explicit consent is provided.

  • Prohibiting any usage of data for advertising or unrelated purposes.

  • Ensuring secure data transfers and handling throughout all stages of data processing.

3. Information Collection

3.1 Personal Data

We collect two main categories of personal information to deliver and improve Civic Revere:

  • Primary Data: Your name, email address, phone number, mailing address, government or organizational affiliation, the content of constituent communications, and related case details.

  • Technical Data: Authentication credentials, IP address, browser and device characteristics, and usage analytics necessary to secure and optimize the Platform.

All Primary Data is processed only to support casework and constituent engagement, while Technical Data enables secure log-in, audit trails, and performance monitoring.

3.2 Google Integration

Civic Revere requests the following Google API scopes to support core platform functionality in strict accordance with Google’s API Services User Data Policy and Limited Use requirements. OAuth tokens are stored securely and refreshed following Google’s security protocols. These scopes are used solely to enable casework management, schedule constituent meetings, draft and send responses, and manage add-on interactions. We do not use any of these scopes for advertising, profiling, resale, or any unrelated purposes.

  • Email Access & Actions: Civic can read your incoming messages, draft new emails on your behalf, insert imported messages into your inbox, send emails under your identity, delete messages, modify your labels, and notify you when certain categories of email arrive. You remain in control, and all actions occur only in response to your in-Platform requests.

  • Profile & Account Information: Civic can retrieve your basic Google profile—full name, gender, profile picture, language preferences, and any public profile details—and the primary email address associated with your Google Account to tie communications securely to your identity.

4. Legal Basis for Processing

4.1 GDPR (EU/EEA)

  • Contractual necessity (Art. 6(1)(b)).

  • Legitimate interest (Art. 6(1)(f)).

  • Consent (Art. 6(1)(a)).

  • Legal obligation (Art. 6(1)(c)).

4.2 CCPA (California)

  • Service provision, communication, legal compliance, and security.

4.3 PIPEDA (Canada)

  • Accountability, consent, limiting collection, and compliance with fair information principles.

5. Data Usage

5.1 Primary Use Cases

  • Platform Features: Managing communications, generating responses, tracking casework, and sentiment analysis.

  • Service Improvement: Usage analytics, quality assurance, and new feature development.

  • Support: Technical assistance, updates, and training.

5.2 AI Processing

  • Complies with GDPR Article 22 (human review rights).

  • Sensitive data handled with enhanced security.

6. Data Sharing

6.1 Third-Party Providers

  • Google Services: APIs for Gmail.

  • Infrastructure Providers: Cloud hosting, security monitoring, analytics.

  • Compliance: SOC 2 Type II certification and data protection agreements.

6.2 Legal Disclosures

  • Compliance with subpoenas, law enforcement, and congressional oversight.

6.3 Data Sale Prohibition

  • Personal data is not sold or used for cross-context behavioral advertising.

7. Data Security

7.1 Technical Safeguards

  • Encryption: AES-256 for data at rest; TLS 1.3 for data in transit.

  • Access Controls: Role-based permissions, multi-factor authentication.

  • Audits: Regular security audits and penetration testing.

7.2 Organizational Safeguards

  • Privacy-by-design principles.

  • Regular staff training and incident response protocols.

7.3 Industry Standards

  • SOC 2 Type II certification and compliance with federal security requirements.

8. Data Retention and Deletion

  • Retention Periods:

    • Account data: Deleted within 90 days of closure.

    • Communications: Retained for 7 years.

    • Usage analytics: Retained for 2 years.

  • Deletion Procedures: Secure deletion using DoD 5220.22-M standards.

9. User Rights

9.1 GDPR (EU/EEA)

  • Rights: Access, rectification, erasure, portability, objection.

  • Requests: Processed within 30 days (extendable).

9.2 CCPA (California)

  • Rights: Access, deletion, opt-out of data sale, non-discrimination.

  • Requests: Processed within 45 days (extendable).

9.3 PIPEDA (Canada)

  • Rights: Access and correction.

  • Complaints: Addressed by the Privacy Commissioner of Canada.

10. Cookies

  • Types: Essential, analytics, preference.

  • Consent: Explicit consent required for non-essential cookies.

  • Management: Users can manage cookies via browser settings.

11. International Data Transfers

  • Locations: U.S., Canada, EU.

  • Safeguards: GDPR’s Standard Contractual Clauses (SCCs), encryption.

12. Children’s Privacy

  • Restrictions: Platform not intended for users under 13.

  • Protections: Parental consent required for minors (GDPR/COPPA compliance).

13. Accessibility

  • Standards: Section 508 and WCAG 2.1 Level AA compliance.

  • Features: High contrast, font adjustment, screen reader support.

  • Contact: support@get-civic.com.

14. Breach Notification

  • Timelines:

    • GDPR: Notify within 72 hours.

    • CCPA: Notify without unreasonable delay.

  • Support: Credit monitoring and dedicated hotline for affected users.

15. Policy Updates

  • Notifications: Email and platform notices for updates.

  • Advance Notice: 30 days for material changes.

  • Review Date: August 2025

16. Contact

  • Privacy Officer: Jon Kokot

  • Email: jon@get-civic.com

  • Phone: 832-725-3529

  • Online Form: https://get-civic.com/contact-us

By using Civic Revere, you agree to this policy and our Terms of Service.

We build safe and powerful AI systems that transform government workflows, data management, and communications.

Sign up today

Stay updated with our latest news and features

© Civic Group Inc. 2025. All rights reserved
