Civitar Privacy Policy
Effective date: *To be set on execution.* Last updated: 2026-06-28
1. Who we are
Civitar is operated by Pinnalux LLC, a Delaware-registered limited liability company doing business as Civitar.
- Web: civitar.org
- Contact: privacy@civitar.org (also hello@civitar.org)
- Operating address: [to be added at launch]
2. What this policy covers
This policy describes what information Civitar collects from you when you use civitar.org or any Civitar service, how we use it, who we share it with, how long we keep it, and the choices you have. It applies to all Civitar users — Free, Monitor, Institutional, and visitors who haven't created an account.
It does not cover:
- Third-party services we link to from civitar.org (their privacy policies apply)
- Email correspondence outside the Civitar platform (e.g., direct emails to hello@civitar.org are covered by ordinary business correspondence norms, not this policy)
3. What we collect
We intentionally collect as little as possible. The full set:
From you, when you sign up or use the service
- Email address (required for account access and receipts)
- Sign-in tokens — we use passwordless sign-in. We store one-time sign-in links and session tokens only as hashes; we do not store a password (there is none).
- Phone number — optional, Monitor tier only, used solely to send SMS alerts you opt into. Never required; you can add or delete it at any time.
- Saved sites — sites you explicitly save for later reference
- Location searches (ZIP / city, or "near me") are processed in your browser to find nearby sites; we do not store your search history on our servers
From Stripe, when you pay
- Subscription status (free / monitor / institutional, current period, cancel-at date)
- Stripe Customer ID (used to match you to your subscription)
- We do not see, store, or process your card number, CVV, or billing address. Stripe handles all payment information directly. They are PCI-DSS Level 1 compliant; we are not in PCI scope.
Automatically, when you visit
- Operational server logs — IP address, user agent, request URL, timestamp, response status — for the limited purpose of operating the service, debugging, and security. Retained 30 days, then deleted.
- Essential session cookie — to keep you signed in. No third-party tracking cookies. No advertising pixels. No analytics that fingerprint visitors.
- Stripe cookie — Stripe's payment forms set their own cookies for fraud prevention; we don't control these. Stripe's privacy policy applies.
From institutional inquiries
- Organization name, your role, seats requested, free-text "what are you trying to do" responses you submit on the institutional contact form. Used solely to scope an institutional quote.
4. What we do NOT collect or do
We want to be explicit about this:
- ❌ No third-party analytics (no Google Analytics, no Mixpanel, no Heap, no Segment)
- ❌ No advertising tracking, no remarketing pixels
- ❌ No fingerprinting beyond what's required to detect obvious abuse (e.g., rate-limiting by IP)
- ❌ No data brokers; we do not buy or sell PII
- ❌ No "anonymized" data products
- ❌ No demographic or behavioral profiling of users
- ❌ No sharing of your saved-sites list with anyone
5. How we use what we collect
We use your information only for these purposes:
- To provide the service (display saved sites, send alerts you've opted into, generate briefings you request)
- To authenticate you and keep your account secure
- To process subscriptions and donations through Stripe
- To send transactional emails (one-time sign-in links, receipts, account changes, saved-site alerts you've enabled)
- To send service announcements (rare; e.g., a notice that we've added a major new data source)
- To operate, debug, and secure civitar.org
- To respond to your questions or institutional inquiries
- To comply with legal obligations
We will never:
- Sell your data
- Share your saved-sites list, search history, or briefing-generation activity with third parties for marketing
- Use your data to build advertising or behavioral profiles
- Disclose your identity in any case study or testimonial without your explicit written consent
6. Who we share with (sub-processors)
We use a small set of vendors to operate Civitar. Each only sees the specific data needed to do its job:
| Sub-processor | What they see | Why | Their privacy policy |
|---|---|---|---|
| Cloudflare (Workers, D1, R2, DNS) | Email, saved sites, session data, IP / request metadata, server logs | Hosts the app; stores your account data; edge routing | cloudflare.com/privacypolicy |
| Stripe | Card / billing data, email | Process subscription payments & donations | stripe.com/privacy |
| Resend | Email address, message contents | Send transactional + sign-in emails | resend.com/legal/privacy-policy |
| Twilio | Phone number, message contents | Send SMS alerts you opt into (Monitor; not active until SMS launches) | twilio.com/legal/privacy-policy |
We do not share with anyone else without your explicit consent, except as required by law (see Section 8).
7. How long we keep your data
- Account data: for as long as your account exists, plus 30 days after you delete it (so accidental deletions can be reversed)
- Saved sites: same as account data
- Server logs: 30 days, then automatically purged
- Stripe transaction records: 7 years after the transaction (required for tax / audit / accounting; held by Stripe, not us)
- Email transcripts to hello@civitar.org: 2 years from last reply, then deleted
You can request deletion at any time (see Section 9).
8. Legal disclosure
We will share your information when legally required — for example, in response to a valid subpoena, court order, or other lawful process. When permitted, we will notify you before disclosing your data unless prohibited by the legal request itself. We do not turn over data in response to informal law-enforcement requests without proper legal process.
We have not received any National Security Letters as of the Last updated date above. If that ever changes and we are not prohibited from saying so, this section will be updated.
9. Your rights
Regardless of where you live, Civitar gives every user these rights:
- Access — see all the data we have about you. Email privacy@civitar.org.
- Correction — fix anything wrong (or use your account settings)
- Deletion — delete your account and all associated data. Email privacy@civitar.org; we complete deletion within 30 days.
- Portability — request a copy of your account data (saved sites, account metadata) as JSON by emailing privacy@civitar.org. (Individual Site Briefings can also be exported as JSON/CSV/PDF directly from each briefing on a Monitor account.)
- Opt-out of marketing email — every email has an unsubscribe link. Transactional emails (receipts, alerts you've subscribed to) cannot be opted out of without canceling the underlying feature.
For users in California (CCPA)
California residents have additional specific rights under the California Consumer Privacy Act, including the right to know what we've collected, the right to delete, and the right to opt out of "sale" of personal information. Civitar does not sell personal information. Email privacy@civitar.org to exercise CCPA rights.
For users in the EU/UK/EEA (GDPR)
Civitar serves a primarily U.S. audience and does not currently target EU/UK/EEA residents for marketing. If you are an EU/UK/EEA user, you have all the rights listed at the start of this Section 9, plus the right to lodge a complaint with your supervisory authority. The legal basis for our processing is contract performance (account services), consent (marketing emails), and legitimate interest (operating and securing the service).
10. Children's privacy
Civitar is intended for adults. We do not knowingly collect personal information from children under 16. If you believe a child under 16 has created an account, please contact privacy@civitar.org and we will delete the account.
11. Security
We use reasonable technical and organizational measures to protect your data:
- Encryption in transit (TLS 1.2+ for all connections)
- Encryption at rest (Cloudflare D1 database and R2 storage are encrypted at rest)
- Passwordless sign-in: one-time sign-in links and session tokens are stored only as SHA-256 hashes — there is no password to steal
- Access controls: only authorized Civitar personnel can access user data, and only when necessary to operate the service
- Stripe handles all card data; Civitar is not in PCI scope
- Audit logging of administrative access to user data
No security system is perfect. If you believe your account has been compromised, contact privacy@civitar.org immediately.
12. International data transfers
Civitar is operated from the United States on Cloudflare's infrastructure (Workers, D1, R2). Cloudflare runs a global edge network; your account data is held under our U.S.-based Cloudflare account and processed in the United States. If you access Civitar from outside the U.S., your data will be transferred to and processed in the U.S. By using Civitar, you consent to this transfer.
13. Changes to this policy
We will update this policy as we add features or as the law changes. The Last updated date at the top will reflect the most recent change. For material changes (changes in what we collect, who we share with, or how long we keep data), we will notify active users by email at least 30 days before the change takes effect.
The full revision history is available in the public Civitar source repository at github.com/civitar-community/civitar.
14. Contact
- General privacy questions: privacy@civitar.org
- Account deletion / data export requests: privacy@civitar.org
- Anything else: hello@civitar.org
- Mailing address: [to be added at launch]
If you do not receive a response within 7 days, please follow up — your message may have been filtered.