Privacy Policy

Effective Date: March 11, 2026

Last Updated: March 11, 2026

HelloCivic, Inc. ("HelloCivic," "Company," "we," "us," or "our") is committed to protecting the privacy and security of the information entrusted to us by our users and the government organizations we serve. This Privacy Policy describes how we collect, use, disclose, retain, and protect information when you access or use the HelloCivic platform, including all associated websites, applications, services, and tools (collectively, the "Service").

This Privacy Policy applies to all users of the Service, including individual users, administrators, and personnel of government organizations ("Organizations") that use the Service. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy and consent to the practices described herein.

1. Information We Collect

1.1 Information You Provide Directly

We collect information that you voluntarily provide to us, including:

• Account Registration Information: When you create an account, we collect your name, email address, password, and organizational affiliation. If an administrator creates your account, they may provide this information on your behalf.
• Profile Information: You may choose to provide additional profile information, such as a display name, profile photograph, job title, department, and contact details.
• Workspace and Organizational Data: When Organizations create workspaces, we collect workspace names, descriptions, configuration settings, and membership information.
• Communications: When you contact us for support, submit feedback, or communicate with us through any channel, we collect the content of those communications along with associated metadata such as timestamps and sender information.
• Payment Information: If you purchase a subscription, we collect billing information such as billing address and payment method details. Payment card information is processed by our third-party payment processor and is not stored on our servers.
• User-Generated Content: Any data, documents, files, or other content that you upload, submit, or create through the Service.

1.2 Information Collected Automatically

When you access or use the Service, we automatically collect certain information, including:

• Device and Browser Information: Device type, operating system, browser type and version, screen resolution, device identifiers, and language preferences.
• Usage Information: Pages viewed, features used, actions taken, time spent on pages, navigation paths, click patterns, and search queries within the Service.
• Log Data: IP address, access times, referring URLs, error logs, and server response codes.
• Cookie and Tracking Data: Information collected through cookies, web beacons, pixels, and similar technologies as described in our Cookie Policy.
• Location Information: Approximate geographic location derived from your IP address. We do not collect precise geolocation data.

1.3 Information from Third Parties

We may receive information about you from third-party sources, including:

• Organization Administrators: Administrators within your Organization may provide us with your information when provisioning your account or managing workspace memberships.
• Integrated Services: If you or your Organization connects third-party applications or services to the Service, we may receive information from those services as authorized by the integration configuration.
• Publicly Available Sources: We may collect information from publicly available sources to verify organizational affiliations or for fraud prevention purposes.

2. How We Use Information

2.1 Providing and Operating the Service

We use the information we collect to:

• Create, maintain, and secure your account and workspace
• Authenticate your identity and authorize access to appropriate resources
• Process transactions and manage subscriptions
• Provide customer support and respond to your inquiries
• Deliver notifications, updates, and administrative messages
• Enable collaboration features and workspace functionality

2.2 Improving and Developing the Service

We use information to:

• Analyze usage patterns and trends to improve the Service
• Conduct research and development to enhance existing features and develop new ones
• Test and evaluate the effectiveness of the Service
• Monitor and analyze the performance, reliability, and security of the Service
• Generate aggregated, de-identified analytics and reports

2.3 Safety and Security

We use information to:

• Detect, prevent, and respond to fraud, abuse, security incidents, and other harmful activity
• Enforce our Terms of Service and other policies
• Maintain audit logs for security and compliance purposes
• Verify the identity and authorization of users
• Protect the rights, property, and safety of HelloCivic, our users, and the public

2.4 Communications

We use information to:

• Send service-related communications, including account verification, security alerts, and technical notices
• Respond to your comments, questions, and requests
• Send promotional communications about new features, products, or services, where permitted by applicable law (you may opt out of promotional communications at any time)

2.5 Legal and Compliance

We use information to:

• Comply with applicable laws, regulations, legal processes, and governmental requests
• Enforce our legal rights and resolve disputes
• Fulfill our contractual obligations
• Maintain records as required by applicable law

3. Information Sharing and Disclosure

3.1 Within Your Organization

Information you provide through the Service may be visible to other members of your Organization, including administrators, workspace managers, and other authorized users, in accordance with the access controls and permissions configured for your workspace. Administrators within your Organization may have the ability to view, modify, or delete your account information and workspace data.

3.2 Service Providers

We share information with third-party service providers who perform services on our behalf, including hosting and infrastructure providers, payment processors, email delivery services, analytics providers, and customer support tools. These service providers are contractually obligated to use your information only for the purposes of providing services to us and are required to maintain the confidentiality and security of your information.

3.3 Legal Requirements

We may disclose information if we believe in good faith that disclosure is necessary to: (a) comply with applicable law, regulation, legal process, or governmental request; (b) enforce our Terms of Service or other agreements; (c) protect the rights, property, or safety of HelloCivic, our users, or the public; or (d) detect, prevent, or address fraud, security, or technical issues.

3.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or other similar event, information may be transferred as part of that transaction. We will notify affected users and Organizations of any change in ownership or control of their information and any choices they may have regarding their information.

3.5 Aggregated and De-Identified Information

We may share aggregated or de-identified information that cannot reasonably be used to identify you or your Organization. This information may be used for industry analysis, benchmarking, research, and other purposes.

3.6 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so.

4. Government Data Processing

4.1 Data Processor Role

When processing data on behalf of government Organizations, HelloCivic acts as a data processor (or service provider, as applicable under relevant law). The Organization acts as the data controller and determines the purposes and means of processing. HelloCivic processes such data solely in accordance with the Organization's instructions and applicable law.

4.2 Data Processing Agreements

Where required by applicable law, HelloCivic will enter into data processing agreements with Organizations that specify the scope, nature, and purpose of data processing, the types of personal data processed, the categories of data subjects, and the obligations and rights of each party.

4.3 Subprocessors

HelloCivic engages certain third-party subprocessors to assist in providing the Service. A current list of subprocessors is available upon request. We will notify Organizations of any changes to our subprocessors and provide Organizations with the opportunity to object to new subprocessors in accordance with applicable data processing agreements.

4.4 Government-Specific Obligations

HelloCivic acknowledges that government Organizations may be subject to specific data handling requirements, including public records laws, freedom of information statutes, and sector-specific regulations. HelloCivic will cooperate with Organizations to support compliance with these requirements, including providing reasonable assistance with public records requests and regulatory audits.

4.5 Data Segregation

User Data belonging to each Organization is logically segregated within the Service. HelloCivic implements access controls and technical measures to ensure that one Organization's data is not accessible to other Organizations or unauthorized parties.

5. Data Security

5.1 Security Measures

HelloCivic implements and maintains administrative, technical, and physical safeguards designed to protect information from unauthorized access, disclosure, alteration, and destruction. These measures include:

• Encryption of data in transit using TLS 1.2 or higher
• Encryption of data at rest using AES-256 encryption
• Role-based access controls and principle of least privilege
• Multi-factor authentication support
• Regular security assessments and penetration testing
• Intrusion detection and prevention systems
• Comprehensive audit logging and monitoring
• Secure software development lifecycle practices
• Employee security training and background checks
• Incident response and disaster recovery procedures

5.2 Incident Response

In the event of a security incident involving unauthorized access to or disclosure of personal information, HelloCivic will promptly investigate the incident and take appropriate remedial action. We will notify affected Organizations and individuals as required by applicable law, and we will cooperate with Organizations in their own incident response and notification efforts.

5.3 Limitations

While we strive to protect your information, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your information.

6. Data Retention

6.1 Retention Periods

We retain information for as long as necessary to fulfill the purposes for which it was collected, including to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods vary based on the type of information and the purpose for which it was collected:

• Account Information: Retained for the duration of your account and for a reasonable period thereafter to comply with legal obligations and resolve disputes.
• User Data: Retained for the duration of the Organization's subscription. Upon termination, User Data is available for export for thirty (30) days and is subsequently deleted.
• Audit Logs: Retained for a minimum of one (1) year, or longer as required by applicable law or as specified in the applicable data processing agreement.
• Usage and Analytics Data: Retained in identifiable form for up to twenty-four (24) months, after which it is aggregated or de-identified.
• Communications: Retained for as long as necessary to provide support and for quality assurance purposes.

6.2 Deletion

When information is no longer needed for the purposes for which it was collected, we will securely delete or de-identify it. Deletion may not be immediate due to technical constraints such as backup cycles, but we will ensure that retained data is protected and not used for any purpose other than backup and recovery.

7. Your Rights

7.1 General Rights

Depending on your jurisdiction, you may have certain rights regarding your personal information, including:

• Access: The right to request access to the personal information we hold about you.
• Correction: The right to request correction of inaccurate or incomplete personal information.
• Deletion: The right to request deletion of your personal information, subject to certain exceptions.
• Portability: The right to receive your personal information in a structured, commonly used, and machine-readable format.
• Restriction: The right to request restriction of processing of your personal information.
• Objection: The right to object to processing of your personal information for certain purposes.
• Withdrawal of Consent: Where processing is based on consent, the right to withdraw consent at any time.

7.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"):

• Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which the information was collected, the business or commercial purpose for collecting the information, and the categories of third parties with whom we share the information.
• Right to Delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions.
• Right to Correct: You have the right to request that we correct inaccurate personal information that we maintain about you.
• Right to Opt Out of Sale or Sharing: HelloCivic does not sell personal information and does not share personal information for cross-context behavioral advertising purposes.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
• Right to Limit Use of Sensitive Personal Information: You have the right to limit the use and disclosure of sensitive personal information to purposes necessary to provide the Service.

To exercise your CCPA/CPRA rights, please contact us at [email protected]. We will verify your identity before processing your request. You may designate an authorized agent to make a request on your behalf by providing written authorization.

7.3 European Economic Area, United Kingdom, and Switzerland (GDPR)

If you are located in the European Economic Area ("EEA"), the United Kingdom ("UK"), or Switzerland, you have rights under the General Data Protection Regulation ("GDPR") and applicable local data protection laws:

• Legal Basis for Processing: We process personal data on the following legal bases: (a) performance of a contract (to provide the Service); (b) legitimate interests (to improve the Service, ensure security, and prevent fraud); (c) compliance with legal obligations; and (d) consent (where you have provided it).
• Data Protection Officer: You may contact our data protection team at [email protected] for any questions regarding our processing of your personal data.
• Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in the EEA member state, UK, or Switzerland where you reside or where the alleged infringement occurred.

7.4 Exercising Your Rights

To exercise any of the rights described above, please contact us at [email protected]. We will respond to your request within the timeframe required by applicable law. In some cases, we may need to verify your identity before processing your request. If your request is made through an Organization, we may direct you to your Organization's administrator, as the Organization is the data controller for data processed through the Service.

8. Children's Privacy

The Service is not directed to children under the age of thirteen (13), and we do not knowingly collect personal information from children under thirteen. If we become aware that we have collected personal information from a child under thirteen without parental consent, we will take steps to promptly delete such information. If you believe that a child under thirteen has provided personal information to us, please contact us at [email protected].

For government Organizations that serve minors, the Organization is responsible for ensuring compliance with the Children's Online Privacy Protection Act ("COPPA") and any other applicable laws regarding children's privacy. HelloCivic will cooperate with Organizations to support compliance with these requirements.

9. International Data Transfers

9.1 Data Location

HelloCivic primarily stores and processes data in the United States. If you access the Service from outside the United States, your information may be transferred to, stored in, and processed in the United States or other countries where our service providers maintain facilities.

9.2 Transfer Mechanisms

Where we transfer personal data from the EEA, UK, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we rely on appropriate transfer mechanisms, including:

• Standard Contractual Clauses approved by the European Commission
• The UK International Data Transfer Agreement or Addendum, as applicable
• Binding Corporate Rules, where applicable
• Your explicit consent, where appropriate

9.3 Data Sovereignty

HelloCivic understands that certain government Organizations may have data sovereignty requirements that restrict the storage or processing of data outside specific jurisdictions. We will work with Organizations to accommodate such requirements where feasible, including offering data residency options where available.

10. Third-Party Links and Services

The Service may contain links to third-party websites, services, or applications that are not owned or controlled by HelloCivic. This Privacy Policy does not apply to third-party services. We encourage you to review the privacy policies of any third-party services before providing them with your information. HelloCivic is not responsible for the privacy practices or content of third-party services.

11. Changes to This Privacy Policy

11.1 Modifications

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. If we make material changes, we will notify you by posting the updated Privacy Policy on the Service and updating the "Last Updated" date. For Organizations with active subscriptions, we will also provide notice via email to the primary contact on file at least thirty (30) days before the changes take effect.

11.2 Continued Use

Your continued use of the Service after the effective date of any modifications constitutes your acceptance of the updated Privacy Policy. If you do not agree to the updated Privacy Policy, you should discontinue your use of the Service.

12. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Privacy Inquiries: [email protected]
• Data Protection Officer: [email protected]
• General Support: [email protected]
• Mailing Address: HelloCivic, Inc., Attn: Privacy Team, 1234 Civic Center Drive, Suite 500, Wilmington, DE 19801

For CCPA/CPRA requests, you may also contact us toll-free at 1-800-CIVIC-00 (1-800-248-4200).

By using the HelloCivic platform, you acknowledge that you have read and understood this Privacy Policy.