1. Introduction & Scope
This Privacy Policy ("Policy") describes how Adroit DRX, LLC ("Adroit DRX," "Politiips," "we," "us," or "our") collects, uses, discloses, and safeguards information about you when you access or use the Politiips website, mobile experience, APIs, email communications, and related services (collectively, the "Platform").
This Policy applies to all users of the Platform. It should be read together with our Terms of Use, which govern your access to and use of the Platform. Capitalized terms not defined here have the meanings given in the Terms of Use.
For purposes of the European Union General Data Protection Regulation ("GDPR"), the United Kingdom GDPR, and analogous laws, Adroit DRX, LLC is the data controller of personal information processed through the Platform.
2. Information We Collect
We collect the following categories of information:
A. Information You Provide Directly
- Account information: display name, email address, password (stored as a salted cryptographic hash — never in plain text), and/or a Google sign-in identifier.
- Profile information (optional): state of residence, political party affiliation, ZIP code, phone number, profile photo, and short bio.
- User-generated content: approval ratings, star reviews, written review text, comments, public chat messages, direct messages, voice-message recordings, group chat content, poll questions and votes, campaign ads (for verified Member accounts), and support requests.
- Connection data: connection requests you send or receive, group memberships, and read receipts.
- Payment information: billing name, postal code, and the last four digits of your payment card. Full card numbers, expiration dates, and CVVs are handled exclusively by Authorize.Net and are never stored on Politiips servers.
- Claim-of-profile materials: if you claim a verified Member (politician) account, we may collect your official .gov email, FOIA-verifiable documents, government employee identifier, or other verification evidence.
- Communications with us: messages you send to our support, feedback, or legal addresses.
B. Information We Collect Automatically
- Device & connection data: IP address, general geographic location derived from IP, browser type and version, operating system, device identifiers, language preference, time zone, and referring/exit pages.
- Usage data: pages viewed, features used, session duration, click paths, error logs, and performance telemetry.
- Presence data: whether you are actively using the Platform (online/offline status) and the timestamp of your most recent activity.
- Cookies & local storage: identifiers and preferences stored on your device. See Section 5.
C. Information We Receive from Third Parties
- Identity providers: if you sign in using Google, we receive the basic profile fields Google provides (name, email, profile photo, and Google account ID). We do not receive your Google password.
- Payment processor: Authorize.Net returns a subscription ID, transaction status, failure codes, and the last four digits of your card.
- Public government data: we ingest data from Congress.gov, CourtListener, the Federal Election Commission (FEC), and similar public sources about U.S. officials. This is not your personal information unless you are yourself a public official.
D. Sensitive Information
In the course of using a civic-engagement platform, you may voluntarily reveal information that is considered "sensitive" under certain privacy laws — including political opinions, party affiliation, or advocacy statements — when you submit ratings, reviews, comments, or profile fields. Do not submit sensitive information you do not intend to share. We treat sensitive information you publish on the Platform the same as any other public content.
3. How We Use Your Information
We use the information we collect to:
- Provide and operate the Platform — create and authenticate your account, process payments and subscriptions, deliver messages, store your ratings and reviews, and enable search and connections.
- Personalize your experience — surface officials relevant to your state or interests, and tailor notifications and content to your preferences.
- Communicate with you — send transactional emails (receipts, security alerts, account notifications), respond to support requests, and, where you opt in, product announcements.
- Maintain safety and integrity — detect and prevent fraud, abuse, spam, harassment, impersonation, and unauthorized access; enforce our Terms of Use.
- Analyze and improve the Platform — measure feature usage, diagnose issues, and develop new features, using aggregated or de-identified data where feasible.
- Comply with law — satisfy tax, accounting, and regulatory obligations; respond to lawful legal process; establish, exercise, or defend legal claims.
- With your consent — any purpose we describe when we request your consent.
We do not sell your personal information for money. We do not share your personal information for cross-context behavioral advertising. We do not use your direct messages or voice recordings to train advertising models.
4. Legal Bases for Processing (GDPR/UK GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we process your personal information under one or more of the following legal bases:
- Contract: to provide the services you request and perform our agreement with you (e.g., account creation, subscription fulfillment).
- Legitimate interests: to secure the Platform, prevent fraud, improve our services, and communicate with you, where these interests are not overridden by your rights.
- Legal obligation: to comply with applicable laws (tax, accounting, response to lawful government requests).
- Consent: where required by law, we rely on your consent (e.g., certain cookies, optional communications). You may withdraw consent at any time; withdrawal does not affect prior lawful processing.
- Vital interests or public interest: rarely, where necessary to protect someone's life or in the public interest.
5. Cookies & Similar Technologies
We and our service providers use cookies, local storage, and similar technologies to:
- Strictly necessary: keep you signed in, remember branch and preference selections, and secure sessions. These cannot be disabled without breaking the Platform.
- Preferences: remember UI settings (selected branch, dashboard tabs, emulation state for admins).
- Analytics: understand aggregate usage and improve performance. Where required, we seek consent before setting non-essential analytics cookies.
You can control cookies through your browser settings. Blocking cookies may affect the functionality of the Platform. We do not use cookies for third-party advertising.
6. How We Share Information
We share personal information only in the following circumstances:
- With other users (public content only): your display name, profile photo, ratings, reviews, comments, public chat messages, and poll responses are visible to other users. Your email, phone, state, ZIP, party, and payment details are never made public.
- Service providers (processors): we disclose information to vendors who help us operate the Platform under written agreements that restrict use to the purposes we define. Current providers include Supabase (authentication, database, and file storage), Google (OAuth sign-in), Vercel (application hosting), Authorize.Net (payment processing), Resend (transactional email), Didit (identity verification / KYC), HubSpot (CRM for Business-tier accounts), Congress.gov / CourtListener / FEC / GNews (read-only public data), and IP-based geolocation providers.
- Verified Member (politician) accounts: Admins of Adroit DRX may review verification materials submitted by those claiming a Member account. Verification materials are retained for audit and revocation purposes.
- Legal process and safety: we may disclose information to comply with subpoenas, court orders, or other legal process, or where we reasonably believe disclosure is necessary to (a) investigate or prevent fraud, security breaches, or violations of these policies; (b) protect the rights, safety, or property of users, Adroit DRX, or the public; or (c) comply with applicable law.
- Business transfers: in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of our assets, personal information may be transferred as part of the transaction. We will notify you if such a transfer results in a materially different privacy policy.
- With your consent or at your direction: we share information for any other purpose you authorize.
- Aggregated or de-identified data: we may share anonymous or aggregate data that cannot reasonably be used to identify you.
7. Public Content & Visibility
The Platform is a public civic-engagement service. Content you designate as public — including ratings, reviews, comments, public chat messages, poll votes, verified Member profile fields, ads, and bio — is visible to all visitors, indexable by search engines, and may be cached or copied by third parties outside our control.
Direct messages and group chats are visible only to the participants, but recipients may copy, screenshot, or forward them. Do not send anything in a message you would not want shared.
8. Third-Party Services
When you interact with links, embedded content, or integrations from third parties, those third parties may collect information about you under their own privacy policies. We are not responsible for the privacy practices of services we do not control. We recommend reviewing the following:
- Supabase — supabase.com/privacy
- Google (OAuth sign-in) — policies.google.com/privacy
- Vercel — vercel.com/legal/privacy-policy
- Authorize.Net (Visa) — authorize.net/company/privacy/
- Resend — resend.com/legal/privacy-policy
- Didit (identity verification) — didit.me
- HubSpot — legal.hubspot.com/privacy-policy
- Congress.gov, CourtListener, FEC, GNews — publicly available civic and news data
9. Data Retention
We retain personal information for as long as your account is active, or as needed to provide services, comply with our legal obligations, resolve disputes, and enforce our agreements. Retention periods include, illustratively:
- Account records — while your account is active; deleted or anonymized within 90 days of account closure.
- Ratings, reviews, and public chat — may persist in aggregate, de-identified form after account deletion so that historical scores remain meaningful; identifying authorship is removed.
- Direct messages — retained while your account is active; deleted following account closure subject to the paragraph below.
- Billing and tax records — up to 7 years as required by financial and tax regulations.
- Security, fraud-prevention, and audit logs — up to 24 months.
- Backups — may persist for up to 90 days after deletion from primary systems before being overwritten.
10. Security
We use commercially reasonable administrative, technical, and physical safeguards designed to protect personal information, including:
- TLS 1.2+ encryption for all data in transit
- Encryption at rest for database and file storage (AES-256)
- Role-based access controls and audit logging for administrative actions
- Salted password hashing using bcrypt or equivalent
- Row-Level Security and server-mediated access controls enforcing per-record access
- Payment processing by PCI-DSS Level 1 certified providers (Authorize.Net)
- Regular dependency and vulnerability scanning
No system is perfectly secure. You are responsible for maintaining the confidentiality of your account credentials and for activity conducted under your account. Notify us immediately at security@adroitdrx.com of any suspected unauthorized use.
11. International Data Transfers
Politiips is operated from the United States. When you access the Platform from outside the U.S., your information will be transferred to, stored, and processed in the United States and in countries where our service providers operate. These jurisdictions may have data-protection laws different from (and potentially less protective than) those of your jurisdiction.
For transfers from the EEA, UK, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs), the UK Addendum, or other lawful transfer mechanisms. Contact us for a copy of the safeguards we use.
12. Your Privacy Rights & Choices
Regardless of location, every Politiips user can:
- Access & update your account details in Settings → Account.
- Export your data (ratings, reviews, comments) from Settings → Data Export (available to all paid tiers; free-tier users may request export by email).
- Delete your account from Settings → Danger Zone, or by emailing privacy@adroitdrx.com. We will complete deletion within 30 days, subject to legal retention obligations.
- Manage notifications in Settings → Notifications, or via unsubscribe links in marketing emails.
- Object to or restrict certain processing, where applicable.
- Lodge a complaint with your local data-protection authority.
We will not discriminate against you for exercising any of these rights. We may need to verify your identity before fulfilling certain requests.
13. California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA"), gives you the right to:
- Know what personal information we have collected, the categories of sources, the business or commercial purpose for collection, and the categories of third parties with whom we share it.
- Access a portable copy of the specific pieces of personal information we have collected about you in the last 12 months (or longer upon request).
- Delete personal information we have collected, subject to exceptions.
- Correct inaccurate personal information.
- Limit the use of sensitive personal information (e.g., political opinions you submit) to purposes necessary to provide the Platform.
- Opt out of sale or sharing for cross-context behavioral advertising. We do not sell or share personal information for cross-context behavioral advertising.
- Non-discrimination for exercising any CCPA right.
Categories of personal information collected in the last 12 months include identifiers, internet/network activity, commercial information (subscription data), geolocation (IP-based), audio (voice messages), and inferences drawn from the above. We retain each category only for the periods described in Section 9.
To exercise a CCPA right, email privacy@adroitdrx.com with the subject line "California Privacy Request." You may also designate an authorized agent to submit a request on your behalf (written permission required). We will respond within 45 days, with a one-time 45-day extension where reasonably necessary.
California Shine the Light (Civil Code § 1798.83): we do not disclose personal information to third parties for their direct-marketing purposes.
14. European Privacy Rights (GDPR / UK GDPR)
If you reside in the European Economic Area, the United Kingdom, or Switzerland, in addition to the rights described above you have the right to:
- Request access, rectification, or erasure of your personal data
- Request restriction of or object to processing
- Data portability in a structured, machine-readable format
- Withdraw consent at any time where processing is based on consent
- Lodge a complaint with your national supervisory authority
To exercise these rights, contact privacy@adroitdrx.com. We will respond within one month, extendable by two months where requests are complex or numerous.
15. Other U.S. State Privacy Rights
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and other states with comprehensive privacy laws have rights similar to those described in Section 13, including rights to access, delete, correct, port, and opt out of sale or targeted advertising. You may submit a request to privacy@adroitdrx.com. If we deny your request, you may appeal by replying to our response within 30 days; we will respond to appeals within 60 days.
16. Automated Decision-Making
We do not use fully automated decision-making that produces legal or similarly significant effects about you. Some Platform features (such as content-moderation screening for spam and abuse) use automated tools to flag content for human review; decisions that affect your account (suspension, removal of content, billing actions) are reviewed by our team.
17. Do Not Track & Global Privacy Control
Our Platform does not currently respond to Do Not Track ("DNT") signals because no uniform industry standard has been adopted. Where required by law (e.g., CCPA), we honor the Global Privacy Control ("GPC") browser signal as a valid request to opt out of the sale or sharing of personal information.
18. Children's Privacy
Politiips is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If we learn we have collected such information without verifiable parental consent, we will delete it promptly. Parents or guardians who believe we may have collected information about a child under 13 should contact privacy@adroitdrx.com.
Use of the Platform is restricted to users 18 years of age or older. See our Terms of Use for eligibility requirements.
19. Accessibility
We strive to make the Platform accessible to everyone, including people with disabilities. If you have difficulty accessing any feature or need this Policy in an alternative format, contact accessibility@adroitdrx.com.
20. Data Breach Notification
In the event of a data breach affecting your personal information, we will notify you and applicable authorities in accordance with applicable law, typically within 72 hours of confirming the breach for authorities subject to GDPR, and without unreasonable delay for users affected in the United States.
21. Changes to This Policy
We may revise this Policy from time to time. When we make material changes, we will update the Effective Date at the top, notify you by email or in-app banner at least 14 days before the changes take effect, and — where required — obtain your renewed consent. Historical versions are available on request.
22. Contact Us
Questions, concerns, or privacy requests? We're here to help.
Adroit DRX, LLC — Privacy Office
Operating: Politiips (politiips.com)
General privacy: privacy@adroitdrx.com
Security reports: security@adroitdrx.com
Accessibility: accessibility@adroitdrx.com
Legal notices: legal@adroitdrx.com