Privacy Policy

Effective Date: February 17, 2026 | Last Updated: February 17, 2026

1. Introduction

This Privacy Policy ("Policy") describes how Deleuzian, Inc., a Delaware corporation doing business as CivicAI ("CivicAI," "Company," "we," "us," or "our") collects, uses, discloses, and protects information in connection with our website (getcivicai.com), AI assistant widget, administrative dashboard, and related services (collectively, the "Services").

This Policy applies to:

• Customers: Political campaigns, political action committees (PACs), advocacy organizations, consultants, and other entities that subscribe to and use our Services
• End Users: Visitors to Customer websites who interact with the CivicAI assistant widget
• Website Visitors: Visitors to our own website (getcivicai.com)

2. Our Role: Data Controller vs. Data Processor

2.1 When We Act as Data Processor

When providing Services to Customers, CivicAI acts as a Data Processor under GDPR (or "Service Provider" under CCPA/CPRA). We process personal data submitted by or collected via the Services on behalf of the Customer based on their instructions (including their Knowledge Base Content and configuration settings). We do not determine the purposes or means of processing End User personal data—the Customer does.

2.2 Customer Responsibility: Data Controller

The Customer using CivicAI is the Data Controller (or "Business" under CCPA/CPRA) for data collected from their End Users. Customers are responsible for:

• Maintaining their own privacy policy that discloses the use of CivicAI and AI-generated interactions
• Ensuring compliance with applicable data protection laws (GDPR, CCPA/CPRA, state privacy laws, etc.)
• Obtaining necessary consents from End Users, including consent for AI-mediated interactions
• Responding to End User data subject requests (access, deletion, correction, etc.)
• Ensuring their use of CivicAI complies with applicable election laws and FEC disclosure requirements
• Disclosing to End Users that they are interacting with an AI system, as required by applicable law

2.3 When We Act as Data Controller

CivicAI acts as a Data Controller for:

• Customer account and billing information
• Data collected from visitors to our own website (getcivicai.com)
• PII-redacted and anonymized conversation data used for service improvement (see Section 5)
• Anonymized and aggregated analytics data

3. Information We Collect

3.1 Information Provided by Customers

3.2 Information Processed on Behalf of Customers (End User Data)

Important: IP addresses collected through the widget are anonymized (truncated) before storage. We do not store full, unmasked IP addresses from End User interactions.

3.3 Information Collected Automatically

When you visit our website (getcivicai.com) or use the Services, we automatically collect:

• Device Information: Browser type and version, operating system, device type, screen resolution
• Usage Data: Pages visited, features used, clicks, scroll depth, time spent on pages, navigation paths
• Log Data: IP address, access times, referring/exit URLs, HTTP status codes
• Cookie and Tracking Data: See Section 12 for full details, including our visitor identifier (civicai_vid), Google Analytics data, and UX analytics data
• Performance Data: Page load times, error reports, API response times (for service reliability)

3.4 Information We Do NOT Collect

We want to be transparent about what we do not collect:

• We do not collect biometric data (fingerprints, facial recognition, voiceprints)
• We do not collect precise geolocation (GPS coordinates)
• We do not collect financial information directly (payments are processed entirely by Stripe)
• We do not access End Users' device cameras, microphones, or contact lists
• We do not purchase personal data from data brokers or third-party sources
• We do not engage in cross-site tracking of End Users across unaffiliated websites

4. How We Use Information

4.1 Processing on Behalf of Customers (Data Processor)

We process End User data to:

• Provide, operate, and maintain the AI assistant Services
• Enable the AI to respond to End User queries based on Customer-approved content
• Facilitate lead capture (volunteer sign-ups, contact forms, event RSVPs) as configured by the Customer
• Provide analytics, conversation logs, and engagement insights to Customers via the dashboard
• Detect and classify visitor intent and engagement patterns for Customer analytics
• Troubleshoot issues and provide technical support
• Maintain conversation state and continuity within a session

4.2 Our Own Operations (Data Controller)

We use information as a Data Controller to:

• Manage Customer accounts and process payments
• Send service-related communications (updates, alerts, support responses, security notices)
• Improve and optimize our Services using PII-redacted and anonymized data (see Section 5)
• Monitor for security threats, fraud, abuse, and violations of our Acceptable Use Policy
• Comply with legal obligations, including tax, election law, and regulatory requirements
• Enforce our Terms of Service
• Conduct internal research and development using de-identified data
• Generate aggregate industry benchmarks and reports (never identifying individual Customers or End Users)
• Market our Services to prospective customers (we never use End User data for marketing)

5. AI Technology, PII-Redacted Data, and Service Improvement

5.1 How Our AI Processes Conversations

CivicAI's AI assistant generates responses using a "Glass Box" architecture: the AI responds only based on Customer-approved Knowledge Base Content. The AI does not browse the internet, access external databases, or generate information from sources outside the Customer's approved content. When the AI cannot answer a question from the Knowledge Base, it transparently discloses this limitation and offers to connect the End User with the Customer team.

5.2 PII-Redacted Conversation Data for Service Improvement

To continuously improve our Services—including AI response quality, conversation flow, system reliability, and user experience—we process conversation data through the following pipeline:

• Step 1 — PII Redaction: Before any conversation data is used for service improvement, we apply automated PII detection and redaction. This process identifies and removes or replaces names, email addresses, phone numbers, mailing addresses, social security numbers, financial account numbers, government-issued identifiers, precise location data, and any other data elements classified as personally identifiable under GDPR, CCPA/CPRA, or other applicable privacy laws.
• Step 2 — De-identification Verification: Redacted data undergoes a verification step to confirm that remaining data cannot reasonably be used to re-identify an individual, either alone or in combination with other available data.
• Step 3 — Aggregation and Analysis: De-identified conversation data is analyzed to identify common question patterns, conversation flows that lead to successful outcomes, AI response quality issues, and system performance metrics.

What this means for you: We may analyze the types of questions people ask across all campaigns (e.g., "many users ask about early voting locations") to improve our AI's ability to handle such questions—but we never use identified or identifiable personal data, and we never use one Customer's specific Knowledge Base Content to benefit another Customer.

5.3 Legal Basis for Service Improvement Processing

• Under GDPR: Legitimate interest (Article 6(1)(f)), balanced against data subject rights. We have conducted a Legitimate Interest Assessment documenting that (a) improving AI service quality is a legitimate business interest, (b) PII redaction and de-identification are necessary and proportionate safeguards, and (c) data subjects' rights are protected by the de-identification process. Data subjects retain the right to object (see Section 15).
• Under CCPA/CPRA: This processing involves de-identified information as defined under CCPA §1798.140(m). We maintain reasonable measures to ensure data cannot be re-associated with a consumer and commit not to attempt re-identification.
• Under the EU AI Act: This processing supports transparency and quality obligations for AI providers under Articles 13 and 53.

5.4 Future Opt-Out Controls

We are developing self-service opt-out controls that will allow Customers to manage whether their End Users' PII-redacted conversation data is used for service improvement. We will notify all Customers when these controls become available. In the meantime, Customers with questions or concerns about this processing may contact us at privacy@getcivicai.com.

5.5 AI Model Training Commitments

• We do not use identifiable conversation data to train AI models
• We do not use Customer-specific Knowledge Base Content to train models accessible to other Customers
• We do not share or sell conversation data (identified or de-identified) to third-party AI model providers
• We do not use End User data for any purpose other than providing the Services to the respective Customer and the de-identified service improvement described above
• Any future material changes to these commitments will require 60 days' advance notice and affirmative Customer consent

6. Legal Bases for Processing (GDPR)

For individuals in the European Economic Area (EEA), UK, or Switzerland, we process personal data based on the following legal bases:

7. How We Share Information

We do not sell personal information. We never have and never will. We do not share personal information for cross-context behavioral advertising.

We share information only in these limited circumstances:

7.1 With the Respective Customer

End User data collected via the CivicAI widget on a Customer's website is accessible only to that specific Customer through their dashboard. We never share one Customer's End User data with another Customer. We never use End User data to benefit competing Customers.

7.2 Service Providers (Sub-Processors)

We use trusted third-party service providers who process data on our behalf under written agreements requiring data protection at least as stringent as this Policy. See Section 8 for our sub-processor list.

7.3 Legal Requirements

We may disclose information if required by law, subpoena, court order, or other legal process, or if we have a good faith belief that disclosure is reasonably necessary to:

• Comply with legal obligations
• Protect the safety, rights, or property of any person
• Protect our rights, property, or safety or those of our users
• Investigate fraud, security issues, or violations of our Terms
• Respond to a government or regulatory inquiry

Where legally permissible, we will notify the affected Customer before disclosing their data in response to legal process.

7.4 Business Transfers

In connection with a merger, acquisition, bankruptcy, reorganization, or sale of assets, information may be transferred as part of the transaction. We will notify affected Customers at least 30 days before any transfer, ensure any successor entity is bound by privacy protections at least as protective as this Policy, and provide Customers the opportunity to delete their data before transfer.

7.5 Aggregated and De-Identified Data

We may share anonymized, aggregated, or de-identified data that cannot reasonably be used to identify individuals or specific Customers for analysis, research, industry benchmarking, or reporting purposes.

7.6 With Consent

We may share information with third parties when we have the Customer's explicit, informed consent.

7.7 Election Integrity and Law Enforcement

In exceptional circumstances, we may proactively disclose information to law enforcement or election authorities if we have credible evidence that our Services are being used for voter suppression, election interference, fraudulent misrepresentation of candidates or officials, illegal campaign activity, or activities posing an imminent threat to public safety. We will document and report any such disclosures to the affected Customer unless prohibited by law.

8. Sub-Processors

We use the following sub-processors to provide our Services:

We maintain Data Processing Agreements (DPAs) with all sub-processors requiring them to process data only on our documented instructions, implement appropriate security measures, assist with data subject requests, and delete or return data upon termination. Enterprise customers may subscribe to sub-processor change notifications with at least 30 days' advance notice.

9. International Data Transfers

Information may be processed in the United States and other countries where our service providers operate. For transfers from the EEA, UK, or Switzerland to countries without an adequacy decision, we rely on:

• EU-U.S. Data Privacy Framework (DPF): Where our sub-processors are DPF-certified
• Standard Contractual Clauses (SCCs): EU Commission-approved contractual safeguards (2021 SCCs)
• UK International Data Transfer Agreement/Addendum: For transfers from the UK
• Data Processing Agreements: With appropriate security, privacy, and audit commitments
• Supplementary Measures: Technical measures (encryption in transit and at rest) and organizational measures (access controls, employee training) as recommended by the EDPB

10. Data Security

We implement comprehensive technical and organizational security measures, including:

• Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access Controls: Role-based access control (RBAC), multi-factor authentication, principle of least privilege
• Infrastructure: AWS secure cloud hosting with enterprise-grade security controls, VPC isolation, and network segmentation
• Monitoring: Continuous security monitoring, intrusion detection, and real-time alerting
• Vulnerability Management: Regular security assessments, dependency scanning, and penetration testing
• Employee Training: Mandatory security awareness training for all personnel with access to data systems
• Incident Response: Documented incident response plan with defined roles, escalation procedures, and post-incident review
• Data Isolation: Customer data is logically isolated; no Customer can access another Customer's data

For more details, see our Security Page. However, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

11. Data Retention

We retain data only as long as necessary for the purposes described in this Policy:

Upon account termination: We delete or anonymize identifiable Customer data within 90 days unless retention is required by law. Customers may request data export in machine-readable format (JSON, CSV) prior to termination. PII-redacted data that has already been de-identified and incorporated into aggregate datasets is retained as it is no longer personal data. We will confirm deletion in writing upon request.

12. Cookies and Tracking Technologies

12.1 Cookies on Our Website (getcivicai.com)

We use the following types of cookies and tracking technologies:

12.2 CivicAI Widget Cookies

The CivicAI widget embedded on Customer websites uses only essential cookies/local storage for:

• Session management (maintaining conversation state within a visit)
• Widget state (open/closed)
• Visitor identifier (civicai_vid) for conversation continuity across sessions

Customers are responsible for their own website's cookie consent mechanisms and must disclose the CivicAI widget's use of cookies/local storage in their cookie policy.

12.3 Managing Cookies

You can manage cookie preferences through your browser settings. Note that disabling cookies may affect functionality. For opt-out links:

• Google Analytics: https://tools.google.com/dlpage/gaoptout
• Contentsquare: Available through their privacy center

12.4 Do Not Track and Global Privacy Control

We currently do not respond to "Do Not Track" (DNT) browser signals, as there is no uniform standard for DNT compliance. We do honor the Global Privacy Control (GPC) signal as a valid opt-out of sale/sharing under CCPA/CPRA (though we do not sell or share personal information).

13. Your Privacy Rights

13.1 General Rights (All Users)

Depending on your location and applicable law, you may have the following rights:

• Access: Request a copy of personal data we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your data (subject to legal retention requirements)
• Portability: Receive your data in a structured, commonly used, machine-readable format
• Restriction: Request that we limit how we process your data
• Objection: Object to processing based on legitimate interests
• Opt-Out of Marketing: Unsubscribe from marketing communications at any time
• Withdraw Consent: Where processing is based on consent, withdraw that consent at any time (without affecting prior processing)

13.2 For End Users

Since the Customer is the Data Controller for End User data, End Users should contact the Customer directly to exercise privacy rights. CivicAI will assist Customers in responding to legitimate requests within the timeframes required by law.

If an End User contacts us directly and we can identify the relevant Customer, we will forward the request to the Customer, notify the End User that we have done so, and cooperate with the Customer to fulfill the request.

13.3 For Customers

Customers can access, update, export, or request deletion of their data through the CivicAI dashboard (self-service), by emailing support@getcivicai.com, or by emailing privacy@getcivicai.com for formal data protection requests.

13.4 Verification and Non-Discrimination

Before fulfilling privacy rights requests, we will verify the requester's identity using reasonable methods. We will not discriminate against any person for exercising their privacy rights—you will not receive different pricing, service quality, or access as a result of exercising your rights.

14. California Privacy Rights (CCPA/CPRA)

14.1 Categories of Personal Information

In the preceding 12 months, we have collected the following CCPA categories:

• Identifiers: Name, email, phone, IP address (anonymized for End Users), account ID, visitor ID (civicai_vid)
• Commercial Information: Subscription details, transaction history, payment records
• Internet/Network Activity: Browsing history, search history, interaction data, conversation logs
• Professional Information: Organization affiliation, role/title
• Geolocation Data: Approximate location derived from IP address (not precise GPS)
• Inferences: Preferences, engagement patterns, and intent classifications derived from usage

14.2 Do Not Sell or Share

We do not sell personal information. We do not share personal information for cross-context behavioral advertising as defined under CCPA/CPRA. Therefore, we do not offer a "Do Not Sell or Share" opt-out because there is no sale or sharing to opt out of.

14.3 Automated Decision-Making Technology (ADMT) Disclosure

In compliance with CCPA/CPRA ADMT regulations effective January 1, 2026, we disclose the following:

• AI-generated responses: Our AI assistant automatically generates conversational responses based on Customer-approved content. These responses are informational and do not constitute "significant decisions" affecting consumers' access to financial, housing, employment, or educational opportunities.
• Visitor intent classification: We use automated analysis to classify visitor intent and engagement levels. This classification is used solely for Customer analytics and does not result in decisions that produce legal or similarly significant effects on consumers.
• Lead scoring: Automated scoring of lead quality based on engagement signals. This scoring is provided to Customers as an analytical tool; any decisions based on lead scores are made by the Customer, not by CivicAI.

Your ADMT rights: California residents have the right to request information about ADMT use and its effects, request access to the logic involved in ADMT processing, and request to opt out of ADMT where it produces legally or similarly significant effects (note: CivicAI's ADMT does not currently make such decisions).

14.4 California Consumer Rights

California residents have the right to:

• Know: What personal information we collect, how it's used, and to whom it's disclosed
• Access: Request a copy of your personal information
• Delete: Request deletion of your personal information
• Correct: Request correction of inaccurate information
• Limit Sensitive Personal Information: Direct us to limit the use of sensitive personal information
• Non-Discrimination: Not be discriminated against for exercising these rights

14.5 Exercising Your Rights

To exercise your California privacy rights, contact us at:

• Email: privacy@getcivicai.com
• Include "California Privacy Request" in the subject line

We will verify your identity before processing requests. You may designate an authorized agent to submit requests on your behalf with proper written authorization. We will respond to verifiable requests within 45 days (extendable by an additional 45 days if reasonably necessary, with notice to you).

15. European Privacy Rights (GDPR)

15.1 Your GDPR Rights

If you are in the EEA, UK, or Switzerland, you have the right to:

• Access (Article 15): Obtain confirmation of processing and a copy of your data
• Rectification (Article 16): Correct inaccurate or incomplete data
• Erasure ("Right to be Forgotten") (Article 17): Request deletion in certain circumstances
• Restriction (Article 18): Request restriction of processing while disputes are resolved
• Data Portability (Article 20): Receive data in a structured, machine-readable format (JSON or CSV)
• Object (Article 21): Object to processing based on legitimate interests, including service improvement using de-identified data. We will cease processing unless we demonstrate compelling legitimate grounds.
• Withdraw Consent (Article 7): Withdraw consent at any time without affecting prior processing
• Automated Decision-Making (Article 22): Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects. CivicAI does not engage in such automated decision-making.

15.2 Exercising Your Rights

To exercise GDPR rights, contact us at privacy@getcivicai.com. We will respond within one month (extendable by two months for complex or numerous requests, with notice to you).

15.3 Supervisory Authority

You have the right to lodge a complaint with your local data protection supervisory authority if you believe we have violated your privacy rights. A list of EEA supervisory authorities is available at: edpb.europa.eu.

15.4 Data Protection Officer

Given our current scale of operations, we have not appointed a formal Data Protection Officer. For all privacy inquiries, please contact privacy@getcivicai.com. We will appoint a DPO if and when required by Article 37 of the GDPR based on the nature and scale of our processing activities.

16. AI-Specific Privacy Rights

16.1 EU AI Act Transparency (Article 50)

In compliance with the EU AI Act:

• We clearly inform all users that the CivicAI assistant is an AI system
• AI-generated responses are identifiable as such (they come from the "CivicAI Assistant," not a named human)
• We do not use AI techniques that are subliminal, manipulative, or exploitative
• We do not use AI for social scoring or real-time biometric identification

16.2 U.S. State AI Transparency Laws

In compliance with applicable state AI laws, including:

• Colorado AI Act (SB 24-205, effective June 30, 2026): We disclose our use of AI systems to deployers (Customers) and make information available about risk management and known limitations
• Texas Responsible AI Governance Act (HB 149, effective January 1, 2026): We comply with consumer protection and transparency requirements
• Illinois AI laws: We do not use AI for employment decisions; our Services are designed for campaign engagement only

16.3 Right to Know About AI Processing

You have the right to know:

• That you are interacting with an AI system (disclosed via widget labeling and this Policy)
• The general logic of how the AI generates responses (from Customer-approved Knowledge Base Content using natural language processing)
• The types of data used to generate AI responses (the Customer's Knowledge Base Content, not your personal data)
• That AI responses may contain errors or inaccuracies (disclosed in our Terms of Service)

17. Automated Decision-Making

CivicAI does not use automated processing to make decisions that produce legal effects or similarly significant effects on individuals. Specifically:

• AI-generated chat responses are informational conversations, not consequential decisions
• Visitor intent classification and lead scoring are analytical tools provided to Customers; any resulting decisions are made by humans at the Customer
• We do not use personal data for profiling that results in legal or similarly significant effects

If we materially change our automated decision-making practices, we will update this Policy with at least 30 days' notice and, where required, obtain consent.

18. Data Breach Notification

In the event of a personal data breach that poses a risk to rights and freedoms:

• Customers: We will notify affected Customers without undue delay and within 72 hours of becoming aware of the breach (as required by GDPR Article 33), including the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed
• Supervisory Authorities: Where required by GDPR, we will notify the relevant supervisory authority within 72 hours
• Individuals: Where a breach is likely to result in a high risk to rights and freedoms, we will assist Customers in notifying affected End Users. For data where we are the Data Controller, we will directly notify affected individuals
• State Law Notifications: We comply with all applicable U.S. state breach notification laws (typically 30–60 days depending on jurisdiction)
• Post-Breach Actions: We conduct thorough post-incident reviews and implement remedial measures, and maintain a breach register documenting all incidents, responses, and outcomes

19. Children's Privacy

Our Services are not directed to children under 16 years of age (or under 13 in jurisdictions where that is the applicable threshold under COPPA or equivalent laws). We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under the applicable age threshold, we will immediately cease processing that data, delete that information within 30 days, and notify the Customer (if applicable) of the deletion.

Customers are responsible for ensuring their websites implement appropriate age-gating measures if their content may attract children. If you believe we have collected information from a child, please contact us immediately at privacy@getcivicai.com.

20. Third-Party Links and Services

Our Services may contain links to third-party websites, services, or content. We are not responsible for the privacy practices, content, or security of these third parties. We encourage you to read their privacy policies before providing any personal information. Specifically, our Services may link to or integrate with Customer websites, social media platforms, payment processors (Stripe), and analytics services—each of which maintains its own independent privacy policy.

21. Lawful Use and Prohibited Data Practices

CivicAI is committed to ensuring our platform is not used for unlawful purposes. We prohibit:

• Collection of personal data for purposes of harassment, intimidation, or discrimination
• Use of the Services to facilitate voter suppression or election interference
• Collection or processing of data in violation of applicable law
• Use of End User data for purposes not disclosed in the Customer's privacy policy
• Any attempt to re-identify de-identified or anonymized data

Violations may result in immediate account termination and, where appropriate, referral to law enforcement or election authorities.

22. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. For material changes, we will:

• Provide at least 30 days' advance notice via email to registered Customers
• Post a prominent notice on our website
• Update the "Last Updated" date at the top
• For changes affecting how we use PII-redacted data for service improvement, provide 60 days' notice

Your continued use of the Services after changes become effective constitutes acceptance of the revised Policy. If you do not agree to the changes, you should stop using the Services.

23. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

© 2026 Deleuzian, Inc. All rights reserved.