Vol. 2026 · Privacy · Plain-English Edition

CivicRadar
← Back to find your bills
Privacy

What we see of you. What we don’t.

Most privacy policies are long because the company has a lot to confess. Ours is short because we don’t.

The short version

Five sentences

  1. We don’t make you sign in, and we never see your name.
  2. Your ZIP and the identities you pick live in your browser’s storage on your device, not on our server.
  3. When you search, your ZIP and tags travel to OpenStates, Congress.gov, and our bill cache so they can return matching bills. Our cache only remembers state + keyword, not who asked.
  4. When you ask the app to draft a letter, the bill excerpt, your tags, and any sentence you wrote about your situation are sent to Anthropic and Google so a model can write back. The draft never lands on our servers.
  5. The one exception is bill alerts: if you opt in to be notified when a bill moves, we store the minimum we need to send you that one notification. Details in the section below.
The mental model

On your device. On our server.

Two columns. The left is everything that stays with you. The right is everything that lands on a CivicRadar-controlled server. The asymmetry is the whole point.

On your device

On our server

ZIP code
not stored
Identity and issue tags
not stored
Anything you typed about yourself
not stored
Letters and call scripts you drafted
not stored
 
A bill cache keyed by state + keyword, no person attached
 
Per-IP rate-limit counters so bots don’t burn our API budget (auto-expire within minutes)

You can erase what we know in one move: clear this site’s storage in your browser, and we’re back to knowing nothing about you.

Bill alerts

The one thing that does need server storage

If you opt in to be alerted when a specific bill moves, we need a way to reach you. That requires storing the minimum we need per channel:

  • Browser push:a salted, peppered hash of the push endpoint your browser gives us. We can’t turn it back into your identity; it’s only a key we use when sending the notification. Stored for 90 days, then deleted.
  • Email: the address you typed, plus a confirm-link state. Stored for 365 days from your last opt-in action. You can unsubscribe from every email we send.

Subscriptions are per-bill, never per-profile. We don’t attach your ZIP, identities, or any free-text sentence to a subscription. The two pieces of information stay on separate sides of the wall.

We also keep a short notify-dedup cache (14 days) so a bill that moves three times in a week doesn’t hammer your inbox.

Refusals

Things we won’t do

  • Sell your data. We have nothing to sell.
  • Run third-party trackers that follow you across the web. No Facebook pixel, no Google Analytics targeting cookies, no Hotjar. We do run privacy-respecting infrastructure metrics (page load, error counts) that don’t carry user identifiers.
  • Hand over your identity selections to anyone, including advocacy organizations whose positions appear in our data. Org positions flow one way: org → CivicRadar → you. Never the reverse.
  • Add an account system. Accounts mean stored profiles, stored profiles mean breaches and subpoenas. We aren’t going to build that.
Questions, changes

If something here is wrong

We treat this page as a contract with our readers. If you read the code and find a place where what we do drifts from what we say, that’s a bug — open an issue on the public GitHub repository and we’ll fix one or the other (probably the code).

When we change this page, we’ll list the change at the top so you can see what shifted. No tracked deletions, no silent edits.