Privacy Policy
Effective July 4, 2026 · Version 1.0
Introduction
Effective Date: July 4, 2026 · Last Updated: July 4, 2026 · Version 1.0
Contact: privacy@campaignfires.app · hello@campaignfires.app
CampaignFires ("we," "us," "our," or "the Company") operates a multi-tenant Software-as-a-Service (SaaS) platform designed exclusively for political campaign organizations. This Privacy Policy describes how we collect, use, store, share, and protect information about: (1) individuals who register for and use the CampaignFires platform ("Platform Users"); and (2) voter and contact records that our Platform Users upload, import, or manage within the platform on behalf of their campaign organizations ("Voter Data").
This Privacy Policy is distinct from, and should be read alongside, our Terms of Service. By accessing or using CampaignFires, you agree to the practices described in this Privacy Policy.
Information We Collect
2.1 Information You Provide Directly
- Account Registration Data: Full name, email address, password (hashed), and organization name.
- Campaign Information: Campaign name, candidate name, election level, district, and election date.
- Billing and Payment Information: Plan selection. Payment cards are processed directly by Stripe and never stored on CampaignFires servers.
- Profile Information: Display name, avatar, role, and preferences.
- Communications: Support requests, feedback, and messages you send us.
2.2 Voter and Contact Data (Uploaded by Campaign Organizations)
Campaign organizations may upload voter data including: name, address, email, phone, voter registration status, party affiliation, voting history, issue positions, persuasion scores, and contact history. CampaignFires does not independently collect or purchase voter data.
2.3 Automatically Collected Information
- Log Data: IP address, browser type, device, OS, pages visited.
- Usage Data: Features accessed, messages composed, imports performed.
- Cookies: Authentication cookies (required), preference cookies (dark/light mode). No advertising cookies.
2.4 Information from Third-Party Integrations
When you connect social platforms, we receive OAuth tokens and basic account info (handle, follower count) and engagement metrics on content you publish through CampaignFires.
How We Use Your Information
3.1 Platform Operations: Account management, authentication, Voter Data processing, AI outreach generation, subscription enforcement, payment processing, and transactional emails.
3.2 Platform Improvement: Aggregated usage analytics and system monitoring.
3.3 Communications: Support, service announcements, subscription notices.
3.4 Legal and Compliance: Legal process compliance and Terms enforcement.
- Sell personal data or Voter Data to third parties
- Use Voter Data for cross-campaign advertising or data brokerage
- Share data across campaign organizations
- Use campaign content or Voter Data to train AI models
- Independently collect voter information
Data Sharing and Disclosure
Service Providers
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Database, auth, storage | All platform data |
| Anthropic Claude API | AI message generation | Prompt text and campaign context |
| Stripe | Payment processing | Billing info (cards go direct to Stripe) |
| Resend | Transactional email | Email address and content |
| Cloudflare | Hosting and CDN | IP addresses and request data |
| Social platforms | Social posting (if connected) | Content and OAuth tokens |
Legal Disclosures: We may disclose information pursuant to valid legal process, with prior user notification where legally permitted.
Business Transfers: Users will be notified before any merger or acquisition transfer. Successor entities must honor this Privacy Policy.
Data Retention
| Data Type | Retention |
|---|---|
| Account data | Active + 90 days post-deletion |
| Campaign and voter data | Active subscription + 90 days |
| Billing records | 7 years (financial compliance) |
| Audit logs | 2 years |
| AI usage events | 13 months |
| Support communications | 3 years |
| Security logs | 12 months |
Account deletion requests processed within 30 days via privacy@campaignfires.app. Billing records retained regardless of deletion. Trial/subscription expiration: data retained 90 days, then eligible for deletion with email notice.
Data Security
- TLS 1.2+ encryption in transit
- AES-256 encryption at rest
- PostgreSQL Row Level Security (RLS) for tenant isolation
- JWT-based authentication via Supabase Auth
- Server-side secret management (never exposed to browser)
- Role-restricted staff access with audit logging
Breach notification within 72 hours of discovery to affected users and regulators. Contact security@campaignfires.app for security concerns.
Your Rights and Choices
7.1 All Users
Access, Correction, Deletion, Data Portability, Restriction, and Objection rights.
7.2 California Residents (CCPA/CPRA)
- Right to Know
- Right to Delete
- Right to Correct
- Right to Opt-Out of Sale or Sharing (we do not sell data)
- Right to Limit Sensitive Personal Information Use
- Right to Non-Discrimination
Response within 45 days (extendable to 90 with notice).
7.3 Voter Data Rights
Requests from individuals in voter databases should be directed to the campaign organization that collected their data.
7.4 How to Exercise
Email privacy@campaignfires.app with subject "Privacy Rights Request".
Voter Data — Special Provisions
Campaign organizations are independent data controllers for Voter Data. CampaignFires acts as a data processor only.
Campaign organizations are responsible for:
- Lawful authority to collect and process voter information
- FEC and state campaign finance disclosure compliance
- TCPA compliance for SMS and robocall outreach
- CAN-SPAM Act compliance for email outreach
- State voter file usage compliance
- Obtaining required voter consents
Voter Data is completely isolated between organizations via RLS. Staff access only with written authorization from org admin.
AI processing: Segment descriptions and campaign context (not individual voter PII) are transmitted to Anthropic's API for message generation.
Cookies and Tracking Technologies
- Essential cookies: Authentication (session), security nonces (session)
- Functional cookies: Dark/light mode, UI preferences (1 year, localStorage)
- Maintenance: Trial nudge flag (session, sessionStorage)
We do NOT use: advertising cookies, Google Analytics, cross-site tracking, or social media pixels (Meta Pixel, LinkedIn Insight Tag, etc.)
Third-Party Services
- Social platforms: each has its own privacy policy (linked).
- Stripe: stripe.com/privacy — handles all payment data.
- Anthropic: anthropic.com/privacy — API inputs not used for model training.
- External links: CampaignFires not responsible for third-party privacy.
Children's Privacy
CampaignFires is for users 18+. We do not knowingly collect data from minors. Contact privacy@campaignfires.app if you believe we have.
International Data Transfers
Servers in the United States. International users consent to US transfer. Working toward Standard Contractual Clauses (SCCs) with key providers.
Political Campaign Compliance Notice
Campaign organizations are solely responsible for compliance with:
- FEC reporting and disclosure requirements
- State campaign finance laws
- TCPA (SMS and robocall outreach)
- CAN-SPAM Act (email outreach)
- State voter file usage laws
- Social platform political content policies
CampaignFires does not provide legal advice.
Changes to This Privacy Policy
Material changes notified 30 days in advance via email and platform notice. Continued use after effective date constitutes acceptance.
Contact Us
- Privacy Inquiries: privacy@campaignfires.app
- General Contact: hello@campaignfires.app
- Security: security@campaignfires.app
- Response time: 10 business days

