Legal

Privacy Policy

Effective July 4, 2026 · Version 1.0

Last updated: July 4, 2026
01

Introduction

Effective Date: July 4, 2026 · Last Updated: July 4, 2026 · Version 1.0

Contact: privacy@campaignfires.app · hello@campaignfires.app

CampaignFires ("we," "us," "our," or "the Company") operates a multi-tenant Software-as-a-Service (SaaS) platform designed exclusively for political campaign organizations. This Privacy Policy describes how we collect, use, store, share, and protect information about: (1) individuals who register for and use the CampaignFires platform ("Platform Users"); and (2) voter and contact records that our Platform Users upload, import, or manage within the platform on behalf of their campaign organizations ("Voter Data").

This Privacy Policy is distinct from, and should be read alongside, our Terms of Service. By accessing or using CampaignFires, you agree to the practices described in this Privacy Policy.

IMPORTANT: CampaignFires is a data processor — not a data controller — with respect to Voter Data that campaign organizations upload into the platform. Campaign organizations are solely responsible for ensuring they have lawful authority to collect, process, and use any voter data they input into CampaignFires.
02

Information We Collect

2.1 Information You Provide Directly

  • Account Registration Data: Full name, email address, password (hashed), and organization name.
  • Campaign Information: Campaign name, candidate name, election level, district, and election date.
  • Billing and Payment Information: Plan selection. Payment cards are processed directly by Stripe and never stored on CampaignFires servers.
  • Profile Information: Display name, avatar, role, and preferences.
  • Communications: Support requests, feedback, and messages you send us.

2.2 Voter and Contact Data (Uploaded by Campaign Organizations)

Campaign organizations may upload voter data including: name, address, email, phone, voter registration status, party affiliation, voting history, issue positions, persuasion scores, and contact history. CampaignFires does not independently collect or purchase voter data.

2.3 Automatically Collected Information

  • Log Data: IP address, browser type, device, OS, pages visited.
  • Usage Data: Features accessed, messages composed, imports performed.
  • Cookies: Authentication cookies (required), preference cookies (dark/light mode). No advertising cookies.

2.4 Information from Third-Party Integrations

When you connect social platforms, we receive OAuth tokens and basic account info (handle, follower count) and engagement metrics on content you publish through CampaignFires.

03

How We Use Your Information

3.1 Platform Operations: Account management, authentication, Voter Data processing, AI outreach generation, subscription enforcement, payment processing, and transactional emails.

3.2 Platform Improvement: Aggregated usage analytics and system monitoring.

3.3 Communications: Support, service announcements, subscription notices.

3.4 Legal and Compliance: Legal process compliance and Terms enforcement.

What We NEVER Do
  • Sell personal data or Voter Data to third parties
  • Use Voter Data for cross-campaign advertising or data brokerage
  • Share data across campaign organizations
  • Use campaign content or Voter Data to train AI models
  • Independently collect voter information
04

Data Sharing and Disclosure

Service Providers

ProviderPurposeData Shared
SupabaseDatabase, auth, storageAll platform data
Anthropic Claude APIAI message generationPrompt text and campaign context
StripePayment processingBilling info (cards go direct to Stripe)
ResendTransactional emailEmail address and content
CloudflareHosting and CDNIP addresses and request data
Social platformsSocial posting (if connected)Content and OAuth tokens

Legal Disclosures: We may disclose information pursuant to valid legal process, with prior user notification where legally permitted.

Business Transfers: Users will be notified before any merger or acquisition transfer. Successor entities must honor this Privacy Policy.

05

Data Retention

Data TypeRetention
Account dataActive + 90 days post-deletion
Campaign and voter dataActive subscription + 90 days
Billing records7 years (financial compliance)
Audit logs2 years
AI usage events13 months
Support communications3 years
Security logs12 months

Account deletion requests processed within 30 days via privacy@campaignfires.app. Billing records retained regardless of deletion. Trial/subscription expiration: data retained 90 days, then eligible for deletion with email notice.

06

Data Security

  • TLS 1.2+ encryption in transit
  • AES-256 encryption at rest
  • PostgreSQL Row Level Security (RLS) for tenant isolation
  • JWT-based authentication via Supabase Auth
  • Server-side secret management (never exposed to browser)
  • Role-restricted staff access with audit logging

Breach notification within 72 hours of discovery to affected users and regulators. Contact security@campaignfires.app for security concerns.

07

Your Rights and Choices

7.1 All Users

Access, Correction, Deletion, Data Portability, Restriction, and Objection rights.

7.2 California Residents (CCPA/CPRA)

  • Right to Know
  • Right to Delete
  • Right to Correct
  • Right to Opt-Out of Sale or Sharing (we do not sell data)
  • Right to Limit Sensitive Personal Information Use
  • Right to Non-Discrimination

Response within 45 days (extendable to 90 with notice).

7.3 Voter Data Rights

Requests from individuals in voter databases should be directed to the campaign organization that collected their data.

7.4 How to Exercise

Email privacy@campaignfires.app with subject "Privacy Rights Request".

08

Voter Data — Special Provisions

Campaign organizations are independent data controllers for Voter Data. CampaignFires acts as a data processor only.

Campaign organizations are responsible for:

  • Lawful authority to collect and process voter information
  • FEC and state campaign finance disclosure compliance
  • TCPA compliance for SMS and robocall outreach
  • CAN-SPAM Act compliance for email outreach
  • State voter file usage compliance
  • Obtaining required voter consents

Voter Data is completely isolated between organizations via RLS. Staff access only with written authorization from org admin.

AI processing: Segment descriptions and campaign context (not individual voter PII) are transmitted to Anthropic's API for message generation.

09

Cookies and Tracking Technologies

  • Essential cookies: Authentication (session), security nonces (session)
  • Functional cookies: Dark/light mode, UI preferences (1 year, localStorage)
  • Maintenance: Trial nudge flag (session, sessionStorage)

We do NOT use: advertising cookies, Google Analytics, cross-site tracking, or social media pixels (Meta Pixel, LinkedIn Insight Tag, etc.)

10

Third-Party Services

  • Social platforms: each has its own privacy policy (linked).
  • Stripe: stripe.com/privacy — handles all payment data.
  • Anthropic: anthropic.com/privacy — API inputs not used for model training.
  • External links: CampaignFires not responsible for third-party privacy.
11

Children's Privacy

CampaignFires is for users 18+. We do not knowingly collect data from minors. Contact privacy@campaignfires.app if you believe we have.

12

International Data Transfers

Servers in the United States. International users consent to US transfer. Working toward Standard Contractual Clauses (SCCs) with key providers.

13

Political Campaign Compliance Notice

Campaign organizations are solely responsible for compliance with:

  • FEC reporting and disclosure requirements
  • State campaign finance laws
  • TCPA (SMS and robocall outreach)
  • CAN-SPAM Act (email outreach)
  • State voter file usage laws
  • Social platform political content policies

CampaignFires does not provide legal advice.

14

Changes to This Privacy Policy

Material changes notified 30 days in advance via email and platform notice. Continued use after effective date constitutes acceptance.

Contact Us

Last updated July 4, 2026
Data Scope: National — All Districts