CVCivys.

Legal

Privacy

How Civys handles your data. Short, plain English. Not legal advice — this is a description of practice, not a contract.

Last updated: May 2026

What we collect

  • Account data — your email and a hashed password, managed by Firebase Authentication. For Google sign-in, your Google account name and email.
  • Brief content — the policy text you paste, the jurisdiction and role you set, and the generated Brief output. Stored in Firestore under your account.
  • Notes and tags you add to Briefs.
  • Settings — accessibility preferences and default reading level.
  • Signup metadata — a timestamp, your browser referrer (where you came from, if any), and your User-Agent string. Used to understand traffic sources.
  • Usage metadata — timestamps for created / reviewed / approved actions on Briefs, used for the audit trail display.

Firebase Authentication and Vercel (our hosting platform) may automatically log request IP addresses for security and abuse prevention. We do not use those IPs for tracking, do not store ad identifiers, and do not run third-party analytics products.

Who sees your data

  • You — the only person with access to your account’s Briefs, by default.
  • Firebase / Google Cloud (data processor) — our data store. Subject to Google’s Data Processing Addendum.
  • Anthropic (data processor) — when you generate a Brief or use Constrained Clarification, the policy text and your question are sent to Anthropic’s Claude API. Anthropic’s then-current commercial terms govern. As of the “Last updated” date above, Anthropic does not train its models on commercial API submissions.
  • Congress.gov (public API) — when you browse or import a bill, we fetch metadata from the public Congress.gov API. We do not send your identity.
  • Vercel (hosting) — our app and serverless functions run on Vercel. Standard platform logging applies.

We do not sell your data. We do not share it with third parties outside the processors named above.

Legal basis (for users in the EU/UK)

We process your data on the following bases under GDPR Article 6: (a) contract — to provide you the service you signed up for; (b) legitimate interest — for security, abuse prevention, and improving the product; (c) consent — for anything you opt into separately. You can withdraw consent or object to legitimate-interest processing at any time by deleting your account.

International transfers

Civys is operated from the United States. Our processors (Firebase / Google, Anthropic, Vercel) are US-based. For users in the EU/UK, your data is transferred to the United States under standard contractual clauses and equivalent mechanisms maintained by each processor.

Retention

Briefs and notes live in your account until you delete them. Settings persist until your account is deleted. If you delete your account, your account data is removed within 30 days; backups roll off within 90 days. Accounts inactive for three years may be archived and deleted with prior notice to your account email.

Your rights

  • Access & export — every Brief has Export JSON and Export PDF. You can request a full account export by submitting a request from Settings.
  • Delete — individual Briefs can be deleted from the Briefs page. Full account deletion is available in Settings → Delete account; the deletion runs immediately on confirmation.
  • Correction — submit a correction request from Settings; we’ll respond within 30 days.
  • EU/UK/CA residents have additional rights (data portability, objection, lodging a complaint with your supervisory authority). The Settings page exposes the same access / delete actions; for anything else, use the request form in Settings.

Security

Data in transit uses HTTPS. Data at rest uses Firebase’s default encryption. Authentication is delegated to Firebase Authentication. We do not store passwords.

Third-party content

When you submit policy text containing personal data of third parties (employee names in an HR policy, student categories in a school policy, etc.), you represent that you have a lawful basis to submit that content for analysis. Civys processes it as a data processor on your behalf.

Children

Civys is intended for adults (18+) acting in a professional capacity. We do not knowingly collect data from anyone under 18.

Contact

To exercise any of the rights described above, submit a request from Settings. We’ll respond within 30 days. Changes to this policy will be reflected by a new “Last updated” date above; material changes will be surfaced in-app on your next sign-in.