Privacy Policy
wevote.tech
Effective date: [TO BE SET ON PUBLICATION]
Last updated: 2026-05-26 (draft)
Operator: WeVote Foundation ("WeVote," "we," "us," "our")
Contact: support@wevoteproject.org
This Privacy Policy explains how WeVote collects, uses, stores, and shares information when you use the service at wevote.tech (the "Service"). It applies in addition to the Terms of Service at wevote.tech/legal/terms and, where applicable, the Vendor / Data Processing Agreement at wevote.tech/legal/dpa.
1. The Two Kinds of Data on This Service
We distinguish carefully between two kinds of data, because they are governed by different rules and treated differently.
Account Data. Information about you and your use of the Service. WeVote is the controller of this data. Examples: your name, email, the state and district you declared at signup, the recipient category and permitted-purpose attestations you affirmed, your account-type selection, billing information, support tickets, audit logs of policy-engine gate decisions, and the like.
Tenant Data (voter-file data). Information about voters, held in your isolated account environment ("Tenant"). WeVote is not the controller of Tenant Data; we hold it on your behalf as your service provider (a "data processor" or "vendor/contractor," depending on jurisdictional terminology). The authorized recipient — you — remains the responsible party under the source state's voter-file statute. Our handling of Tenant Data is set in the Terms and in the DPA, not in this Privacy Policy.
Voters whose records appear in Tenant Data are not WeVote's users; they are individuals whose data the source state placed under the authorized recipient's care. This Privacy Policy does not purport to address the rights and remedies of those voters under their state's voter-file law; those are governed by state law and by the authorized recipient's obligations under the DPA.
2. Account Data We Collect
We collect Account Data in the following ways.
2.1 You provide it
- Account creation: name, email, password (hashed), or a Google identity if you sign in with Google OAuth.
- Setup wizard: account type (candidate, advocacy organization, researcher, volunteer), state, office (if candidate), district or organization name, and recipient-category and permitted-purpose attestations under the relevant state's law.
- Profile and campaign information: if you elect to provide campaign profile data, candidate bio, key issues, social-account links, election dates, and similar context for AI-assisted features.
- Support and feedback: information you include when you contact us via support tickets, email, or in-product feedback.
- Billing: when you purchase a paid plan or credit pack, billing information is collected by our payment processor (Stripe). We receive a limited subset (subscription tier, billing status, last-four card digits) but not your full card number.
2.2 We collect automatically
- Usage and access logs: IP address, browser user-agent, pages and endpoints accessed, request timestamps, errors. Used for security, abuse prevention, audit, and operational diagnostics.
- Policy-engine audit logs: every time you take an action that the per-state policy engine evaluates (login, intake, export, certification, AI invocation), we record the action, the state and feature involved, the confirmation_status in effect, and the allow/deny decision.
- Authentication tokens, session identifiers, CSRF tokens, and similar security data.
- Limited cookies as described in Section 8 below.
2.3 We receive from third parties
- Google OAuth: if you sign in with Google, we receive your email, your Google-provided first and last name (if any), and your Google identity (provider, uid). We do not receive your Google password.
- Payment processor (Stripe): subscription and billing metadata as described above.
- Twilio (if you opt in to SMS features in a future release): delivery status, phone-number metadata for compliance, opt-out signals.
3. How We Use Account Data
We use Account Data to:
(a) provide, secure, and improve the Service;
(b) authenticate you and protect your account;
(c) enforce per-state policy gates and log attestation and certification events for legal-defensibility audits;
(d) provide and improve AI-assisted features (the AI layer does not train any general-purpose model on Account Data, and never trains on Tenant Data);
(e) provide customer support and respond to inquiries;
(f) administer billing and plan changes;
(g) detect, prevent, and respond to fraud, abuse, security incidents, and breaches of the Terms;
(h) comply with our own legal obligations and respond to lawful requests; and
(i) communicate with you about your account, important Service changes, and (only if you opt in) product news.
We do not sell Account Data to third parties. We do not share Account Data for behavioral advertising. We do not target advertising based on Tenant Data — ever, under any circumstances.
4. Tenant Data (Voter-File Data)
Tenant Data is voter-file data you have either uploaded under Lane B or for which the Service has been provisioned under Lane A. As to Tenant Data:
(a) You are the controller; WeVote is the processor. The authorized recipient — you — remains the responsible party under the source state's voter-file statute. Our role is service-provider only.
(b) Tenant isolation. Tenant Data is held in a logically isolated per-account environment, not in a shared pool. WeVote does not query across tenants. WeVote employees and contractors do not access Tenant Data except as the DPA narrowly permits (e.g., audited engineering operations on your behalf, with logging and minimum-necessary scope).
(c) Use restricted to your permitted purpose. We use Tenant Data only as needed to operate the Service for you (storage, indexing, list-building, export, walk-list, canvassing, AI-assisted analysis you initiate). We do not use Tenant Data for our own purposes, do not train any cross-customer model on it, and do not provide it to any third party without your written instruction or a legal obligation we must obey.
(d) No publication. Tenant Data is never published, listed publicly, or made searchable by any user other than you and the individuals you have authorized under your DPA.
(e) Retention and deletion. We retain Tenant Data only as long as needed to operate the Service for you, or as the source state's law requires. On termination of your account, or on your written instruction, Tenant Data is deleted on the schedule the DPA specifies (typically within thirty days of termination, subject to short-term backup retention windows described in the DPA).
(f) Statutory rights of voters. Voters whose records appear in Tenant Data may have rights under the source state's voter-file law and other privacy laws. WeVote will reasonably assist you in honoring those rights, but the substantive obligations are yours as the authorized recipient.
5. AI Features and Data Use
The Service offers optional AI-assisted analysis (district briefings, campaign-strategy chat, donor-intelligence summaries, embedding-based search over your own uploaded documents, and similar).
The AI layer:
(a) Does not train any general-purpose model on Tenant Data. Voter records are not used as training data, period.
(b) Is policy-gated per state. Features that would touch voter records are disabled in any state whose confirmation_status in the per-state policy engine is unconfirmed.
(c) Uses third-party model providers (currently Anthropic for chat completions and an on-prem Sentence-Transformers ONNX model for embeddings, per our current architecture; this list may change). When we send data to a third-party model provider, we send only the minimum necessary context for your request, never bulk Tenant Data. We have contractual restrictions in place with model providers prohibiting training on data we send.
(d) Logs prompts and responses for support, debugging, abuse-prevention, and safety. Logs are retained on the schedule described in Section 9.
(e) Aggregates anonymized metadata about AI usage for product improvement. We do not aggregate Tenant Data into any such metadata.
6. How We Share Data
We share information only as described below.
- With your account's named representatives. If your Tenant is shared among named individuals at your organization under the DPA, those individuals can access Tenant Data within your Tenant.
- With service providers we use to operate the Service, on a need-to-know basis and under contracts that restrict their use to performing services for us. Current categories and providers include hosting (Fly.io), payments (Stripe), email (SendGrid), telephony (Twilio, only if you opt in to SMS features), authentication (Google OAuth for sign-in if you choose it), and AI model providers (Anthropic and others as the AI stack evolves). The current list is published and updated at wevote.tech/legal/subprocessors.
- With your written instruction. We act on your instructions for Tenant Data as set in the DPA.
- For legal reasons. If we are required by law, court order, or lawful regulatory request to disclose information, we will do so, narrowly. Where we believe a request is unlawful or overbroad, we will challenge it to the extent permitted. Where notifying you is permitted by law, we will notify you.
- In a business transfer. If WeVote is involved in a merger, acquisition, asset sale, or insolvency proceeding, Account Data may be transferred to the successor, subject to the same protections set in this Policy. Tenant Data transfers are governed additionally by the DPA.
- With your consent, for any other disclosure.
We do not sell Account Data. We do not share Tenant Data with any party other than as described above.
7. Security
We use technical and organizational measures intended to protect Account Data and Tenant Data, including:
- encryption in transit (TLS) for all connections to the Service;
- encryption at rest where supported by our infrastructure;
- secure tunnel (Tailscale) between the application tier and the database tier;
- per-Tenant logical isolation enforced in the application layer, with build-time static analysis intended to prevent code paths that query across tenants;
- audit logging of policy-engine gate decisions, exports, attestations, certifications, and administrative actions;
- minimum-necessary access for engineering and support personnel, with logging;
- regular review of dependencies for security vulnerabilities (bundle-audit, brakeman) and prompt patching;
- staging and production separation, with staging holding minimal seed data;
- backups, with documented retention windows.
No system is perfectly secure. We will notify you of a security incident affecting your Account Data or Tenant Data without undue delay, in accordance with the DPA (for Tenant Data) and applicable breach-notification law (for Account Data).
8. Cookies and Similar Technologies
We use a small set of cookies and similar technologies for the following purposes:
- Essential. Session cookies, CSRF tokens, and authentication tokens necessary to keep you logged in and to secure the Service. The Service cannot function without these.
- Functional. Preferences (e.g., chosen filter set on a list view) stored to make the Service work the way you set it.
- Security and abuse prevention. Cookies and headers used to detect and block credential-stuffing, brute-force, and abuse patterns.
We do not use third-party advertising cookies. We do not use cross-site tracking cookies. We do not participate in advertising-identifier ecosystems.
9. Retention
We retain Account Data only as long as needed for the purposes set in this Policy:
- Account and profile data: for the life of your account, and for a short post-termination window (typically thirty days) to support reactivation and to allow for billing closeout. After that window, we delete or anonymize, except where law requires longer retention.
- Billing records: for the period that tax, accounting, and consumer-protection law require — typically seven years.
- Audit logs (policy-engine gate decisions, attestation events, certification events, export events): for at least seven years, to support legal-defensibility audits. We may retain longer where a regulator or court order requires.
- Security and abuse logs: typically thirteen months.
- AI prompts and responses: typically thirteen months, except where required to be deleted earlier on your instruction or where a specific abuse investigation requires longer retention.
Tenant Data retention is set in the DPA, not in this Policy.
10. Your Rights
Depending on where you live, you may have rights regarding Account Data we hold about you. To the extent these rights apply, you can:
- Access and portability. Request a copy of the Account Data we hold about you.
- Correction. Request that we correct inaccurate Account Data.
- Deletion. Request that we delete Account Data, subject to retention obligations described in Section 9 and our right to retain data needed for legal-defensibility audits.
- Restriction or objection. Ask us to restrict or stop certain uses, subject to applicable law.
- Withdraw consent. Where we rely on consent (e.g., optional product-news emails), you can withdraw it at any time without affecting prior lawful processing.
- Lodge a complaint. You can complain to your local data-protection authority.
To exercise any of these rights, email support@wevoteproject.org. We will verify your identity, respond on the timeline applicable law requires, and provide a clear explanation if we decline a request.
Rights of voters whose records appear in Tenant Data are governed by the source state's voter-file statute and by the authorized recipient's obligations under the DPA. If you are such a voter and wish to raise a concern, please contact the authorized recipient who holds your record, or your state's election office. WeVote, as a processor for many authorized recipients, generally cannot honor record-level voter requests unilaterally without coordinating with the authorized recipient.
11. International Transfers
The Service is operated from the United States. Account Data and Tenant Data are stored on infrastructure located in the United States. If you access the Service from outside the United States, you understand that information you provide may be transferred to and processed in the United States, where privacy law may differ from the law where you live.
12. Children's Privacy
The Service is not directed to children under 13 (or to children under 16 in jurisdictions where that is the relevant threshold). We do not knowingly collect personal information from children. If you believe we have collected information about a child, contact us at support@wevoteproject.org and we will investigate and delete as appropriate.
Voter-file records of registered voters under 18 (e.g., 17-year-old pre-registrants in states that permit pre-registration) are governed by the source state's rules on minors in the voter file; the authorized recipient is responsible for honoring any restrictions the source state imposes.
13. Changes to This Policy
We may update this Policy from time to time. Material changes will be communicated to active users by email or in-product notice. The "Last updated" date at the top reflects the date of the most recent change. Your continued use after the effective date of changes constitutes acceptance.
14. Contact
Questions about this Policy or our handling of your Account Data: support@wevoteproject.org.
Legal notices and formal complaints: support@wevoteproject.org, with a courtesy copy to [TO CONFIRM: physical mailing address].
For data-processing matters involving Tenant Data (your voter-file data), please refer to the DPA at wevote.tech/legal/dpa.
End of draft. To be reviewed by qualified privacy and election-law counsel before publication. The cookies inventory in Section 8 and the subprocessor list in Section 6 should be cross-checked against the production deployment before going live. The retention windows in Section 9 should be cross-checked against any pending regulatory obligations.