Privacy Policy - ICE Activity Tracker

What Information Do We Collect?

Automatically Collected Information (NOT STORED)

IP Address: We temporarily use your IP address for rate limiting (max 5 reports per hour) to prevent abuse. Your IP is hashed using SHA-256 and stored in memory ONLY - it expires after 1 hour and is NEVER written to our database. We cannot identify you from this temporary data.
Browser and Device Information: Visible in server logs for debugging, but not stored in our database (logs deleted after 7 days).

Information You Provide (STORED FOR 7 DAYS)

Location Reports: Specific addresses or intersections where ICE activity occurred
Precise Coordinates: Latitude and longitude automatically geocoded from your location text (this is SENSITIVE information under California law)
Optional Description: Additional context about the reported activity
Optional Source URL: Link to social media posts or news articles
Timestamp: When you submitted the report

Information We DO NOT Collect

❌ Your name, email address, or phone number
❌ Account credentials (we don't require accounts)
❌ Payment information (service is free)
❌ Your IP address in our database (truly anonymous reporting)
❌ Cookies or tracking across websites
❌ Precise tracking of your movements or browsing behavior

How Do We Use Your Information?

Primary Purposes

Display reported ICE activity locations on an interactive map
Prevent abuse through rate limiting (max 5 reports per hour per IP)
Geocode location text into map coordinates using OpenAI GPT-4o-mini
Aggregate statistics on reporting patterns (no individual identification)
Comply with legal obligations if required by law enforcement

We DO NOT

Sell, rent, or trade your information to third parties
Use your data for advertising or marketing
Track you across other websites
Share your hashed IP address with anyone
Link your reports to your identity

Who Do We Share Your Information With?

Service Providers We Use

OpenAI (GPT-4o-mini): Location text only (no IPs, no identifiers) to extract addresses from reports. OpenAI's data retention: 30 days for API calls.
Neon.tech (Database): All report data stored encrypted in transit (SSL/TLS)
Render.com (Hosting): Server logs may contain hashed IPs for 7 days
Nominatim/OpenStreetMap: Free geocoding service (no personal data sent)
Google Maps API (optional): Fallback geocoding only if configured

Legal Disclosures

We may disclose your information if required by:

Valid legal process (subpoena, court order)
Law enforcement requests with proper legal authority
Protection of our rights, safety, or legal interests
Compliance with applicable laws

We will notify you of legal requests unless prohibited by law.

How Long Do We Keep Your Data?

California's CPRA requires specific retention periods:

Data Type	Retention Period	Storage Location	Reason
Community Reports	7 days (rolling window)	Database	Display recent activity
Hashed IP Addresses	1 hour (rate limit window)	Memory ONLY	Abuse prevention
Scraped Reddit Posts	7 days (rolling window)	Database	Display recent activity
Server Logs	7 days	Server filesystem	Security and debugging
Database Backups	30 days	Neon.tech	Disaster recovery

After Expiration

Community reports older than 7 days are automatically deleted from database
Rate limit data is automatically purged from memory after 1 hour (NEVER in database)
Database backups are automatically deleted after 30 days

Important: IP addresses used for rate limiting are stored in server memory ONLY. They are never written to disk or database, and disappear when the server restarts or after 1 hour (whichever comes first).

Your Privacy Rights

Under GDPR (EU residents)

✅ Right to Access: Request copy of your data (limited - we don't store identifiers)
✅ Right to Deletion: Request deletion of your reports
✅ Right to Rectification: Request correction of inaccurate data
✅ Right to Restriction: Request we stop processing your data
✅ Right to Object: Object to processing of your data
✅ Right to Data Portability: Receive your data in machine-readable format
✅ Right to Withdraw Consent: Opt out at any time (stop using the platform)
✅ Right to Lodge a Complaint: File complaint with supervisory authority

Under CCPA/CPRA (California residents)

✅ Right to Know: What personal information we collect and how we use it
✅ Right to Delete: Request deletion of your personal information
✅ Right to Opt-Out: Opt out of "sale" or "sharing" (we don't sell/share)
✅ Right to Correct: Request correction of inaccurate information
✅ Right to Limit Use of Sensitive Personal Information: Geolocation data
✅ Right to Non-Discrimination: No retaliation for exercising rights

How to Exercise Your Rights

Since we don't collect contact information, you can:

Contact us at knowice1933@protonmail.com with approximate timestamp and location of report
We'll search by timestamp + location + hashed IP to identify your data
Response within 30 days (GDPR) or 45 days (CCPA)

Note: Because we use hashed IPs (not reversible), we cannot proactively identify all your submissions. You must provide sufficient details.

How Do We Protect Your Data?

Technical Safeguards

🔒 SSL/TLS encryption for all data in transit (HTTPS)
🔒 SHA-256 hashing of IP addresses (irreversible, but still pseudonymization)
🔒 PostgreSQL database with SSL-only connections
🔒 No storage of raw IP addresses
🔒 Rate limiting to prevent brute force attacks
🔒 Content Security Policy (CSP) headers to prevent XSS attacks
🔒 Automated deletion of old data (7-day rolling window)

Organizational Safeguards

Access to production database limited to authorized personnel
No third-party access to raw database
Regular security updates and patches
Incident response plan for data breaches

Limitations

No method of transmission or storage is 100% secure. While we use industry-standard practices, we cannot guarantee absolute security. Use the platform at your own risk.

Do We Use Cookies or Tracking?

We do NOT use

❌ Tracking cookies
❌ Advertising cookies
❌ Third-party analytics (no Google Analytics, no Facebook Pixel)
❌ Cross-site tracking
❌ Fingerprinting techniques

We MAY use

✅ Session cookies: For rate limiting (expires in 1 hour)
✅ Local Storage: Browser-side map preferences (never sent to server)

External Resources

Our website loads resources from:

Leaflet.js (map library) from unpkg.com
Map tiles from OpenStreetMap (your IP visible to OSM)

These third parties have their own privacy policies.

Children's Privacy (COPPA Compliance)

This platform is NOT intended for children under 13 years old.

We do not knowingly collect personal information from children under 13. If you are under 13, do not use this platform or submit reports.

If we discover we have collected information from a child under 13, we will delete it immediately.

Parents/Guardians: If you believe your child provided information to us, contact knowice1933@protonmail.com immediately.

International Data Transfers

Data Storage Location

Our servers are located in the United States (Render.com, Oregon region).

For EU Users (GDPR)

If you are in the European Economic Area (EEA), UK, or Switzerland, your data is transferred to the US. The US does not have an adequacy decision from the EU Commission.

Safeguards

Standard Contractual Clauses (SCCs) with hosting provider
Render.com's GDPR-compliant Data Processing Agreement
Your data is protected under the same standards as in the EU

By using our platform, you consent to this transfer.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be:

Posted on this page with updated "Last Updated" date
Significant changes will be announced on the homepage for 30 days
Continued use after changes = acceptance of new policy

We recommend reviewing this page periodically.

Contact Us

For privacy questions, data requests, or complaints:

Email: knowice1933@protonmail.com
Website: https://knowice.org
Response time: 30 days (GDPR) or 45 days (CCPA)