Skip to main content

Privacy Policy

Last updated: 2026-06-04
Plain summary We collect the minimum needed to operate the site — an email address if you create an account, a Stripe customer ID if you subscribe, server logs for security and abuse prevention. We don't run analytics that follow you off-site, we don't sell your data, and we don't have advertisers. You can ask us to delete your data anytime by emailing the address at the bottom.

1. Who this policy applies to

This Privacy Policy describes how Open America (openamerica.io), operated by Fermin F. Garcia IV, handles information about people who visit or use the Service. By using the Service, you agree to this policy. If you don't agree, please don't use the Service.

2. What we collect

2.1 Information you give us

  • Account details. When you register, we collect your username and email address. Optionally: a ZIP code or state to enable "find your reps" features, and a short bio.
  • Subscription details. If you subscribe to a paid plan or donate, Stripe processes the payment. We store the resulting Stripe customer / subscription ID and the amount; we do not store your full credit-card number, CVV, or bank details.
  • Content you submit. Watchlist items, AI letter topics and personal notes, support messages, comp-grant notes if you are a recipient, public supporter display name (only when you opt in).
  • AI letter inputs and outputs. When you use the AI letter feature, the topic, personal note, revision instructions, and the generated body are stored on your account so you can edit and revise later.

2.2 Information collected automatically

  • Server access logs. Our web server (nginx) records the request path, HTTP status, timestamp, requesting IP address, and user-agent string for each request. We use these for security, abuse prevention, and operational debugging. Logs are rotated and retained for no longer than 30 days.
  • Aggregate analytics. We store daily page-view counts and daily search-query counts on a per-path / per-query basis. These are aggregate counters with no user attribution and no per-request identifying data.
  • Cookies. See section 4.

2.3 What we do not collect

  • We do not run third-party advertising trackers or analytics that follow you off-site.
  • We do not sell, rent, or trade personal data.
  • We do not embed Google Analytics, Meta Pixel, or similar cross-site trackers.
  • We do not require nor collect Social Security numbers, driver's license numbers, government IDs, biometrics, or other sensitive personal identifiers.

3. How we use information

  • To operate the Service: log you in, render your dashboard, run your AI letter requests, send transactional and watchlist email, process payments.
  • To prevent abuse: rate-limit requests, detect bot activity, enforce our Acceptable Use Policy.
  • To improve the Service: review aggregate page-view counters to decide what to build next.
  • To comply with the law: respond to subpoenas, court orders, and other lawful requests where we are required to do so.

We do not use your personal data for advertising. We do not use your AI letter content to train any AI model — see section 6.

4. Cookies and similar technologies

We set a small number of strictly necessary cookies to operate the site:

  • Session cookie (sessionid) — keeps you logged in across pages.
  • CSRF cookie (csrftoken) — protects forms from cross-site request forgery.
  • Preference cookies (e.g., dark-mode toggle) — remember UI choices, set only when you change them.

We do not use cookies for advertising or off-site tracking. You can block cookies in your browser; the site will partially function without them (you won't be able to log in).

5. Who we share information with

We share data with a small number of service providers who help us operate the Service. Each one is contractually limited to using the data only to provide their service to us.

  • Stripe (payment processing) — receives the payment data necessary to charge your card. Stripe's privacy policy governs their handling.
  • Anthropic (AI letter generation) — receives your letter topic, personal note, revision instruction, and the prompts we construct, in order to generate the draft. See Anthropic's privacy policy. Anthropic states it does not train on API inputs.
  • Mailcow (email delivery) — our self-hosted email server delivers transactional and newsletter mail. Your email address is processed by the mail server.
  • Cloudflare (Worker relay for senate.gov data) — does not receive personal data; the Worker only fetches public senate.gov endpoints on our behalf.

We never sell or rent personal data. We may disclose information if compelled by law, court order, or to protect our rights or the safety of others.

6. AI letter feature — extra disclosure

When you use the AI letter feature, your topic, personal note, revision instructions, and the resulting draft are sent to Anthropic's API to generate the letter. We don't use your AI letter content to train any model. Anthropic, as a processor, also states that API inputs are not used for training. Your drafts are stored on your account so you can edit, revise, and copy them; you can delete a draft at any time.

If the safety screen blocks your input, we keep a short excerpt (up to 500 characters) of the blocked content so we can review patterns. These violation records are visible to site operators and used only to enforce the letter terms.

7. Your rights

Depending on where you live, you may have legal rights regarding your personal data:

  • Access: ask us what we store about you.
  • Correction: ask us to fix inaccurate data (most fields you can edit from your profile).
  • Deletion: ask us to delete your account and associated data. We will do this within 30 days, except where we are required to retain specific records (e.g., payment receipts for tax purposes).
  • Export: request a copy of the data we hold about you, in a structured format.
  • Objection / Restriction: ask us to stop or limit certain processing.

Email us at privacy@openamerica.io to exercise any of these rights. We will respond within 30 days. We do not charge for this and we will not retaliate against you for asking.

California residents have additional rights under the CCPA / CPRA. EU/UK residents have rights under GDPR / UK GDPR. The categories of personal data we collect are described in section 2; we do not sell personal data; the legal basis for our processing is contract performance (operating your account) and legitimate interest (operating and securing the Service).

8. Data retention

  • Server logs: retained up to 30 days, then deleted.
  • Account data: retained while your account is active. After you close your account, data is deleted within 30 days, except as required by law (e.g., payment records under applicable tax retention rules).
  • Violation records (AI letter safety screen): retained up to 12 months for abuse pattern review, then deleted.

9. Security

We protect the Service with industry-standard measures: TLS in transit, hashed passwords (Django's salted PBKDF2), CSP headers, CSRF protection, rate limiting, and host-level access controls. No system is perfect; we will notify affected users without undue delay if we become aware of a personal-data breach.

10. Children

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us personal information, please email privacy@openamerica.io so we can delete it.

11. Changes

We may update this policy from time to time. The "Last updated" date at the top reflects the current version. Material changes will be flagged on the site for at least 14 days before they take effect.

12. Contact

Privacy questions, data requests, or breach reports: privacy@openamerica.io.