Privacy Policy
Last updated: March 15, 2026
1. Overview
CivilSense, Inc. ("we", "us", "our") operates the CivilSense catastrophe intelligence platform at civilsense.io. This Privacy Policy describes what data we collect, how we use it, and your rights regarding that data.
We are committed to minimal data collection. We collect only what is necessary to operate the Platform and improve the service.
2. Data We Collect
2.1 Account Information
When you create an account, we collect your email address. We use magic link authentication — we do not store passwords. Your email is used for account access, subscription management, and disaster alerts (if you opt in).
2.2 Saved Locations
If you save locations (home, work, or other addresses), we store the address, coordinates, and the label you assign. This data is used to generate proximity alerts when active disaster events affect your saved locations. Saved locations are associated with your account and are not shared with other users.
2.3 Search Queries
Address searches performed in the Platform are processed via the Mapbox Geocoding API. We do not log individual search queries on our servers. Mapbox's privacy policy governs their handling of geocoding requests.
2.4 Portfolio Data
If you upload portfolio locations (Command tier and above), we store the addresses, coordinates, and any property metadata you provide (insured value, construction type, etc.). Portfolio data is used exclusively to generate hazard scores and analytical outputs for your account. We do not share portfolio data with other users or third parties.
2.5 Payment Information
Payment processing is handled entirely by Stripe. We do not store credit card numbers, bank account details, or other payment credentials on our servers. We receive from Stripe only your subscription status, tier, and billing period dates.
2.6 Usage Analytics
We use Sentry for error monitoring and application performance tracking. Sentry collects browser type, operating system, and error stack traces to help us diagnose and fix bugs. We do not use Google Analytics, Facebook Pixel, or any third-party advertising or behavioral tracking services.
2.7 API Usage Logs
For API subscribers (ILS Pro and Enterprise), we log API request counts, endpoints accessed, and response times for rate limiting and billing purposes. We do not log request payloads or response bodies.
3. Data We Do Not Collect
- We do not use tracking cookies or third-party analytics (beyond Sentry for error monitoring)
- We do not sell, rent, or trade your personal data to any third party
- We do not use your data for advertising or marketing profiling
- We do not collect device location without your explicit action (saved locations are user-initiated only)
- We do not collect or store biometric data
4. How We Use Your Data
- Account management: Authenticating your identity and managing your subscription
- Disaster alerts: Sending email, push, SMS, or webhook alerts when active events affect your saved locations
- Hazard scoring: Computing Climate-Adjusted Hazard Scores for your saved or searched locations
- Portfolio analysis: Generating aggregate exposure and loss estimates for your uploaded portfolios
- Service improvement: Diagnosing errors and improving platform reliability (via Sentry)
5. Alert Audit Logging
For SOC 2 compliance readiness, we maintain an alert audit log that records when alerts are sent. This log stores a SHA-256 hash of your user ID (not the raw ID), the event that triggered the alert, the notification channel used, and delivery status. This log is used exclusively for audit and compliance purposes.
6. Data Retention
- Account data: Retained while your account is active. Deleted within 30 days of account deletion request.
- Saved locations: Deleted when you remove them or when your account is deleted.
- Portfolio data: Deleted when you remove the portfolio or when your account is deleted.
- Alert logs: Retained for 2 years for audit purposes, then automatically purged.
- API usage logs: Retained for 90 days.
7. Data Security
All data is transmitted over TLS 1.2+. Database access uses row-level security (RLS) policies — users can only access their own data. Server-side secrets (API keys, service role keys) are never exposed to client-side code. We use Supabase (hosted on AWS) for data storage, which maintains SOC 2 Type II certification.
8. Third-Party Services
- Supabase: Database hosting and authentication (Privacy Policy)
- Stripe: Payment processing (Privacy Policy)
- Mapbox: Map rendering and geocoding (Privacy Policy)
- Sentry: Error monitoring (Privacy Policy)
- Vercel: Hosting and edge functions (Privacy Policy)
- Upstash: Rate limiting and caching (Privacy Policy)
9. Your Rights
9.1 All Users
- Access: You can view all data associated with your account at any time through the Platform
- Deletion: You can delete your account and all associated data by contacting support@civilsense.io
- Portability: You can export your saved locations and portfolio data at any time
- Correction: You can update your email and saved locations at any time
9.2 California Residents (CCPA)
Under the California Consumer Privacy Act (CCPA), California residents have the right to: (a) know what personal information we collect and how it is used; (b) request deletion of personal information; (c) opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact us at privacy@civilsense.io.
9.3 EEA/UK Residents (GDPR)
If you are located in the European Economic Area or the United Kingdom, you have the right to: access your data, rectify inaccurate data, erase your data, restrict processing, data portability, and object to processing. Our lawful basis for processing is contract performance (providing the service you subscribed to) and legitimate interest (error monitoring and service improvement). To exercise your rights, contact us at privacy@civilsense.io.
10. Cookies
We use only essential cookies required for authentication (Supabase session tokens). We do not use advertising cookies, tracking pixels, or third-party analytics cookies. No cookie consent banner is needed because we only use strictly necessary cookies.
11. Children
The Platform is not intended for users under 16 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us at privacy@civilsense.io and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users at least 30 days before taking effect. The "Last updated" date at the top of this page reflects the most recent revision.
13. Contact
For privacy-related questions or to exercise your data rights:
- Email: privacy@civilsense.io
- General: support@civilsense.io