1. Introduction & Scope
CapitolExposed ("we", "us", "our") operates the website at capitolexposed.com and its associated APIs, embed widgets, and mobile applications (collectively, "the Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Service.
By accessing or using the Service, you consent to the practices described in this policy. If you do not agree, please discontinue use of the Service.
2. Information We Collect
Information You Provide
- Account details: name, email address, password (hashed)
- Profile preferences: watchlist tickers, alert settings
- Communications: support requests, feedback
- Payment information: processed by Stripe (we never see card numbers)
Information Collected Automatically
- Device information: browser type, operating system, screen resolution
- Log data: IP address, access timestamps, pages viewed, referrer URL
- Usage patterns: search queries, feature usage (anonymized)
- Performance data: page load times, errors (via Vercel Analytics)
Information from Third Parties
- Google OAuth: name and email address (when you choose to sign in with Google)
- Stripe: subscription status and billing events (no card details)
3. How We Use Your Information
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide and maintain the Service | Contract performance |
| Authenticate your identity | Contract performance |
| Process payments and subscriptions | Contract performance |
| Send transactional emails (verification, resets) | Contract performance |
| Send newsletter digests (opt-in) | Consent |
| Improve the platform via usage analytics | Legitimate interest |
| Detect and prevent fraud or abuse | Legitimate interest |
| Respond to legal requests | Legal obligation |
4. Automated Analysis and Product Features
CapitolExposed uses automated processing to normalize filings, rank signals, generate internal summaries, and power product features such as search, alerts, Research Desk workflows, and dossier assembly. Those systems work from public-record data, internal metadata, and operational usage signals that are separated from your account profile wherever possible.
Important
CapitolExposed does not use automated systems to make final decisions about account access, pricing, or legal rights. Public-facing scores, rankings, and summaries are informational. Names, email addresses, and other direct account identifiers are not sent through automated document analysis workflows unless a feature explicitly requires that input.
5. Cookies and Tracking
Essential Cookies
Authentication session, CSRF protection. Required for the Service to function. Cannot be disabled.
Analytics
Vercel Web Analytics only. Privacy-focused, no cross-site tracking, no personal identifiers stored.
What We Don't Use
No advertising cookies, no social media trackers, no Google Analytics, no Facebook Pixel, no retargeting.
6. Third-Party Services (Subprocessors)
| Service | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Email, billing info |
| Google OAuth | Authentication | Name, email |
| Resend | Transactional email | Email address |
| Vercel | Hosting, edge delivery, analytics | IP (anonymized), usage |
| Neon | PostgreSQL database | Account data, app data |
| Upstash | Rate limiting, caching | IP hashes, API keys |
| Anthropic | AI analysis (Claude) | Public government data only |
| OpenAI | Embeddings for search | Public government text only |
7. Data Sharing and Disclosure
We do not sell your personal information. We share data only in these limited circumstances:
- With subprocessors listed above, solely to provide the Service
- When required by law, subpoena, or valid legal process
- To protect against fraud, security threats, or violations of our Terms
- In connection with a merger, acquisition, or sale of assets (with notice)
8. International Data Transfers
CapitolExposed is operated from the United States. If you access the Service from outside the US, your data may be transferred to and processed in the US. For EU/EEA users, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission to ensure adequate protection of transferred data.
9. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Active account + 30 days after deletion |
| Payment records | 7 years (tax/legal compliance) |
| Server logs | 30 days |
| Analytics data | 90 days (anonymized) |
| Email preferences | Until unsubscribed + 30 days |
| Support tickets | 2 years |
10. Your Rights
All Users
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your account and associated data
- Opt out of marketing communications at any time
- Export your data in a portable format
California Residents (CCPA/CPRA)
California residents have the right to know what personal information is collected, request deletion, opt out of the sale of personal information (we do not sell data), and not be discriminated against for exercising these rights. To make a request, email privacy@capitolexposed.com.
EU/EEA Residents (GDPR)
In addition to the rights above, EU/EEA residents have the right to data portability, the right to restrict processing, the right to object to processing based on legitimate interest, and the right to lodge a complaint with a supervisory authority. Contact privacy@capitolexposed.com or your local Data Protection Authority.
11. Children's Privacy (COPPA)
The Service is not directed at children under 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected data from a child under 13, we will delete it promptly. If you believe a child has provided us with personal data, please contact privacy@capitolexposed.com.
12. Data Security
- All connections encrypted with TLS 1.3
- Data encrypted at rest in our database (Neon PostgreSQL)
- Passwords hashed with bcrypt (never stored in plaintext)
- Content Security Policy (CSP) headers on all pages
- API rate limiting via Upstash Redis
- No credit card numbers stored on our servers
- Regular dependency audits and security patches
13. Breach Notification
In the event of a data breach affecting your personal information, we will notify affected users within 72 hours via email and post a notice on the Service. We will also notify relevant supervisory authorities as required by applicable law, including compliance with Cal. Civ. Code § 1798.82.
14. Do Not Track
We honor Do Not Track (DNT) browser signals. When we detect a DNT signal, we disable non-essential analytics tracking for that session.
15. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced via email to registered users and/or a prominent notice on the Service at least 30 days before they take effect. We encourage you to review this policy periodically. Previous versions are available upon request.
16. Contact
For privacy-related inquiries, data access requests, or to exercise your rights under CCPA or GDPR:
- Email: privacy@capitolexposed.com
- Contact form: capitolexposed.com/contact
We aim to respond to all privacy requests within 30 days.