Privacy Notice
Effective date: 2026-04-17 Last updated: 2026-04-17
This document is published as the authoritative privacy notice for Ila Legislative Tracker. A rendered version is available at /privacy. Counsel should review before publication; any edits belong in this file so history is versioned.
Who we are
Ila Legislative Tracker ("Ila", "we", "us", "our") provides a legislative-intelligence service at ila.app and related subdomains. This Privacy Notice describes how we collect, use, and share information when you use our website, public API, or email alerts.
Contact for privacy inquiries: privacy@ila.app (being provisioned; in the interim, contact the founder at francistfinnegan@gmail.com with subject line starting PRIVACY:).
Summary
- We collect the minimum data needed to operate the service and meet legitimate business needs.
- We do not sell your personal information.
- You can see everything we hold about you, export it, and delete your account at any time.
- Our business is built on public legislative data. The sensitive data we hold on users is limited to account details, session tokens, preferences, and chat transcripts.
- We encrypt your data in transit (TLS 1.2+) and at rest (AES-256).
- Children under 16 may not use the service.
What we collect and why
Information you give us
| Category | Examples | Why we collect it |
|---|---|---|
| Account info | Email address, bcrypt-hashed password, display name (optional) | To create and authenticate your account. |
| Verification info | Email-verification token (hashed) | To confirm you own the email address. |
| Preferences | Bills and lawmakers you follow, alert preferences (type, scope, frequency, channel), saved searches | To deliver the alerts, digests, and personalized experience you requested. |
| Team info | Team membership, role, invite metadata | Only if you're on a team; enables shared follows and alerts. |
| Chat transcripts | Messages you send to our AI assistant + AI responses | To answer your current question and provide context for follow-ups. Retained per your tier (see Retention below). |
| Support communications | Emails you send us, feedback form submissions | To answer your questions and improve the product. |
| Payment info (future) | Billing contact, subscription status; Stripe handles card details — we never see PAN | To process subscription payments once paid tiers launch. |
Information we collect automatically
| Category | Examples | Why |
|---|---|---|
| Usage data | Pages visited, time spent, referring URLs, links clicked | To understand which features are useful, diagnose issues, and improve. |
| Device & network | IP address (truncated in our audit log), browser type, operating system | Security, fraud prevention, debugging. |
| Cookies | Session cookie (NextAuth), CSRF cookie, team-context cookie | To keep you signed in, switch between personal and team views. |
| Server logs | Request method, path, status code, response time, truncated user-agent | Operations, security, incident response. |
Information from third parties
We ingest public legislative data from LegiScan and Census Bureau TIGER sources. We do not buy or rent personal information from data brokers.
How we use information
- To operate the service: authenticate you, deliver alerts, answer AI chats, show your follows.
- To communicate: send verification, alert, digest, invite, and password-reset emails.
- To improve the product: aggregated, anonymous analytics; debugging; feature prioritization.
- To secure the service: detect abuse, rate-limit attackers, investigate incidents (see our Incident Response Plan).
- To comply with legal obligations, respond to court orders, and enforce our Terms of Service.
We do not use your data to train public AI models. We do not sell or rent your information. We use service providers listed in our Vendor Register; every one is bound by a written agreement requiring appropriate security and data handling.
When we share information
We disclose personal information only in these circumstances:
- With service providers we use to run the business (Vercel, our database provider, Resend for email, Anthropic/OpenAI for the AI assistant, Stripe for billing, AWS for storage). Each is contractually bound to use the data only as needed for the service and to protect it with appropriate security.
- At your direction. If you connect an integration (Slack, webhook, Zapier once those ship), data flows there at your request.
- Team context. If you operate in a team context, team admins can see audit events tied to team members' actions on team-owned follows/alerts.
- Legal compliance. When we reasonably believe disclosure is required by law, to protect the safety of any person, or to defend our legal rights.
- Business transfer. If Ila is acquired, merged, or transfers assets, your data may transfer as part of that transaction. We will notify you and your rights under this notice carry forward.
We never sell personal information. "Sale" here uses the broad definition under CCPA/CPRA — including sharing for cross-context behavioral advertising — which we also do not do.
Your rights
Regardless of where you live, you have the right to:
- Access — see what data we hold on you. Self-serve via
/accountand/account/notifications, or email us. - Correct — update inaccurate information.
- Delete — remove your account and the Confidential data tied to it. Self-serve via
/account/delete(planned) or email us. Audit-log entries are retained but anonymized so they can't be re-tied to you. - Export — receive a copy of your data in a machine-readable format. CSV/JSON export from
/account/export(planned) or email us. - Opt out of alerts — unsubscribe from any email category via the in-email unsubscribe link, or granularly in
/account/notifications. - Object / restrict — ask us to stop or limit specific uses of your data.
- Portability — receive your data in a structured format you can take elsewhere.
- Non-discrimination — we will not downgrade your service for exercising these rights.
California residents have additional rights under CCPA/CPRA, Virginia residents under VCDPA, Colorado under CPA, Connecticut under CTDPA, Utah under UCPA. Contact us to exercise any of these rights; we target a 30-day response.
If you are in the European Economic Area, the United Kingdom, or Switzerland: our lawful bases for processing are (a) performance of a contract with you, (b) your consent (for marketing), (c) legitimate interests (operational security, product improvement), and (d) legal obligation. You have the right to lodge a complaint with a supervisory authority.
Retention
We keep each category of data only as long as necessary. Full detail in our Data Retention Policy. Summary:
- Account info: until you delete your account, or 3 years of no activity.
- Email-verification tokens: 24 hours or one use.
- Team invite tokens: 7 days or one use.
- Alert preferences + follows + saved searches: until you remove them.
- In-app notifications: 90 days if read, 180 days if unread.
- Audit log: 2 years.
- Chat sessions: 7 days (anonymous), 30 days (free), 365 days (pro).
- Bill / lawmaker data: indefinite (public record).
- Backups: 90 days rolling; deleted data ages out with its backup generation.
Security
We use industry-standard protections: TLS 1.2+ everywhere, AES-256 at rest, bcrypt for passwords, SHA-256 for tokens, rate limiting on authentication endpoints, an append-only audit log, and a documented Incident Response Plan. For the full posture see SECURITY.md.
No system is perfectly secure. If we become aware of unauthorized access to your data, we will notify you within the timeline required by law — typically within 72 hours of confirmation.
Cookies
We use a small number of cookies, none for advertising:
| Cookie | Purpose | Expiry |
|---|---|---|
next-auth.session-token |
Keeps you signed in | 30 days; cleared on sign-out |
next-auth.csrf-token |
CSRF protection during auth flows | session |
trackerContext |
Remembers whether you're viewing your personal or team follows | 30 days |
ilt_anon_chat_id |
Binds anonymous chat sessions to your browser | 7 days |
You can delete cookies at any time in your browser; expect to sign in again.
Children
The service is not directed to children under 16, and we do not knowingly collect personal information from them. If you believe a child has created an account, contact us and we will delete the account.
International transfers
We are based in the United States and operate our primary infrastructure in the United States. If you access the service from elsewhere, your information will be processed in the U.S. We rely on standard contractual clauses where applicable.
Changes to this notice
We will post material changes here and, where required by law, notify affected users by email. The "Last updated" date at the top reflects the most recent revision. History lives in the git log for this file.
Contact
| Purpose | Address |
|---|---|
| Privacy inquiries, data-subject requests | privacy@ila.app (TBD) |
| Security vulnerabilities | security@ila.app (TBD); see SECURITY.md |
| General support | contact form on the site |