Privacy Policy
How Albany Records Project handles private information.
We collect information to review records, protect contributors, process payments, run accounts, and publish source-backed civic work. Private resident, neighbor, and contributor details are not published casually.
Effective May 24, 2026 - Last updated May 30, 2026
This policy explains what Albany Records Project collects, how we use it, what may be published, what normally stays private, and how to ask for access, correction, deletion, or review. It is written in plain language for an Oregon-based public-records project, but it is not legal advice.
1. What this policy covers
This policy covers the Albany Records Project website, public-records reporting, intake forms, uploaded files, contact messages, donations, AI drafting credits, authenticated dashboard tools, public data search, and related project operations.
Albany Records Project is an independent project, not a public body, law firm, or government agency. Public agencies, payment processors, account providers, AI providers, and other third-party services may have their own privacy policies.
2. Information we collect
Depending on how you use the site, we may collect or process:
- Submissions and reports: your name or chosen display name, contact information, agency or location details, incident descriptions, role, dates, permission choices, safety notes, redaction notes, privacy flags, and reviewer notes.
- Uploaded files: filenames, file types, sizes, storage keys, review status, redaction notes, approved public summaries, and the file contents you submit.
- Contact messages: name, email if provided, subject, message, reference ID, and follow-up history.
- Accounts and dashboard use: account identifiers from Clerk Auth, dashboard activity, submissions and contributions associated with your email, AI credit balances, historical credit purchase records, and credit usage records.
- Payments and ledger preferences: contribution amount, frequency, funding lane, name, email, payment status, public ledger preference, ledger display fields, Stripe session or customer identifiers, and fraud or accounting metadata. We do not store full card numbers on this site.
- AI draft and workspace tools: the draft type, audience, issue text, workspace-agent messages, generated drafts or research artifacts, saved agent memories or preferences, safe tool summaries, AI credit transactions, model usage details, and related search results used to prepare the draft or research output.
- First-party search audit logs: records-search queries, filters, result counts, result snapshots returned by the search tool, timing, status, signed-in account ID when available, and hashed anonymous visitor keys in PostgreSQL and ARP-owned ClickHouse analytics tables. We do not store raw IP addresses, full browser user-agent strings, or raw request headers in this audit log.
- Watch terms: search phrases saved locally in your browser today, and account-linked watch terms if alert syncing is added later.
- Public records and public web data: city URLs, page titles, page text, public file metadata, and public file contents gathered for records search and civic reporting.
- Site operation data: server logs, device/browser basics, self-hosted aggregate analytics events, redacted page URLs, referrers, allowed campaign/source fields, and cookies or local storage needed for authentication, checkout, preferences, security, and performance.
3. How we use information
We use information to:
- receive, review, redact, summarize, and organize submissions and uploaded records;
- direct public-records requests, reporting, public education, source review, and case review;
- protect contributors, residents, neighbors, reviewers, and the project from privacy, safety, or legal risk;
- respond to contact messages, correction requests, privacy requests, and takedown concerns;
- operate accounts, dashboard views, AI credit balances, AI draft tools, and watch-term workflows;
- process donations, paid AI credits, refunds, fraud checks, accounting, and public ledger preferences;
- secure the site, diagnose errors, prevent abuse, and comply with legal duties; and
- publish source-backed public work after review.
4. What may be published
Published work should separate what a person reported, what public records show, and what remains unknown. Before publication, we may redact, summarize, delay, decline, correct, or remove material for accuracy, safety, privacy, legal risk, source review, or editorial judgment.
- Filed public-records request text after submission.
- Agency responses, denials, fee estimates, and produced public records.
- Public-records tracker updates and public data search results.
- Contribution ledger information by category, with donor names or emails only according to the selected ledger preference.
- Articles, explainers, timelines, summaries, and exhibits after source, redaction, and safety review.
- Filed complaints, public court records, and public agency records when appropriate.
5. What normally stays private
A broad submission permission does not erase privacy review. We do not publish private resident, neighbor, or contributor details casually, and we try to keep the focus on public bodies, public records, and accountable institutions.
- Contributor names, addresses, unit numbers, contact details, vehicle details, and family information.
- Private resident and neighbor details, safety notes, retaliation concerns, and raw intake notes.
- Unredacted uploaded files, raw evidence, exhibits, media, and sensitive identifiers.
- AI prompts, draft outputs, draft filings, and internal strategy notes.
- Payment identifiers, Stripe metadata, and nonpublic ledger details.
- Reviewer notes, counsel communications, settlement communications, and legal work product.
Public records caveat: some information is already public because it appears in government records, court files, meeting materials, or agency websites. We can review our own use of that information, but we cannot remove records from government sources we do not control.
6. How we share information
We do not sell personal data, use targeted advertising, or operate as a data broker. We share information only as needed to run the project, protect people, publish reviewed work, or comply with legal duties.
- Service providers: authentication providers such as Clerk Auth, payment processors such as Stripe, hosting/database/storage providers such as Railway, self-hosted analytics infrastructure such as email or contact tools, AI Gateway and model providers such as Anthropic, OpenAI, or Google Gemini when AI generation is enabled, and other operational vendors.
- Reviewers and counsel: people helping with records review, redaction, safety review, legal review, technical support, or project administration.
- Publication: redacted records, summaries, public data, public-records requests, public agency responses, ledger entries, and reporting after review.
- Legal and safety needs: if required by law, subpoena, court order, fraud review, security incident response, urgent safety concern, or to protect rights and safety.
- With your permission: when you ask us to contact you, share material, list your name, or use a submission in a specific way.
7. AI draft tools
AI tools are draft-only organizing and research tools. They may help search approved project sources, draft public-records requests, public comments, civic emails, summaries, source sets, or search ideas. They do not give legal advice, send messages for you, represent you, or guarantee an outcome.
If AI generation or semantic retrieval is enabled, prompts, selected workspace context, and bounded source snippets may be processed by AI Gateway and model providers such as Anthropic, OpenAI, or Google Gemini. Do not put Social Security numbers, bank or card numbers, medical records, private third-party details, or other highly sensitive information into an AI prompt unless it is truly necessary and you are allowed to share it.
You are responsible for reviewing every draft, verifying facts, removing private information, and deciding whether to send anything.
If you use the authenticated compose tool, draft chat sessions and explicit agent memories may be saved to your account so you can reload prior messages, reuse preferences, and continue refining a draft. Saved drafts and chat sessions can be deleted from the dashboard.
8. Cookies, local storage, and analytics
The site may use cookies, tokens, and local storage for sign-in, security, checkout, dashboard preferences, watch terms, and basic site operation. Stripe and Clerk may set their own cookies or similar technologies during checkout and account use. Clerk authentication cookies are required for account sessions and are not optional analytics or advertising cookies.
Albany Records Project first-party preference cookies are host-scoped, use SameSite=Lax, and are marked Secure in production. Privacy preference cookies remain browser-readable so the visible preference controls can show and update your saved choice.
The site may use first-party, project-owned analytics for privacy-bounded page and event measurement. Analytics is used to understand overall traffic patterns, search health, and feature usage, not to build advertising profiles, sell data, or track people across unrelated sites. Our implementation avoids ad pixels and third-party browser analytics scripts.
Our implementation sends manual pageviews only after the browser passes the analytics privacy checks. Public article, explainer, survey, watch, and source slugs may remain visible in analytics so we can understand public content performance. Private dashboard, admin, session-task, and onboarding route identifiers are collapsed to _id before pageviews leave the browser. Query parameters are stripped except ref,source, and utm_* campaign fields.
Optional product analytics events are limited to a fixed allowlist, such as outbound link clicks, file downloads, searches, filters, checkout starts and returns, submitted public forms, media plays, dashboard actions, workspace actions, AI compose starts/completions, admin actions, 404 pages, and safe error-boundary reports. Event properties are limited to non-content labels such as area, surface, action, status, kind, file type, and route group. We do not intentionally send raw form text, emails, user IDs, workspace IDs, request IDs, filenames, private URLs, search queries, prompts, record contents, stack traces, or other sensitive payloads to optional product analytics.
Separate from optional product analytics, we keep internal first-party search audit records for records search, dashboard search, and AI search tools. Those audit records help diagnose search quality, abuse, and source coverage. They may be stored in PostgreSQL and mirrored into ARP-owned ClickHouse tables. Search audit records may include the search query and the result objects returned by the search surface, but visitor identity is privacy-bounded: signed-in account IDs are stored when available, and anonymous visitors are represented by a salted hash rather than raw IP address or full user-agent text.
Detailed first-party search audit rows default to 180-day retention unless a documented legal hold, security review, privacy request, dispute, or public-interest archive exception applies. Visitor hashes and request metadata are internal operational signals and are not used by themselves as public identity proof.
When optional analytics is allowed, we may also mirror the same sanitized pageviews and allowlisted product events into first-party ClickHouse tables so administrators can understand feature health. Those non-search product analytics follow Global Privacy Control, the Privacy Choices setting, and the local analytics opt-out. Operational search audit logging does not depend on optional analytics consent because it is used for search reliability, abuse prevention, and records-quality review.
We honor Global Privacy Control by treating the signal as an opt-out of optional analytics, sale, sharing, or targeted-advertising workflows unless you later give legally valid permission. A manual analytics opt-out on the Privacy Choices page, or localStorage.arp_analytics_ignore=true, also blocks optional first-party analytics in this browser.
You can review the cookie and storage inventory or save an optional analytics preference for this browser on the Privacy Choices page. Global Privacy Control always overrides a manual analytics setting while the browser signal is active.
9. Retention and deletion
We use a public-interest archive posture. That means we may keep private submissions, files, account records, payment metadata, AI credit records, and review notes while they are needed for records work, reporting, public education, safety review, legal review, fraud prevention, accounting, dispute handling, or project accountability.
When information is no longer needed, we may redact it, delete it, de-identify it, archive it in a safer form, or keep only a public summary. We review deletion requests where feasible, but may keep information when needed for legal duties, public-records work, editorial records, safety, fraud, accounting, dispute handling, or public-interest accountability.
10. Your privacy choices and requests
You can ask us to access, correct, delete, restrict, export, or review personal information connected to you. You can also object to publication, request redaction, ask for a correction, request a takedown review, opt out of optional communications, or ask whether any sale, targeted advertising, or profiling is happening. Our current answer to sale, targeted advertising, and data-broker activity is no.
Submit formal privacy rights and appeal requests through the Privacy Requests form. We track receipt date, identity verification, response date, extension notices, denial reasons, and appeals. We may need to verify your identity or authority before acting. If we deny all or part of a request, you can ask for a second review through the same form.
11. Children and sensitive information
Accounts, payments, donations, and paid AI credit features are for people who are 18 or older. We do not knowingly collect personal information from children under 13. Information about children under 13 is treated as sensitive.
Do not upload Social Security numbers, bank or card numbers, medical records, sealed records, privileged material, nonconsensual intimate images, or private third-party information unless it is essential to the public-record issue and you are legally allowed to share it. If you believe private intimate images or other dangerous private media appear on the site without consent, use the contact page and mark the request urgent.
12. Security and breach notices
We use reasonable safeguards for the nature of the project, including limited access, review workflows, redaction notes, service-provider security, and secure payment processing through Stripe. No website, storage system, AI provider, or transmission method can be guaranteed perfectly secure.
If we discover a security incident involving personal information, we will review the facts and provide notices required by applicable law, including Oregon breach-notice duties when they apply.
13. Communications
We may send transactional messages about submissions, records work, accounts, AI credits, payments, refunds, corrections, privacy requests, security, and project operations. If we later send optional newsletters, fundraising updates, or marketing messages, they should include a clear way to opt out.
Questions, copyright concerns, and general takedown concerns should be sent to hello@albanyrecordsproject.com. Account, payment, AI credit, and technical support questions should be sent to support@albanyrecordsproject.com. You can also use the contact page. Formal privacy rights and appeal requests should use the Privacy Requests.
See the Terms & Conditions for submission permissions, payments, AI draft tools, refunds, acceptable use, and dispute rules. We may update this policy as the project changes. Updates are effective when posted unless the page says otherwise.