Privacy Policy

Last updated 2026-06-19

Open Cave is a tool for civic accountability. The data it handles belongs to citizens exercising their democratic rights. This page describes exactly what is collected, what is deliberately not collected, who processes it, and where it is stored.

What we collect

Accounts. Your email address (used only to send sign-in codes — never sold, never used for marketing) and a display name you choose.

Investigations. The concern you describe, the jurisdiction you select, documents you upload or link, your postal code when you use it to find a representative, and the outputs produced (briefings, lever actions, campaign materials). Linked to your account.

Forum posts & credentials. Posts you create (attributed to your display name) and a lightweight record of civic actions (type, weight, source) that aggregates into a credential score. No surveillance data.

Archive records. If you submit an investigation for archiving, a bundle is pinned to IPFS and Arweave. These are public and permanent by design and persist even if you delete your account (see below).

What we deliberately do NOT collect or log

These are outside the data model — there is no column to store them: investigation reads, search queries, document downloads, briefing-read events, and unsent post drafts. You cannot accidentally log what there is nowhere to put.

Third parties that process your data

Open Cave relies on a small number of service providers to function. Each receives only what it needs, and all are US-based — see data residency below.

  • Anthropic (Claude). When you run an analysis, the text of your concern, relevant document content, and parliamentary context are sent to Anthropic's API to generate the analysis. This is the most sensitive transfer we make; it happens only when you invoke an AI feature.
  • Voyage AI. When semantic search is enabled, document text and query text are sent to generate vector embeddings.
  • Resend. Your email address is sent to Resend to deliver your sign-in code.
  • Sentry. Error monitoring. Sentry's client SDK runs in your browser to report crashes. We strip request bodies, cookies, auth headers, and your email/IP from every report before it is sent, and session replay is disabled.
  • Upstash. A Redis service used only to rate-limit requests and stop abuse and cost-attacks. It receives your IP address (and, for some limits, your account ID) as a rate-limit key plus a short-lived counter — never your content, your searches, or which pages you open. The counters auto-expire within minutes to a day, no usage analytics are collected, and they are used for nothing else.

We do not sell your data or share it with advertisers. We load no advertising or tracking scripts and run no analytics — there are no cookies beyond the single sign-in cookie (HttpOnly, Secure, SameSite=Lax).

Where your data is stored (data residency)

Your account, investigations, documents, posts, and credentials live in a PostgreSQL database hosted in the United States (Supabase, us-east-2). The processors above (Anthropic, Voyage, Resend, Sentry, Upstash) are also US-based.

This means your personal information is stored and processed in the United States and is subject to US law, including lawful-access requests by US authorities. Canadian privacy law (PIPEDA) permits this, but you have the right to know it. If US storage is unacceptable for your threat model, do not submit sensitive material.

Your rights

You may access the data tied to your account, correct your display name, withdraw consent by deleting your account, and contact us with any privacy question. We do not require any information beyond an email to use the tool.

Account deletion

You can delete your account from your profile. When you do, your account and everything tied to it is permanently removed — your investigations, documents, forum posts and threads, and credential records. This cannot be undone.

Archive records you created persist — once pinned to IPFS or written to Arweave they exist as public goods and cannot be retracted. Deleting your account will not remove them.

ActivityPub federation

When you publish public forum content, your display name, actor URL, public post content, and thread titles are shared with the fediverse and may be cached or mirrored by other servers. Your email, investigation contents, credential score, governance votes, and any private posts are never federated.

Contact

Questions about privacy or data handling: open an issue on the public repository or reach out through the forum. This policy mirrors the canonical PRIVACY.md in the open-source repository.