articleOne Logo
Sign up Log In

Privacy Policy

Last updated on December 20, 2024

1. Introduction

This Privacy Policy (also called our "Data Retention and Use Policy") outlines the principles and guidelines for the collection, storage, use, and disposal of data by Manitou Research Inc. (hereinafter “the Company”, “Manitou”, or “articleOne”). Our goal is to ensure that user data is managed responsibly, securely, and in compliance with applicable laws and regulations.

2. Scope

This policy applies to all employees, contractors, and third-party service providers who handle or manage data on behalf of Manitou Research Inc. It covers all types of data, including, but not limited to, personally identifiable information (PII), organization information, information pertaining to the legislative process, proprietary information, affiliation information, political information, financial data, operational data, and any other sensitive information. Manitou Research does not intentionally request, process, or store protected health information. It is a violation of the Terms of Use to knowingly submit any Protected Health Information to Manitou Research Inc.

Manitou Research Inc. employs generative Artificial Intelligence (AI) models provided by third parties, such as Microsoft OpenAI, to provide many of its services. Manitou Research Inc. transmits user data to these parties to process user queries, provide generative AI responses, and for related purposes. Manitou Research takes steps to anonymize, pool, aggregate, or otherwise remove identifying information before transmitting data, such as user queries, to these third parties. For information about Microsoft OpenAI’s use of data originating from the articleOne platform, please see their Privacy and Data Policies, which can be found [here] and [here].

3. Definitions

  • Data: Any information that is collected, stored, processed, or transmitted by Manitou Research Inc. to or from users or organizations that use the articleOne service or other services provided by Manitou Research. Publicly available data obtained from other sources, such as statements by Members of Congress, are in the public domain and are not subject to this Policy. Data may include, but is not limited to, name, affiliation, political party, role, profession, industry, optional organizational logo or imagery, optional user photo or avatar, congressional district, cookies, tags, beacons, financial and payment information, email address(es), Internet Protocol (IP) address(es), MAC address(es), Internet Service Provider, phone number, address, device information (e.g. browser and operating system), platform access history (e.g. logins) including the frequency and duration of such access, and more.
  • Personal Data: Any information relating to an identified or identifiable individual or organization, including political persons or organizations, that Manitou Research receives from the user or organization while providing services to the user or organization. For Government users, this may include data about elected officials and government employees.
  • AI: Artificial Intelligence.
  • Data Retention: The recording or storing of information, typically in digital format, either on Manitou Research servers or secure cloud infrastructure. All Manitou Research user data is stored on servers physically located in the United States.
  • Data Disposal: The process of permanently deleting or destroying data.
  • LLM: Large-language model, or generative AI service, such as Microsoft OpenAI.

4. Data Collection

  • Purpose: Data are collected from a user or organization for the express purpose of providing services to the user or organization, to improve the platform, and to perform aggregated analysis. This collection typically happens in one of two ways: a) a user submits a query into the articleOne platform or any of its sub-modules, which is then both passed to a third-party LLM (subject to that third party’s own data policies; see Section 2) and digitally stored by Manitou Research for a finite period of time; b) “custom”, or proprietary, data are intentionally and optionally provided to Manitou Research as part of a customer relationship wherein the customer has opted for Manitou to incorporate the user’s or organization’s “custom” data in order to enhance the provision of services.
  • Custom Data: For Government and Pro-tier users and organizations, Manitou Research offers the option to integrate proprietary or organizational data to improve model accuracy and user experience. In the event this data contains information about other people or entities, such as constituents or clients, Manitou Research will protect the information in the same manner as it does all other user information. Information about third parties, such as constituents or clients, is not considered user or organizational data, and is therefore not subject to the same collection, retention, and destruction policies as those users or organizations with whom Manitou Research has engaged in a business relationship. Such data will instead be subject to the applicable Data Relationship Agreement, which supersedes this general Data Policy wherever applicable.
  • Consent: Where applicable, consent is obtained from individuals before collecting personal data. If a user or organization engages with Manitou Research for customer or technical support, such proactive engagement will be considered affirmative consent to receive, store, and handle user or organizational information that may exceed the standard scope of collection by Manitou Research.
  • Minimization: Because Manitou Research does not rely on selling or trading personal information for revenue, Manitou Research typically minimizes the amount of information collected and stored to that which is necessary to provide or improve services.

5. Data Storage

  • Security: Data is stored securely using appropriate technical and organizational measures to protect against unauthorized access, alteration, or destruction.
  • Access Control: Access to data is restricted to authorized personnel only, based on the principle of least privilege. This may include Manitou Research employees, contractors, and third parties who have been temporarily retained (e.g. for server maintenance) but who, as a condition of their retention, have signed non-disclosure agreement(s).
  • Backup: Regular backups of critical data are performed to prevent data loss. Like other data associated with the articleOne platform, backups are encrypted to prevent unauthorized access.

6. Data Use

  • Lawful Use: Data is used in accordance with applicable laws and regulations. Manitou Research will not sell information related to queries or use patterns for an individual office or user. However, Manitou Research does perform analyses on broad trends and collective use patterns, which it may sell or share with third parties. Examples of this type of information include searches over a specified period by one political party, by the combined organizational membership of a specific congressional committee, or a specific type of user (e.g. academic institutions as a group). In such cases, Manitou Research will take steps to ensure that the metadata associated with such aggregated information is anonymized (de-identified) and cannot be systematically de-anonymized. Users and organizations who enter personally identifiable information within their queries or submissions to the articleOne platform accept and acknowledge that Manitou Research cannot guarantee that such personally identifiable information will not be included in aggregated, anonymized form.
  • Purpose Limitation: Data is used only for the purposes for which it was collected, i.e. for the provision of services, improvements to the platform, and for aggregated analysis (see Section 4).
  • Accuracy: Efforts are made to ensure that data is accurate, including attempts to ensure that data are up-to-date wherever possible and appropriate. Manitou Research is not liable for inaccurate data but, when appropriate and reasonably possible, will take steps to correct inaccurate data when it is discovered. Manitou Research Inc. has no obligation to ensure the accuracy, recency, etc., of information in its possession, except where legally required.

7. Data Retention

  • Retention Periods: Data is retained for as long as necessary to fulfill the purposes for which it was collected (i.e. to provide services to the user or organization), comply with legal obligations, address system performance and technical issues, analyze trends, and improve the service. Typically, most data are retained in an identifiable and attributable form for no more than twelve months. After twelve months, Manitou Research strips identifying metadata unless the user has indicated or otherwise caused continuing retention in an identifiable format, such as through sending a new message to a thread that contains message history that is older than twelve months. De-identified, or anonymized, data, including aggregated data, may be retained for various purposes indefinitely.

8. Data Disposal

  • Secure Disposal: Data that is no longer needed is disposed of securely to prevent unauthorized access. Where applicable, this includes the disposal of cloud-based or locally stored backup copies.

9. Data Protection Rights

  • Requests: All requests from individuals or organizations with regard to their data are handled in accordance with applicable laws. For customers based in the United States, this includes federal law and the laws of the Commonwealth of Virginia. Manitou Research will also comply with all legal obligations, such as subpoenas from law enforcement agencies, whenever and wherever applicable.

10. Data Breach Response

  • Detection and Reporting: Procedures are in place to detect, report, and respond to data breaches in a timely manner. Affected individuals, organizations, and relevant authorities are notified of data breaches as required by law.
  • Mitigation: Immediate actions are taken to mitigate the impact of any data breach and prevent future occurrences. For customers who have opted to provide Manitou Research with their organization’s data (“custom data”), this includes the timely notification to that organization of any breach and a detailed explanation of steps taken to mitigate the unintended disclosure. Any provision of custom data by an organization to Manitou Research are subject to the terms of the Data Relationship Agreement which, wherever applicable, supersede the terms of this general Data Policy.

11. Compliance and Monitoring

  • Audits: Regular audits are conducted to ensure compliance with this Policy and identify areas for improvement.
  • Training: Employees and contractors receive regular training on data protection and security practices.
  • Reporting: Non-compliance with this policy is reported to the designated Data Protection Officer (DPO) or relevant authority within Manitou Research, typically the Chief Operating Officer.

12. Third-Party Data Processors

  • Due Diligence: Due diligence is performed on third-party data processors to ensure they adhere to data protection standards. Examples of third-party data processors are generative AI providers, such as Microsoft OpenAI, and payment processors, such as Stripe.
  • Contracts: Contracts with third-party data processors include provisions for data protection and security.
  • Monitoring: Regular monitoring is conducted to ensure third-party compliance with data protection requirements.

13. Data Transfers

  • International Transfers: All United States user and organizational data are stored on servers physically located in the United States. Whenever possible, all processing and transmittal of United States user data will occur within the United States, but Manitou Research cannot ensure that data will not pass through international servers.

14. Policy Review and Updates

  • Regular Review: This policy is reviewed regularly to ensure it remains current and effective.
  • Updates: This Policy will be updated as necessary to maintain and improve the articleOne platform. Any updates to this Policy will be posted on the Manitou Research and/or articleOne platform website(s) in a timely manner. Any non-clerical changes to this Policy will be communicated in writing, via email, to affected users or organizations, at which point that user’s or organization’s continued use of the articleOne platform constitutes consent and concurrence with the Policy changes.