Privacy Policy

Last updated on January 25, 2025

1. Introduction

This Privacy Policy (also called our “Data Retention and Use Policy”) outlines the principles and guidelines for the collection, storage, use, and disposal of data by Manitou Research Inc. (hereinafter “the Company”, “Manitou”, “the app”, or “PolicyStream”). Our goal is to ensure that user data is managed responsibly, securely, and in compliance with applicable laws and regulations.

2. Scope

This policy applies to all users of the PolicyStream mobile application, whether through paid or unpaid accounts. It covers all types of data, including, but not limited to, personally identifiable information (PII), organization information, information pertaining to the legislative process, proprietary information, affiliation information, political information, financial data, operational data, and any other sensitive information. Manitou Research does not intentionally request, process, or store protected health information. It is a violation of the Terms of Use to knowingly submit any Protected Health Information to Manitou Research Inc.

3. Definitions

  • Data: Any information that is collected, stored, processed, or transmitted by Manitou Research Inc. to or from users or organizations that use the Platform or other services provided by Manitou Research. Publicly available data obtained from other sources, such as statements by Members of Congress, are in the public domain and are not subject to this Policy. Data may include, but is not limited to, name, affiliation, political party, role, profession, industry, optional organizational logo or imagery, optional user photo or avatar, congressional district, cookies, tags, beacons, financial and payment information, email address(es), Internet Protocol (IP) address(es), Internet Service Provider, phone number, physical address, device information (e.g. browser and operating system), Platform access history (e.g. logins) including the frequency and duration of such access, and more.
  • Personal Data: Any information relating to an identified or identifiable individual or organization, including political persons or organizations, that Manitou Research receives from the user or organization while providing services to the user or organization.
  • AI: Artificial Intelligence.
  • Data Retention: The recording or storing of information, typically in digital format, either on Manitou Research servers or secure cloud infrastructure. All Manitou Research user data is stored on servers physically located in the United States.
  • Data Disposal: The process of permanently deleting or destroying data.
  • LLM: Large language model, or generative AI service, such as Microsoft OpenAI.

4. Data Collection

  • Purpose: Data are collected from a user for the purpose of providing services to the user or organization, to improve the Platform, and to perform aggregated analysis. This collection would occur when “custom”, or proprietary, data are intentionally and optionally provided to Manitou Research as part of a customer relationship wherein the customer has opted for Manitou to incorporate the user’s or organization’s data in order to enhance the provision of services.
  • Consent: Where applicable, consent is obtained from individuals before collecting personal data. If a user or organization engages with Manitou Research for customer or technical support, such proactive engagement will be considered affirmative consent to receive, store, and handle user or organizational information that may exceed the standard scope of collection by Manitou Research.
  • Manitou Research generates revenue from the Platform through the use of advertisements placed by Google AdMob, Meta Audience Network, or similar third-party advertising providers. By creating an account and by using the Platform, the user acknowledges that any data, including PII, that may be collected by Google, Meta, or other third-party providers are subject to a separate Privacy Policy and are not necessarily subject to each provision of the Manitou Research PolicyStream Privacy Policy.

5. Data Storage

  • Security: Data is stored securely using appropriate technical and organizational measures to protect against unauthorized access, alteration, or destruction.
  • Access Control: Access to data is restricted to authorized personnel only. This may include Manitou Research employees, contractors, and third parties who have been temporarily retained (e.g. for server maintenance) but who, as a condition of their retention, have signed non-disclosure agreement(s).
  • Backup: Regular backups of critical data are performed to prevent data loss. Like other data associated with the Platform, backups are encrypted to prevent unauthorized access.
  • Encryption: Data is encrypted in transit and at rest to protect against unauthorized access. Manitou Research uses industry-standard encryption protocols to secure data.
  • Data Loss: Manitou Research is not liable for any loss or corruption of user data, nor is it liable should such data be rendered inaccessible for any reason.

6. Data Use

  • Lawful Use: Data is used in accordance with applicable laws and regulations. Manitou Research will not sell, trade, or share personally identifiable information for an individual user. However, Manitou Research does perform analyses on broad trends and collective use patterns, which it may sell or share with third parties. Examples of this type of information may include an analysis of collective user engagement patterns, such as the use of the "Like" feature or "Comment" feature within the Platform. In such cases, Manitou Research will take steps to ensure that the metadata associated with such aggregated information is anonymized (de-identified) and cannot be systematically de-anonymized. Users and organizations who enter personally identifiable information into the Platform, including through the account creation process, accept and acknowledge that Manitou Research cannot guarantee that such personally identifiable information will not be included in aggregated, anonymized form.
  • Purpose Limitation: Data is used only for the purposes for which it was collected, i.e. for the provision of services, improvements to the Platform, and for aggregated analysis (see Section 4).
  • Accuracy: Efforts are made to ensure that data is accurate, including attempts to ensure that data are up-to-date wherever possible and appropriate. Manitou Research is not liable for inaccurate data but, when appropriate and reasonably possible, will take steps to correct inaccurate data when it is discovered. Manitou Research Inc. has no obligation to ensure the accuracy, recency, etc., of information in its possession, except where legally required.

7. Data Retention

  • Retention Periods: Data is retained for as long as necessary to fulfill the purposes for which it was collected (i.e. to provide services to the user or organization), comply with legal obligations, address system performance and technical issues, analyze trends, and improve the service. Manitou Research reserves the right to irretrievably destroy information associated with an account that has been closed, or has been dormant for more than twelve months, except when required by law to retain data for more than twelve months. De-identified, or anonymized, data, including aggregated data, may be retained for various purposes indefinitely.

8. Data Disposal

  • Secure Disposal: Data that is no longer needed is disposed of securely to prevent unauthorized access. Where applicable, this includes the disposal of cloud-based or locally stored backup copies.

9. Data Protection Rights

  • Requests: All requests from individuals or organizations with regard to their data are handled in accordance with applicable laws. For customers based in the United States, this includes federal law and the laws of the Commonwealth of Virginia. Manitou Research will also comply with all legal obligations, such as subpoenas from law enforcement agencies, whenever and wherever applicable.

10. Data Breach Response

  • Detection and Reporting: Procedures are in place to detect, report, and respond to data breaches in a timely manner. Affected individuals, organizations, and relevant authorities are notified of data breaches as required by law.
  • Mitigation: Immediate actions are taken to mitigate the impact of any data breach and prevent future occurrences.

11. Compliance and Monitoring

  • Audits: Regular audits may be conducted to ensure compliance with this Policy and identify areas for improvement.
  • Training: Employees and contractors receive regular training on data protection and security practices.
  • Reporting: Non-compliance with this policy is reported to the designated Data Protection Officer (DPO) or relevant authority within Manitou Research.

12. Third-Party Data Processors

  • Due Diligence: Due diligence is performed on third-party data processors to ensure they adhere to data protection standards. Examples of third-party data processors are generative AI providers, such as OpenAI; payment processors, such as Stripe or Apple; and application store providers, such as Apple or Google.
  • Contracts: Contracts with third-party data processors include provisions for data protection and security.
  • Monitoring: Regular monitoring is conducted to ensure third-party compliance with data protection requirements.

13. Data Transfers

  • International Transfers: All United States user data are stored on servers physically located in the United States. Whenever possible, all processing and transmission of United States user data will occur within the United States, but Manitou Research cannot ensure that data will not pass through international servers.

14. Policy Review and Updates

  • Regular Review: This policy is reviewed regularly to ensure it remains current and effective.
  • Updates: This Policy will be updated as necessary to maintain and improve the PolicyStream Platform. Any updates to this Policy will be posted on the Manitou Research and/or PolicyStream Platform website(s) in a timely manner and shall be accessible via hyperlink from the PolicyStream app. Any non-clerical changes to this Policy will be communicated in writing, via email, to affected users or organizations, at which point that user’s or organization’s continued use of the Platform constitutes consent and concurrence with the Policy changes.