Privacy Policy

CampaignFinance.app
A Service of CampaignFinance.app, Inc.

Effective Date: November 25, 2025
Last Updated: November 25, 2025

1. Introduction & Scope

This Privacy Policy ("Policy") describes how CampaignFinance.app, Inc., an Indiana corporation doing business as CampaignFinance.app ("we," "us," "our," or the "Company"), collects, uses, shares, retains, and protects personal information through our political-technology software-as-a-service ("SaaS") platform located at CampaignFinance.app (the "Platform" or "Service").

This Policy applies exclusively to users located within the United States. We do not market our Services to, nor do we knowingly collect data from, individuals outside the United States. Our Platform is designed for political campaigns, committees, treasurers, and campaign finance professionals operating under U.S. federal and state election laws.

Governing Law: This Policy is governed by and construed in accordance with the laws of the State of Indiana. Indiana law serves as our primary legal framework, supplemented by compliance with:

• Indiana Consumer Data Protection Act (INCDPA) (effective January 1, 2026)
• California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA)
• Virginia Consumer Data Protection Act (VCDPA)
• Colorado Privacy Act (CPA)
• Connecticut Data Privacy Act (CTDPA)
• Utah Consumer Privacy Act (UCPA)
• Federal Trade Commission Act, Section 5 (prohibition of unfair/deceptive practices)
• Gramm-Leach-Bliley Act (GLBA) privacy principles (where applicable)
• Children's Online Privacy Protection Act (COPPA)

Corporate Information:

• Legal Entity: CampaignFinance.app, Inc.
• Date of Incorporation: February 4, 2025
• State of Incorporation: Indiana
• Principal Place of Business: 8021 Glenwood St, Highland, IN 46322
• Sole Member: Brandon Dothager

By accessing or using CampaignFinance.app, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with this Policy, please discontinue use of our Services immediately.

2. Information We Collect

We collect personal information necessary to provide our campaign finance management services. Below is a comprehensive description of the categories of data we collect:

2.1 Personal Identifiable Information (PII)

Donor Information: Name, phone number, email address, physical address, employer, occupation — Campaign finance reporting compliance, FEC/state filing requirements

Campaign Finance Data: Contributions, expenditures, donor history, transaction records — Campaign financial management and regulatory reporting

Account Authentication Data: Email address, hashed password — User authentication via Supabase

Contact Information: Name, email, phone number — Account management and service communications

2.2 Financial Data via Plaid

When you connect your financial accounts through our Platform using Plaid Link, we receive:

• Account Metadata: Financial institution name, account name, account type
• Account Balances: Current and available balances
• Transaction Data: Transaction history, amounts, dates, payees, descriptions

Important: CampaignFinance.app never receives, accesses, or stores your bank login credentials (username or password). Authentication occurs directly through Plaid's secure infrastructure.

2.3 Payment Information via Stripe

We use Stripe to process subscription payments. We collect and process:

• Stripe Customer ID: Unique identifier for billing purposes
• Payment Metadata: Subscription status, billing cycle information, payment history

Important: CampaignFinance.app never receives or stores credit card numbers, debit card numbers, CVV codes, or full payment card details. All payment processing occurs through Stripe's PCI DSS-compliant infrastructure.

2.4 Technical and Operational Data

Device Information: IP address, browser type, operating system, device identifiers — Security, fraud prevention, platform optimization

Usage Data: Pages visited, features used, timestamps, session duration — Service improvement and analytics

Log Data: Server logs, error reports, API request logs — Debugging, security monitoring, compliance

2.5 Data We Do NOT Collect

To be clear, we do not collect:

• Bank account usernames or passwords
• Credit or debit card numbers
• Social Security Numbers (SSNs)
• Driver's license or state identification numbers
• Government-issued identification documents
• Biometric data
• Health or medical information

3. How We Use Your Information

We process personal information for the following legitimate business purposes:

3.1 Service Delivery

• Providing campaign finance tracking, reporting, and management services
• Processing and reconciling campaign contributions and expenditures
• Generating compliant campaign finance reports for FEC and state filing requirements
• Facilitating financial account connectivity through Plaid
• Processing subscription payments through Stripe

3.2 Account Management

• Creating and maintaining your user account
• Authenticating your identity and verifying authorized access
• Communicating account-related information, including service updates and notifications
• Responding to your inquiries and support requests

3.3 Security and Fraud Prevention

• Detecting, preventing, and investigating security incidents
• Identifying and preventing fraudulent transactions
• Monitoring for unauthorized access or misuse of our Platform
• Protecting against malicious, deceptive, or illegal activity

3.4 Legal Compliance

• Complying with applicable federal, state, and local laws
• Responding to valid legal processes (subpoenas, court orders, regulatory inquiries)
• Enforcing our Terms of Service and other agreements
• Maintaining records as required by Indiana campaign finance regulations

3.5 Platform Improvement

• Analyzing usage patterns to improve Platform functionality
• Developing new features and services
• Conducting internal research and analytics
• Troubleshooting technical issues

4. Use of Plaid

4.1 About Plaid

CampaignFinance.app uses Plaid Inc. ("Plaid") to enable you to connect your financial accounts to our Platform. Plaid provides secure financial data connectivity that allows us to access information necessary for campaign finance reconciliation and reporting.

4.2 How Plaid Works

When you choose to connect a financial account:

1. You authenticate directly with Plaid. You enter your financial institution credentials in Plaid's secure interface—not within CampaignFinance.app.
2. Plaid transmits data to us. Based on your explicit consent, Plaid securely transmits authorized financial data to our Platform.
3. We never touch your credentials. CampaignFinance.app never sees, receives, processes, or stores your bank login credentials.

4.3 Data Received from Plaid

Depending on the permissions you grant, we may receive:

• Account holder name and contact information
• Account and routing numbers (for verification purposes)
• Account balances
• Transaction history (typically up to 24 months)
• Account type and financial institution details

4.4 Your Control Over Plaid Data

You have complete control over your Plaid-connected accounts:

• Revoke Access Anytime: You may disconnect financial accounts at any time through your CampaignFinance.app account settings or through Plaid Portal at my.plaid.com.
• Manage Permissions: You can view and manage which apps have access to your financial data through Plaid Portal.
• Request Deletion: You may request deletion of Plaid-retrieved data from our systems.

4.5 Plaid's Own Privacy Practices

Plaid maintains its own data collection and privacy practices independent of CampaignFinance.app. We encourage you to review Plaid's End User Privacy Policy at: https://plaid.com/legal

Plaid's practices include:

• Use of encryption (AES-256) and Transport Layer Security (TLS)
• Prohibition against selling user data to third parties
• User control through Plaid Portal
• Compliance with applicable U.S. financial privacy regulations

5. Use of Stripe

5.1 About Stripe

CampaignFinance.app uses Stripe, Inc. ("Stripe") as our payment processor for subscription billing and payment transactions.

5.2 Data Processed by Stripe

When you subscribe to our services, Stripe collects and processes:

• Your name and billing address
• Payment method details (credit/debit card information)
• Transaction amounts and dates
• Device and browser information for fraud prevention

5.3 Our Access to Stripe Data

CampaignFinance.app receives only:

• Stripe Customer ID (unique identifier)
• Subscription status and billing cycle information
• Payment success/failure notifications
• Last four digits of your payment card (for display purposes only)

We never receive, store, or have access to your full credit card number, CVV, or complete payment credentials. Stripe is PCI DSS Level 1 certified—the highest level of payment security certification.

5.4 Stripe's Privacy Policy

Stripe maintains independent privacy practices. Please review Stripe's Privacy Policy at: https://stripe.com/privacy

6. How We Share Data

6.1 We Do Not Sell Your Personal Information

CampaignFinance.app does not sell, rent, lease, or trade your personal information to third parties for monetary or other valuable consideration. We have not sold personal information in the preceding twelve (12) months and have no intention of doing so.

6.2 Categories of Third-Party Recipients

We may share personal information with the following categories of recipients solely for the purposes described in this Policy:

• Plaid Inc. — Financial account connectivity — Authentication data, account permissions
• Stripe, Inc. — Payment processing — Billing information, transaction data
• Supabase — Database hosting, authentication, storage — Account data, application data
• Render — Application hosting — Technical/operational data
• Cloudflare — Security, CDN, DDoS protection — IP addresses, traffic data
• Resend — Transactional email delivery — Email addresses, notification content
• Grafana Cloud — Logging, monitoring, diagnostics — Anonymized operational logs

6.3 Other Disclosures

We may also disclose personal information:

• With Your Consent: When you explicitly authorize disclosure to third parties
• Legal Compliance: To comply with applicable law, regulation, legal process, or governmental request
• Rights Protection: To protect the rights, privacy, safety, or property of CampaignFinance.app, our users, or the public
• Business Transfers: In connection with a merger, acquisition, reorganization, bankruptcy, or sale of assets (with notice to you)
• Service Providers: To vendors who process data on our behalf under binding confidentiality agreements

6.4 No Sharing for Advertising

We do not share your personal information with advertising networks, data brokers, or third parties for behavioral advertising or profiling purposes.

7. Data Retention & Disposal

7.1 Retention Periods

We retain personal information only as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, and support legitimate business operations.

• Campaign Finance Records: Minimum 3 years from filing date — Indiana campaign finance regulations; FEC record-keeping requirements (11 CFR 102.9)
• Account Information: Duration of account relationship + 3 years — Legitimate business interest; potential disputes
• Financial Transaction Data: 7 years — Tax and financial record-keeping requirements
• Authentication Logs: 2 years — Security and fraud prevention
• Server/Technical Logs: 90 days (rolling) — Operational troubleshooting

7.2 Indiana Campaign Finance Record-Keeping Alignment

Pursuant to Indiana Code § 3-9-1-24, treasurers must preserve receipts, canceled checks, and proof of payment for three (3) years from the date of expenditure or one (1) year after dissolution of the committee, whichever occurs first. Our data retention practices align with these requirements to support your compliance obligations.

7.3 Data Disposal

Upon expiration of applicable retention periods or upon valid deletion request:

• Personal information is securely deleted or anonymized
• Deletion is propagated to backup systems within 90 days
• We maintain audit logs of deletion requests and actions
• Certain aggregated or anonymized data may be retained for analytics

8. Data Security Measures

8.1 Technical Safeguards

We implement industry-standard security measures to protect your information:

• Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
• Encryption at Rest: Sensitive data stored in our databases is encrypted using AES-256 encryption
• Secure Authentication: Passwords are hashed using bcrypt; we support multi-factor authentication
• Access Controls: Role-based access controls limit data access to authorized personnel only
• Network Security: Cloudflare provides DDoS protection, Web Application Firewall (WAF), and bot mitigation

8.2 Organizational Safeguards

• Confidentiality Agreements: All personnel with data access sign confidentiality agreements
• Access Reviews: Quarterly reviews of data access permissions
• Security Training: Regular security awareness training for all team members
• Incident Response Plan: Documented procedures for responding to security incidents

8.3 Infrastructure Security

Our service providers maintain robust security certifications:

• Stripe: PCI DSS Level 1 certified
• Supabase: SOC 2 Type II compliant
• Cloudflare: SOC 2, ISO 27001 certified
• Plaid: SOC 2 Type II, ISO 27001 certified

8.4 Breach Notification

In the event of a data breach affecting your personal information, we will:

• Notify affected individuals without unreasonable delay
• Provide notification to the Indiana Attorney General as required by law
• Comply with all applicable state breach notification requirements
• Describe the nature of the breach and steps taken in response

9. User Rights Under U.S. Law

9.1 Rights Available to All Users

Regardless of your state of residence, you have the following rights:

• Right to Know: You may request information about categories and specific pieces of personal information we collect about you
• Right to Access: You may obtain a copy of personal information we maintain about you
• Right to Correction: You may request correction of inaccurate personal information
• Right to Deletion: You may request deletion of personal information, subject to legal retention requirements
• Right to Data Portability: You may request your data in a structured, commonly used, machine-readable format
• Right to Opt-Out: You may opt out of the sale of personal information (though we do not sell data)

9.2 Indiana Consumer Rights (INCDPA)

Indiana residents have additional rights under the Indiana Consumer Data Protection Act (effective January 1, 2026):

• Right to confirm whether we are processing your personal data
• Right to access personal data
• Right to correct inaccuracies
• Right to delete personal data
• Right to obtain a portable copy of your data
• Right to opt out of targeted advertising, sale of personal data, and certain profiling

9.3 California Consumer Rights (CCPA/CPRA)

California residents have the following rights:

• Right to know what personal information is collected
• Right to know whether personal information is sold or disclosed
• Right to opt out of the sale or sharing of personal information
• Right to access personal information
• Right to request deletion
• Right to correct inaccurate information
• Right to limit use of sensitive personal information
• Right to non-discrimination for exercising privacy rights

Notice to California Residents: We do not sell or share your personal information as defined under the CCPA/CPRA. We do not use or disclose sensitive personal information for purposes other than those permitted under the CCPA/CPRA.

9.4 Virginia, Colorado, Connecticut, and Utah Residents

Residents of these states have similar rights including access, correction, deletion, portability, and opt-out rights. Each state law has specific requirements which we honor.

9.5 Exercising Your Rights

To exercise any of these rights, please contact us at:

• Email: [email protected]
• Mail: CampaignFinance.app, Inc., 8021 Glenwood St, Highland, IN 46322

We will respond to verifiable consumer requests within 45 days. If additional time is needed (up to an additional 45 days), we will notify you of the extension and the reason.

We will not discriminate against you for exercising your privacy rights.

9.6 Verification

To protect your privacy, we must verify your identity before processing requests. Verification may include confirming your email address, account credentials, or other identifying information.

9.7 Authorized Agents

You may designate an authorized agent to submit requests on your behalf. Authorized agents must provide proof of authorization (such as a power of attorney or written authorization signed by you).

10. Children's Privacy

10.1 Age Restriction

CampaignFinance.app is intended for use by adults engaged in political campaign activities. Our Services are not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13.

10.2 COPPA Compliance

In accordance with the Children's Online Privacy Protection Act (COPPA):

• We do not knowingly collect, use, or disclose personal information from children under 13
• We do not allow children under 13 to register for accounts
• If we learn we have collected personal information from a child under 13, we will delete that information promptly

10.3 Parental Rights

If you are a parent or guardian and believe your child under 13 has provided personal information to us, please contact us immediately at [email protected]. We will take steps to remove such information from our systems.

10.4 Users Ages 13-17

While our Services are designed for adult campaign professionals, if users between 13 and 17 access our Platform, we encourage parental supervision and require all users to comply with our Terms of Service.

11. Changes to This Policy

11.1 Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes:

• We will post the updated Policy on our website
• We will update the "Last Updated" date at the top of this Policy
• For material changes, we will provide prominent notice (such as email notification or in-app banner)

11.2 Review Recommendation

We encourage you to review this Privacy Policy periodically to stay informed about our privacy practices.

11.3 Continued Use

Your continued use of CampaignFinance.app after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

12. How to Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

CampaignFinance.app, Inc.
Attn: Privacy Inquiries
8021 Glenwood St
Highland, IN 46322

Email: [email protected]
For data subject access requests: [email protected]

We aim to respond to all inquiries within 10 business days.

This Privacy Policy is provided in plain language to ensure transparency and user understanding. If you have questions about any provision, please contact us at [email protected].

© 2025 CampaignFinance.app, Inc. All rights reserved.