Canvassr ("the Application") is a political and mission-driven campaign management application built to operate within the Google Apps Script environment, utilizing Google Sheets as its primary data storage layer.
We are committed to protecting the privacy and security of all campaign coordinators, volunteers, and canvassers. This Privacy Policy describes how we collect, use, store, and share information processed by the Application.
1. Scope of the Application
Canvassr is designed for internal campaign organization. It is deployed as a Google Workspace Web App. By utilizing the Application, you consent to the collection and processing of data in accordance with this Privacy Policy.
2. Information We Collect and Process
To organize weekly canvassing shifts and optimal routes, the Application processes the following categories of information:
π€ Canvasser & Volunteer Details
- Roster Details: First name, last name, email address, and telephone number.
- Scheduling Data: Logged unavailable dates, vacation ranges, and shift assignments.
- Roster Notes: Optional notes recorded by coordinators regarding canvasser preferences or Spanish fluency.
πΊοΈ Geographic & Campaign Data
- Canvassing Lists (Turfs): Turf titles, door counts, and decimal coordinate centroids (latitude and longitude).
- Meeting Places: Location names, dynamic decimal coordinates, and generated navigation links.
- Shifts & Rosters: Shift dates, times, durations, assigned lead canvassers, and attending canvasser rosters.
π Google Session Data
When accessing the Application, the Google Apps Script environment reads your active Google account email address. This is used solely to verify campaign coordinator access rights, display your name in the sidebar footer, and pre-fill coordinator email signatures.
π§ Gmail Compose & Drafts Data
100% Optional Connected Service: Connecting your Gmail account is completely optional. You can utilize Canvassr's core dashboard, calendar rosters, and turf mapping features with absolute minimal permissions. Scopes for email features are authorized on-demand only if and when you decide to connect Gmail:
-
Gmail Compose Permission (Strictly Composing & Sending): Requests strictly the secure
gmail.composepermission, allowing the app to compile, draft, and send weekly shift announcements and background scheduled dispatches. - Zero Inbox Read Access: The Application possesses absolutely zero authority or capability to read your inbox settings, access your personal threads, or search/view any other emails in your account.
Strict Programmatic Isolation: The Application programmatically isolates all Gmail interactions strictly to the specific unsent drafts it created itself. The codebase possesses absolutely zero authority or functionality to search your inbox, read your personal emails, access external threads, modify messages, or permanently delete any personal email. Instant Revocability: You can disconnect or revoke these credentials at any time inside the Settings panel in a single click, which instantly purges all OAuth tokens and background triggers from your GSuite properties.
π€ AI Data Protection & PII Exclusions
When utilizing Generative AI (such as Google Gemini) to draft shift announcements, the Application strictly enforces a zero-PII transmission policy:
- Strict Exclusions: Canvasser email addresses, telephone numbers, availability ranges, and roster notes are never sent to AI services.
- Minimal Context: Prompt payloads contain only shift times, location names, and scheduled canvasser names purely to compile shift attendance tables.
- No AI Training: Data processed via secure API keys is processed in private sandboxes and is never used by AI providers to train public models.
3. How We Use Your Information
We process information exclusively to facilitate campaign canvassing operations, specifically to:
- Coordinate Weekly Shifts: Group canvassers and list assignments into structured shifts.
- Optimize Proximity Sorters: Calculate Haversine distances between turf lists and meeting locations to assign the most optimal meeting place for each shift.
- Generate Calendar Invites: Construct Google Calendar templates containing shift details and coordinate location links.
- Draft Announcements & Reminders: Compile weekly schedule summaries and isolate inactive volunteers (Nags) to draft reminder emails.
- Compose AI Drafts: Process coordinator prompt templates through configured Generative AI engines (such as Google Gemini) using your campaign's private API keys.
4. Data Storage and Security
We prioritize data sovereignty and security. The Application does not use external databases or third-party servers for data storage:
- Google Workspace Ecosystem: All canvasser, turf, and shift data is stored **exclusively** inside your campaign's private Google Spreadsheet.
- Access Permissions: Access to the spreadsheet and web app portal is controlled strictly through Google Drive's native sharing permissions.
-
API Keys Security: Your generative AI API keys (Gemini, OpenAI, Anthropic) are stored
securely inside your personal Google Account **User Properties**
(`PropertiesService.getUserProperties()`). They are never exposed in client-side code, committed to public
version control, or shared with other spreadsheet editors or coordinators. In the UI settings console,
these keys are masked (e.g.,
GEMI...43a2) to prevent shoulder-surfing.
5. Third-Party Services
The Application integrates with the following third-party services to enable essential geographic and visual features:
- Google Maps & OpenStreetMap (Leaflet): Displays interactive maps of canvassing lists and meeting places.
- Google Geocoding API: Translates addresses entered in forms into raw decimal coordinates.
- Open-Meteo API: Queries shift-precise hourly weather forecast temperature ranges client-side in your browser without recording coordinates history.
- Generative AI Providers (Gemini, OpenAI, Anthropic): securely relays coordinator prompt templates via HTTPS requests using your campaign's private API keys.
- Google Mail & Gmail Service: Uses Google's native MailApp/GmailApp to send announcements immediately, and leverages GmailApp Drafts to queue and manage scheduled releases under your campaign's private User Properties.
6. Data Retention and Rights
Because all data is stored inside your campaign's spreadsheet, coordinators retain complete control over data retention and volunteer rights. Volunteers can contact their campaign coordinator to request contact updates, unavailability log changes, or complete canvasser roster removal. Campaign administrators can revoke script web app deployments at any time to cease all data processing.
7. Contact Information
If you have any questions about this Privacy Policy or your campaign's data processing practices, please contact your campaign coordinator or script administrator directly.