Canv.us ("the Application") is a standalone, campaign-focused canvassing management web application. It operates using Svelte on the client side, an Express.js API server deployed on Google Cloud Run, and Google Cloud Firestore as its primary secure database.
We are committed to protecting the privacy and security of all campaign coordinators, administrators, and volunteer canvassers. This Privacy Policy describes how we collect, use, store, and secure information processed by the Application.
Canv.us's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
1. Scope of the Application
Canv.us is designed for internal campaign coordination. It is deployed as a standalone web application utilizing Firebase Authentication to secure logins. By using the Application, campaign coordinators consent to the collection, processing, and cryptographic storage of data in accordance with this Privacy Policy.
2. Information We Collect and Process
To coordinate shifts, track turf lists progress, and draft weekly notifications, the Application processes the following categories of information:
π€ Canvasser & Volunteer Details
- Roster Details: First name, last name, email address, and telephone number.
- Scheduling & Outreach Data: Logged unavailable dates, shift assignments, and automated lastContactedAt timestamps updated when outreach emails are successfully sent.
- Roster Notes: Optional notes recorded by coordinators regarding canvasser preferences or Spanish fluency.
πΊοΈ Geographic & Campaign Data
- Canvassing Lists (Turfs): Turf titles, door counts, and decimal coordinate centroids (latitude and longitude).
- Meeting Places: Location names, decimal coordinates, and generated navigation links.
- Shifts & Rosters: Shift dates, times, durations, assigned lead canvassers, and attending canvasser rosters.
π User Session, Auth & Presence Data
When signing in via Google, Firebase Authentication reads your email address, profile display name, and profile picture URL. This data is used solely to verify campaign authorization, assign appropriate role access (Coordinators vs. Administrators), and display your user profile in the application header.
Activity Presence Tracking: While actively using the Application, we track a lastSeen timestamp to display active coordinator presence on the campaign staff settings panel. This heartbeat is throttled client-side to write once every 5 minutes and is updated as long as the browser tab remains active.
π User Geolocation Data (On-Demand)
When viewing maps (such as turfs or meeting places), the Application optionally requests browser-level Geolocation permissions. If granted:
- Real-Time Map Markers: Your current location is displayed as a blue dot helper marker directly on the Leaflet map to help you navigate relative to turfs or meeting spots.
- Search Biasing (Viewport Bias): Your coordinates are used as a viewport hint when performing geocoding searches (address resolution) to prioritize local results and save typing time.
- Background Tracking: The Application possesses absolutely zero capability to track your location in the background. Geolocation is processed entirely client-side and is never written to the database or tracked historically.
π§ Gmail & Calendar Connected Services
Optional Connected Services: Connecting your Gmail or Google Calendar accounts is completely optional. Google OAuth permissions are requested on-demand:
-
Gmail Compose Scope (Strictly Composing & Sending): Requests only the secure
gmail.composepermission, allowing the app to compile and send weekly shift announcements and volunteer reminders. The Application possesses absolutely zero capability to read your inbox messages or search any other email in your account. - Google Calendar Scope (Event Management): Requests permissions to create, update, or delete canvassing events and shift schedules directly on your campaign's dedicated calendars.
- Tokens Encryption: Once exchanged, Google API access and refresh tokens for both Gmail and Calendar are immediately encrypted on the server using AES-256-GCM. They are stored inside the database under private subcollections that are completely blocked from client-side read/write requests.
π€ AI Data Protection & PII Exclusions
When using configured Generative AI services (such as Google Gemini, OpenAI, or Anthropic) to draft email announcements, the Application limits data transmission to prevent sharing sensitive personal identifiers:
- Strict Exclusions: Canvasser email addresses, telephone numbers, and notes are never shared with AI APIs.
- Minimal Context: Prompt payloads contain only generic shift times, location names, and scheduled canvasser names purely to compile attendance tables.
- AI Provider Policies: Prompt payloads are sent directly to your configured generative AI provider APIs. Data usage, logging, and model training exemptions are governed by your configured provider accounts' API usage agreements (e.g., Google Gemini, OpenAI, or Anthropic API Terms of Service).
3. How We Use Your Information
We process information exclusively to facilitate campaign canvassing operations, specifically to:
- Coordinate Weekly Shifts: Group canvassers and list assignments into structured shifts.
- Optimize Proximity Sorters: Calculate Haversine distances between turf lists and meeting locations to assign the closest meeting place.
- Generate Calendar Invites: Construct Google Calendar templates containing shift details and navigation links.
- Draft Announcements & Reminders: Compile weekly schedule summaries and isolate inactive volunteers to draft reminder emails.
- Compose AI Drafts: Process coordinator prompt templates through generative AI engines (Gemini/ChatGPT) using your campaign's private API keys.
4. Data Storage and Security
We prioritize data sovereignty and security:
- Google Cloud Infrastructure: All volunteer lists, turf boundaries, and events details are stored securely inside Google Cloud Firestore database instances.
- Access Permissions: Access to campaign data in the database is restricted to authenticated coordinators belonging to the campaign and authorized system administrators (for maintenance, diagnostics, and support).
-
API Keys & Tokens Encryption: Sensitive secrets, including generative AI API keys and
Google OAuth tokens, are encrypted with AES-256-GCM before being written to Firestore.
They are stored inside private subcollections (e.g.,
/private/secrets) which are blocked from client-side access, making them restricted to server-side backend operations only.
5. Third-Party Services
The Application integrates with the following third-party services to enable essential geographic and visual features:
- Google Maps & OpenStreetMap (Leaflet): Displays interactive maps of canvassing lists and meeting places.
- Google Geocoding API: Translates addresses entered in forms into decimal coordinates.
- Open-Meteo API: Queries shift-precise hourly weather forecast temperature ranges client-side in your browser without storing coordinate history.
- Generative AI Providers (Gemini, OpenAI, Anthropic): securely relays coordinator prompts using your campaign's encrypted API keys.
- Google Calendar & Mail APIs: Connects to Google Calendar to push events sync schedules, and interfaces with the Gmail REST API to compose and send drafts.
6. Data Retention and Rights
Coordinators and Administrators retain complete control over data retention. Campaign coordinators can add, edit, or delete any canvasser roster details, unavailability ranges, or campaign settings directly in the user interface. Administrators can purge campaign collections or delete user credentials from the Firebase console to permanently erase all associated data.
7. Contact Information
If you have any questions about this Privacy Policy or your campaign's data processing practices, please contact your campaign coordinator or system administrator directly.