CivilianCIVILIAN

Security & Trust

Last updated: July 8, 2026

Civilian is a civic app, not a bank — but we know political-adjacent products attract scrutiny, and users deserve a plain answer instead of “we take security seriously.” This page is what we actually do. For the full data-inventory legal text, see the Privacy Policy.

What we collect

During onboarding we ask (all optional except email + state):

  • Email — required, for sign-in and account recovery
  • State + congressional district — required, determines which reps, races, and legislation appear in your feed
  • ZIP code — optional, for ballot lookup and local coverage
  • Housing cost bracket — optional, surfaces housing / rent policy relevance
  • Household income bracket — optional, surfaces tax / benefits / wage policy relevance to your specific bracket
  • Number of dependents — optional, surfaces childcare / education / family policy relevance
  • Occupation — optional, surfaces labor policy relevance
  • Civic interests — the broad topics you care about (climate, healthcare, criminal justice, etc.)
  • Optional “About me” free text — anything you volunteer that helps personalize your feed
  • In-app activity — what you read, thumbs up/down, briefings consumed

Why so many fields? The core promise of Civilian is telling you why a specific bill or race affects your life, not a generic voter’s. That personalization needs data. Without your income bracket we can’t tell you a proposed tax rate change affects you. Without your dependents we can’t flag a childcare vote as relevant.

What “optional” actually means. Only email and state are required. You can leave every other field blank at onboarding and the app still works — you’ll just get less specific personalization. You can also change or clear any field later from Account → the relevant section.

What we don't collect

  • Your password — sign-in uses Apple, Google, or email magic link. We never see a password.
  • Your credit card — Apple’s App Store handles billing directly on mobile; Stripe handles it on web. We’re never in the payment path.
  • Your precise location — no GPS. Location is the state / district / ZIP you told us.
  • Your contacts, camera, or microphone
  • How you actually voted — marking “I voted” is a local flag; the content of your vote is never stored or requested.
  • Your party affiliation — we deliberately don’t ask.
  • Your children’s information — we ask if you have dependents, not who they are.

What protects your data

  • HTTPS with TLS 1.2+ on every connection.
  • Password-less auth via Sign in with Apple, Sign in with Google, or email magic link — no passwords for us to lose.
  • Payment handled entirely by Apple’s App Store (mobile) or Stripe (web) — we’re never in the credit-card path.
  • Data encrypted in transit; database encrypted at rest by our infrastructure provider (Railway PostgreSQL).
  • Auth tokens stored in platform-native secure storage (iOS Keychain / Android Keystore).
  • Full account deletion works in-app. Settings → Delete Account. When you tap it, we actually purge everything — profile fields, reading history, notification tokens, push tokens, analytics events, briefing history. Not soft-delete, not deactivate. Real deletion, cascaded across our databases.
  • We don’t sell or share data with advertisers. Civilian is subscription-funded, not ad-funded.

What the “About me” field does

The optional “About me” free-text field is included in the prompt when we generate your personalized daily briefing. It goes to our AI provider (Anthropic’s Claude API) alongside the current news to ground the briefing in your specific situation.

Good uses: “I’m a small-business owner in a rural area,” “I care about veterans’ issues because my father served,” “I’m a caregiver for aging parents.”

Do not paste: passwords, credit-card numbers, Social Security numbers, medical record numbers, or anything else you wouldn’t want an AI model to process for context. If you skip this field, the app still works normally.

What worst-case actually looks like

Honest scenario: if someone gained unauthorized access to our servers and got everything, they would have your email, the profile fields you filled in (potentially including your income bracket, dependents, occupation, and location), and your reading history. That is meaningful, and we don’t want to minimize it.

They would not get:

  • Your password (we don’t have one)
  • Your credit card (Apple / Stripe handle billing, we never see it)
  • Your precise location or GPS trail
  • Your contacts, photos, or messages
  • The actual content of your vote in any election
  • Your party affiliation (we deliberately don’t ask)

Our best defense against “worst case” is data minimization: we designed the app so we can’t leak what we don’t collect. Skipping a field you’re unsure about is always a valid choice.

What we don't have (yet)

Trust is earned, and we’d rather tell you what we’re working toward than pretend we have it:

  • Independent security audit — planned as we grow.
  • Bug bounty program — planned. In the meantime, good-faith reports go to the email below.
  • SOC 2 Type II — once team size warrants it.

What happens if something goes wrong

If we discover unauthorized access to user data, we will notify affected users within 72 hours via email, describe what data was exposed, and explain what steps we’re taking. Where legally required, we will also notify the appropriate regulatory authorities.

Report a vulnerability

If you’ve found a security issue, email privacy@civilianos.com with as much detail as you can share (steps to reproduce, screenshots, expected vs. actual behavior). We commit to acknowledging your report within 48 hours and responding substantively within 7 days. We do not take legal action against good-faith security research.

Changes

Material updates to this page are announced via email or in-app notification. The “Last updated” date at the top always reflects the current version.