Privacy Policy

1. Who We Are and Scope

This Privacy Policy describes how OpenCityUSA LLC and its state-branded platforms (OpenCityRecord.org, OpenUtah.org, and the full family of [State]Record.org websites, together with all city subdomains) collect, use, disclose, and safeguard personal information when you visit our websites, use our search, watch meeting videos, subscribe to alerts, or otherwise interact with the service.

Data Controller: OpenCityUSA LLC, a civic intelligence and transparency company. Each state platform (e.g., OpenUtah.org for Utah, CaliforniaRecord.org for California, etc.) is operated by OpenCityUSA LLC under the respective state brand.

This policy applies to all visitors to our websites regardless of the state or city subdomain you access.

2. Information We Collect

We collect the following categories of personal information:

• Identifiers: IP address, browser/device identifiers, the _oc_uid cookie used for email campaign attribution, and any email address or name you voluntarily provide when subscribing.
• Internet or other electronic network activity: pages viewed, search queries (including transcript searches), video plays/progress, clicks, time spent, referring URLs, and interaction events sent to Google Tag Manager / analytics.
• Geolocation: inferred city/state from the subdomain or URL you visit (we do not collect precise GPS unless you explicitly grant it).
• Commercial information / preferences: topics and cities you select when subscribing to email updates.
• Other: performance and usage data collected via OpenTelemetry (page load timings, API calls to Supabase/Meilisearch, web vitals, click interactions).

We do not knowingly collect sensitive personal information (as defined by CCPA/CPRA) from end users for the purpose of the public website experience.

3. How We Use Your Information

We use personal information for the following business purposes:

• Provide and maintain the core service (searchable meeting transcripts, video playback, alerts).
• Analyze usage to improve the product, fix bugs, and prioritize features (analytics consent required).
• Send email updates and campaign measurement (marketing consent required; we use hashed subscriber IDs).
• Detect and prevent fraud, spam, and abuse.
• Comply with legal obligations and respond to verifiable consumer requests.
• Support performance monitoring and observability via self-hosted OpenTelemetry.

4. Cookies, Tracking Technologies & Your Choices

We use first-party cookies and similar technologies. When you first visit, you see a consent banner with three categories:

• Essential — always active (site functionality, consent storage, basic security).
• Analytics — helps us understand how people use the site (page views, searches, video engagement). Powered by Google Tag Manager (server-side optional) with Consent Mode v2.
• Marketing — used for targeted advertising / campaign measurement and ad personalization (ad_storage, ad_user_data, ad_personalization signals).

You can change your choices at any time via the “Manage Preferences” button in the banner or by visiting the footer links. Changing preferences may require a page reload for Google Tag Manager to apply the new consent signals.

We also set a first-party _oc_uid cookie (400-day max age) when you click through from our email campaigns so we can measure engagement. You can clear cookies in your browser at any time.

5. Third Parties, Sharing, “Sale,” and “Share”

We work with the following categories of service providers / subprocessors (full names and DPA links will be listed once you supply the exact list):

• Google LLC (YouTube video embeds, Google Tag Manager / GA4, web fonts)
• Supabase (database & auth infrastructure)
• Meilisearch (search index)
• Vercel (hosting, edge functions, deployment)
• Listmonk (email subscription & campaign platform — self-hosted or hosted instance)
• Self-hosted OpenTelemetry / SigNoz (performance traces and web vitals sent to metrics.opencity.dev or your configured collector)
• Altcha (captcha for subscribe forms)
• Other infrastructure providers as needed

“Sale” and “Share” under California Law (and analogous concepts elsewhere)

We do not sell personal information for monetary consideration. However, when you grant the Marketing consent category, certain data (identifiers, browsing activity, and interaction events) may be processed by Google and our advertising/analytics partners in ways that qualify as “sharing” for cross-context behavioral advertising or “sale” under the CCPA/CPRA and similar state laws. You can opt out of this processing at any time via the Do Not Sell or Share My Personal Information page or by disabling the Marketing toggle in the cookie preferences banner.

6. Your Privacy Rights

California Residents (CCPA / CPRA)

You have the right to:

• Know what personal information we have collected about you
• Delete personal information (subject to legal exceptions)
• Correct inaccurate personal information
• Opt-out of the sale or sharing of your personal information
• Limit use and disclosure of sensitive personal information (we do not use your sensitive PI for the purposes covered by this right)
• Non-discrimination for exercising your rights
• Appeal a decision we make regarding your request

Residents of Other U.S. States with Comprehensive Privacy Laws

Residents of Virginia, Colorado, Connecticut, Utah, Oregon, Texas, and the growing list of other states that have enacted comprehensive consumer privacy laws (including but not limited to Iowa, Indiana, Kentucky, Maryland, Minnesota, Missouri, Montana, Nebraska, New Hampshire, New Jersey, Oklahoma, Rhode Island, and others) have rights that are substantially similar, including the right to:

• Access / know the personal information we hold
• Delete personal information
• Opt-out of targeted advertising, sale, or certain profiling
• Correct inaccurate data
• Appeal decisions

Exact rights and definitions vary slightly by state. We honor all valid requests to the extent required by applicable law.

How to Exercise Your Rights

TODO — USER TO PROVIDE: Please give the exact email address (e.g. privacy@opencity.dev) and any required format for verifiable requests. We provide a secure web form at the bottom of this page (and on our “Do Not Sell or Share” page). All submissions are protected by Altcha proof-of-work and immediately generate an email notification to our privacy team in addition to being recorded in our audit log.

To make a request, email us from the address associated with your interactions and include “Privacy Request” in the subject line along with the state in which you reside and the specific right(s) you wish to exercise. We will verify your identity and respond within the timeframes required by law (usually 45 days, extendable once).

7. Do Not Sell or Share My Personal Information

California law (and several other states) requires us to provide a clear and conspicuous link titled “Do Not Sell or Share My Personal Information.” You can exercise this right on the dedicated page:

Do Not Sell or Share My Personal Information

We honor the Global Privacy Control (GPC) browser signal as a valid request to opt out of sale / targeted advertising where technically feasible. You can also simply disable the Marketing toggle in our cookie preferences banner.

8. Data Retention, Security, Children, and Other Topics

Retention — We retain personal information only as long as necessary for the purposes described in this policy and in accordance with the most restrictive applicable laws (including CCPA/CPRA deletion timelines and record-keeping requirements in other states). Typical periods include: consent and attribution cookies (up to 400 days), analytics data (Google default retention or up to 14 months unless you request deletion earlier), email subscriber records (until you unsubscribe plus a short grace period for compliance), and performance traces (retained according to our monitoring system’s configured retention, generally not exceeding 90–180 days unless needed for security investigations). We delete or anonymize data upon verified deletion requests within the timeframes required by law.

Security — We use reasonable administrative, technical, and physical safeguards. No method of transmission or storage is 100% secure.

Children’s Privacy — Our sites are not directed to children under 13 (or the applicable age in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have, please contact us immediately.

International Users — If you are located outside the United States, please note that we process information in the United States. By using the service you consent to the transfer of information to the U.S.

Changes to This Policy — We may update this policy from time to time. The “Last Updated” date at the top will change. Material changes will be announced on the site or via email where appropriate.

9. Contact Us

For privacy questions, data subject requests, or to exercise any of the rights described in this policy:

Email: privacy@opencityrecord.org
Phone: 855-677-9665
Mailing Address:
OpenCityUSA LLC
30 N Gould St Suite R
Sheridan, Wyoming 82801

You may also submit requests using the secure web form at the bottom of this page (recommended). Every submission is logged and triggers an immediate notification to the privacy team.

This policy was drafted to be compliant with the California Consumer Privacy Act (CCPA/CPRA) and the comprehensive privacy statutes of the other U.S. states that have enacted them as of the date above. It is not legal advice. Please have qualified counsel review the final version before publication.