Privacy Policy
Effective Date: February 16, 2026
1. Introduction
RateGov Insights LLC, doing business as PoliStack (“PoliStack,” “we,” “us,” or “our”), operates polistack.com and its associated services, including the MCP Servers (Governance Intel and Political Finance) (collectively, the “Service”). This Privacy Policy describes what personal information we collect, how we use it, with whom we share it, and what choices you have regarding your data.
Your use of the Service is also subject to our Terms of Service and Acceptable Use Policy.
2. Information We Collect
2a. Account Information
When you create an account, we collect the information provided through our authentication provider, WorkOS AuthKit. This includes:
- Name and email address
- Authentication provider metadata (e.g., whether you signed in via Google, GitHub, or email/password)
- WorkOS user identifier (used internally to associate your account with your usage data)
2a-ii. Team Membership Data
If you are added to or create a team (firm), we collect and store:
- Team name and membership role (Owner or Member)
- The email address and name of team members (visible to all active members of the same team)
- Invitation metadata (who invited a member and when they joined or were removed)
2b. Usage Data
We collect data about how you interact with the Service, including:
- MCP server usage counters (number of queries per server, per billing period), tracked at both the individual and team (firm) level for teams with shared query pools
- Feature interaction data (pages visited, features used)
2c. Payment Information
Payment processing is handled by Stripe, our third-party payment processor. PoliStack does not directly store credit card numbers, bank account details, or other sensitive financial information. We retain:
- Subscription tier and billing status
- Payment history metadata (dates, amounts, invoice IDs)
- Stripe customer identifier
2d. Technical Data
We automatically collect certain technical information when you access the Service:
- IP address
- Browser type and version
- Device type and operating system
- Referral source
- Pages visited and time spent
When a user connects to an MCP server, we also collect Dynamic Client Registration (DCR) metadata associated with the connection.
2e. Political Data Disclaimer
PoliStack displays public political information about elected officials, candidates, organizations, and committees. This data is sourced from public records.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service, including authenticating users, managing sessions, and administering team memberships
- Enforce rate limits and subscription tiers (including shared team query pools) to ensure fair access
- Process payments and manage subscriptions via Stripe
- Improve AI response quality and Service functionality using anonymized and aggregated query data
- Monitor for abuse, fraud, and violations of the Acceptable Use Policy
- Communicate with you about service updates, billing notices, and security alerts
- Respond to support requests and inquiries
- Comply with legal obligations
4. Information Sharing
We do not sell, rent, or trade your personal information to third parties.
We share information only in the following limited circumstances:
- Service Providers: We use third-party services to operate the Service. These providers process data on our behalf and are contractually obligated to protect your information. Our service providers include:
  - WorkOS — authentication and identity management
  - Stripe — payment processing
  - Convex — database hosting and serverless functions
  - Vercel — web application hosting
  - Anthropic — AI model provider (query text is sent to AI models for processing)
  - OpenAI — AI model provider
  - Google Gemini — AI model provider
- Team Members: If you are part of a team (firm), your name and email address are visible to other active members of the same team, including the team Owner. The team Owner can also see aggregate shared query usage for the team. Team members cannot see each other’s individual query content or history.
- Government Data Sources: Our queries to public APIs (Congress.gov, FRED, FEC) do not transmit your personal information. These are data retrieval requests that contain only the political data query parameters, not user identifiers.
- Legal Requirements: We may disclose your information if required to do so by law, court order, subpoena, or government request, or if we believe disclosure is necessary to protect the rights, property, or safety of PoliStack, our users, or the public.
- Business Transfers: In the event of a merger, acquisition, reorganization, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.
5. Data Retention
- Account data: Retained while your account is active. Upon account deletion request, we will delete your account data within 30 days, except where retention is required by law.
- Query logs: Retained for service improvement and abuse prevention. Query logs are anonymized after 12 months by removing personally identifiable information.
- Usage counters: Retained for billing, rate limiting, and historical reporting purposes.
- Payment records: Retained as required by financial regulations, typically for 7 years.
- Click tracking data: Retained in aggregated form for analytics. Individual click records are anonymized after 12 months.
- Team membership data: Active membership records are retained while the team exists. When a member is removed or leaves, the membership record is marked as inactive and retained for audit and billing reconciliation purposes.
6. Data Security
We implement reasonable administrative, technical, and physical safeguards to protect your personal information, including:
- Encryption in transit via HTTPS/TLS for all communications
- Content Security Policy (CSP) headers to prevent cross-site scripting and injection attacks
- Strict Transport Security (HSTS) enforced for all connections
- Access controls and authentication for all internal systems and databases
- Read-only database access for public-facing query tools
- Regular dependency audits for known vulnerabilities
No method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee its absolute security.
7. Cookies and Tracking Technologies
We use cookies and similar technologies for the following purposes:
- Essential cookies: Required for authentication, session management, and security. These cannot be disabled without affecting Service functionality.
We do not use third-party advertising cookies or tracking pixels. We do not participate in ad networks or cross-site behavioral advertising.
You can control cookies through your browser settings. Note that disabling essential cookies may prevent you from using authenticated features of the Service.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete personal data.
- Deletion: Request deletion of your account and associated personal data.
- Portability: Request your data in a structured, machine-readable format.
- Opt-out: Unsubscribe from non-essential communications at any time.
California Residents (CCPA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, and disclose
- Request deletion of your personal information
- Opt out of the sale of personal information
- Non-discrimination for exercising your privacy rights
We do not sell personal information as defined under the CCPA.
European Economic Area Residents (GDPR)
If you are located in the European Economic Area, you have additional rights under the General Data Protection Regulation, including the right to restrict processing, object to processing, and lodge a complaint with a supervisory authority. Our legal basis for processing your data includes: performance of a contract (providing the Service), legitimate interests (improving the Service, preventing fraud), and consent (where applicable).
To exercise any of these rights, contact us at support@polistack.com. We will respond to your request within 30 days.
9. Children’s Privacy
The Service is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us at support@polistack.com.
10. International Data Transfers
PoliStack is based in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.
By using the Service, you consent to the transfer of your information to the United States. We take appropriate measures to ensure that your personal information is protected in accordance with this Privacy Policy regardless of where it is processed.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements. If we make material changes, we will notify you by email (if you have an account) or by posting a prominent notice on the Service.
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. The “Effective Date” at the top of this page reflects the date of the most recent revision.
12. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us:
- Email: support@polistack.com
- Website: polistack.com/contact