Privacy Policy

This policy applies to information we process about visitors to our website and users of the Service. It does not apply to the practices of third parties we do not control, including the public data sources we draw from or sites we link to.

Account information. When you create an account we collect your name, email address, the water system or organization you represent, and your role. We use a third-party authentication provider to manage sign-in.

Customer Data you submit. To prepare a CCR you provide information about your water system, such as its public water system (PWS) identifier, wells and sources, sampling results, and uploaded laboratory data. Much of this is public record; some may be entered before publication.

Payment information. When you purchase a report, our payment processor collects your payment-card and billing details. We receive confirmation of payment and limited details (such as the last four digits and card brand) but do not store full card numbers.

Usage and device information. Like most online services, we automatically collect technical information such as IP address, browser and device type, pages viewed, and timestamps, through standard logs and cookies.

Information from public sources. We incorporate water-system and water-quality data from public sources such as the California State Water Resources Control Board and federal databases to pre-fill and validate report values.

• provide, operate, and improve the Service and generate reports;
• authenticate users, process payments, and maintain account security;
• respond to your requests and provide customer and technical support;
• monitor, secure, and troubleshoot the Service, and prevent fraud or abuse;
• comply with legal obligations and enforce our Terms of Service;
• create de-identified and aggregated data to analyze and improve our products. This data does not identify you or any individual.

We share information only as described here:

• Service providers. With vendors who host, secure, and support the Service, process payments, or provide authentication, as listed in Section 5. They may use the information only to provide services to us.
• At your direction. When you choose to export, share, or submit a report.
• Legal and safety. When required by law or legal process, or to protect the rights, property, or safety of RCSCA, our users, or the public.
• Business transfers. In connection with a merger, acquisition, financing, or sale of assets, subject to this policy.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising.

We rely on a small set of trusted infrastructure providers to run the Service:

• Hosting & delivery — [Vercel] hosts the web application.
• Database & authentication — [Supabase] stores account and report data and manages sign-in.
• Payments — [your payment processor, e.g. Stripe] processes purchases.

We will keep this list current as our providers change. Enterprise and government customers may request a Data Processing Addendum and an up-to-date subprocessor list.

We retain account and report data for as long as your account is active and as needed to provide the Service, and afterward as required to comply with legal, tax, and recordkeeping obligations, resolve disputes, and enforce our agreements. You may request deletion as described in Section 8.

We use administrative, technical, and organizational safeguards designed to protect information, including encryption in transit, access controls, and reputable hosting providers. No method of transmission or storage is completely secure, however, and we cannot guarantee absolute security.

The California Consumer Privacy Act, as amended (CCPA/CPRA), gives California residents rights over their personal information. In the twelve months before this policy’s date, we collect the following categories of personal information: identifiers (name, email, IP address); commercial information (purchases); internet/network activity (usage and log data); and professional information (your role and employer). We collect it for the business purposes in Section 3 and share it only with the service providers in Section 5. We do not collect this information to sell or share it for advertising.

Subject to verification and legal limits, you may request to:

• Know the personal information we have collected about you and how we use and disclose it;
• Correct inaccurate personal information;
• Delete personal information we hold about you;
• Opt out of sale or sharing — though, as noted, we do not sell or share personal information.

You may exercise these rights by emailing hello@rcsca.org. We will not discriminate against you for exercising your rights. You may use an authorized agent to submit a request on your behalf.

We use cookies and similar technologies that are necessary to operate the Service (for example, to keep you signed in) and, where applicable, to understand usage so we can improve it. You can control cookies through your browser settings; disabling necessary cookies may break parts of the Service. We do not use cookies for third-party advertising.

The Service is intended for businesses and public agencies and is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.

We process and store information in the United States. If you access the Service from outside the United States, you understand your information will be processed there, where data-protection laws may differ from those in your location.

We may update this policy from time to time. When we do, we will revise the “Last updated” date above and, for material changes, provide additional notice where appropriate. Your continued use of the Service after the changes take effect constitutes acceptance.

Questions or requests about this policy or your information? Contact us at hello@rcsca.org or [RCSCA mailing address].