Privacy Policy
Last updated: May 15, 2026
Overview
Headwater is a legislative intelligence platform for policy professionals tracking Washington State legislation. This policy describes what information we collect, how we use it, and your rights regarding that information. Headwater is operated by Rivermark LLC, a Washington State company.
We keep data collection minimal and use your information only to provide and improve the service. We do not sell personal data, run advertising, or share information with third parties except as described in this policy.
Information we collect
We collect the following categories of information:
- Account information — your name (if provided), email address, and hashed password, managed through Supabase Auth. We do not store plaintext passwords.
- Organization profile — your organization name, type, service territory, focus areas, priorities, and personnel you enter into the platform. This information is used to personalize your legislative tracking experience.
- Usage data — which bills you star or follow, filter preferences, saved provisos, campaign contacts, redline annotations, stakeholder tags, and engagement campaign activity. This is necessary to deliver the core service.
- Cloud document credentials — if you connect a Microsoft 365 or Google Drive account to enable document collaboration features, we store OAuth tokens in encrypted form. These tokens are used solely to create and sync folders in your organization's cloud storage on your behalf. We do not read, index, or store the contents of files in your cloud storage. You may revoke access at any time from your account settings or from your Microsoft or Google account permissions dashboard.
- Payment information — billing details are collected and processed directly by Stripe. Headwater does not store payment card numbers or full billing details.
- Session data — authentication tokens stored in cookies to keep you signed in.
- Log data — server-side request logs (IP address, timestamp, route accessed) retained for 90 days for security monitoring and debugging (see Data retention below).
The platform is intended for use by professionals 18 years of age and older. We do not knowingly collect data from minors.
How we use your information
- To authenticate your account and maintain your session
- To personalize your dashboard — showing starred bills, relevance scoring, saved provisos, and your client-specific configuration
- To generate AI-powered summaries and engagement drafts using your organization profile, priorities, and concerns as context
- To send digest emails or alerts you have opted into (via SendGrid/Twilio)
- To process subscription payments and manage billing (via Stripe)
- To improve the platform — understanding which features are used helps us prioritize development
We do not use your data to train AI models. Bill text, together with the organization profile and context used to generate drafts, is submitted to third-party AI providers and is subject to their respective API data policies (see Third-Party Services below).
Third-party services
Headwater relies on the following subprocessors, each of which publishes its own privacy and security practices:
- Supabase — authentication and database hosting. User credentials and application data are stored on Supabase-managed PostgreSQL infrastructure.
- Stripe — payment processing and subscription management. Payment card data is collected and stored directly by Stripe; Headwater receives only a tokenized customer reference. Stripe is PCI DSS Level 1 certified.
- OpenAI — bill text is submitted to OpenAI APIs to generate AI summaries and extract budget information. By default, data sent to the OpenAI API is not used to train OpenAI models.
- Anthropic — your organization profile and bill context are submitted to Anthropic Claude APIs to generate engagement drafts (testimony, emails, letters). Data sent to the Anthropic API is not used to train Anthropic models.
- Vercel — frontend hosting and edge delivery.
- SendGrid / Twilio — transactional email delivery for digest emails, report delivery, and account notifications.
- Microsoft (Azure / Microsoft 365) — if you connect a Microsoft 365 account for cloud document collaboration, OAuth authentication is handled by Microsoft identity services. Headwater stores an encrypted refresh token and performs only the folder operations you initiate; it does not read or store file contents.
- Google (Google Drive) — if you connect a Google account for cloud document collaboration, OAuth authentication is handled by Google. Headwater stores an encrypted refresh token scoped to Drive folder operations only; it does not read or store file contents.
- GitHub — CI/CD pipelines and automated data harvesting workflows run on GitHub Actions. No user personal data is processed in GitHub workflows.
Stakeholder and engagement data
The platform's engagement features surface organizations and individuals who have appeared before Washington State legislative committees based on publicly available sign-in records published by the Washington State Legislature. This data — including organization names, individual names, and their recorded positions on legislation — is drawn entirely from public government records and is not private information.
Tags, notes, contact information, and relationship context you apply to stakeholders within the platform are your own data and are treated with the same confidentiality as other client-specific content. This information is never shared with other clients or third parties.
If you connect a cloud document provider (Microsoft or Google), the OAuth tokens are encrypted with AES-256 before they are written to storage and remain encrypted at rest.
Public entity clients
Headwater serves public entities including government agencies, utilities, and tribal governments. We understand these organizations operate under heightened data protection requirements. Client-specific data — including organization profile, priorities, contacts, campaigns, and redline annotations — is never shared with any other client or third party. Each client's data is isolated at the database level using row-level security.
Legislative data surfaced in the platform (bill text, committee records, vote data, sign-in sheets) is sourced from publicly available Washington State government records. It is public-record information and is not covered by the client-data protections described above.
If your organization requires a Data Processing Agreement (DPA), please contact us at the address below.
Data retention
We retain your account and organization data for as long as your subscription is active. Upon account deletion or subscription cancellation, we will remove your personal information within 30 days. You may request deletion at any time by contacting us.
Legislative data (bill text, committee records, vote data, etc.) is sourced from public government records and is not client data. It is retained indefinitely as part of the platform's historical archive.
Server-side request logs are retained for 90 days and then automatically deleted.
Your rights
Depending on your location, you may have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you
- Correction — request that inaccurate data be corrected
- Deletion — request that your account and associated personal data be deleted
- Portability — request your data in a structured, machine-readable format
- Objection — object to certain processing activities
To exercise any of these rights, contact us at the address below. We will respond within 30 days.
Cookies
We use cookies solely for authentication (session tokens). We do not use advertising cookies or third-party tracking cookies. You can clear cookies at any time through your browser settings, which will sign you out of the platform.
Security
All data is encrypted in transit (TLS 1.2+) and at rest. Access to production systems is restricted to authorized personnel. Supabase row-level security policies ensure each client can access only their own data. Payment data is handled exclusively by Stripe under PCI DSS Level 1 certification.
If you believe you have discovered a security vulnerability, please report it privately to the contact address below before any public disclosure.
Changes to this policy
We may update this policy as the platform evolves. Material changes will be communicated to active users via email at least 14 days before taking effect. Continued use of the platform after a policy update constitutes acceptance of the revised policy.
Contact
Questions about this policy, data requests, or DPA inquiries can be directed to:
Rivermark LLC
privacy@headwater.app