Privacy Policy

1. Information We Collect

1.1 Information You Provide

When you create an account or use the App, you may provide us with the following information:

• Account Information: Your email address, first name, last name, optional zip code, display theme preference (light or dark), and the subscription tier associated with your account.
• Password: Your account password, which is securely managed through our authentication provider (Supabase Auth) and is never stored in plaintext.
• City Preferences: The U.S. cities you select for construction zone tracking, your active city designation, and your notification preferences for each city (frequency, alert types, instant-alert toggle).
• Watchlists: Saved ZIP codes and saved road names you choose to track, including optional human-readable labels (such as “Home” or “Commute”) and a per-watchlist push-alert on/off toggle.
• City Requests: If you request a state or city that is not yet available, we collect the request (city, state, optional user identifier) so we can prioritize coverage expansion.
• Subscription & Purchase Data: If you subscribe to a paid tier (Basic, Plus, or Pro), we store the subscription plan, current status, provider (Google Play or Apple App Store), provider subscription identifier, billing-period start and end dates, and cancellation timestamps. For each transaction we also store the event type (purchase, renewal, cancellation, refund), amount in cents, currency, and the provider transaction identifier and receipt. We never see or store payment card numbers, CVV, or billing addresses. All payments are processed by Apple or Google as the merchant of record.
• Suggestions and Feedback: If you submit a suggestion or feature request through the App or our website, we collect the message text and any optional name or email address you choose to provide.

1.2 Information Collected Automatically

When you use the App, certain information is collected automatically:

• Device Push Token: If you enable push notifications, we collect your device’s Expo push notification token to deliver alerts about construction zones, your saved watchlists, and your selected cities.
• Usage Data: We may collect general usage data such as app interactions, feature usage, and error logs to improve the App’s performance and reliability.
• IP Address: IP addresses are typically processed only for short-lived rate-limiting on public forms (such as our suggestions form), where they are immediately one-way hashed and never stored in raw form. The single exception is that when you accept this Privacy Policy, the Terms of Service, or the Data Deletion Policy during account creation or a policy update, we record the IP address used at the moment of acceptance alongside your email and the policy version, as a permanent legal record of consent. See Section 7.1 for how this consent ledger is treated at account deletion.
• Notification Delivery Log: We retain a server-side record of the push notifications we send to your account (type, related city or watchlist, timestamp) so we can prevent duplicate delivery and honor your selected frequency preferences.
• Server-Side Logging: We may use server-side logging to monitor API performance, diagnose errors, and detect security threats. These logs may contain request metadata (such as timestamps, endpoints accessed, and response codes) and are typically retained for 30 days before being automatically purged.

1.3 Information We Do NOT Collect

We do not collect precise geolocation data (city and ZIP code are provided by you through text entry, never sensed from your device), contacts, photos, microphone or camera data, browsing history, biometric data, or device-stored health information. We do not collect or store payment card numbers, CVV codes, or billing addresses; all in-app subscription payments are processed directly by Apple App Store or Google Play, and we receive only transaction metadata as described in Section 1.1.

2. How We Use Your Information

We use the information we collect for the following purposes:

• To create and manage your account.
• To deliver construction zone data and alerts for the U.S. cities, ZIP codes, and roads you select or save.
• To send push notifications based on your per-city and per-watchlist notification preferences (new zones, major closures, ending soon alerts, and weekly digests).
• To process and prioritize city and state coverage requests from users.
• To enforce account-level features and tier limits (e.g., watchlist count based on your subscription tier).
• To provision, manage, and (where applicable) end your paid subscription based on subscription receipts received from Apple App Store, Google Play, or RevenueCat.
• To improve, maintain, and optimize the App’s performance and user experience.
• To prevent abuse, fraud, and unauthorized access through rate limiting and security measures.
• To communicate important updates about the App or changes to our policies.

3. Legal Basis for Processing

We process personal information based on one or more of the following legal grounds: (a) performance of a contract when providing App services; (b) legitimate interests such as improving service reliability and preventing abuse; (c) compliance with legal obligations; and (d) user consent where required.

By using the App, you understand that your information may be processed and stored in the United States.

4. Data Storage and Security

4.1 Infrastructure

Your data is stored on Supabase, a cloud database platform hosted on Amazon Web Services (AWS). Supabase provides enterprise-grade security including encrypted connections (SSL/TLS), row-level security policies that restrict data access to authenticated users, and regular security audits.

4.2 Security Measures

We implement the following security measures to protect your data:

• Row-Level Security (RLS) policies ensure users can only access their own data.
• Server-side triggers enforce business rules (such as city limits) to prevent manipulation.
• Protected database columns prevent unauthorized modification of sensitive fields (e.g., subscription status).
• API keys and secrets are stored in an encrypted vault, not hardcoded in application code.
• Email verification is required for account activation.
• Passwords must meet minimum complexity requirements (8+ characters, uppercase letter, number).

While we implement reasonable administrative, technical, and organizational safeguards, no system can be guaranteed to be completely secure.

4.3 Data Retention

We retain your personal data for as long as your account is active or as needed to provide you with the App’s services. When you delete a city from your saved cities, a historical record is maintained for audit purposes (containing the city name, notification preferences at the time of removal, and the date of the action). If you delete your account, all associated data (including your profile, saved cities, and notification preferences) is permanently removed through cascading deletion.

5. Third-Party Services

We use the following third-party services to operate the App:

• Supabase: Cloud database and authentication provider. Supabase processes and stores your account data, city preferences, watchlists, subscription records, and notification settings.
• Expo (React Native): Mobile app framework and push notification service. Expo processes your device push token to deliver notifications. Push tokens are also processed by Apple Push Notification service (APNs) or Google Firebase Cloud Messaging (FCM) to facilitate delivery to your specific device.
• Amazon Web Services (AWS): Cloud infrastructure provider hosting our database.
• RevenueCat: Subscription-management service used to validate and synchronize in-app subscription entitlements between Apple App Store / Google Play and our backend. RevenueCat receives a pseudonymous user identifier and your subscription receipt; it does not receive any other profile data.
• Apple App Store and Google Play Billing: When you purchase a paid subscription (Basic, Plus, or Pro), the transaction is processed by Apple or Google as the merchant of record under their respective terms. They receive your payment information directly; we receive only the transaction identifier, plan, amount, currency, and renewal/cancellation timestamps for record-keeping, provisioning, and tax purposes.
• Google Maps SDK (Android only): The Map tab in the Android version of the App uses the Google Maps SDK to render map tiles and pins. Google may receive device-level information (device identifier, IP address, approximate location derived from the IP, and screen size for tile selection) per Google’s Privacy Policy when map tiles are loaded.
• Mapbox (server-side only): Used by our backend to geocode user-submitted city and ZIP names. No personally identifying user information is sent to Mapbox; we send only the place text to be resolved into coordinates.

We do not sell, rent, or trade your personal information to third parties for marketing or advertising purposes.

Construction zone information displayed within the App originates from publicly available U.S. Department of Transportation feeds (Work Zone Data Exchange / WZDx) and is processed, normalized, and aggregated by ClosureCast for informational use.

6. Push Notifications

If you opt in to push notifications, we will send you alerts based on your per-city preferences. These may include notifications about new construction zones, major road closures, zones ending soon, and periodic digest summaries. You can customize notification types and frequency for each city within the App, or disable notifications entirely through your device’s system settings.

Delivery timing and reliability of push notifications depend on third-party platform services and device settings. We do not guarantee delivery or timeliness of notifications. Notifications are provided for informational purposes only and should not be relied upon for real-time safety decisions.

7. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights:

• Access: You can view all personal data associated with your account directly within the App.
• Correction: You can update your name, zip code, theme, notification preferences, and watchlists at any time through the App.
• Deletion: You can delete your account directly within the App (Settings > Delete Account) or by contacting us at privacy@closurecast.com. See Section 7.1 below for details.
• Opt-Out of Notifications: You can disable push notifications for individual cities within the App or disable all notifications through your device settings.
• Data Portability: You may request a copy of your personal data by contacting us at privacy@closurecast.com.

7.1 Account Deletion and Data Retention

What is permanently and immediately removed when you delete your account: your profile information (name, email, zip code, theme preference, subscription tier flag), the active rows in your saved cities, saved ZIP code watchlists, saved road watchlists, and city coverage requests, your push notification token, your notification delivery log, and your active subscription row.

What is retained in anonymized form after account deletion (for legal-defense, tax, fraud-prevention, and audit purposes):

• Anonymized account audit record: one-way cryptographic hashes of your email and name (these hashes cannot be reversed back to the original values), account creation and deletion dates, account age, subscription tier and plan at deletion, total payment count and total amount, and the final versions of each policy you had accepted.
• Anonymized city history: the cities you had saved, whether each was active, your notification preferences at deletion, and the original date saved. Joined only to the hashed account identifier described above.
• Anonymized ZIP code watchlist history: the ZIP codes you had saved, any labels you applied, alert toggle state, and the original date saved. Keyed by the same hashed account identifier.
• Anonymized road watchlist history: the road names you had saved, any labels, alert toggle state, and original date. Keyed by the same hashed account identifier.
• Anonymized city coverage requests: the city names and states you requested coverage for, with original date. Keyed by the same hashed account identifier.
• Anonymized payment records: retained up to 7 years as required by U.S. tax and financial reporting law, with all direct identifiers removed.

None of the retained records contain your name, email, ZIP code, or any other direct identifier. They cannot be used to identify you individually; they are kept to defend against disputes (e.g., a claim that you never had access to a particular feature), to comply with tax and regulatory record-keeping requirements, and to enable aggregate analytics on service usage and coverage demand.

Consent ledger exception. Records of policy acceptances (Terms of Service, Privacy Policy, Data Deletion Policy) are stored in an append-only ledger that includes the policy version, your email, the IP address used at the time of acceptance, and a timestamp. These ledger entries are retained after account deletion with the account identifier severed (user_id set to null) but the email and acceptance metadata preserved. We retain this ledger as a legal record of consent and to defend against disputes over whether terms were agreed to. This is the only retained category that includes your raw email address.

If you have an active paid subscription, deleting your account does not automatically cancel your app store subscription. Please cancel your subscription through Google Play or Apple App Store settings before deleting your account. The in-app deletion screen requires you to acknowledge this in writing before deletion can proceed, and the acknowledgment is recorded in the consent ledger described above.

8. Children’s Privacy

The App is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal data from a child under 13 without parental consent, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with personal data, please contact us at privacy@closurecast.com.

9. State-Specific Privacy Rights

9.1 California Residents (CCPA)

If you are a California resident, you have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, request deletion of your personal information, and opt out of the sale of your personal information. We do not sell personal information. To exercise these rights, contact us at privacy@closurecast.com.

9.2 Texas Residents (TDPSA)

If you are a Texas resident, the Texas Data Privacy and Security Act provides you with rights regarding your personal data, including the right to access, correct, delete, and obtain a copy of your personal data. To exercise these rights, contact us at privacy@closurecast.com. We will respond to verified requests within 45 days.

10. Cookies and Tracking Technologies

The ClosureCast mobile app does not use browser cookies, web beacons, advertising identifiers, or cross-app tracking. We do not engage in cross-app tracking or behavioral advertising. Certain third-party SDKs identified in Section 5 (notably Google Maps SDK on Android and RevenueCat) may use their own device-level identifiers solely to provide their service, as described in each provider’s own privacy policy.

If we introduce a web-based version of ClosureCast or integrate third-party analytics in the future, this section will be updated to disclose any cookies or tracking technologies used, their purpose, and how you can manage your preferences. Any such changes will be reflected in an updated version of this Privacy Policy, and you will be prompted to review and accept the changes.

11. Business Transfers

In the event of a merger, acquisition, restructuring, or sale of assets, user information may be transferred as part of that transaction subject to applicable privacy protections. If such a transfer occurs, we will notify you via email or a prominent notice within the App and outline your choices regarding your personal information.

12. Service Analytics

We may use aggregated and anonymized usage statistics that do not identify individual users to improve platform performance, understand feature adoption, and support service planning. These aggregated statistics cannot be used to identify any individual user.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy within the App and updating the “Last Updated” date. Your continued use of the App after any changes constitutes your acceptance of the updated Privacy Policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

True Tone Mirror LLC
Email: privacy@closurecast.com
Website: closurecast.com