Privacy Policy
Last updated: March 2026
What Data We Collect
- Email address — encrypted with AES-256-GCM before storage. Used for account verification and communication.
- Phone number — hashed with SHA-256 before storage. We store only the hash and never the number itself; the hash is used to enforce one citizen, one voice. Note that a phone number has very little entropy, so an unsalted SHA-256 hash does not make the number unrecoverable: anyone holding the hash can test candidate numbers against it. The hash keeps the number out of storage in the clear; it is not irreversible anonymisation.
- Country — stored in plain text. Used for aggregate statistics and country-relevant legislation.
- Age bracket (optional) — stored in plain text. Used only for aggregate demographic analysis.
- Legislative positions — your support/oppose positions on EU procedures. Linked to your account only through an HMAC pseudonym, never directly to your identity.
- IP address — logged temporarily for security (rate limiting, abuse prevention). Retained for 30 days.
How Data is Stored
Your data is protected through multiple layers of security:
- Encryption at rest — Email addresses are encrypted with AES-256-GCM using a server-side key. Passwords are stored only as salted hashes.
- Phone hashing — Phone numbers are one-way hashed with SHA-256. We store only the hash.
- HMAC separation — Your identity (in the auth schema) is linked to your positions (in a separate schema) only through an HMAC computed with a server-side secret. Someone with access to the positions database but not that secret cannot determine which citizen holds which position. Protection therefore rests on that secret: anyone who obtains it together with the auth schema can recompute the link, so it must not be stored alongside either schema.
Schema Separation
GovLens uses two separate PostgreSQL schemas to protect your privacy:
citizen_auth
Contains your encrypted email, password hash, verification status, and sessions. This schema knows who you are.
citizen_positions
Contains your legislative positions and audit trail. This schema knows what you think, but not who you are. Its rows are tied to citizen_auth only by the HMAC pseudonym.
This design means a breach of one schema on its own does not expose both your identity and your political positions, provided the HMAC secret is not exposed with it.
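The HMAC separation described in the storage section and in the schema layout above, as an added illustration that is not GovLens's own code: the two schemas are modelled as Python dicts, the HMAC input is assumed to be an internal citizen id, and the link key is generated in-process for the demo (in a real deployment it must live outside both databases, for example in the application's secret store or a KMS). The example also shows why the key, not the hashing, is what protects the link: with sequential ids, an unkeyed SHA-256 token can be re-linked by enumerating candidate ids, the same weakness an unsalted SHA-256 of a phone number has.

```python
import hashlib
import hmac
import secrets

# Constructed illustration, not GovLens code. citizen_auth and citizen_positions
# are modelled as dicts; the HMAC input is assumed to be an internal citizen id;
# the link key is generated here for the demo (in a real deployment it must live
# outside both schemas, e.g. in the application's secret store or a KMS).


def link_token(link_key: bytes, citizen_id: str) -> str:
    """Pseudonym joining the two schemas: HMAC-SHA256(link_key, citizen_id)."""
    return hmac.new(link_key, citizen_id.encode(), hashlib.sha256).hexdigest()


def unkeyed_token(citizen_id: str) -> str:
    """Counter-example: a plain SHA-256 of a low-entropy id, which an attacker
    can recompute for every candidate id (the same weakness an unsalted SHA-256
    of a phone number has)."""
    return hashlib.sha256(citizen_id.encode()).hexdigest()


def record_position(positions: dict, link_key: bytes, citizen_id: str,
                    procedure: str, stance: str) -> str:
    """Store a support/oppose position under the pseudonym only; the table
    never sees the citizen id or any identity data."""
    token = link_token(link_key, citizen_id)
    positions.setdefault(token, {})[procedure] = stance
    return token


def positions_for(positions: dict, link_key: bytes, citizen_id: str) -> dict:
    """Legitimate server-side read: recompute the pseudonym and look it up."""
    return positions.get(link_token(link_key, citizen_id), {})


def relink_by_enumeration(positions: dict, candidate_ids, token_fn) -> dict:
    """Attacker model: holds the positions table and can enumerate candidate
    citizen ids. token_fn maps an id to the token the attacker believes is
    stored. Returns id -> positions for every id whose token is present."""
    found = {}
    for cid in candidate_ids:
        token = token_fn(cid)
        if token in positions:
            found[cid] = positions[token]
    return found


def demo() -> dict:
    link_key = secrets.token_bytes(32)
    citizen_positions: dict = {}
    record_position(citizen_positions, link_key, "42", "PROC-EXAMPLE-1", "support")
    record_position(citizen_positions, link_key, "43", "PROC-EXAMPLE-1", "oppose")

    # Sequential ids are trivially enumerable; the key is what stops the attack.
    candidate_ids = [str(i) for i in range(1000)]

    # 1. Breach of citizen_positions only, no key: guessing a key links nothing.
    wrong_key = secrets.token_bytes(32)
    without_key = relink_by_enumeration(
        citizen_positions, candidate_ids, lambda cid: link_token(wrong_key, cid))

    # 2. Same data, but had the tokens been unkeyed SHA-256, enumeration succeeds.
    unkeyed_positions = {unkeyed_token("42"): {"PROC-EXAMPLE-1": "support"},
                         unkeyed_token("43"): {"PROC-EXAMPLE-1": "oppose"}}
    unkeyed = relink_by_enumeration(unkeyed_positions, candidate_ids, unkeyed_token)

    # 3. Whoever holds the real key (the application, or a thief who obtained it)
    #    relinks everything, which is why the key must be kept out of both databases.
    with_key = relink_by_enumeration(
        citizen_positions, candidate_ids, lambda cid: link_token(link_key, cid))

    return {"without_key": without_key, "unkeyed": unkeyed, "with_key": with_key}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the demo shows the three outcomes side by side: the keyed table yields nothing to an attacker without the secret, the unkeyed table gives up every citizen id by enumeration, and the key holder can rebuild the full mapping. The same reasoning applies to the phone-number hash: a keyed construction protected by a secret held outside the database resists enumeration, a bare SHA-256 does not.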
Your GDPR Rights
- Right to access — Export all your data at any time from your account dashboard.
- Right to rectification — Update your positions and account information at any time.
- Right to erasure — Delete your account and all associated data from your account dashboard. Deletion is immediate and permanent.
- Right to data portability — Export your data in JSON format.
- Right to withdraw consent — Delete your account at any time to withdraw consent for data processing.
Data Deletion Process
When you delete your account:
- All positions and audit records are deleted from the citizen_positions schema
- All sessions are invalidated and deleted
- Your citizen record (encrypted email, password hash, verification data) is permanently deleted
- IP logs associated with your account are purged
This process is irreversible. Aggregate, anonymized statistics (e.g., total positions per procedure) are not affected.
Contact
For privacy inquiries, data requests, or concerns, contact us at privacy@govlens.eu.