Privacy Policy

Last Updated: March 31, 2026

This Privacy Policy (“Policy”) explains the information collection, use, and sharing practices of Public Accountability Initiative (“PAI,” “we,” “us,” and “our”).

This policy describes the types of information we may collect about you or that you may provide when accessing and/or using this site and any other online services provided by PAI that expressly incorporate these terms (collectively, the “Services”), whether as a guest or registered user, and our practices for collecting, using, maintaining, protecting, and disclosing that information. Use of the Services is subject to our Terms of Use, which incorporates this Privacy Policy.

This policy applies to information we collect through the Services. It does not apply to information collected by any third party, including through any application or content (including third-party platforms, payment processors or advertisers) that may link to or be accessible from or on the Services.

Before you use or submit any information through or in connection with the Services, please carefully review this Privacy Policy. By using any part of the Services, you understand that your information will be collected, used, and disclosed as outlined in this Privacy Policy. IF YOU DO NOT AGREE TO THIS PRIVACY POLICY, PLEASE DO NOT USE THE SERVICES.

Our Principles

We have designed this policy to be consistent with the following principles:

• Privacy policies should be human readable and easy to find.
• Data collection, storage, and processing should be simplified as much as possible to enhance security, ensure consistency, and make the practices easy for users to understand.
• Data practices should meet the reasonable expectations of users.

Controller and Contact Information

Controller: Public Accountability Initiative

Address: 266 Elmwood Avenue #191, Buffalo, NY 14222

Email: info@littlesis.org

Phone: +1 716-400-0576

Information We Collect

We collect information in multiple ways, including when you provide information directly to us; when we passively collect information from you, such as from your browser or device; and from third parties.

Information You Provide Directly to Us

We will collect any information you provide to us. We may collect information from you in a variety of ways, such as when you:

• Create an online account for the LittleSis Database, which includes access to tools such as the Oligrapher mapping tool. For example, when creating a database account, we request a public username, email address, password, name, optional location, and optional motivation for joining.
• Make a donation or purchase. We collect name, email address, donation or purchase amount, and other payment details necessary to process the transaction. We use Stripe to process payments. Please see their Privacy Policy for how they handle your information.
• Communicate with us or sign up to join a mailing list.
• Register for a training or event. For example: name, email, selection of trainings
• Contribute to the LittleSis Database. Your contributions, edits and maps, and metadata associated with your contributions (timestamps, relationships between records, your public username).
• Use the LittleSis API. For example: date and time of visit, IP address, page accessed.
• Participate in optional surveys. We use Google Forms for our surveys. Please see their Privacy Policy for how they handle your information.

Information that Is Automatically Collected

Device/Usage Information

We and our service providers may automatically collect certain information about the computer or devices (including mobile devices or tablets) you use to access the Services. Our service providers include Action Network (asset hosting), Digital Ocean (website hosting), Google (map and video hosting), hCaptcha (spam prevention), Postmark (sending email), Progressive Technology Project (CRM, mailing lists), and Stripe (payment processing). Please review their respective privacy policies for more information. As a result of our accounts with these providers, we and/or our providers may collect and analyze (a) device information such as IP addresses, location information, unique device identifiers, IMEI and TCP/IP address, browser types, browser language, operating system, mobile device carrier information, and (b) information related to the ways in which you interact with the Services, such as referring and exit web pages and URLs, platform type, the number of clicks, domain names, landing pages, pages and content viewed and the order of those pages, statistical information about the use of the Services, the amount of time spent on particular pages, the date and time you used the Services, the frequency of your use of the Services, error logs, and other similar information.

For example, we maintain:

• Server and LittleSis API logs that include your IP address, IP-based geolocation information, browser information (e.g., user-agent string), page requests, date/time, screen size, device information, operating system, and referring web page.
• LittleSis Database usage metadata that includes timestamps, roles/privileges (user/editor/collaborator/admin), and audit trails linking edits to accounts. For technical reasons, we retain edit histories even if an account is deleted (see Data Retention, below).
• Analytics. We use self-hosted Javascript-based analytics Matomo On-Premise that uses cookies and tracks users by user ID and session cookies.

Cookies, Logs, and Other Tracking Technologies

We and our service providers also collect data about your use of the Services through the use of Internet server logs and online tracking technologies, like cookies and/or tracking pixels. A web server log is a file where website activity is stored. A cookie is a small text file that is placed on your computer when you visit a website, that enables us to: (a) recognize your computer; (b) understand the web pages of the Services you have visited and the referral sites that have led you to our Services; (c) perform searches and analytics; and (d) assist with security administrative functions. Tracking pixels (sometimes referred to as web beacons or clear GIFs) are tiny electronic tags with a unique identifier embedded in email and that are designed to provide open rate information. We may also use tracking technologies in our buttons and/or icons that you can embed on other sites/services to track the website addresses where they are embedded, gauge user interaction with them, and determine the number of unique viewers of them. If you receive email from us (such as our newsletter or other ongoing email communications), we and our providers may use certain analytics tools, such as clear GIFs, to capture data such as whether you open our message, click on any links or banners our email contains, or otherwise interact with what we send. This data allows us to gauge the effectiveness of our communications and marketing campaigns. As we adopt additional technologies, we may also gather additional information through other methods.

Please note that you can change your settings to notify you when a cookie is being set or updated, or to block cookies altogether. Please consult the “Help” section of your browser for more information (e.g., Internet Explorer; Google Chrome; Mozilla Firefox; or Apple Safari). Please note that by blocking any or all cookies, you may not have access to certain features or offerings of the Services.

For more information about how we use cookies, please see our Cookies Notice.

Information We Collect from Third Parties

We may also collect information about you or others through third parties. For example, we may receive information about your usage of our services from our service providers (payment processors, CRM/mailing list providers, email delivery providers, hosting/backup providers, anti-abuse tooling), and public sources including your contributions to our Github page.

Depending on the source, this information collected from third parties could include name and contact information.

Information That Third Parties Collect In Connection With The Services

Our third party service and hosting providers may collect information about you or others through or in connection with your use of the Services. For example, we use Action Network for some asset hosting, Digital Ocean for website hosting, Google for map and video hosting, hCaptcha for spam prevention, Postmark for sending email, Progressive Technology Project for CRM and mailing lists, and Stripe for payment processing. We may also use third parties to host backups of our data, for IT support, and for other reasons. If you interact with our repositories on Github, your use of that site, like all third-party sites, is subject to their privacy policy.

Lawful Bases for Processing Personal Data

The laws in some jurisdictions (including the EU and UK GDPR) require companies to tell you about the legal grounds they rely on to use or disclose information that can be directly linked to or used to identify you. To the extent those laws apply, we rely on the following legal bases to process your personal data, as appropriate:

• Necessary for us to perform a contract with you or take steps at your request prior to entering a contract (“Contract Performance Legal Basis”).
• To comply with an applicable legal obligation (“Legal Obligations Legal Basis”).
• To realize a legitimate interest based on an assessment of that interest and your privacy and other fundamental interests (“Legitimate Interest Legal Basis”). These interests include:
  • Customer service
  • Publishing user-submitted content
  • Marketing, advertising and fundraising
  • Protecting our users, personnel, and property
  • Managing user accounts and submissions
  • Organizing and running events and programs
  • Analyzing and improving our business
  • Managing legal matters
• According to your consent (“Consent Legal Basis”), in which case you can withdraw your consent at any time with future effect.

How We Use Your Information

We may use the information we collect from and about you for the following purposes, and based on the following legal bases:

• Process, store, and publish your submissions (including to the LittleSis Database) and their corresponding metadata. [Legitimate Interest]
• Enable content moderation of user submissions, including responding to infringement/legal complaints [Legitimate Interest; Legal Obligations];
• Provide and improve the Services, including to develop new features or services, promote community collaboration, take steps to secure the Services, and for technical and customer support [Legitimate Interest];
• Fundraise, accept and process donations [Legitimate Interest; Contract Performance];
• Host in-person or virtual events, programs, and discussions [Legitimate Interest];
• Send you account alerts and other information about your relationship or transactions with us [Legitimate Interest];
• Send you publications, newsletters, and updates that you have expressly chosen to receive [Consent];
• Process and respond to your inquiries, feedback, comments, responses, messages, and other data or content you submit [Legitimate Interest and/or Consent];
• Conduct analytics, research and reporting, including to synthesize and derive insights from your use of our Services [Legitimate Interest];
• Evaluate job candidates during our hiring process [Legitimate Interest; Consent];
• Comply with applicable laws, court orders, subpoenas and other legal process served on us [Legitimate Interest; Legal Obligations];
• Administer, safeguard, secure and improve our sites and tools, systems, facilities, events, and other business operations [Legitimate Interest];
• Protect our rights and the safety of others [Legitimate Interest];
• Fulfill the purposes for which you provided it [Contract Performance; Legitimate Interest; and/or Consent, as appropriate].

We may aggregate and/or de-identify information collected through the Services, and we may use such de-identified and/or aggregated data for any purpose, including without limitation for research and marketing purposes.

When We Disclose Your Information

We may disclose and/or share your information under the following circumstances, and based on the following legal bases:

Service Providers.

We may disclose your information to: (i) our employees, agents, and affiliates who have a business need to know, and (ii) our contractors and third party service providers to process based on our instructions, including without limitation for IT services, backup services, website and database hosting/storage, payment processing, e-mail services, event management, marketing, customer support, and legal services. [Legitimate Interest, Legal Obligations, Contract Performance]

Visitors to Our Services.

Any personal data you submit to the interactive portions of our Services, including submissions to the LittleSis Database, and Oligrapher maps, are available to the general public. Other users may access, repost, or use such submissions. [Legitimate Interest]

Legal Compliance and Protection of PAI and Others.

We may disclose your information if required to do so by law or on a good faith belief that such disclosure is permitted by this Privacy Policy or reasonably necessary or appropriate for any of the following reasons: (a) to comply with legal process; (b) to enforce or apply our Terms of Use and this Privacy Policy, or other contracts with you, including investigation of potential violations thereof; (c) to respond to your requests for customer service; and/or (d) to protect the rights, property, or personal safety of PAI, our agents and affiliates, our users, and the public. This includes exchanging information with other companies and organizations for fraud protection, and spam/malware prevention, and similar purposes [Legitimate Interests; Legal Obligations].

Organizational Transitions

As we continue to develop our business, we may engage in certain business transactions, such as a merger or the transfer or sale of our assets. In such transactions, (including in contemplation of such transactions, e.g., due diligence) your information may be disclosed. If any of PAI’s assets are sold or transferred to a third party, personal information related to the assets would likely be one of the transferred assets. [Legitimate Interests].

Consent.

We may disclose your information to any third parties based on your consent to do so.

Aggregate/De-identified Information.

We may disclose de-identified and/or aggregated data for any purpose to third parties, including promotional partners and/or others, including the public generally. [Legitimate Interests]

Your Choices and Data Subject Rights

You have various rights with respect to the collection and use of your information through the Services. Those choices are as follows:

• Email Unsubscribe – You may unsubscribe from our marketing emails at any time by clicking on the “unsubscribe” link at the bottom of each newsletter or by emailing info@littlesis.org with your request.
• Account Preferences – If you have registered for an account with us through our Services, you can update your account information or adjust your email communications preferences by contacting info@littlesis.org.
• We do not control third parties’ collection or use of your information to, for example, serve interest-based advertising. However these third parties may provide you with ways to choose not to have your information collected or used in this way. For example, you can opt out of receiving targeted ads from members of the Network Advertising Initiative (“NAI”) on the NAI’s website at https://thenai.org/opt-out, and from the Digital Advertising Alliance (“DAA”) at https://optout.aboutads.info.
• EU Data Subject Rights – Individuals in the European Economic Area (“EEA”) and other jurisdictions, including the UK, have certain legal rights (subject to applicable exceptions and limitations) to obtain confirmation of whether we hold personal information about them, to access such information, and to obtain its correction or deletion in appropriate circumstances. You may have the right to object to our handling of your information, restrict our processing of your information, and to withdraw any consent you have provided. To exercise these rights, please email us at info@littlesis.org with the nature of your request. You also have the right to go directly to the relevant supervisory or legal authority, but we encourage you to contact us so that we may resolve your concerns directly as best and as promptly as we can.

International Transfers

Our computer systems are currently based in the United States and the majority of our contractors are based in the United States. As described above in the “When We Disclose Your Information” section, we may share your information with trusted service providers or business partners in countries other than your country of residence, including the United States, in accordance with applicable law. This means that some of your information may be processed in the United States, which may not offer the same level of protection as the privacy laws of your jurisdiction. By providing us with your information, you acknowledge any such transfer, storage or use.

If you are located in the EEA or UK and we provide any information about you to third parties or information processors located outside of the EEA or UK, we will take appropriate measures, such as using the European Commission’s Standard Contractual Clauses (SCCs), to ensure such companies protect your information adequately in accordance with this Privacy Policy and other data protection laws to govern the transfers of such data.

Security Measures

We have implemented technical, physical, and organizational security measures to protect against the loss, misuse, and/or alteration of your information. These safeguards vary based on the sensitivity of the information that we collect and store. However, we cannot and do not guarantee that these measures will prevent every unauthorized attempt to access, use, or disclose your information since despite our efforts, no Internet and/or other electronic transmissions can be completely secure.

Children

The Services are intended for users over the age of 18 and are not directed at children under the age of 13. If we become aware that we have collected personal information (as defined by the Children’s Online Privacy Protection Act) from children under the age of 13, or personal data (as defined by the EU GDPR) from children under the age of 16, we will take reasonable steps to delete it as soon as practicable.

Data Retention

We retain the personal information we collect for as long as necessary to fulfill the purposes set forth in this Privacy Policy, or as long as we are legally required or permitted to do so. Information may persist in copies made for backup and business continuity purposes for additional time. Where we do not have exact retention periods, we determine retention by reference to the type of data, the purpose for collection, legal/accounting obligations, and security/fraud-prevention needs, and delete or irreversibly de-identify data when no longer required. We may retain certain de-identified data (including de-identified server logs) indefinitely.

Please note that your public user contributions, such as to our LittleSis Database and your Oligrapher maps, and our audit trail, are retained and published on the Services indefinitely, to preserve the integrity and transparency of our platform.

Changes to this Privacy Policy

We will continue to evaluate this Privacy Policy as we update and expand our Services, and we may make changes to the Privacy Policy accordingly. We will post any changes here and revise the date last updated above. We encourage you to check this page periodically for updates to stay informed on how we collect, use and share your information. If we make material changes to this Privacy Policy, we will provide you with notice as required by law.

Questions About this Privacy Policy

If you have any questions about this Privacy Policy or our privacy practices, you can contact us at: info@littlesis.org.