Privacy Policy
Last updated 2026-06-01
This Privacy Policy explains how Valcour Ad-Targeting (“we,” “us”) handles information when you use our website, APIs, and the targeting assistant (the “Service”).
1. Data we collect
- The questions you ask the assistant: the messages you type into the assistant, for example a state, a race, or a candidate you want opportunity rankings for. We do not ask for, and you should not submit, voter personal information.
- What the assistant returns: the opportunity rankings are computed from aggregate public data (Census ACS, the Meta Ad Library, Google Political Ads, FEC). They do not contain voter-level personal data.
- Usage and diagnostic data: IP address, user-agent, request timestamps, page paths, and error traces captured by Sentry. We use these to operate and secure the Service.
2. How we use it
We use the information above to answer your questions to the assistant, prevent abuse and rate-limit requests, comply with legal obligations, and improve the Service. We do not sell personal information, and we do not use the questions you ask the assistant to train third-party models.
3. Third-party processors
We rely on the following sub-processors. Each is bound by contractual data-protection commitments:
- Neon (Databricks) Postgres: managed database hosting in U.S. regions.
- Amazon Web Services: compute, storage, and content delivery in U.S. regions.
- Sentry: application error monitoring and performance telemetry.
- AI model inference provider: the questions you ask the assistant are sent to a third-party large-language-model inference provider to generate responses. Your prompts are not used to train that provider’s models.
- PostHog: privacy-focused product analytics, loaded only after you opt in via the cookie banner.
4. Data retention
Access to the assistant requires an organization account. Your conversations are tied to your account so you can return to them; you can export or delete your conversation data at any time, and deleted data is hard-purged after a 30-day window. Diagnostic logs (including the IP-derived rate-limit data above) are kept for 30 days and then deleted. If you contact us by email, we retain that correspondence for as long as needed to handle your request, subject to legal record-keeping obligations.
5. Your rights
Depending on where you live, you may have the right to access, correct, delete, or export your personal information; to object to or restrict certain processing; and to lodge a complaint with a supervisory authority.
- GDPR (EU/UK): our lawful basis for processing is legitimate interests (operating and securing the assistant, preventing abuse, and improving the product) and consent where required.
- CCPA/CPRA (California): California residents may request the categories and specific pieces of personal information we have collected, request deletion or correction, and opt out of any “sale” or “sharing” for cross-context behavioral advertising. We do not sell or share personal information as those terms are defined under the CCPA.
6. Security
All traffic is encrypted in transit with TLS 1.2 or higher. Data at rest is encrypted using the underlying provider’s managed keys (AWS KMS, Neon storage encryption). Access to production systems is restricted to a small number of named engineers, gated by SSO with hardware-token MFA, and audited. Backups are encrypted and retained on a rolling 30-day window.
7. International transfers
Our infrastructure is located in the United States. If you access the Service from outside the U.S., you understand that your information will be transferred to and processed in the U.S. Where required, we rely on the EU Standard Contractual Clauses or equivalent transfer mechanisms.
8. Children
The Service is intended for use by adults in a professional capacity. We do not knowingly collect information from anyone under 16. If you believe a child has provided us information, contact us and we will delete it.
9. Changes
We may update this Policy from time to time. Material changes will be announced by email or in-product notice at least 14 days before they take effect.
10. Contact and data requests
To exercise any of the rights above, or to ask any other question about this Policy, email ads@valcour.ai. We respond to verified requests within 30 days.
This document is a starting point. It is not legal advice. We recommend reviewing it with your own counsel before relying on it for an active engagement, especially if you operate in jurisdictions with sector-specific privacy regimes (HIPAA, GLBA, COPPA, state biometric laws).