Data & Privacy
What data CivicLoop County OS holds, who can see it, and how residents' information is protected.
Data classes
- Resident-identifying (PII): name, contact, the text/photo of a 311 report, exact request location. Visible only to authenticated staff scoped by role + county (RLS).
- Operational: permits, contracts, vendors, fleet, assets, cases, schools, sites, feed readings. Staff-only, county-scoped.
- Public record (aggregate): counts, medians, SLA %, NPS, supplier diversity, contract values, redevelopment potential, and anonymized request coordinates (no identity). This is the only data on /public pages.
The public-PII boundary
/public and /public/spending use server-side aggregates and publish NO resident identity. The map shows coordinates + status only.
- This boundary is a hard rule: public pages must contain public-record data only.
Access control
- DB-enforced RLS on every table (see AUTH_AND_RBAC.md). A staffer sees only their county's rows.
- The service-role key is server-only; the browser never receives it.
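Worked example of the two rules above (county-scoped RLS on the staff table, and a public-record-only projection for /public), added here for illustration; it is not CivicLoop's own schema. Assumed: a `requests` table with the columns shown, a `county_id` claim that sign-in stamps into the staff JWT, Supabase/PostgREST exposing that JWT as `request.jwt.claims`, and the Supabase roles anon, authenticated and service_role.

```sql
-- Added example, not CivicLoop's schema. Assumed names: table `requests`,
-- JWT claim `county_id`, Supabase roles anon / authenticated / service_role.

create table requests (
  id             bigserial primary key,
  county_id      integer     not null,
  status         text        not null default 'open',
  created_at     timestamptz not null default now(),
  closed_at      timestamptz,
  -- resident-identifying columns (PII): staff-only, never exposed by a public view
  reporter_name  text,
  reporter_email text,
  description    text,
  photo_url      text,
  lat            double precision,
  lng            double precision
);

alter table requests enable row level security;

-- County of the caller, read from the JWT claims that PostgREST/Supabase expose
-- through request.jwt.claims. A missing claim yields NULL, and NULL = anything is
-- never true, so a token without county_id matches no rows at all.
create function current_county_id() returns integer
language sql stable
as $$
  select nullif(current_setting('request.jwt.claims', true)::jsonb ->> 'county_id', '')::integer
$$;

-- Staff read and write only rows in their own county. WITH CHECK stops a staffer
-- from inserting a row into, or moving a row to, another county.
create policy staff_county_scope on requests
  for all to authenticated
  using (county_id = current_county_id())
  with check (county_id = current_county_id());

-- anon gets no policy on the base table: with RLS enabled, no policy means zero rows.
-- Revoking table privileges as well means a mistyped policy still cannot leak anything.
revoke all on requests from anon;
-- (service_role bypasses RLS entirely, which is why its key must never reach the browser.)

-- Public-record projections. A Postgres view runs with its owner's privileges, so it
-- bypasses RLS on `requests`; that is what makes a cross-county aggregate possible,
-- and it is exactly why the column list is an explicit allowlist with no PII column.
create view public_request_points as
  select county_id,
         status,
         round(lat::numeric, 3) as lat,  -- 3 decimals (~100 m): assumed acceptable coarsening
         round(lng::numeric, 3) as lng
  from requests
  where lat is not null and lng is not null;

create view public_request_stats as
  select county_id,
         count(*)                                  as total_requests,
         count(*) filter (where status = 'closed') as closed_requests,
         percentile_cont(0.5) within group
           (order by extract(epoch from (closed_at - created_at)) / 3600.0)
           filter (where closed_at is not null)    as median_hours_to_close
  from requests
  group by county_id;

grant select on public_request_points, public_request_stats to anon, authenticated;

-- Regression check for the boundary: returns rows (i.e. fails) if any public_*
-- view ever exposes a column from the PII list. Run it in CI after migrations.
select table_name, column_name
from information_schema.columns
where table_schema = 'public'
  and table_name like 'public\_%'
  and column_name in ('reporter_name', 'reporter_email', 'description', 'photo_url');
```

The /public pages would query only the two views; the final query is the check that keeps the "public-record data only" rule from eroding as columns are added.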
Retention & deletion
- Records follow the County's retention schedule by record type.
- Everything created in the UI is editable AND deletable by authorized staff (full CRUD), so there is no write-only data that cannot later be corrected or removed.
- Automation never hard-deletes resident data; the janitor only closes past-deadline opportunities and flags duplicates for human review.
AI & privacy
- The County assistant answers from the County-controlled knowledge base (county_kb) and is instructed not to invent specific facts (fees, phone numbers, dates) that are not in the KB.
- The agent co-pilot drafts replies for a human to review and send; it never sends or decides autonomously.
- AI calls are made server-side with the County's key; resident data is sent only as needed to draft a reply and is not used to train third-party models (Anthropic API, no-training terms).
Encryption
- In transit: TLS (HSTS preload). At rest: Supabase AES-256 on storage + backups.
Resident rights
- A resident can track their request by number and see all public-facing updates.
- Requests for records and for corrections are handled through the County's public-records process; staff can edit or remove records in-app.