PRIVACY POLICY
Effective Date: November 27, 2024
Last Updated: May 29, 2026
This Privacy Notice for Program Integrity Alliance ("we," "us," or "our"), describes how and why we might access, collect, store, use, and/or share ("process") your personal information when you use our services ("Services"), including when you:
- Visit our website at https://programintegrity.org/, or any website of ours that links to this Privacy Notice
- Engage with us in other related ways, including any sales, marketing, or events
Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at privacy@programintegrity.org.
SUMMARY OF KEY POINTS
This summary provides key points from our Privacy Notice, but you can find out more details about any of these topics by clicking the link following each key point or by using our table of contents below to find the section you are looking for.
- What personal information do we process? Standard web-request metadata (IP for geo lookup + security, browser type, language); for account holders, the email and display name your OAuth provider gives us; with your analytics consent, a record of which pages you visit and which searches / AI Mode messages you send.
- Do we process any sensitive personal information? No. We do not process racial or ethnic origin, sexual orientation, religious beliefs, health, biometrics, or any other category considered sensitive under GDPR or CCPA.
- Do we collect any information from third parties? No, other than what your OAuth provider sends us when you sign in (email + display name).
- How do we process your information? To run the Services, improve them, keep them secure, respond to you, and comply with law. We do not use it for advertising or sale.
- In what situations and with which parties do we share personal information? AI model providers (Anthropic and Microsoft Azure AI Foundry) when you use AI Mode or AI Overview — required for the feature to work; LangChain LangSmith for engineering tracing of AI Mode runs (only with your analytics consent — opt out and we don't send); Microsoft Clarity and Google Analytics for analytics (only with your analytics consent), with the Google Analytics data also exported to Google BigQuery for our own analysis; Microsoft Azure as our infrastructure provider; your chosen OAuth provider during sign-in; and legal authorities where required. We do not sell or share with advertisers or data brokers.
- What are your rights? Depending on where you live, you have rights to access, correct, delete, port, and object to processing of your personal information. See sections 7 to 9 below.
- How do you exercise your rights? Email privacy@programintegrity.org for any right — see section 7 for what to include if you don't have an account (analytics data is pseudonymised, so a pia_session_id from your browser's localStorage or an approximate visit window helps us find your rows). For analytics specifically, the Cookie preferences link in the page footer is the one-click off-switch.
Read on to learn more about our privacy policy.
TABLE OF CONTENTS
- What Information Do We Collect?
- How Do We Process Your Information?
- When and with Whom Do We Share Your Personal Information?
- Do We Use Cookies and Other Tracking Technologies?
- How Long Do We Keep Your Information?
- Do We Collect Information from Minors?
- Your Privacy Rights
- Controls for Browser Privacy Signals
- Region-Specific Disclosures
- Do We Make Updates to This Notice?
- How Can You Contact Us About This Notice?
1. WHAT INFORMATION DO WE COLLECT?
Personal information you disclose to us
In Short: We collect personal information you voluntarily provide — basically just your account details and any messages you send us.
When you create an account or sign in via an OAuth provider (Microsoft, Google, or similar), we receive your email address, name as provided by the OAuth provider, and an identifier the provider gives us so we can recognise you next time. If you email us, we keep the message contents and your email address. We do not process sensitive personal information (racial or ethnic origin, sexual orientation, religious beliefs, health, biometrics, etc.) — none of those are needed to run the Services and we do not ask for them.
Information collected automatically
In Short: Standard request metadata + (with your consent) records of how you use the site.
When you visit the Services, our servers receive standard web-request information your browser sends to every website: your IP address, a User-Agent string identifying your browser and device, language preferences, the URL that linked you to us, and the page or API endpoint you requested. We use your IP only to determine your approximate location (country and region) and for security and abuse detection. We do not store your raw IP.
If you accept the analytics cookie category we additionally keep, in our own database, a record of how you use the site — searches you run on GovQuery, messages you send in AI Mode, page navigation, and clicks — together with the results we returned and the AI's response. This server-side log is described in section 4 below and is governed by the same consent gate as the cookies it complements.
What we don't collect
We do not collect or process: payment-card details (the Services are free); device location (GPS); biometrics; audio or video recordings; education records; employment records; or any of the "sensitive" categories listed under California's CPRA or the GDPR.
Cookies and similar storage
A full, name-by-name list of every cookie and storage item we set on your device — what each does, who sets it, and how long it lasts — is in our Cookie Policy. The summary lives in section 4 below.
2. HOW DO WE PROCESS YOUR INFORMATION?
In Short: To run the site, improve it, keep it secure, and reply to you.
Specifically:
- To deliver the Services. Render pages, run searches, answer AI Mode questions, keep you signed in. We can't do this without processing the request metadata and (for signed-in users) the account information you gave us.
- To improve the Services. With your analytics consent, we look at which searches and pages are most useful, where the AI gets confused, and what frustrates visitors. We use this to fix bugs and prioritise product changes.
- To keep the Services secure. We use IP, User-Agent, and request patterns to detect and block abuse — credential stuffing, bot scraping, denial-of-service attempts, and other malicious traffic.
- To respond to you. If you email us, we keep the message so we can answer it.
- To comply with law. If we receive a valid legal request (subpoena, court order), we may have to disclose information we hold.
We do not use your information for advertising, automated profiling that produces legal effects, or sale to data brokers.
3. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?
In Short: AI model providers (necessary to deliver AI Mode), Microsoft Clarity and Google Analytics for analytics (only with your consent), our infrastructure providers, and legal authorities where required. We do not sell your personal information.
- AI model providers (necessary processing). When you use GovQuery AI Mode or open an AI Overview, the text of your message — together with any prior conversation context, retrieved document snippets, and a short system prompt — is sent to one of our AI providers so the model can generate the answer. Today that is Anthropic (Claude models) and Microsoft Azure AI Foundry (Azure-hosted OpenAI models). Both providers act as data processors under our contracts and do not use your input to train their public models. This processing is necessary for the feature to work and is not consent-gated: if you do not want your messages sent for processing, do not use AI Mode or AI Overview.
- LangSmith (engineering tracing — analytics-gated). When you have accepted the analytics cookie category, we send a trace of your AI Mode run — the message, tool calls, and model output — to LangChain LangSmith so our engineers can debug failures and improve the system. If you opt out of analytics, this trace is suppressed at the server before it leaves our infrastructure (the same gate the cookie banner controls). LangSmith acts as a data processor under our contract.
- Microsoft Clarity (analytics — consent-gated). If you accept the analytics cookie category, behaviour data (clicks, scrolls, session replays) is shared with Microsoft for processing under Microsoft's privacy statement. We never share it for advertising. You can turn this off at any time via the Cookie preferences link in the footer.
- Google Analytics 4 and BigQuery (analytics — consent-gated). If you accept the analytics cookie category, aggregate usage data — pageviews, navigation, and GovQuery site-search events (the search term, the filters you applied, and the tab/mode you used), plus a coarse country/region GA4 derives from your IP without storing the IP — is shared with Google for processing under Google's privacy policy. We also export that data to a Google BigQuery dataset in our own Google Cloud project for our own analysis. We do not enable Google advertising features, Google Signals, or data sharing for ads, and we never sell it. You can turn this off at any time via the Cookie preferences link in the footer.
- Infrastructure providers. We run on Microsoft Azure. Standard request data passes through Azure as part of operating the Services. Azure acts as a data processor under our contract and does not use your data for its own purposes.
- IP geolocation (ipapi.co). To turn your IP address into an approximate country and region, we send the IP to ipapi.co over HTTPS, then store only the country/region in our database — we do not store your raw IP. Each unique IP is queried at most once per server instance (the result is cached in memory), and any look-up failure silently returns "unknown" rather than blocking the page. ipapi.co acts as a data processor for this single transient look-up.
- Authentication providers. If you sign in via an OAuth provider, that provider receives a sign-in request from us when you click "Sign in" — this is the standard OAuth handshake.
- Legal compliance. We may disclose information if required by a valid legal process (subpoena, court order, lawful regulatory request), or if we believe disclosure is necessary to protect rights, property, or safety.
- Business transfers. If we ever merge, are acquired, or transfer assets, your information may be transferred as part of that transaction. You would be notified before any change in ownership of your data.
We do not sell your personal information. We do not share your personal information with advertisers, ad networks, data brokers, or analytics partners other than the Microsoft Clarity, Google Analytics / BigQuery, and LangSmith processing described above (all consent-gated).
4. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?
In Short: We use a small number of strictly necessary cookies plus optional analytics. We do not run advertising. We do not share your personal information with advertisers or data brokers.
We use cookies and similar storage in two categories:
- Strictly necessary — to keep you signed in, hold your in-progress chat thread, and remember your cookie-banner choice. These cannot be turned off because the site stops working without them.
- Analytics — Microsoft Clarity (anonymised session replays and heatmaps), Google Analytics 4 (pageviews, navigation, and GovQuery site-search measurement, also exported to Google BigQuery), and an anonymous browser identifier so our visitor counts don't double-count repeat visits. We also keep a server-side log of how you use the site (described in Server-side activity log below). Used for product improvement, never for advertising.
We do not run advertising, share your personal information with ad networks, use targeted-advertising cookies, or perform automated profiling. California residents who consider the Microsoft Clarity or Google Analytics processing "sharing" under CCPA / CPRA have a one-click opt-out via the Cookie preferences / Do Not Sell or Share link in the page footer.
For the full list of every cookie and storage item we set, what each does, who else (if anyone) receives the data, and how long it lasts, see our Cookie Policy.
Managing your cookie choices
We show a cookie-consent banner the first time you visit, and the Cookie preferences link in the page footer reopens it from any page. The full list of cookies, who sets them, and how long they last is in our Cookie Policy.
Microsoft Clarity
We use Microsoft Clarity to capture how you use and interact with our website through behavioral metrics, heatmaps, and session replays so we can improve the site. Clarity only loads after you accept the analytics category in the cookie-consent banner. It is not used for advertising; we do not run any advertising. Website usage data is processed by Microsoft under their terms; for more information visit the Microsoft Privacy Statement.
Google Analytics 4 and BigQuery
We use Google Analytics 4 (GA4) to measure aggregate site usage: pageviews, navigation between pages, and GovQuery site-search events (the search term, the filters you applied, and the tab/mode you used), plus a coarse country/region GA4 derives from your IP. GA4 does not store your IP address, and we do not enable Google advertising features, Google Signals, or ads data-sharing. GA4 only loads after you accept the analytics category in the cookie-consent banner — until then no Google Analytics cookies (_ga, _ga_*, _gid, _gat) are set; withdrawing consent clears them. The collected events are also exported to a Google BigQuery dataset in our own Google Cloud project so we can analyse usage trends ourselves. Data is processed by Google under the Google Privacy Policy.
Server-side activity log
When the analytics category is active for your session, we keep a server-side log of how you use the site so we can improve it. This is separate from cookies — it lives only in our own database. Each log entry covers a single action (a search, an AI Mode message, a page view, or a click) and includes the query or page involved, the results we returned, the AI's response and chat thread where applicable, your approximate location (country and region), an anonymous session identifier, and any rating or feedback you submit. We do not store your IP address. Access is restricted to staff with the superuser role and is audited. Entries are retained for at least 12 months. To request deletion, email privacy@programintegrity.org.
Withdrawing analytics consent via the Cookie preferences footer link stops new entries from being written and triggers deletion of any analytics cookies on your device. The consent check is enforced both in your browser and on our servers — if you opt out, the server drops any activity-log write request before it reaches the database, even if a script or browser extension attempts to send one.
5. HOW LONG DO WE KEEP YOUR INFORMATION?
In Short: As long as necessary, and no longer. Specific retention periods are below.
- Account information (email, OAuth-provided name) — until you delete your account. When you delete the account we soft-delete the row — the email is replaced with an anonymous placeholder, the password hash is wiped, and the account is marked inactive — so that audit records pointing at it remain consistent without keeping your identity attached. SSO links are hard-deleted.
- Server-side activity log (searches, AI Mode chats, page views, clicks) — at least 12 months, then routinely pruned. Deletion deletes the row entirely. Email us to request earlier deletion — see section 7 for what to include.
- Google Analytics 4 / BigQuery (consent-gated analytics) — GA4 retains event-level data for up to 14 months; the BigQuery export lives in our own Google Cloud project until we delete it. Because GA4 holds only an anonymous client identifier (no user_id), we cannot target an individual programmatically; on request we run a property-wide or date-range deletion via GA4 Admin → Data Deletion Requests (which also clears the linked BigQuery dataset).
- Cookie-consent records — at least 12 months so we can demonstrate compliance.
- Authentication / abuse-detection logs (sign-in events, MCP-API events, search events) — kept for the period needed to investigate suspicious activity. When you exercise your right to erasure, these rows are anonymised, not deleted — your user_id, email, and raw IP are removed from the row, but the event itself stays in the log because we have a legitimate-interest (GDPR Recital 49 / Article 6(1)(f)) basis to retain anonymised security records.
- Support emails — kept while the support thread is active and for a reasonable period after, then deleted.
When we no longer have a legitimate need to keep something, we delete it or anonymise it. Backup copies are isolated from live processing until the backup itself rolls off.
6. DO WE COLLECT INFORMATION FROM MINORS?
In Short: We do not knowingly collect data from or market to children under 18 years of age.
We do not knowingly collect, solicit data from, or market to children under 18 years of age, nor do we knowingly sell such personal information. By using the Services, you represent that you are at least 18 or that you are the parent or guardian of such a minor and consent to such minor dependent's use of the Services. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we have collected from children under age 18, please contact us at privacy@programintegrity.org.
7. YOUR PRIVACY RIGHTS
In Short: You can access, correct, delete, and export your personal information, and opt out of analytics, at any time.
Whoever you are and wherever you live, you have the following rights with respect to the personal information we hold about you:
- Access — get a copy of what we hold.
- Correction — have inaccuracies fixed.
- Deletion — have it deleted.
- Portability — receive a copy in a portable format.
- Object / restrict — object to processing or ask us to restrict it.
- Withdraw consent — for anything we process on the basis of your consent (mainly analytics). The fastest way is the Cookie preferences link in the page footer. Withdrawal doesn't undo processing that already happened, but stops further processing.
- Non-discrimination — exercising any of these never disadvantages you in the Services we provide.
How to exercise these rights
For everyone — registered or not — the single channel is email: privacy@programintegrity.org. We respond within 30 days (with one 30-day extension where the request is complex). There is no fee. If we need to verify it's actually you, we'll ask for the minimum information needed.
Internally, we fulfil access and erasure requests for account holders using tested admin tooling that walks every PII table we hold and runs the deletes / anonymisations in a single database transaction so a partial failure rolls back. The same tooling underpins both the email-driven workflow and any future direct API access — your data is never half-erased.
If you don't have an account
We hold less data on visitors who never sign in, and most of it is already pseudonymised by design (security-review-2 HIGH-12 / privacy hashing): the IP and User-Agent are SHA-256 hashed before storage on the analytics tables (user_activity, consent_events). The only key tying those rows to a specific browser is the random pia_session_id value your browser keeps in localStorage — which we don't see except when your browser sends it back on its next visit.
Three things you can do:
- Self-help via your browser. Clearing your site data for programintegrity.org (DevTools → Application → Storage → Clear site data, or your browser's "Clear browsing data" dialog) wipes the pia_session_id value. The rows we already hold can no longer be tied to any future visit, and you can't be tracked across sessions. This is the closest thing to "anonymous erasure on your terms".
- Targeted erasure via email. If you want us to actually delete the rows, email the address above and include either your pia_session_id (found at DevTools → Application → Local Storage → pia_session_id) or an approximate visit window plus the IP you used. With the session id we can do an exact match; with IP + window we hash the IP and match the analytics rows, plus the short-retention audit-table rows that retain raw IP under legitimate-interest basis.
- GDPR Article 11(2) acknowledgement. If you can't provide enough information for us to identify the relevant rows, GDPR Article 11(2) limits our obligation — but the underlying point is that the data is already pseudonymised, the audit-table rows with raw IP roll off retention on a short window, and your future identifiability falls off as you clear browser state. We're not refusing the request; the data has already drifted past the point where it points at any specific person.
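The server-side consent gate from the "Server-side activity log" part of section 4 and the pseudonymised, session-keyed rows described just above, as an added Python example that is not PIA's own code. It assumes a server-side secret key for the hash (the notice states only that SHA-256 is used; keying it is an added hardening, since an unkeyed digest of an IPv4 address can be reversed by hashing the whole address space), and the table stand-ins, session ids and traffic are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib
import hmac

# Assumed server-side secret (constructed); in production it would live in secret storage.
HASH_KEY = b"constructed-example-key-not-a-real-secret"


def pseudonymise(value: str) -> str:
    """Keyed SHA-256 (HMAC) of an IP or User-Agent string; the raw value is never stored."""
    return hmac.new(HASH_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()


@dataclass
class ActivityRow:
    session_id: str   # random pia_session_id the browser keeps in localStorage
    ts: datetime
    ip_hash: str
    ua_hash: str
    action: str       # "search", "ai_message", "page_view" or "click"
    detail: str
    country: str      # approximate country/region from the geo lookup, never the raw IP


@dataclass
class ActivityLog:
    consent: dict = field(default_factory=dict)  # stand-in for the consent_events table
    rows: list = field(default_factory=list)     # stand-in for the user_activity table
    dropped: int = 0                             # writes refused by the server-side gate

    def record_consent(self, session_id: str, analytics: bool) -> None:
        self.consent[session_id] = analytics

    def write(self, session_id, ts, ip, user_agent, action, detail, country) -> bool:
        # Server-side gate: without a recorded analytics consent the write is dropped
        # here, whatever a client-side script or browser extension sent.
        if not self.consent.get(session_id, False):
            self.dropped += 1
            return False
        self.rows.append(ActivityRow(session_id, ts, pseudonymise(ip),
                                     pseudonymise(user_agent), action, detail, country))
        return True

    def erase_by_session(self, session_id: str) -> int:
        """Exact match on the pia_session_id the requester supplied."""
        keep = [r for r in self.rows if r.session_id != session_id]
        removed = len(self.rows) - len(keep)
        self.rows = keep
        return removed

    def erase_by_ip_window(self, ip: str, start: datetime, end: datetime) -> int:
        """Requester gave an IP and an approximate visit window: hash the IP and match."""
        target = pseudonymise(ip)
        keep = [r for r in self.rows if not (r.ip_hash == target and start <= r.ts <= end)]
        removed = len(self.rows) - len(keep)
        self.rows = keep
        return removed


def demo() -> dict:
    """Constructed traffic: one consenting session, one that opted out."""
    log = ActivityLog()
    t = datetime(2026, 5, 1, 12, 0, tzinfo=timezone.utc)
    ua = "Mozilla/5.0 (constructed user agent)"
    log.record_consent("sess-consented", True)
    log.record_consent("sess-opted-out", False)
    log.write("sess-consented", t, "203.0.113.7", ua, "search", "grant fraud", "US-CA")
    log.write("sess-consented", t, "203.0.113.7", ua, "ai_message", "summarise audits", "US-CA")
    # Same browser three days later: outside the window the requester will quote.
    log.write("sess-consented", t + timedelta(days=3), "203.0.113.7", ua, "page_view", "/about", "US-CA")
    log.write("sess-opted-out", t, "203.0.113.8", ua, "search", "must be dropped", "US-NY")
    stored_before = len(log.rows)
    # The raw IP must not appear in any stored column.
    raw_ip_present = any("203.0.113.7" in (r.ip_hash, r.ua_hash) for r in log.rows)
    by_window = log.erase_by_ip_window("203.0.113.7", t - timedelta(hours=1), t + timedelta(hours=1))
    by_session = log.erase_by_session("sess-consented")
    return {"stored_before": stored_before, "dropped": log.dropped,
            "raw_ip_present": raw_ip_present, "erased_by_ip_window": by_window,
            "erased_by_session": by_session, "remaining": len(log.rows)}


if __name__ == "__main__":
    print(demo())
```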
Erasure and the third parties we work with
Erasure deletes everything we hold about you in our own database. We also send certain data to third-party processors (AI model providers when you use AI Mode; Microsoft Clarity and Google Analytics — the latter also exported to Google BigQuery — for analytics if you've accepted that category; LangChain LangSmith for engineering tracing of AI runs if you've accepted analytics; ipapi.co for the country-and-region IP lookup; your OAuth provider when you sign in; Microsoft Azure as our infrastructure provider). Those processors hold their own copies under their own retention schedules. When you ask us to erase your data:
- We instruct deletion at processors that expose a delete API and where the data is identifiable to a specific user (LangSmith run / thread IDs, Microsoft Clarity session IDs where we can resolve them). This is best-effort — some lookups require operator-side work and the actual delete propagates on the provider's own schedule.
- We cannot compel further deletion at processors that retain under their own legal-obligation or abuse-detection basis (typically the AI providers, who retain user prompts for ~30 days under the processor agreement, and the geolocation lookup, which retains short request logs we don't control). On request we will write to the provider's data-protection contact under our processor agreement asking for an earlier deletion on your behalf; the outcome is their call, not ours.
- The OAuth provider you signed in with holds its own record of "this user signed in to PIA at time X" — that record is governed by their terms, not ours. You can revoke our app from your OAuth account's permissions page at any time.
We'll be explicit in our response to your erasure request about what we deleted ourselves, what we instructed, and what we asked the provider to delete on your behalf.
Region-specific add-ons (additional rights or specific opt-out mechanisms required by your local law) are in section 9 below.
8. CONTROLS FOR BROWSER PRIVACY SIGNALS
We do not respond to the legacy Do Not Track ("DNT") header — no industry or legal standard for it was finalised, and the major browsers stopped exposing it.
We do respect the Global Privacy Control signal (Sec-GPC: 1). When your browser sends GPC, we treat it as an opt-out of any "sale" or "sharing" of personal information and set the cookie banner to its opt-in mode. We follow the GPC specification for parsing the header.
9. REGION-SPECIFIC DISCLOSURES
The rights in section 7 apply to everyone. The disclosures below cover the additional information your local privacy law specifically requires.
9.1 EU, UK, EEA, and Switzerland (GDPR / UK GDPR / revFADP)
Legal bases for processing. Under GDPR Article 6 we rely on:
- Consent — for the analytics cookie category and the server-side activity log. You can withdraw via the Cookie preferences footer link.
- Legitimate interests — for security, abuse detection, and maintaining sign-in state.
- Contract — when you create an account or send us a support request.
- Legal obligation — for the records of consent choices we keep to demonstrate compliance.
Right to lodge a complaint. If you're unhappy with how we handle your data you may complain to your supervisory authority — the Information Commissioner's Office (UK) or your national data-protection authority in the EEA — at any time, with or without contacting us first.
9.2 United States residents
US state consumer-privacy laws (California's CCPA / CPRA, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and others) give residents broadly similar rights to those in section 7 above. To exercise them, email privacy@programintegrity.org. If we decline a request, you have the right to appeal — reply to our decision email and we'll review.
Categories of personal information we collect (as required by Cal. Civ. Code §1798.130(a)(5)):
| Category | Examples | Collected |
|---|---|---|
| A. Identifiers | Name, postal address, phone, IP address, online identifier, email, account name | Partial — email and display name from your OAuth sign-in provider (for account holders), and your IP for geo lookup + security (not stored). No postal address or phone number. |
| B. California Customer Records Act categories | Name, contact info, education, employment, financial information | No |
| C. Protected classifications | Gender, age, race, national origin, marital status, etc. | No |
| D. Commercial information | Purchase history, transaction details | No |
| E. Biometric information | Fingerprints, voiceprints | No |
| F. Internet activity | Browsing history, search history, interactions with the site | Yes (with consent) — when you accept the analytics cookie category: searches, AI Mode messages, page navigation, clicks |
| G. Geolocation | Precise device location (GPS) | No — only approximate country / region derived from your IP |
| H. Audio / visual | Images, recordings | No |
| I. Professional / employment | Job title, work history | No |
| J. Education | Student records | No |
| K. Inferences / profiles | Profiles built from the categories above | No |
| L. Sensitive personal information | Racial / ethnic origin, religion, sexual orientation, health, biometrics, precise location, government identifiers, financial account credentials | No |
We do not sell your personal information, and we have not done so in the preceding twelve months. The only "sharing" within the meaning of CCPA / CPRA is the Microsoft Clarity and Google Analytics processing described in section 3, both gated behind your analytics consent.
Global Privacy Control. We honour Sec-GPC: 1 as the universal opt-out of sale / sharing required by several US state privacy laws — no separate opt-out request needed.
California "Do Not Sell or Share". Californian visitors see the page-footer link labelled Cookie preferences / Do Not Sell or Share (per Cal. Civ. Code §1798.135). Clicking it reopens the cookie banner where un-ticking Analytics stops Microsoft Clarity and Google Analytics processing and triggers deletion of their cookies on your device.
California "Shine the Light". California residents may request, once a year, information about any personal information we shared with third parties for those third parties' direct-marketing purposes in the preceding calendar year (Cal. Civ. Code §1798.83). We have not shared any personal information for third-party direct marketing. If you wish to confirm this in writing, email privacy@programintegrity.org.
10. DO WE MAKE UPDATES TO THIS NOTICE?
In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.
We may update this Privacy Notice from time to time. The updated version will be indicated by an updated "Revised" date at the top of this Privacy Notice. If we make material changes to this Privacy Notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Privacy Notice frequently to be informed of how we are protecting your information.
11. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?
If you have questions or comments about this notice, you may email us at privacy@programintegrity.org.