Privacy Policy

1. Information We Collect

We collect information you provide when creating an account, listing a business, or contacting us. This includes name, email address, business details, and uploaded media.

We also automatically collect:

• Usage data — pages viewed, search queries, features used, and interaction patterns
• Device information — device type, operating system, browser type, and screen resolution
• Location data — approximate location derived from IP address and, with your permission, precise location for nearby business searches
• Log data — IP address, access times, and referring URLs

2. How We Use Your Information

• To operate the BlackDistrict directory and display business profiles
• To verify business ownership and manage verification status
• To send transactional emails (account creation, verification updates, boost confirmations)
• To improve our search ranking and recommendation systems
• To process payments and manage subscriptions
• To detect and prevent fraud, abuse, and security threats
• To comply with legal obligations

3. Information Sharing

We do not sell your personal information. We will never sell, rent, or trade your personal data to third parties for their marketing purposes.

Business profile information (name, location, contact details, photos) is public and indexed by search engines if the business is listed as live.

4. Service Providers

We share data with the following service providers solely to operate the platform:

• Supabase — database hosting, authentication, and file storage (US-based)
• Firebase — push notifications and mobile analytics (Google, US-based)
• RevenueCat — subscription management (US-based)
• Vercel — website hosting and edge delivery (US-based)
• Google Maps Platform — business location mapping and geocoding
• Apple / Google — in-app purchase processing

Each provider is contractually required to protect your data and use it only for the purposes we specify.

5. Business Listing Data

When you list a business, your business name, city/state, category, and contact information become publicly visible. Your personal account details (email, password) are not shared publicly.

Verification documents (ownership records, identity documentation) are stored in private, access-controlled storage and accessible only to authorized BlackDistrict reviewers. These documents are never shared publicly or with third parties.

6. Data Retention

We retain your account data as long as your account is active. When you delete your account:

• Personal account data is deleted within 30 days
• Verification documents are permanently deleted
• Business listings may be retained in anonymized form to preserve directory integrity, or removed upon request
• Backup copies are purged within 90 days

7. Your Rights

Depending on your location, you may have the following rights:

• Access — request a copy of your personal data
• Correction — update inaccurate or incomplete data
• Deletion — request deletion of your personal data
• Portability — export your data in a machine-readable format
• Opt-out — decline analytics and marketing cookies

To exercise any of these rights, email privacy@blackdistrict.org or use the data export feature in your account settings. We will respond within 30 days.

8. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act:

• The right to know what personal information we collect, use, and disclose
• The right to delete your personal information
• The right to opt out of the sale or sharing of personal information — we do not sell your data
• The right to non-discrimination for exercising your privacy rights

To make a request, email privacy@blackdistrict.org with the subject line "CCPA Request."

9. Children's Privacy

BlackDistrict is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected data from a child under 13, we will delete it promptly. If you believe a child has provided us personal information, please contact privacy@blackdistrict.org.

10. Security

We use industry-standard encryption (TLS 1.2+) for data in transit. Data at rest is encrypted using Supabase's hosted infrastructure with AES-256 encryption. Verification documents are stored in private, access-controlled buckets with row-level security.

We conduct regular access reviews and follow the principle of least privilege for internal data access.

11. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify affected users within 72 hours of becoming aware of the breach, in accordance with applicable state and federal laws. Notification will include the nature of the breach, what data was affected, and steps you can take to protect yourself.

12. Cookies & Tracking

We use cookies and similar technologies as described in our Cookie Policy. You can manage your cookie preferences at any time through the cookie settings link in our website footer.

13. Do Not Track

BlackDistrict honors Do Not Track (DNT) signals sent by your browser. When DNT is enabled, we will not set analytics or marketing cookies.

14. International Users

BlackDistrict is a product of Maison du Code LLC and is operated in the United States. If you access our service from outside the US, your information will be transferred to and processed in the United States. By using BlackDistrict, you consent to this transfer.

15. Changes to This Policy

We may update this policy as our service evolves. Material changes will be communicated via email or an in-app notice at least 30 days before they take effect. The "Last updated" date above reflects the most recent revision.

16. Contact

For privacy-related questions, contact us at privacy@blackdistrict.org.