# Majority Engine Privacy, Security, And Disclaimer Requirements

This is a working product requirement for Majority Engine. It should be updated as the product moves from local MVP to hosted staging and then production.

It is not legal advice. Before a real launch with campaign data, counsel should review the final privacy policy, terms, security statement, campaign finance disclaimer, and state-specific requirements.

## Product Rule

Majority Engine should collect the least information required to give campaign staff an accurate view of cash on hand, available cash, expected revenue, expected expenses, and projected burn down.

If a field is not needed for planning, reconciliation, permissioning, billing, support, security, or compliance, do not collect it.

## Data Categories We Expect To Collect

### 1. Account And User Access Data

Examples:

- user name;
- email address;
- optional phone number;
- campaign role or title;
- organization or committee name;
- campaign name for access routing;
- owner/admin-reviewed access request notes;
- limited custom intake fields needed to route access;
- role, such as owner, admin, staff, or viewer;
- login provider identifier;
- membership and tenant identifiers;
- security audit events.

Why it is needed:

- authenticate users;
- restrict users to the correct campaign or organization;
- enforce role-based permissions;
- keep an audit trail of sensitive changes.

Implementation requirement:

- local MVP may use local development sign-in only;
- hosted deployments must use managed authentication;
- hosted deployments must not store homegrown user passwords in the Majority Engine database;
- tenant and role checks must stay server-side; the workspace a user may see and the role they hold come from the membership table, never from the request or from a client-supplied identifier;
- hosted operator-console access must require a managed identity token issued to an approved operator/admin email and carrying an operator-only custom claim; a normal campaign user login, even from an approved address, is not enough;
- sign-in and access-request forms must not ask for passwords, bank credentials, payment processor secrets, or private keys;
- access requests must remain pending until an owner or admin approves or rejects them;
- approval should create or update the user profile and workspace membership, not bypass managed authentication;
- custom intake fields should be limited to information needed for workspace access, support, compliance, or security.
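The access checks above, as an added example that is not Majority Engine code: it assumes the managed identity provider's SDK has already verified the token (signature, issuer, audience, expiry) and produced a claims dict. The claim names `email_verified` and `majority_operator`, the role ordering, the in-memory membership table and the operator allowlist are all assumptions standing in for whatever the hosted deployment uses.

```python
"""Operator-console and role checks over already-verified identity claims.

Added example, not Majority Engine code. It assumes the managed identity
provider's SDK has already verified the token signature, issuer, audience
and expiry and handed us the claims as a dict. The claim names
`majority_operator` and `email_verified`, the membership table shape, and
the role ordering are assumptions.
"""
from dataclasses import dataclass

# Role hierarchy: a higher index can do everything a lower one can.
ROLE_ORDER = ("viewer", "staff", "admin", "owner")

# Assumed: approved operator addresses come from deployment configuration,
# never from the request or from the token itself.
APPROVED_OPERATORS = frozenset({"oncall@example.org"})

# Constructed membership table: (user_id, tenant_id) -> role.
# In the hosted product this is a server-side query, not a dict.
MEMBERSHIPS = {
    ("user-1", "campaign-a"): "staff",
    ("user-2", "campaign-a"): "owner",
    ("user-2", "campaign-b"): "viewer",
}


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class Principal:
    user_id: str
    email: str
    tenant_id: str
    role: str


def principal_for_workspace(claims: dict, tenant_id: str,
                            memberships=MEMBERSHIPS) -> Principal:
    """Resolve a campaign user for the workspace named in the route.

    Tenant and role are looked up server-side from the membership table,
    keyed by the provider's stable subject id. Nothing in the request body
    or in the token decides which workspace the user may see.
    """
    if not claims.get("email_verified"):
        raise AccessDenied("email not verified")
    role = memberships.get((claims["sub"], tenant_id))
    if role is None:
        raise AccessDenied("not a member of this workspace")
    if role not in ROLE_ORDER:
        raise AccessDenied(f"unknown role {role!r}")
    return Principal(claims["sub"], claims["email"], tenant_id, role)


def has_role(principal: Principal, minimum: str) -> bool:
    return ROLE_ORDER.index(principal.role) >= ROLE_ORDER.index(minimum)


def require_role(principal: Principal, minimum: str) -> None:
    if not has_role(principal, minimum):
        raise AccessDenied(f"{principal.role} is below required {minimum}")


def require_operator(claims: dict) -> str:
    """Operator console: a normal campaign login is not enough.

    The token must carry the operator-only custom claim, the address must
    be verified, and it must be on the approved list. Any one of these on
    its own is insufficient: a campaign user with a verified, approved
    address but no claim is still refused.
    """
    if not claims.get("email_verified"):
        raise AccessDenied("email not verified")
    if claims.get("majority_operator") is not True:
        raise AccessDenied("missing operator claim")
    email = str(claims.get("email", "")).strip().lower()
    if email not in APPROVED_OPERATORS:
        raise AccessDenied("address is not an approved operator")
    return email
```

The order of checks in `require_operator` matters less than the fact that all three must pass; the allowlist alone would let a campaign user who happens to share an approved address through, and the claim alone would trust whatever the provider was configured to stamp on any account.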

### 2. Campaign Workspace Data

Examples:

- campaign name;
- organization name;
- election date;
- timezone;
- starting cash date;
- starting cash amount;
- scenarios;
- user-defined buckets;
- clearing rules;
- preferences.

Why it is needed:

- calculate cash position;
- organize projected and actual activity;
- support scenarios and staff-controlled assumptions.

Implementation requirement:

- every campaign-scoped query must be tenant-scoped;
- user-controlled buckets and clearing rules must remain editable;
- hosted exports must not expose another tenant's workspace data.
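One way to make "every campaign-scoped query must be tenant-scoped" structural rather than a convention, as an added example that is not Majority Engine code: the repository takes the tenant from the authenticated principal on every call and has no method that accepts a tenant id from the request. An in-memory SQLite database stands in for the hosted Postgres repository; the table layout and the `Principal` shape are assumptions.

```python
"""Tenant-scoped repository: every query is filtered by the tenant of the
authenticated principal, and no method accepts a tenant id from the request.

Added example, not Majority Engine code. An in-memory SQLite database
stands in for the hosted Postgres repository; the table layout and the
`Principal` shape are assumptions.
"""
import sqlite3
from dataclasses import dataclass

COLUMNS = ("id", "description", "amount_cents", "status")


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str  # set server-side from membership, never from input
    role: str


class CashflowRepository:
    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        conn.execute(
            """CREATE TABLE IF NOT EXISTS cashflow (
                 id INTEGER PRIMARY KEY,
                 tenant_id TEXT NOT NULL,
                 description TEXT NOT NULL,
                 amount_cents INTEGER NOT NULL,
                 status TEXT NOT NULL)"""
        )
        conn.execute(
            "CREATE INDEX IF NOT EXISTS ix_cashflow_tenant ON cashflow (tenant_id)"
        )

    def insert(self, principal: Principal, description: str,
               amount_cents: int, status: str) -> int:
        cur = self.conn.execute(
            "INSERT INTO cashflow (tenant_id, description, amount_cents, status)"
            " VALUES (?, ?, ?, ?)",
            (principal.tenant_id, description, amount_cents, status),
        )
        return cur.lastrowid

    def get(self, principal: Principal, record_id: int):
        # The classic cross-tenant bug is `WHERE id = ?` alone: ids are
        # guessable, so the tenant predicate is part of every lookup.
        row = self.conn.execute(
            "SELECT id, description, amount_cents, status FROM cashflow"
            " WHERE id = ? AND tenant_id = ?",
            (record_id, principal.tenant_id),
        ).fetchone()
        return None if row is None else dict(zip(COLUMNS, row))

    def update_status(self, principal: Principal, record_id: int,
                      status: str) -> bool:
        """Returns False when the row is not in the caller's tenant. The
        API layer should surface that as a plain 404 rather than 403, so the
        response does not confirm that another tenant's id exists."""
        cur = self.conn.execute(
            "UPDATE cashflow SET status = ? WHERE id = ? AND tenant_id = ?",
            (status, record_id, principal.tenant_id),
        )
        return cur.rowcount == 1

    def export(self, principal: Principal) -> list:
        """Workspace export uses the same tenant predicate, so a hosted
        export can never include another tenant's rows."""
        rows = self.conn.execute(
            "SELECT id, description, amount_cents, status FROM cashflow"
            " WHERE tenant_id = ? ORDER BY id",
            (principal.tenant_id,),
        ).fetchall()
        return [dict(zip(COLUMNS, r)) for r in rows]


def make_repository() -> CashflowRepository:
    """In-memory stand-in so the example runs offline."""
    return CashflowRepository(sqlite3.connect(":memory:"))
```

The shared repository contract mentioned in the staging gate is the natural place to pin this down: a contract test that inserts rows for two tenants and asserts that reads, updates and exports for one never touch the other catches a missing predicate in any adapter, Postgres included.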

### 3. Cashflow Records

Examples:

- expected date;
- expected clearing date;
- actual clearing date;
- description;
- amount;
- kind, such as revenue, expense, transfer in, or transfer out;
- status, such as projected, pending, committed, cleared, canceled, or archived;
- confidence;
- flexibility;
- bucket;
- source;
- payment type;
- processor;
- tags;
- notes.

Why it is needed:

- calculate available cash;
- show projected cash over time;
- reconcile planned activity against actuals;
- explain why projections differ from cleared bank activity.

Implementation requirement:

- notes should be treated as sensitive staff context;
- tags should be imported and exported, but should not change cash calculations;
- an actual clearing date overrides expected and projected timing wherever both exist;
- committed expenses should reduce available cash immediately, before they clear.
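The cash arithmetic these rules imply, as an added example that is not Majority Engine code. It encodes one reading of the section: an actual clearing date wins over expected timing, committed and pending outflows reduce available cash at once, uncleared inflows never raise it, canceled and archived records are ignored, and tags never enter the calculation. Amounts are integer cents and dates are ISO strings (which sort correctly as text); the field names, the sample records and the conservative treatment of pending inflows are assumptions.

```python
"""Cash position from cashflow records.

Added example, not Majority Engine code. One reading of the section's
rules: an actual clearing date overrides expected timing, committed and
pending outflows reduce available cash immediately, uncleared inflows are
never counted as available, canceled/archived records are ignored, and
tags never affect the arithmetic. Amounts are integer cents; dates are ISO
strings. Field names and the sample records are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

INFLOW_KINDS = {"revenue", "transfer_in"}
OUTFLOW_KINDS = {"expense", "transfer_out"}
INACTIVE = {"canceled", "archived"}


@dataclass(frozen=True)
class Record:
    description: str
    amount_cents: int          # always positive; `kind` gives the direction
    kind: str                  # revenue | expense | transfer_in | transfer_out
    status: str                # projected | pending | committed | cleared | canceled | archived
    expected_date: str
    expected_clearing_date: Optional[str] = None
    actual_clearing_date: Optional[str] = None
    tags: tuple = ()           # imported and exported, never used below


def signed(rec: Record) -> int:
    if rec.kind in INFLOW_KINDS:
        return rec.amount_cents
    if rec.kind in OUTFLOW_KINDS:
        return -rec.amount_cents
    raise ValueError(f"unknown kind {rec.kind!r}")


def effective_date(rec: Record) -> str:
    """Actual clearing date wins, then expected clearing date, then expected date."""
    return rec.actual_clearing_date or rec.expected_clearing_date or rec.expected_date


def cash_on_hand(starting_cents: int, records, as_of: str) -> int:
    """Starting cash plus everything that has actually cleared by `as_of`."""
    total = starting_cents
    for rec in records:
        if (rec.status == "cleared" and rec.actual_clearing_date
                and rec.actual_clearing_date <= as_of):
            total += signed(rec)
    return total


def available_cash(starting_cents: int, records, as_of: str) -> int:
    """Cash on hand minus outflows that are committed or pending but not yet
    cleared, regardless of their expected date. Uncleared inflows do not
    count, so a pledge never inflates what staff can spend today."""
    total = cash_on_hand(starting_cents, records, as_of)
    for rec in records:
        if rec.status in {"committed", "pending"} and rec.kind in OUTFLOW_KINDS:
            total += signed(rec)
    return total


def projected_balances(starting_cents: int, records, through: str) -> list:
    """Running balance by effective date for the burn-down chart. Cleared
    items sit on their actual date; everything else on expected timing."""
    by_date = {}
    for rec in records:
        if rec.status in INACTIVE:
            continue
        d = effective_date(rec)
        if d <= through:
            by_date[d] = by_date.get(d, 0) + signed(rec)
    balance, series = starting_cents, []
    for d in sorted(by_date):
        balance += by_date[d]
        series.append((d, balance))
    return series


# Constructed sample workspace: $100,000.00 starting cash.
STARTING_CASH = 100_000_00
SAMPLE_RECORDS = (
    Record("ActBlue payout", 50_000_00, "revenue", "cleared", "2026-03-05",
           expected_clearing_date="2026-03-05", actual_clearing_date="2026-03-01"),
    Record("Digital vendor invoice", 20_000_00, "expense", "committed", "2026-03-10"),
    Record("Check 1042 to printer", 5_000_00, "expense", "pending", "2026-02-27",
           expected_clearing_date="2026-03-03"),
    Record("Major donor pledge", 30_000_00, "revenue", "projected", "2026-03-15",
           tags=("pledge",)),
    Record("Canceled event deposit", 10_000_00, "expense", "canceled", "2026-03-04"),
    Record("Payroll", 7_000_00, "expense", "cleared", "2026-03-02",
           actual_clearing_date="2026-03-02"),
)
```

Note the payout: expected to clear on the 5th, it actually cleared on the 1st, and the projection places it on the 1st. On the sample data the projected balance on the 10th equals available cash on the 2nd, which is the reconciliation property the section is after: once every committed and pending item has landed, the projection and the conservative number agree.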

### 4. Imported Contribution, Processor, And Donor Data

Examples:

- donor or contributor name;
- contribution amount;
- contribution date;
- payment processor;
- ActBlue, NGP, or Democracy Engine identifiers;
- employer and occupation if imported from campaign finance records;
- contribution source file metadata.

Why it may be needed:

- reconcile expected contributions and processor payouts;
- group contribution sources;
- understand cash timing;
- reduce manual entry.

Implementation requirement:

- import preview must happen before promotion;
- duplicate detection should run before records become active;
- imported records should preserve source metadata where useful;
- do not use public FEC contributor data for commercial solicitation or resale.
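The preview-then-promote flow with duplicate detection, as an added example that is not Majority Engine code. Rows with a processor identifier are matched exactly on it; rows without one fall back to a fuzzy key of date, amount and normalized name, which produces a warning for a human to confirm rather than a silent drop. The row shape, the `processor_id` field, the fuzzy key and the sample contributions are constructed for the example.

```python
"""Staged import: preview first, duplicate detection before promotion, and
source metadata preserved on every promoted record.

Added example, not Majority Engine code. The row shape, the `processor_id`
field and the fuzzy key are assumptions; the rows below are constructed
sample data, not real contributions.
"""
import re
from dataclasses import dataclass
from typing import Optional


def normalize_name(name: str) -> str:
    # Lower-case, strip punctuation, collapse whitespace so "J. Smith" and
    # "j  smith" collide. That is what we want for a duplicate *warning*.
    return re.sub(r"\s+", " ", re.sub(r"[^a-z0-9 ]", "", name.lower())).strip()


def exact_key(row: dict) -> Optional[tuple]:
    """Processor identifiers are authoritative when present on both sides."""
    if row.get("processor") and row.get("processor_id"):
        return ("exact", row["processor"], row["processor_id"])
    return None


def fuzzy_key(row: dict) -> tuple:
    return ("fuzzy", row["date"], int(row["amount_cents"]), normalize_name(row["name"]))


@dataclass
class PreviewRow:
    row_number: int
    data: dict
    duplicate_of: Optional[str]   # "record <id>" or "row <n>" within this file
    reason: Optional[str]


def preview_import(rows, existing, source_file: str) -> list:
    """Stage incoming rows against active records without writing anything."""
    seen = {}
    for rec in existing:
        k = exact_key(rec)
        if k:
            seen[k] = f"record {rec['id']}"
        seen.setdefault(fuzzy_key(rec), f"record {rec['id']}")
    preview = []
    for n, row in enumerate(rows, start=1):
        keys = [k for k in (exact_key(row), fuzzy_key(row)) if k]
        hit = next(((k, seen[k]) for k in keys if k in seen), None)
        if hit is None:
            dup, reason = None, None
        else:
            dup = hit[1]
            reason = ("same processor identifier" if hit[0][0] == "exact"
                      else "same date, amount and name")
        for k in keys:                       # also catch duplicates within the file
            seen.setdefault(k, f"row {n}")
        preview.append(PreviewRow(
            n, dict(row, source_file=source_file, source_row=n), dup, reason))
    return preview


def promote(preview, approved_rows=frozenset()) -> list:
    """Only non-duplicates become active records. A flagged row is promoted
    only if a reviewer explicitly approved its row number in the preview."""
    return [dict(p.data, status="pending") for p in preview
            if p.duplicate_of is None or p.row_number in approved_rows]


# Constructed sample data.
EXISTING = [
    {"id": 17, "name": "Jane Smith", "amount_cents": 25000, "date": "2026-03-01",
     "processor": "actblue", "processor_id": "AB-1001"},
    {"id": 18, "name": "Raj Patel", "amount_cents": 5000, "date": "2026-03-02",
     "processor": "ngp", "processor_id": "NGP-77"},
]
INCOMING = [
    {"name": "Jane Smith", "amount_cents": 25000, "date": "2026-03-01",
     "processor": "actblue", "processor_id": "AB-1001"},       # exact duplicate of 17
    {"name": "raj patel", "amount_cents": 5000, "date": "2026-03-02",
     "processor": "", "processor_id": ""},                     # fuzzy duplicate of 18
    {"name": "Maria Lopez", "amount_cents": 10000, "date": "2026-03-03",
     "processor": "actblue", "processor_id": "AB-1002"},       # new
    {"name": "Maria Lopez", "amount_cents": 10000, "date": "2026-03-03",
     "processor": "actblue", "processor_id": "AB-1002"},       # repeated inside the file
]
```

Promoted records carry `source_file` and `source_row`, which is the metadata that later lets staff trace a suspicious contribution back to the exact line it came from.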

### 5. Bank And Financial Institution Data

Examples:

- statement transaction date;
- posted date;
- description;
- debit or credit amount;
- account label;
- extracted statement text;
- source file name;
- reconciliation status.

Why it may be needed:

- confirm cleared revenue;
- confirm cleared expenses;
- detect pending checks, wires, and processor deposits;
- calculate accurate available cash.

Implementation requirement:

- do not ask users to type bank usernames or passwords directly into Majority Engine;
- future bank connectivity should use a trusted connector or bank-approved flow;
- raw statement files should be retained only as long as needed;
- hosted statement storage must be private and encrypted;
- bank import logging must not write full transaction payloads to application logs; log counts, digests, and date ranges instead.

### 6. Billing Data

Examples:

- subscription tier;
- billing contact;
- customer ID from the payment processor;
- invoice and subscription status.

Why it may be needed:

- enforce plan limits;
- provide invoices;
- manage subscriptions.

Implementation requirement:

- payment cards should be handled by a dedicated payment processor;
- Majority Engine should not store full card numbers or CVVs;
- billing webhooks must be verified server-side before changing plan status.
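What "verified server-side before changing plan status" looks like in code, as an added example that is not Majority Engine code and not a vendor SDK. The header layout (`t=<unix ts>,v1=<hex hmac>` signed over `"<ts>.<raw body>"`) follows the scheme Stripe documents for its `Stripe-Signature` header; the endpoint secret, the event shape, the plan table and the sample event are constructed for the example. It also shows the two things that commonly go wrong: verifying a re-serialised body instead of the raw bytes, and applying the same event twice.

```python
"""Server-side verification of a billing webhook before any plan change.

Added example, not Majority Engine code and not a vendor SDK. The header
layout (`t=<unix ts>,v1=<hex hmac>` over `"<ts>.<raw body>"`) follows the
scheme Stripe documents for its Stripe-Signature header; the secret, event
shape and plan table are constructed for the example.
"""
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300   # reject signatures older than five minutes (replay window)


def sign(secret: str, timestamp: int, body: bytes) -> str:
    signed_payload = str(timestamp).encode() + b"." + body
    return hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()


def parse_signature_header(header: str):
    timestamp, candidates = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = int(value)          # ValueError on garbage, caught below
        elif key == "v1":
            candidates.append(value)
    return timestamp, candidates


def verify(secret: str, header: str, body: bytes, now: int = None) -> bool:
    """The MAC is computed over the *raw* request bytes. Parsing the JSON
    and re-serialising it before signing is a classic way to break this."""
    try:
        timestamp, candidates = parse_signature_header(header)
    except ValueError:
        return False
    if timestamp is None or not candidates:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    expected = sign(secret, timestamp, body)
    # Constant-time comparison against every v1 candidate; during secret
    # rotation a provider may legitimately send more than one.
    return any(hmac.compare_digest(expected, c) for c in candidates)


def apply_billing_event(secret: str, header: str, body: bytes,
                        plans: dict, seen_event_ids: set, now: int = None) -> str:
    """Returns 'rejected', 'duplicate' or 'applied'. Plan status changes only
    after verification, and only once per event id (idempotency)."""
    if not verify(secret, header, body, now):
        return "rejected"
    event = json.loads(body)
    if event["id"] in seen_event_ids:
        return "duplicate"
    seen_event_ids.add(event["id"])
    if event["type"] == "customer.subscription.updated":
        plans[event["customer"]] = event["status"]
    return "applied"


# Constructed sample: a subscription moving to past_due.
ENDPOINT_SECRET = "whsec_example_not_a_real_secret"
SAMPLE_TS = 1_800_000_000
SAMPLE_BODY = json.dumps({
    "id": "evt_0001",
    "type": "customer.subscription.updated",
    "customer": "cus_42",
    "status": "past_due",
}, separators=(",", ":")).encode()
SAMPLE_HEADER = f"t={SAMPLE_TS},v1={sign(ENDPOINT_SECRET, SAMPLE_TS, SAMPLE_BODY)}"
```

In a real handler the `seen_event_ids` set is a database table with a unique constraint on the event id, and the plan update and the idempotency insert happen in one transaction; the in-memory set here only shows the ordering of the checks.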

### 7. Support, Security, And Audit Data

Examples:

- request IDs;
- login events;
- write events;
- import events;
- export events;
- role changes;
- IP address or coarse network metadata;
- browser and device metadata needed for security.

Why it is needed:

- investigate unauthorized access;
- support rollback and restore;
- debug without exposing sensitive payloads;
- prove who changed campaign data.

Implementation requirement:

- audit logs should record who did what and when;
- logs should avoid raw bank statements, raw donor files, secrets, tokens, and full financial payloads;
- hosted logs should be access-controlled.
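The logging rules in this section and in the bank data section above (audit who/what/when, no secrets or tokens, no raw statements or full financial payloads), as one added example that is not Majority Engine code. An audit event records which fields changed and their redacted values, so a note edit is logged without its contents; a bank import is logged as counts, a date range and a file digest, never as transaction rows. The sensitive-key list, the digit-run mask, the event fields and the sample rows are assumptions constructed for the example.

```python
"""Audit events and log redaction for record changes and bank imports.

Added example, not Majority Engine code. The sensitive-key list, the
digit-run mask and the event fields are assumptions; the sample rows are
constructed, not real bank activity.
"""
import hashlib
import re
from datetime import datetime, timezone

# Keys whose values are never logged; matched as substrings, case-insensitive.
SECRET_KEY_FRAGMENTS = ("password", "secret", "token", "authorization",
                        "cookie", "api_key", "private_key")
# Free-text fields that carry staff context or raw statement text.
FREE_TEXT_KEYS = ("notes", "description", "extracted_text", "memo")
# Account and routing numbers appear as long digit runs; keep the last four.
DIGIT_RUN = re.compile(r"\b\d{9,17}\b")


def mask_digits(text: str) -> str:
    return DIGIT_RUN.sub(lambda m: "*" * (len(m.group(0)) - 4) + m.group(0)[-4:], text)


def redact(value):
    """Recursively scrub a structure before it reaches a log line."""
    if isinstance(value, dict):
        out = {}
        for k, v in value.items():
            lk = str(k).lower()
            if any(frag in lk for frag in SECRET_KEY_FRAGMENTS):
                out[k] = "[REDACTED]"
            elif lk in FREE_TEXT_KEYS:
                out[k] = f"[{len(str(v))} chars omitted]"
            else:
                out[k] = redact(v)
        return out
    if isinstance(value, (list, tuple)):
        return [redact(v) for v in value]
    if isinstance(value, str):
        return mask_digits(value)
    return value


def audit_event(actor_id: str, request_id: str, action: str,
                target_type: str, target_id, before=None, after=None) -> dict:
    """Who did what, when, to which record, and *which* fields changed.
    Values are stored only after redaction, so a note edit is recorded as a
    changed field without its contents."""
    before, after = before or {}, after or {}
    changed = sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "request_id": request_id,
        "actor_id": actor_id,
        "action": action,
        "target": f"{target_type}:{target_id}",
        "changed_fields": changed,
        "before": redact({k: before.get(k) for k in changed}),
        "after": redact({k: after.get(k) for k in changed}),
    }


def bank_import_log_entry(request_id: str, tenant_id: str, file_name: str,
                          file_bytes: bytes, rows) -> dict:
    """Counts, a date range and a digest of the upload, never the rows."""
    return {
        "request_id": request_id,
        "tenant_id": tenant_id,
        "source_file": file_name,
        "file_sha256": hashlib.sha256(file_bytes).hexdigest(),
        "row_count": len(rows),
        "debit_count": sum(1 for r in rows if r["amount_cents"] < 0),
        "credit_count": sum(1 for r in rows if r["amount_cents"] >= 0),
        "date_range": (min(r["date"] for r in rows), max(r["date"] for r in rows)) if rows else None,
    }


# Constructed statement rows for the example.
SAMPLE_STATEMENT_ROWS = [
    {"date": "2026-03-01", "amount_cents": -150000, "description": "CHECK 1042 ACME PRINT"},
    {"date": "2026-03-03", "amount_cents": 250000, "description": "ACTBLUE PAYOUT"},
]
```

The digest lets an investigator confirm later which exact file was imported without the log ever holding its contents, and the `request_id` ties the import entry to the audit events it produced.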

### 8. AI Tool Data

Examples, only if AI tools are enabled:

- selected uploaded files;
- extracted text;
- model prompts;
- model outputs;
- user corrections;
- review status.

Why it may be needed:

- parse statement PDFs;
- classify transactions;
- summarize anomalies;
- suggest clearing delays.

Implementation requirement:

- AI tools must be disabled by default;
- users must be able to turn AI tools on or off;
- AI actions should have dry-run or review steps before changing records;
- AI output must be treated as advisory and user-reviewed;
- do not send more data to a model than the specific task requires.

## Data We Should Avoid Collecting

Do not collect unless a later product decision and legal/security review specifically approve it:

- bank usernames;
- bank passwords;
- full bank account and routing numbers;
- Social Security numbers;
- dates of birth;
- personal credit reports;
- personal financial identity documents;
- unnecessary donor personal details;
- personal contact lists unrelated to campaign finance planning;
- real campaign data in demo workspaces.

## User-Facing Notices And Disclaimers

### Privacy Policy

Required before hosted use.

Must explain:

- categories of data collected;
- categories of sources;
- purposes of collection and use;
- third-party service providers;
- retention periods;
- deletion and export process;
- security practices at a practical level;
- contact method;
- privacy rights that may apply by state or jurisdiction.

### Notice At Collection

Required or strongly recommended anywhere personal information is collected.

Must appear at or before data collection points, including:

- account creation;
- import page;
- future billing page;
- future integration setup page;
- future AI tool upload page.

### Terms Of Service

Required before hosted use.

Must cover:

- account responsibility;
- authorized use only;
- user data ownership;
- acceptable use;
- subscription terms;
- plan limits;
- no misuse of contributor data;
- termination;
- liability limits;
- governing law.

### Campaign Finance And Professional Advice Disclaimer

Required in the app and public site footer.

Recommended language:

```text
Majority Engine is a campaign planning and cashflow projection tool. It does not provide legal, accounting, banking, treasury, compliance, or campaign finance advice. Users are responsible for verifying imported data, reconciling bank activity, reviewing reports, and consulting qualified professionals before making financial, reporting, or compliance decisions.
```

### Security Statement

Required before hosted use.

Must explain:

- managed authentication;
- encryption in transit;
- encryption at rest through managed providers;
- access controls;
- audit logs;
- backups and restore testing;
- incident response contact;
- what users should not upload.

### AI Tools Notice

Required before any AI-assisted feature processes real data.

Must explain:

- AI tools are optional;
- AI output can be incomplete or wrong;
- staff must review output before relying on it;
- AI actions may process selected campaign data;
- users should not upload data they are not authorized to process.

### Integration Notice

Required before external integrations.

Must explain:

- ActBlue, NGP, Democracy Engine, banks, Stripe, Google Cloud, and other providers are separate services;
- use of integrations may be governed by third-party terms and privacy policies;
- users must have authority to connect each external account.

### Cookie And Analytics Notice

Required if we use cookies or analytics beyond essential session/security cookies.

Implementation preference:

- avoid advertising trackers;
- use privacy-preserving product analytics if analytics are needed;
- do not sell or share personal information for targeted advertising.

## Product Implementation Checklist

### Now, Local MVP

- Keep footer campaign finance disclaimer visible.
- Add local sign-in so users experience an account boundary.
- Clearly label local sign-in as local MVP behavior.
- Keep AI tools disabled by default.
- Keep JSON export/restore available.
- Keep import preview before promotion.
- Keep audit logs for record and configuration changes.
- Document privacy and disclaimer requirements in this file.

### Hosted Staging Gate

Do not upload real campaign data until all of these are true:

- managed authentication is wired end to end;
- test users can log in without local development headers;
- email verification is enforced if the provider supports it;
- tenant and role checks pass against hosted auth;
- Postgres repository adapter passes the shared repository contract;
- secrets are in Secret Manager or equivalent;
- state admin routes are disabled;
- local auth shortcuts are disabled;
- hosted preflight blocks unsafe configuration;
- backup and restore are rehearsed;
- privacy policy, terms, security statement, and disclaimers exist.

### Production Gate

Do not launch production until all hosted staging gates pass plus:

- production project is separate from staging;
- production database is separate from staging;
- production secrets are separate from staging;
- admin access is limited;
- incident response contact is defined;
- legal review is complete;
- billing terms are complete;
- data retention policy is approved;
- deletion/export process is documented;
- public site footer links to Privacy, Terms, Security, and Contact.

## Regulatory And Policy Watch List

These are the main areas to keep watching:

- FTC privacy and data security guidance;
- FTC Safeguards Rule applicability if Majority Engine is considered to handle customer information for a covered financial activity;
- state privacy laws, especially CCPA/CPRA if thresholds are met or if California users are served;
- FEC disclaimer rules for public political committee websites and public communications;
- FEC restrictions on sale or commercial use of contributor information from FEC reports;
- state campaign finance rules for state and local committees;
- processor and integration terms for ActBlue, NGP, Democracy Engine, banks, and payment providers.

## Source References

- FTC Privacy and Security: https://www.ftc.gov/business-guidance/privacy-security
- FTC Data Security: https://www.ftc.gov/business-guidance/privacy-security/data-security
- FTC Safeguards Rule: https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know
- California CCPA overview: https://oag.ca.gov/privacy/ccpa
- California privacy notice guidance: https://cppa.ca.gov/pdf/general_notices.pdf
- FEC advertising and disclaimers: https://www.fec.gov/help-candidates-and-committees/advertising-and-disclaimers/
- FEC contributor information restriction: https://www.fec.gov/updates/sale-or-use-contributor-information/
