Privacy Policy
Introduction
BDITS LLC (“we,” “us,” or “our”) operates the Central City Companion app and website at centralcity.app (the “Service”). The Service is a digital passport and civic engagement platform for Central City, Colorado, built in partnership with the Central City Business Improvement District (BID).
This Privacy Policy explains what information we collect, how we use it, and your choices regarding your data. By using the Service, you agree to the practices described in this policy.
Information We Collect
Information You Provide
- Account information: Email address and phone number when you create a verified account. Both are verified via one-time codes (OTP) during registration.
- Display name: Optional name you choose to display in the app.
- Street address: Optional — you may choose to provide your address for residency verification or to access location-specific civic features. This is never required.
- Survey responses: Answers to civic engagement surveys (e.g., 2025 Comprehensive Plan surveys). Responses are tied to your account for point tracking but are reported to the City in aggregate, not individually.
- Civic comments: Text comments submitted through the app’s civic engagement features, which may be reviewed by city staff before publication.
Information Generated by Your Use
- Passport activity: Business check-ins, tour progress, points earned, rewards issued, and gamification tier. This data is tied to your account and stored on our servers.
- App preferences: Tab selections, card interactions, and display settings stored locally on your device.
Information We Do Not Collect
- Precise location: The app does not access your device GPS or track your physical location. Check-ins are triggered by user action (tapping a button), not by geolocation.
- Device identifiers: We do not collect IDFA, GAID, or other advertising identifiers.
- Contacts, camera, microphone: The app does not access your contacts, camera, or microphone.
- Browsing history: We do not track your activity outside of the Central City Companion app.
How We Use Your Information
| Data | Purpose |
|---|---|
| Email address | Account verification, sign-in, account recovery, essential service notifications |
| Phone number | Account verification, sign-in, account recovery |
| Display name | Shown in your profile within the app |
| Street address | Residency verification for civic features (optional) |
| Passport activity | Points calculation, tier progression, reward issuance, and aggregate reporting to the BID |
| Survey responses | Aggregate civic engagement reporting to the City of Central City |
| Civic comments | Published (after moderation) for community discussion |
We use your information to operate and improve the Service. We do not use your information for advertising, behavioral profiling, or sale to third parties.
How We Share Your Information
We share your information only in these limited circumstances:
Service Providers
- Supabase: Our database and authentication provider. Stores account data, passport activity, and survey responses. Supabase processes data on our behalf under their Privacy Policy and DPA.
- Twilio: Our SMS provider. Processes your phone number solely to deliver verification codes and security alerts. Twilio processes data under their Privacy Policy.
- Vercel: Our web hosting provider. Serves the app and processes web requests. Vercel processes data under their Privacy Policy.
- Mapbox: Our mapping provider. The Map tab loads map tiles from Mapbox. No personal data is sent to Mapbox. Mapbox Privacy Policy.
Aggregate Reporting
We share aggregate, de-identified data with the Central City BID and City of Central City for civic planning purposes. Examples:
- “142 users completed the housing priorities survey”
- “Dostal Alley had the most check-ins this month”
- “65% of survey respondents support pedestrian-friendly spaces on Main Street”
Individual responses, account details, and personal information are never shared in these reports.
Legal Requirements
We may disclose your information if required by law, legal process, or government request, or to protect the rights, safety, or property of BDITS LLC, our users, or the public.
We Do Not Sell Your Data
We do not sell, rent, or trade your personal information to third parties for marketing or any other purpose.
SMS Messaging
By providing your phone number, you consent to receive SMS messages for account verification and security alerts. For full details on SMS messaging, including how to opt out, see our SMS Consent & Messaging Disclosure.
- Message frequency: 3–5 messages per year (verification codes and security alerts only)
- Opt out: Reply STOP to any message, or remove your phone number in Profile settings
- Help: Reply HELP or email [email protected]
- Message and data rates may apply
Data Storage and Security
Your data is stored on Supabase’s cloud infrastructure (AWS, US regions). We use the following security measures:
- Row-Level Security (RLS): Database policies ensure users can only access their own data
- Server-controlled mutations: Points, rewards, and progress are managed by server-side functions — clients cannot manipulate these values directly
- Passwordless authentication: No passwords are stored. Sign-in uses verified email or phone OTP, eliminating credential theft risk
- HTTPS encryption: All data in transit is encrypted via TLS
- Encryption at rest: Database storage is encrypted at rest via Supabase/AWS
No system is 100% secure. If we become aware of a data breach that affects your personal information, we will notify you in accordance with applicable law.
Data Retention
- Account data: Retained as long as your account is active. If you delete your account, your personal information is removed within 30 days.
- Passport activity: Check-ins, points, and tour progress are retained with your account and deleted when your account is deleted.
- Survey responses: Retained indefinitely in aggregate form for civic planning. Individual responses tied to your account are deleted when your account is deleted.
- Anonymous sessions: Data from anonymous (preview mode) sessions that are never upgraded to a verified account may be automatically purged after 90 days of inactivity.
Your Rights
You have the following rights regarding your personal data:
- Access: You can view all personal data we hold about you in the app’s Profile tab.
- Correction: You can update your email, phone number, display name, and address in Profile settings.
- Deletion: You can request deletion of your account and all associated data by emailing [email protected]. Deletion will be completed within 30 days.
- Data export: You can request a copy of your data by emailing [email protected].
- Opt out of SMS: Reply STOP to any message or remove your phone number in Profile settings.
If you are a Colorado resident, you may have additional rights under the Colorado Privacy Act (CPA), including the right to opt out of data processing for targeted advertising (which we do not do) and the right to appeal a decision regarding your data rights request.
Children’s Privacy
The Central City Companion app is not directed at children under 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected data from a child under 13, we will delete it promptly. If you believe a child under 13 has provided us with personal information, please contact us at [email protected].
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last Updated” date at the top of this page and notify users through the app. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.
Contact Us
If you have questions about this Privacy Policy or your personal data, contact us:
BDITS LLC
Email: [email protected]
Website: bdits.io