Privacy policy
This is a civic-tech prototype. It is not affiliated with the City of San Francisco. Even so, it follows GDPR/CCPA-style protections from day one — described below in plain language.
About this demo
This site is an independent civic-tech prototype that demonstrates what a centralized income-verification service for SF affordable housing could look like. It does not run lotteries, file real applications, or share data with property managers. Listings are mirrored from the public DAHLIA feed as visual fixtures.
What we collect
- Email, stored only as a one-way SHA-256 hash with a server-side pepper. We cannot reverse it; we use it to look up your record when you exercise data rights.
- An income bracket (e.g. $50,000 – $79,999) derived from a one-time Plaid payroll check. The exact figure is computed in memory, used to pick the bracket, and then dropped — we never write it to disk.
- An applicant reference (12 random characters) so property managers (PMs) could verify eligibility without asking for your email again.
- Hashed IP address, user-agent, and employer name — used for audit only and never shown to anyone.
What we don't collect
- Bank login credentials. Plaid handles those; this Worker never sees them.
- Account, routing, or card numbers.
- Exact income, pay-stub PDFs, SSN, document scans.
- Your raw email address in any column or log.
How long it's kept
90 days, then automatically and verifiably deleted by a scheduled job. You can delete earlier via Delete my data. Audit entries are retained 24 months in hashed form (no PII).
Your rights (CCPA / GDPR style)
- Request a copy of everything on you (JSON download).
- Request deletion. We soft-delete immediately and hard-delete after 7 days — a window in case you change your mind.
- Correction: email privacy@example.org.
Who sees what
- Landlord / property manager. Reference + bracket only.
- Demo admins. Aggregate counts. Never raw PII; the dashboard displays only hashed identifiers and bracket labels.
- Plaid. Sees payroll data per their own privacy policy at plaid.com/legal. This demo runs in mock mode by default and never talks to Plaid until a real keypair is configured.
Security
We follow a 12-point public-site security baseline: HSTS preload, strict CSP with per-response nonce, signed one-time links, JWT for staff, rate limits on every authenticated endpoint, encrypted-at-rest D1, and an automated nightly purge job. See our security.txt.
Acknowledgments
Listings data is pulled from the City and County of San Francisco's public DAHLIA feed at housing.sfgov.org. We thank MOHCD for maintaining that public dataset. This demo is not endorsed by MOHCD or the City.
Contact
Privacy: privacy@example.org
Security disclosure: security@example.org