Privacy
This page explains what data MyCivic collects, why we collect it, how long we keep it, and what rights you have over it. We have written it in plain language. The underlying legal basis is the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), together with state and territory privacy legislation where applicable (e.g. NSW Privacy and Personal Information Protection Act 1998, Victoria Privacy and Data Protection Act 2014), and the privacy obligations contracted with each Public Body we serve.
1. Who we are
MyCivic is operated as part of the MyCivic Platform Operator (the "Operator"). For privacy-law purposes, the Operator acts as a service provider on behalf of the contracting municipality, regional authority, or city government (the "Public Body" or "Controlling Institution"). Privacy obligations follow the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) at the federal level, together with applicable state and territory privacy legislation including the NSW Privacy and Personal Information Protection Act 1998, the Victoria Privacy and Data Protection Act 2014, and equivalent Acts in other Australian jurisdictions. If you have a question about a specific deployment, the Public Body is the entity to contact first.
For general questions about this policy, contact us at contact@mycivic.io.
2. What we collect
The data MyCivic processes depends on the surface you are using.
When you submit a civic report
- The report content you provide: category, description, photo (optional), location pin
- Approximate device-derived location at the moment of submission, used only for routing
- A submission timestamp and a generated report reference (e.g.
MYC-2841) - Optional contact information you choose to provide (name, email, phone) if you want to receive a notification when the report is resolved
You can submit reports anonymously. Anonymous reports are still tracked and resolved; they simply cannot be tied back to you for follow-up.
When you create an account (operators only)
- Email address, role, and the city / agency you are associated with
- Authentication credentials, hashed and salted, never stored in plaintext
- Session activity needed to operate the platform (login times, actions taken on records)
When you visit our public websites
- Standard server access logs (IP address, user agent, page visited, timestamp)
- Strictly necessary cookies for session continuity and security
- No advertising trackers. No third-party analytics that fingerprint visitors.
3. Why we collect it (lawful basis)
- Public-body purpose (APP 3 · collection of solicited personal information; APP 5 · notification of collection)
- Routing citizen reports to the responsible municipal team is the identified purpose. Report content and routing-related location data are processed for this purpose alone.
- Consent (APP 3 · solicited information collected with consent; APP 6 · use and disclosure)
- If you provide contact information to receive a resolution notification, we process that information under your express, informed consent. You can withdraw it at any time.
- Limiting collection (APP 3 · only personal information reasonably necessary for the function)
- We collect only the personal information necessary to deliver the service. Security, fraud prevention, and platform operation rely on operational data, not citizen profiling. We never use information for marketing, profiling, or advertising.
- Accountability (APP 1 · open and transparent management of personal information)
- Operator accounts (municipal staff, contractors, utility personnel) are processed under the employment or service contract between the Public Body and the individual, and under the Public Body's record-keeping obligations.
4. Retention
We retain data only as long as needed for the purpose it was collected for:
- Report content is retained for the duration of the case lifecycle plus an audit window set by the Controller (typically 12–36 months). After that window, content is anonymised or deleted per the Controller's retention policy.
- Optional contact information attached to a report is deleted within 30 days of case closure unless you opt in to ongoing notifications.
- Operator account data is retained for the duration of the operator's relationship with the Controller and a 24-month archival window thereafter for audit purposes.
- Server access logs are retained for 30 days and aggregated thereafter.
5. Who can access your data
Your report content is visible to:
- The municipal team or contractor responsible for resolving the issue
- Authorised staff at the contracting Controller (e.g., supervisors, audit staff)
- Operator engineering and support staff strictly for platform maintenance and security, on a need-to-know basis, under contractual confidentiality
We do not share your data with advertisers, data brokers, or third parties not directly involved in resolving your report. We do not sell data. We do not enrich your data with external sources.
6. Data residency
Australian citizen data is processed and stored within Australia for Australian deployments. State-specific deployments respect state and territory data-handling requirements where applicable (e.g., NSW PPIP Act, Victoria PDP Act). The platform architecture supports per-deployment data-residency configuration. Citizen data does not move between jurisdictions unless legally required and explicitly authorised by the Public Body. For deployments in other regions, MyCivic operates under the equivalent jurisdictional framework. EU clients are served under GDPR with EU-hosted data. Canadian cities are served under PIPEDA with Canada-hosted data. Each region keeps its data inside its own jurisdiction.
7. Your rights
Under the Australian Privacy Act 1988 and equivalent state and territory laws, you have the right to:
- Access the personal information we hold about you (APP 12 · access to personal information)
- Correct personal information we hold that is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13 · correction of personal information)
- Withdraw consent at any time, subject to legal or contractual restrictions (APP 3 · withdrawal of consent for further use or disclosure)
- Challenge compliance with this policy by writing to us or to the Public Body
- File a complaint with the Office of the Australian Information Commissioner (OAIC) or the relevant state or territory privacy commissioner (e.g., NSW Information and Privacy Commission) where applicable
To exercise any of these rights, contact contact@mycivic.io. If your request concerns a specific municipal deployment, we will route you to the Public Body.
8. Security
We use industry-standard technical and organisational measures to protect your data: AES-256 encryption at rest and in transit, access controls scoped to role, complete audit logging of operator actions, regular security testing, and incident response procedures. No system is perfectly secure; we work to minimise risk and respond promptly to issues.
9. Children
MyCivic is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe we have collected such data, please contact us and we will delete it.
10. Changes to this policy
We may update this policy from time to time. When we do, we will update the "Last updated" date at the top of this page. Material changes will be communicated through MyCivic's normal channels.
11. Contact
For any privacy-related question or to exercise your rights, write to contact@mycivic.io. We respond within thirty (30) days of receipt, which meets the OAIC reasonable-response standard under the APPs.