Privacy Policy.

01 · Who This Covers

This Privacy Policy applies to all visitors and users of the BlueList.ai website, subscribers to BlueList products (including District Intelligence Reports), and clients who engage BlueList for data, analytics, or media buying services.

It does not cover the privacy practices of third-party services we link to, platforms where we place advertising on behalf of clients, or data obtained from public government sources (such as voter files and FEC filings), which are governed by their own applicable laws.

02 · Information We Collect

Information you provide

• Contact information — name, email address, phone number, organization, and role when you reach out, subscribe, or create an account.
• Account and billing information — payment details (processed by our third-party payment processor; we do not store full card numbers), billing address, and subscription preferences.
• Client engagement information — campaign details, race information, targeting parameters, and strategic inputs you share with us as part of a client engagement.
• Communications — emails, messages, and other correspondence you send us.

Information collected automatically

• Usage data — pages visited, time spent, features used, links clicked.
• Device and browser data — IP address, browser type, operating system, screen resolution, and referring URL.
• Cookies and similar technologies — see Section 11 below.

Information from public sources

In the course of providing our services, we access and process data from public government sources including voter registration files, FEC campaign finance filings, state election records, census data, and public ad transparency libraries (Google, Meta). This data is collected and used in accordance with applicable federal and state laws governing its access and use.

03 · How We Use It

We use the information we collect to:

• Deliver our products — generate and deliver District Intelligence Reports, perform data analytics, execute media buying, and provide the services you've engaged us for.
• Process payments — manage subscriptions, process charges, issue invoices, and handle billing inquiries.
• Communicate with you — respond to inquiries, send product updates, deliver scheduled reports, and share service-related notices.
• Improve our services — analyze usage patterns, troubleshoot issues, and develop new features.
• Maintain security — detect and prevent fraud, abuse, and unauthorized access.
• Comply with legal obligations — meet recordkeeping, reporting, and disclosure requirements under applicable law, including FEC regulations.

We do not sell your personal information. We do not use your personal information for purposes unrelated to the services you've engaged us for.

04 · When We Share It

We share your information only in the following circumstances:

• Service providers — third parties that help us deliver our services, including cloud infrastructure providers, payment processors, email delivery services, and analytics tools. These providers are contractually required to use your information only to perform services on our behalf.
• At your direction — when you instruct us to share data with specific parties (for example, when we deliver targeting data to an ad platform on your behalf as part of a media buying engagement).
• Legal requirements — when required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect rights, safety, or property.
• Business transfers — in connection with a merger, acquisition, or sale of assets, in which case your information would be among the transferred assets. We would notify you before your information becomes subject to a different privacy policy.

05 · Political & Voter Data

BlueList processes political data as a core part of its services. This section addresses how we handle that data specifically.

Voter file data

We access voter registration records from state and county government sources in accordance with applicable state laws. In Arizona, voter data use is governed by A.R.S. § 16-168 and A.R.S. § 39-121.03, which limit use to purposes relating to political or political party activity, political campaigns, or elections. We comply with these restrictions and with the equivalent laws of every state where we access voter data.

BlueList is not a voter list broker or data reseller. Voter registration data obtained from the Arizona Secretary of State or any other government source is used exclusively for internal political campaign analytics on behalf of the Democratic candidates and committees we are engaged to serve. We do not sell, license, transfer, or otherwise share voter registration data with any third party. Data obtained for a specific engagement is deleted at the conclusion of that engagement.

Campaign finance data

We aggregate and analyze data from FEC filings and state campaign finance disclosures. This data is public by law. Our use of it complies with FEC rules governing the sale and use of contributor information.

Political opinions and affiliations

Some state privacy laws classify political opinions or affiliations as sensitive personal information. Where applicable, we process such data only as permitted by law and in connection with the political campaign services our clients have engaged us to provide.

06 · Automated Processing

BlueList uses statistical modeling and automated analytics as part of its analytics, targeting, and reporting services. This includes:

• Predictive models for voter behavior and donor propensity scoring
• Automated narrative and trend analysis in District Intelligence Reports
• Audience segmentation and targeting optimization
• Anomaly detection for campaign finance monitoring

These systems process aggregated and individual-level data from public sources and client-provided inputs. We do not use automated processing to make decisions that produce legal effects on individuals or similarly significant outcomes without human review.

Models trained for one client are isolated from other client engagements.

07 · Security

We implement technical and organizational measures to protect your information, including:

• Encryption of data in transit (TLS) and at rest
• Role-based access controls with least-privilege principles
• Audit logging of access to client data systems
• Isolated storage environments for client engagement data
• Regular security reviews and updates

No system is perfectly secure. While we work to protect your information, we cannot guarantee absolute security and encourage you to use strong, unique passwords for any BlueList account.

08 · Data Retention

We retain your information for as long as reasonably necessary to provide our services, comply with legal obligations, and resolve disputes.

Data Type	Retention Period
Account and contact information	Duration of relationship + 2 years
Billing and payment records	7 years (tax and accounting requirements)
Client engagement data	Duration of engagement + 5 years (FEC compliance)
Firewall compliance records	5 years from creation
Website usage data	24 months
Communications	3 years

When data is no longer needed, we delete or anonymize it. Client engagement data may be retained longer if required for legal or regulatory compliance.

09 · Your Rights

Depending on your location and applicable law, you may have the following rights regarding your personal information:

• Access — request a copy of the personal information we hold about you.
• Correction — request correction of inaccurate or incomplete information.
• Deletion — request deletion of your personal information, subject to legal retention requirements.
• Portability — request a machine-readable copy of your data.
• Opt-out of sale — we do not sell personal information, but you may exercise this right to the extent applicable law provides it.
• Withdraw consent — where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at privacy@bluelist.ai. We will respond within 30 days (or sooner if required by applicable law). We will not discriminate against you for exercising your rights.

State-specific rights

California residents (CCPA/CPRA): You have the right to know what personal information we collect, the right to delete it, and the right to opt out of its sale (though we do not sell personal information). You may designate an authorized agent to make requests on your behalf.

Other states: If you are a resident of a state with a comprehensive privacy law (including Colorado, Connecticut, Virginia, Utah, Oregon, Texas, or others), you may have additional rights. Contact us and we will address your request under applicable law.

10 · Children’s Privacy

BlueList.ai is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at privacy@bluelist.ai and we will promptly delete it.

11 · Cookies & Tracking

We use cookies and similar technologies on our website to:

• Essential cookies — maintain session state, authenticate users, and process subscriptions. These are necessary for the site to function.
• Analytics cookies — understand how visitors use our site so we can improve it. We use privacy-respecting analytics tools.

We do not use advertising or tracking cookies on the BlueList.ai website. We do not participate in cross-site behavioral advertising networks.

You can control cookies through your browser settings. Disabling essential cookies may affect site functionality.

12 · SMS Communications

BlueList.ai uses SMS text messaging for a narrow, internal operational purpose: delivering critical infrastructure alerts (for example, cloud billing threshold notifications) to the BlueList.ai LLC account owner. The sole recipient is the account owner who has provided their own mobile number at the time of account creation.

• Information collected. The account owner’s mobile phone number and a record of messages sent.
• How it is used. To deliver operational and security alerts about BlueList.ai infrastructure to the account owner only.
• Third-party sharing. Mobile numbers collected for SMS are not shared with third parties or affiliates for their own marketing or promotional purposes. We use Twilio as our SMS delivery provider; Twilio processes the number solely to deliver the message on our behalf.
• Frequency. Infrequent. Messages are sent only when an operational event (such as a billing threshold breach) occurs.
• Cost. Message and data rates may apply, per the recipient’s mobile carrier.
• Opt-out. The account owner may reply STOP at any time to cancel, or HELP for assistance. Opt-out requests are honored immediately.
• Retention. SMS delivery records are retained for 12 months for audit and support purposes, then deleted.

BlueList.ai does not operate a public SMS marketing program and does not enroll end-users or prospects in SMS campaigns. If this changes in the future, we will update this Policy and require affirmative opt-in before sending.

13 · Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and, for significant changes, notify active subscribers and clients by email.

We encourage you to review this page periodically. Your continued use of our services after changes are posted constitutes acceptance of the updated policy.

14 · Contact

If you have questions about this Privacy Policy or want to exercise your privacy rights:

BlueList.ai LLC
Privacy Inquiries
privacy@bluelist.ai

---

Disclaimer. This Privacy Policy is published by BlueList.ai LLC for transparency. It does not constitute legal advice or create contractual rights beyond those required by applicable law. If you have questions about how specific laws apply to your situation, consult a qualified attorney.