Who We Are
MyCivic is a municipal service coordination platform developed by MyCivic. We provide technology infrastructure that connects citizens with the public enterprises and municipal departments responsible for resolving civic issues: roads, water, waste, lighting, parks, and related services.
MyCivic operates as a data processor on behalf of the municipal governments and public enterprises that deploy our platform. Each deploying municipality is the data controller under the General Data Protection Regulation (GDPR) for citizen data collected within their jurisdiction. MyCivic acts as the data processor under a Data Processing Agreement with each municipal client.
If you need to reach us directly on any privacy matter, you can write to: mail@mycivic.io
What Data We Collect
Our core principle: we collect the issue, not the citizen. MyCivic is designed to function fully without knowing who you are.
When you submit a civic report
Every submission requires a location pin, an issue category, and a photograph. Together, these allow the platform to route the report to the correct department and verify completion with a matching closure photo. Everything else is optional, subject to the trade-off set out in Section 4: providing contact information lets you follow the report's lifecycle. Omitting it keeps the submission anonymous, and the loop closes on our side only.
| Data Type | Required | Purpose |
|---|---|---|
| GPS location / map pin | Yes | Determine the correct zone, jurisdiction, and responsible enterprise |
| Issue category | Yes | Route to the correct department and set the appropriate SLA |
| Photograph | Yes | Document the condition before work begins, paired with the completion photo on closure |
| Written description | Optional | Add context for the field team handling the repair |
| Email address | For follow-up | Receive routing, assignment, and resolution notifications by email |
| Phone number | For follow-up | Receive the same notifications by SMS |
| Application account identifier | For follow-up | Track your reports from within the MyCivic mobile application |
| Reference number | Auto-generated | Identifies your report internally. Retrievable after submission only if you provided a contact channel |
When you access the platform
We collect standard server-side access logs, which include IP address, browser type, pages visited, and timestamps. These are used for security monitoring and platform diagnostics. They are not linked to individual reports and are not used for advertising or profiling.
What we do not collect
MyCivic does not collect, require, or store: national identification numbers, home addresses, dates of birth, financial information, social media accounts, biometric data, or any information beyond what is listed above. We do not build citizen profiles. We do not sell data to third parties.
How We Use the Data
We use the data collected for the following purposes, each with a legal basis under GDPR:
| Purpose | Legal Basis |
|---|---|
| Routing the report to the responsible enterprise or department | Performance of a public task (Article 6(1)(e)) |
| Tracking the report through the resolution lifecycle | Performance of a public task (Article 6(1)(e)) |
| Notifying you when your report is resolved (if you provided contact information) | Legitimate interest and consent (Article 6(1)(a) and (f)) |
| Generating performance analytics for the municipal client (resolution rates, SLA compliance) | Performance of a public task (Article 6(1)(e)) |
| Maintaining an audit trail for accountability and governance | Legal obligation and legitimate interest (Article 6(1)(c) and (f)) |
| Platform security and fraud prevention | Legitimate interest (Article 6(1)(f)) |
We do not use your data for advertising, marketing profiling, automated decision-making that has legal or significant effects on you, or any purpose not listed in this policy.
Anonymous Reporting
MyCivic supports anonymous submission by design. You may submit a complete civic report (location pin, category, photograph, and an optional written description) without providing any contact information. The report is still routed to the correct department, handled under the same SLA, and closed with a verified photograph. Routing priority is identical for anonymous and tracked reports, and the responsible department cannot identify you from an anonymous report.
Anonymous means one-way. Without a contact channel, the platform has no way to send you routing, assignment, or resolution notifications, and there is no interface from which you can retrieve the status of an anonymous report after submission. That is the trade-off, and it is the honest one: no data the platform does not need, and no follow-up we cannot deliver.
Three ways to enable follow-up
If you want to track a report's progress or receive the closure photograph, provide any one of the following at submission. Any single channel is enough; providing more than one is never required.
- Email address. You receive notifications by email when the report is routed, assigned, and resolved.
- Phone number. You receive the same notifications by SMS.
- A MyCivic application account. All reports you have submitted are tracked in a single list inside the application, including historical closures.
Any contact channel you provide is used only for notifications related to the specific report you filed. You will not receive marketing messages from MyCivic. You can request removal of your contact details from a specific report at any time by contacting the deploying municipality's data controller, or by writing to mail@mycivic.io.
Where the platform sends notifications on behalf of a deploying municipality, the contact channel is held separately from the report data accessible to the field team. The team that resolves the issue does not see how the citizen is being contacted.
Who Has Access to Your Data
The responsible enterprise or municipal department
The team assigned to your report sees the location, category, description, photo, and reference number. If you provided a contact channel (email, phone number, or application account identifier), it is held separately and used only to send notifications. The field team does not see it.
City triage operators
Municipal triage operators reviewing incoming reports and confirming routing decisions see the report details. They do not see your contact channel.
City leadership and executives
Analytics dashboards accessible to city leadership show aggregate performance data: volume of reports, resolution rates, SLA compliance, and response times. These dashboards do not show individual personal details.
MyCivic (Platform Operator)
As the data processor, MyCivic has access to all data stored on the platform for the purpose of operating, maintaining, and supporting the system. MyCivic operates under a Data Processing Agreement with each municipal client and is contractually prohibited from using municipal data for any purpose beyond service provision.
Third parties
We do not sell, license, or share personal data with any third-party marketing, advertising, or analytics services. We may share data with subprocessors who provide infrastructure services (hosting, storage, security monitoring) under contracts that comply with GDPR Article 28. A list of subprocessors is available upon request.
Data Residency and Storage
Citizen data collected through MyCivic is stored in the geographic region specified by the deploying municipality. For European deployments, data is stored within the European Economic Area (EEA) and does not transfer outside the EEA unless explicitly configured and agreed upon by the municipal client.
All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256. Photographs are stored in isolated, access-controlled object storage and are only accessible to authorised users of the specific deployment.
We do not transfer personal data to countries outside the EEA without appropriate safeguards as required by GDPR Chapter V. If a transfer is required, we rely on the European Commission's Standard Contractual Clauses.
How Long We Keep Data
Data retention is configured per deployment in agreement with the municipal client (the data controller). Default retention periods are:
- Open reports. Retained until the report is resolved and the applicable retention period expires.
- Resolved reports and audit trail. Retained for five years from resolution date for governance and accountability purposes, unless the municipal client specifies a different period.
- Photographs (before and after). Retained for the same period as the report they are associated with.
- Email addresses and phone numbers. Retained for 90 days after the resolution notification is sent, then deleted from the report record.
- Application account identifiers. Linked to the report for as long as the underlying account exists. You can delete the account from within the application at any time.
- Server access logs. Retained for 90 days and then automatically deleted.
Municipal clients may request shorter or longer retention periods. Citizens may request deletion of their data (where it can be identified) under the right to erasure described below.
Your Rights Under GDPR
If you are located in the European Union or European Economic Area, you have the following rights regarding your personal data:
Right of access
You have the right to request a copy of the personal data we hold about you and information about how it is used.
Right to rectification
You have the right to request correction of inaccurate or incomplete personal data.
Right to erasure
You have the right to request deletion of your personal data where: it is no longer necessary for the purposes for which it was collected; you withdraw consent (where consent was the legal basis); or processing is unlawful. This right may be limited where retention is required for legal obligations or audit purposes.
Right to restrict processing
You have the right to request that we restrict the processing of your data in certain circumstances, for example while a complaint is being investigated.
Right to data portability
Where processing is based on consent or contract, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to have it transmitted to another controller.
Right to object
You have the right to object to processing based on legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds.
Rights related to automated decision-making
MyCivic uses automated routing to assign reports to departments. This automated routing does not have legal or similarly significant effects on individuals. It determines which team receives a work order, not any decision about the individual who submitted it. You may, however, request human review of any routing decision if you believe it was made in error.
How to exercise your rights
To exercise any of these rights, contact the deploying municipality's data controller directly, or contact us at mail@mycivic.io. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.
Changes to This Policy
We will update this Privacy Policy when our practices change, when we add new features, or when legal requirements change. When we make significant changes, we will update the "Last updated" date at the top of this page.
Municipal clients will be notified of material changes to this policy as part of our Data Processing Agreement obligations. Citizens who have provided email addresses may be notified of significant changes at our discretion.
Continued use of the platform after changes are published constitutes acceptance of the updated policy.
Contact
For any privacy-related questions, data subject requests, or concerns about how MyCivic handles personal data, please contact:
MyCivic
Email: mail@mycivic.io
If you are a municipal client or enterprise partner and need to reach our Data Protection Officer or discuss your Data Processing Agreement, please contact us at the same address with the subject line "Data Protection."
You have the right to lodge a complaint with the supervisory authority in your EU member state if you believe your personal data has been processed unlawfully. The European Data Protection Board maintains a directory of national authorities.