Privacy Policy
Version date: May 5, 2026
Replaces: Privacy Policy version dated November 4, 2024
1. Who We Are and What This Policy Covers
America Counts is an initiative of Democracy Counts, Inc., a 501(c)(3) non-profit, non-partisan corporation. We build and operate Actual Vote, a free mobile application and supporting backend infrastructure that lets ordinary people independently verify how their local votes are reported. Volunteers use the Actual Vote app to record paper poll tapes; the recordings are uploaded to our backend, vetted, and used in published audits of vote reporting in elections around the country.
This Privacy Policy describes how we collect, use, share, and retain information when you use any of the following:
- The Actual Vote mobile application for iOS and Android.
- The public archive at av.democracycounts.org, where approved submissions are made publicly available.
- Our main website at americacounts.us.
- Any other services we operate that link to this policy.
We use the words “we,” “us,” and “our” throughout to refer to America Counts and Democracy Counts together. We use “you” to refer to the person reading the policy and using our services.
This policy is one of three documents that together describe your relationship with us:
- The Actual Vote User Agreement is what you affirmatively agree to before using the Actual Vote app. It sets out the basic terms of use.
- The Safety and Privacy Guide is operational guidance on how to use Actual Vote responsibly — what to record, what to avoid, what to do if something goes wrong.
- This Privacy Policy is the formal statement of what we do with your data and what rights you have regarding it.
The three documents are designed to work together. If you only read one, this is probably the right one.
2. The Short Version
We collect three main categories of information about you:
- Account information — limited to your email address and display name, which we receive from Google when you sign in. We do not ask you for a password, because we use Google Sign-In for authentication.
- Submissions you upload to us (the video recordings of poll tapes and the metadata that comes with them, including the GPS coordinates of where the recording was made).
- Operational data generated automatically as you use our services (server logs and telemetry from our website and upload service, and the records we create as we vet, transcribe, and analyze your submissions).
The most important things to know about how we handle this information are:
- Approved submissions become public. When you upload a recording, it goes through a vetting process. If it passes vetting, it is published to our public archive at av.democracycounts.org, where anyone in the world can view it. This is a fundamental feature of our methodology, not an incidental data-handling choice. Once a submission is in the public archive, it is publicly accessible globally and indefinitely. Our archive does not block search-engine indexing, so approved recordings can appear in Google and other search results.
- Submissions are published without your name or email attached. Approved submissions in the public archive do not display the submitter’s name, email, or any other identifying information to members of the public. Your identity as the submitter is retained in our internal records for chain-of-custody purposes, but it is not shown on the archive.
- Submissions are evidence. The recordings you submit are forensic evidence that could be used in legal proceedings to challenge or vindicate official election results. We retain submissions and the chain-of-custody data around them with this evidentiary use in mind. In the rare case that a submission becomes the subject of litigation, you (as the person who recorded it) could be asked to confirm in court that you took the video.
- You should never include private information in a submission. Our vetting process is conducted by humans and is not perfect. If you record audio that contains sensitive personal information — yours or someone else’s — there is a real chance it could end up in the public archive accidentally. Don’t say anything personal while recording, and don’t record other people’s faces, voices, conversations, or license plates.
- We do not sell your data. We do not share user data with data brokers, advertising networks, or marketing companies. We are funded by donations, not by monetizing user data.
- You have rights. Depending on where you live, you may have rights under laws like the California Consumer Privacy Act or the European General Data Protection Regulation to access, correct, or delete information about you. We honor these rights and the procedure for exercising them is described in Section 9.
The rest of this policy walks through each of these points in detail.
3. What We Collect
3.1 Information associated with your account
Actual Vote does not have its own username-and-password system. Authentication is handled entirely by Google Sign-In (OAuth 2.0). When you sign in for the first time on either the mobile app or the website at av.democracycounts.org, Google authenticates you and returns a signed identity token to us. We use that token to create an account record that contains:
- Your email address, taken from the Google token. This is the identifier we use to tie your submissions on the mobile app to your account on the website.
- Your name and display name, also taken from your Google profile.
- An internal role (by default, “Volunteer”), which controls what you can see and do on the website.
- Audit timestamps (account creation, most recent modification).
We do not ask you to create a password, and we do not store one. We do not ask you for a phone number, a physical address, a photo, a real name beyond what Google provides, or any other profile field. The first time you sign in on each platform we create the account record automatically; there is no separate sign-up form.
Because authentication is delegated to Google, your Google account is subject to Google’s own privacy terms, which are outside our control. You can revoke Actual Vote’s access to your Google account at any time through your Google account settings.
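Because the whole sign-in decision rests on the Google ID token described above, the backend's handling of that token is the security-relevant step. The following is an added example, not code from Actual Vote or Democracy Counts, showing the claim checks a relying party has to make after the token's signature has been verified: issuer, audience, expiry, and the email_verified flag (Google only vouches for an address when that flag is true), and why the account should be keyed on the stable `sub` claim rather than the email address, which can change hands. The client ID, the sample claims and the unsigned token builder are constructed for the example; in production the signature is checked against Google's published JWKS first (google-auth's `id_token.verify_oauth2_token` does that and these checks in one call).

```python
import base64
import json
import time
from typing import Optional

# Assumed for this example: the OAuth client ID the app registers with Google.
# Google puts the client ID the token was minted for in the `aud` claim.
EXPECTED_AUDIENCE = "example-client-id.apps.googleusercontent.com"
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_unverified(id_token: str) -> dict:
    """Return the payload of a JWT WITHOUT checking its signature.

    This is only the parsing step. In production the signature must be verified
    against Google's JWKS before anything in the payload is trusted.
    """
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def validate_google_claims(claims: dict, now: Optional[float] = None, leeway: int = 60) -> dict:
    """Apply the claim checks a relying party must make on a Google ID token and
    return the fields an account record should be keyed on. Raises ValueError."""
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer")
    # A token minted for some other client ID is a genuine Google token, but not for us.
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) + leeway < now:
        raise ValueError("token expired")
    if claims.get("iat", now) - leeway > now:
        raise ValueError("token issued in the future")
    # Google only vouches for the address when email_verified is true; a Google
    # account whose address Google never verified must not be mapped by email.
    if claims.get("email_verified") is not True or not claims.get("email"):
        raise ValueError("email not verified by Google")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return {
        # `sub` is the stable per-account identifier; an email address can change hands.
        "google_subject": claims["sub"],
        "email": claims["email"],
        "display_name": claims.get("name", ""),
    }


def claims_are_valid(claims: dict, now: Optional[float] = None) -> bool:
    try:
        validate_google_claims(claims, now=now)
        return True
    except ValueError:
        return False


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string for exercising the parser. Constructed input,
    not a real Google token: the signature segment is a placeholder."""
    return f"{_b64url_encode({'alg': 'RS256', 'typ': 'JWT'})}.{_b64url_encode(claims)}.sig"


# Constructed sample claims, shaped like a Google ID token payload.
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": EXPECTED_AUDIENCE,
    "sub": "110169484474386276334",
    "email": "volunteer@example.org",
    "email_verified": True,
    "name": "Sample Volunteer",
    "iat": 1_700_000_000,
    "exp": 1_700_003_600,
}

if __name__ == "__main__":
    token = make_unsigned_token(SAMPLE_CLAIMS)
    print(validate_google_claims(decode_unverified(token), now=1_700_000_100))
```

The audience check is the one most often skipped: without it, any Google ID token a user obtained for an unrelated app would sign them in here.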
3.2 Information you provide when you submit a recording
When you record a poll tape with Actual Vote and upload it to us, we collect:
- The video file itself, including its audio track. The app records using your device’s native camera and muxes audio and video into a single file (H.264/AAC .mp4 on Android; HEVC or H.264 .mov on iOS). It does not perform any noise suppression, voice filtering, or other audio preprocessing, and audio and video are not transmitted as separate streams. On iOS, files larger than 100 MB are compressed for upload using a medium-quality preset.
- GPS coordinates, captured once by your device after recording ends, at “medium” accuracy (typically 100–1000 meters depending on the device and its GPS fix), with a ten-second timeout. The coordinates are stored as raw decimal degrees; they are not rounded or fuzzed. If the GPS fix fails or times out, the submission continues without location data. Location capture requires the “Location While Using the App” permission, which you are asked for on first launch; you can revoke it later in your device settings, after which the app will continue to work but submissions will have no location attached.
- A reverse-geocoded address derived from the GPS coordinates (street-level address, city, county, state, postal code, country), produced by the operating system’s own geocoding service.
- Timestamp. The date and time the recording was created, captured by your device.
- Precinct identifier and any other text you add to the submission. The app asks you to enter the precinct code; this and any other text you add are stored with the submission.
- App and device metadata — specifically: the Actual Vote app version and build number, device model, manufacturer, device name, operating system version, platform (Android or iOS), device type (phone or tablet), and whether the device is physical or virtual.
The GPS coordinates are part of the submission and are essential to the methodology — they let us verify that the recording was made at a real polling place and correlate the recording with the official precinct it came from. There is currently no way to submit a recording without GPS coordinates being captured if your device has location enabled. If you do not want your location captured at the time of recording, you should not use Actual Vote at that location.
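One consequence of storing raw decimal degrees is worth seeing in numbers: a device reports a fix to seven decimal places (about a centimetre of apparent resolution) even when the fix is only good to roughly 100 m, so the stored value carries precision the measurement never had. The following is an added example, not code from the Actual Vote app, that computes the ground resolution of a stored coordinate and shows what rounding to the fix's real accuracy (one form of the "rounding or fuzzing" the policy says is not done) would change. The sample fix is constructed, and the 100 m accuracy figure is taken from the "medium" accuracy range stated above.

```python
import math
from typing import Tuple

EARTH_RADIUS_M = 6_371_000.0
METERS_PER_DEGREE_LAT = 2 * math.pi * EARTH_RADIUS_M / 360  # about 111,195 m


def decimal_places(coordinate: str) -> int:
    """Digits after the decimal point in a coordinate as it is stored or serialised."""
    _whole, _, fraction = coordinate.partition(".")
    return len(fraction)


def resolution_m(places: int, lat_deg: float) -> Tuple[float, float]:
    """Ground size in metres (north-south, east-west) of one step in the last
    decimal place at latitude lat_deg. East-west shrinks with cos(latitude)."""
    step_deg = 10.0 ** -places
    north_south = step_deg * METERS_PER_DEGREE_LAT
    east_west = north_south * math.cos(math.radians(lat_deg))
    return north_south, east_west


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def round_to_accuracy(lat: float, lon: float, accuracy_m: float) -> Tuple[float, float, int]:
    """Drop the decimal places that carry no information at the fix's accuracy.

    Picks the fewest decimals whose worst-case rounding error (half a step) stays
    within accuracy_m, so the stored value is no coarser than the fix itself but
    no longer claims precision the receiver never had. Returns (lat, lon, places).
    """
    places = 0
    while resolution_m(places, lat)[0] / 2 > accuracy_m:
        places += 1
    return round(lat, places), round(lon, places), places


# Constructed sample fix, written the way a device reports it: seven decimals,
# i.e. about a centimetre of apparent resolution, from a fix that is only good
# to roughly 100 m.
RAW_LAT, RAW_LON = "33.7489954", "-84.3879824"

if __name__ == "__main__":
    places = decimal_places(RAW_LAT)
    ns, ew = resolution_m(places, float(RAW_LAT))
    print(f"{places} decimals resolve to {ns:.3f} m N-S, {ew:.3f} m E-W")
    lat, lon, kept = round_to_accuracy(float(RAW_LAT), float(RAW_LON), 100)
    moved = haversine_m(float(RAW_LAT), float(RAW_LON), lat, lon)
    print(f"rounded to {kept} decimals: {lat}, {lon}; moved {moved:.1f} m")
```

Rounding to the accuracy of the fix is lossless in practice (the rounded point lands a metre or two from the raw one, well inside the 100 m the fix is good for) and still identifies the polling place; it is the seven-decimal raw value that overstates what the device actually knew.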
What we do not collect from your device. We do not collect a device serial number, IMEI, phone number, mobile carrier, Wi-Fi network name (SSID), battery level, advertising identifier, or any similar identifier. The app does not include any analytics or crash-reporting SDK (no Firebase, no Sentry, no App Center, no Crashlytics, no similar service) and does not send any usage telemetry to us in the background. The only data the app transmits to our servers is the submission itself when you choose to upload it.
On iOS, the app also saves a copy of the recording to your device’s Photos library (requiring the “Add to Photos” permission). This copy is entirely on your device — we do not receive it unless you upload the submission through the app. On Android, the system camera app typically saves a copy to your gallery as part of the capture flow.
3.3 Information we generate about your submissions
As we process your submission, we create additional records about it. These records include:
- Vetting records. Our vetters review each submission and decide whether it can be approved (transcribable, no apparent personal information, suitable for publication) or rejected. We record the vetting decision, the date and identity of the vetter, and any notes the vetter adds.
- Transcriptions. Our analysts transcribe the contents of approved submissions into structured data — the contests, choices, and vote totals shown on the poll tape. The transcription dataset is associated with the original submission.
- Comparison results. When we compare transcribed values against officially reported results, we create comparison records that show whether each value matched, did not match, or required investigation.
- Investigation history. When an apparent discrepancy is investigated, we record the steps of the investigation and its outcome.
- Access logs. We log access to our website and upload service at the request level (see Section 3.4). We do not currently maintain a per-record access log showing which specific admin viewed which specific submission; this is an honest limitation of the current system.
These derived records are part of the chain of custody for the submission. They support the evidentiary use of the submission described in Section 6. They are also part of how we maintain the methodological integrity of our work.
3.4 Information collected automatically when you use our services
From the mobile app. Apart from the contents of submissions you choose to upload, the mobile app does not send information to our servers in the background. We do not operate any analytics or telemetry pipeline for the app. Apple and Google collect their own platform-level crash reports and diagnostic data from all apps distributed through their stores — these reports contain device model, OS version, app version, and crash stack traces, and are accessible to us through App Store Connect and Google Play Console. They do not contain the content of your submissions or personal account information beyond what the OS itself attaches. You can opt out of these platform-level reports in your device’s Settings (iOS: Privacy → Analytics & Improvements; Android: Settings → Google → Usage & Diagnostics).
From the website and the upload service. Our Azure-hosted website and the service that receives uploads from the mobile app use Azure Application Insights, which is Microsoft’s server-side telemetry tool. Application Insights records, for each request our servers receive: the URL or endpoint requested, the response status code, how long the request took, any exception that occurred, and the timestamp. The request record also captures your IP address and your browser or app User-Agent string. We retain this telemetry for ninety days. We do not run any client-side JavaScript analytics on the website — there is no Google Analytics, Plausible, Matomo, or equivalent, and no page-view, click, or scroll tracking.
Cookies. The website at av.democracycounts.org sets two first-party cookies, both strictly functional:
- A persistent ASP.NET authentication cookie that keeps you signed in.
- A short-lived external-OAuth cookie that carries you through the Google sign-in redirect.
We do not set any analytics, tracking, advertising, or third-party cookies, and the site does not embed any third-party content (YouTube, Vimeo, social-media widgets, Facebook Like buttons, Twitter cards, external fonts, or similar) that could drop cookies of its own. The only external resource your browser loads while using the site is Google’s own OAuth page, when you click Sign In. We do not currently display a cookie-consent banner because the cookies we set are limited to those required for authentication.
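The statement that the site sets only two functional first-party cookies is something a reader can verify from the response headers. The following is an added example, not code from the archive site, that parses Set-Cookie headers and reports whether each cookie is first-party for the archive's host and whether it carries the Secure, HttpOnly and SameSite attributes that keep an authentication cookie off plain HTTP, out of reach of page scripts, and off cross-site requests. The sample headers are constructed: the first uses ASP.NET Core's default cookie-authentication name, the second is shaped like an OAuth correlation cookie, and the third is a deliberately bad third-party cookie so the audit has something to flag.

```python
from typing import Dict, List

# Assumed for this example: the host that sets the cookies.
SITE_HOST = "av.democracycounts.org"


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(header: str, site_host: str = SITE_HOST) -> Dict[str, object]:
    """Report whether a cookie is first-party and which hardening attributes it lacks."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("missing Secure")            # would be sent over plain HTTP
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")          # readable by page scripts
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict")   # attached to cross-site requests
    domain = str(attrs.get("domain", "")).lstrip(".").lower()
    first_party = domain == "" or domain == site_host or site_host.endswith("." + domain)
    if not first_party:
        findings.append(f"set for third-party domain {domain}")
    return {"name": cookie["name"], "first_party": first_party, "findings": findings}


def audit_response(set_cookie_headers: List[str], site_host: str = SITE_HOST) -> List[Dict[str, object]]:
    """Audit every Set-Cookie header of one response."""
    return [audit_cookie(h, site_host) for h in set_cookie_headers]


# Constructed headers shaped like a sign-in response (values are placeholders).
SAMPLE_HEADERS = [
    ".AspNetCore.Cookies=CfDJ8example; path=/; secure; samesite=lax; httponly",
    ".AspNetCore.Correlation.abc123=N_Aexample; expires=Wed, 06 May 2026 10:00:00 GMT; "
    "path=/signin-google; secure; samesite=none; httponly",
    "_tracker=42; domain=.ads.example; path=/",
]

if __name__ == "__main__":
    for result in audit_response(SAMPLE_HEADERS):
        print(result)
```

A SameSite=None finding on the short-lived sign-in cookie is expected rather than a defect: that cookie has to survive the redirect back from Google's sign-in page, and ASP.NET Core sets its correlation cookies that way for exactly that reason. The persistent authentication cookie, by contrast, should carry all three attributes.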
3.5 Information you provide when you donate
Donations to Democracy Counts are processed through PayPal. Our donation flow is a PayPal-hosted checkout: when you click the donation button on our WordPress website at americacounts.us, a PayPal popup opens and you complete the donation inside PayPal’s own interface. We do not run the checkout ourselves and we do not see or store your full payment details (your card number, your bank information, or your PayPal credentials). Those are handled by PayPal under PayPal’s own privacy policy.
What we do receive from PayPal, after a successful donation, is a notification of the donation along with whatever donor information PayPal forwards to merchants — typically your name, email address, the donation amount, the donation date, and a transaction identifier, but the precise set of fields is determined by PayPal. We use that information to send you a thank-you and a tax receipt, to comply with IRS recordkeeping requirements for tax-deductible charitable contributions, and to comply with state charitable-solicitation registration requirements where applicable.
If you are concerned about what specific information PayPal will share with us when you donate, please consult PayPal’s privacy disclosures or contact us before donating.
3.6 Information we receive from third parties
Apart from the identity information Google sends us when you sign in (Section 3.1) and the donation information PayPal sends us when you donate (Section 3.5), we do not receive user information from outside sources. We do not buy data, we do not receive mailing lists, and we do not ingest information about you from partner organizations or social media platforms.
4. How We Use Your Data
We use the information described in Section 3 for the purposes described below.
4.1 To operate the Actual Vote methodology
The core purpose of our data collection is to operate the Actual Vote audit methodology. This involves:
- Vetting submissions to determine whether they can be published.
- Publishing approved submissions to the public archive at av.democracycounts.org.
- Transcribing the vote totals shown in submissions into structured data.
- Comparing transcribed values against officially reported results.
- Investigating any apparent discrepancies.
- Publishing analyses and reports based on our findings.
4.2 To preserve evidentiary integrity
The recordings you submit are forensic evidence about how votes were locally reported in your election. We retain submissions, their metadata, the vetting record, the transcription, the comparison output, the investigation history, and the server-level request logs in a form that supports authentication and use of the submission as evidence in possible future legal proceedings.
This use is described in more detail in Section 6 (Your Submissions as Legal Evidence). We mention it here because it is one of the central reasons we collect and retain the information described in Section 3, and we want it to be clear that the evidentiary use is by design rather than incidental.
4.3 To communicate with you
We use your email address to communicate with you about:
- Status of your submissions and responses to questions you raise.
- Support requests you initiate.
- Optional newsletters and updates about America Counts’ work, if you have opted into receiving them.
We do not send password-reset emails, because there is no Actual Vote password to reset; sign-in is entirely through Google.
You can opt out of optional communications at any time using the unsubscribe link in any newsletter or by contacting us. We will continue to send you essential communications related to your submissions even if you opt out of optional ones.
4.4 To process donations
If you make a donation, we use the donor information PayPal forwards to us to send you a tax receipt and to maintain the records the IRS and applicable state charitable-solicitation laws require us to keep. We do not use this information to market to you. We do not pass it to any third party other than what is required for tax compliance.
4.5 To improve our methodology and our services
We use aggregated information about how our services are used to identify problems, improve performance, refine our methodology, and develop new features. This use is internal to Democracy Counts and does not involve sharing information with advertising networks, behavioral-targeting providers, or marketing companies.
4.6 To comply with law and protect rights
We may use information about you to comply with legal obligations, respond to lawful legal process, protect the safety of our users or the public, prevent or investigate fraud or abuse, and protect the rights and property of Democracy Counts and others. This use is rare in practice but we want to be honest that it is one of the things we may do with the information we collect.
5. What Becomes Public
This section describes the part of our operations that is most different from typical online services. When you submit a recording to Actual Vote, the recording is intended to be published — that is the point of the methodology. Public access to the submitted recordings is a feature, not an accident.
5.1 The public archive
Submissions that pass vetting are published to the public archive at av.democracycounts.org. Anyone with an internet connection can view the recordings, search the archive by state, county, date range, analysis result, or report name, and download the videos. There is no login requirement to access published submissions.
The archive is not configured to block search-engine crawlers — there is no robots.txt exclusion and no noindex tag on the public pages. This means that approved submissions can be indexed by Google and other search engines, and can appear in search results returned to anyone searching for the polling place, the precinct, or related terms. You should assume, when you submit a recording, that if it is approved it may eventually surface through search engines as well as through the archive itself.
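Whether a given archive page can be indexed depends on three separate controls: a robots.txt Disallow, an X-Robots-Tag response header, and a robots meta tag in the HTML. The following is an added example, not code from the archive, that evaluates all three for a page and reports the interaction the paragraph above implies but does not spell out: a robots.txt block stops crawling but not indexing of a URL learned elsewhere, and a crawler that is blocked never sees the page's noindex tag, so noindex only works on pages the crawler may fetch. The URL, robots.txt contents and HTML are constructed inputs, not fetched from the real site.

```python
import urllib.robotparser
from html.parser import HTMLParser
from typing import Dict, List


class _RobotsMetaParser(HTMLParser):
    """Collects directives from <meta name="robots"> and <meta name="googlebot"> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.directives: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attr = {(k or "").lower(): (v or "") for k, v in attrs}
        if attr.get("name", "").lower() in ("robots", "googlebot"):
            self.directives += [t.strip().lower() for t in attr.get("content", "").split(",")]


def noindex_in_html(html: str) -> bool:
    parser = _RobotsMetaParser()
    parser.feed(html)
    return "noindex" in parser.directives


def noindex_in_headers(headers: Dict[str, str]) -> bool:
    value = next((v for k, v in headers.items() if k.lower() == "x-robots-tag"), "")
    return "noindex" in [t.strip().lower() for t in value.split(",")]


def crawl_allowed(robots_txt: str, url: str, agent: str = "Googlebot") -> bool:
    parser = urllib.robotparser.RobotFileParser()
    parser.parse(robots_txt.splitlines())   # an empty file means everything is allowed
    return parser.can_fetch(agent, url)


def index_status(robots_txt: str, url: str, headers: Dict[str, str], html: str) -> Dict[str, bool]:
    """Combine the three controls into one verdict for a page.

    A Disallow in robots.txt stops crawling, but the engine can still index the
    bare URL if it learns of it elsewhere, and a blocked crawler never reads the
    page's noindex tag. Hence noindex_effective requires the page to be crawlable.
    """
    crawlable = crawl_allowed(robots_txt, url)
    noindex = noindex_in_headers(headers) or noindex_in_html(html)
    return {
        "crawlable": crawlable,
        "noindex": noindex,
        "content_indexable": crawlable and not noindex,
        "noindex_effective": noindex and crawlable,
    }


# Constructed sample inputs (not fetched from the real archive).
ARCHIVE_URL = "https://av.democracycounts.org/submissions/12345"
OPEN_ROBOTS = ""                                   # no robots.txt exclusions at all
CLOSED_ROBOTS = "User-agent: *\nDisallow: /submissions/\n"
PLAIN_PAGE = "<html><head><title>Submission</title></head><body><video></video></body></html>"
NOINDEX_PAGE = '<html><head><meta name="robots" content="noindex, nofollow"></head><body></body></html>'

if __name__ == "__main__":
    print(index_status(OPEN_ROBOTS, ARCHIVE_URL, {}, PLAIN_PAGE))
    print(index_status(OPEN_ROBOTS, ARCHIVE_URL, {}, NOINDEX_PAGE))
    print(index_status(CLOSED_ROBOTS, ARCHIVE_URL, {}, NOINDEX_PAGE))
```

The practical reading for the archive as described above is the first case: no robots.txt exclusion and no noindex tag, so page content is crawlable and indexable. If the operators ever wanted to keep approved recordings out of search results while leaving them publicly viewable, the noindex tag or header is the control to add, not a robots.txt Disallow, which would hide the tag from the very crawler it is meant to instruct.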
5.2 What is not shown publicly
Approved submissions in the public archive do not publicly display:
- Your email address.
- Your name or display name.
- Your Google account identifier.
- Any other identifying information about you as the submitter.
The archive displays the recording itself, the location information associated with it (polling place, precinct, geocoded address, GPS coordinates), the date, and the analytical records we have attached to it (transcription, comparison, any investigation notes). The “created by” field that identifies the submitter is visible only to authenticated administrators inside our own system. Other signed-in volunteers cannot see who submitted a given recording, and members of the public cannot see it at all.
Your identity as the submitter is retained in our internal records, tied to your email address, for chain-of-custody purposes (Section 6). But it is not published.
5.3 What the vetting process catches and what it doesn’t
Our vetting process is conducted by humans. A vetter reviews each submission and approves it for publication if it appears to be a transcribable poll tape recording without personally identifying information visible in the video or audible in the audio. Submissions that contain personal information, that are not transcribable, that are off-topic, or that are otherwise unsuitable for publication are rejected.
The vetting process is not perfect. We try our best, but humans make mistakes and we cannot listen to all of the audio on every recording. There is a real chance that a submission containing personal information could be approved by accident and end up in the public archive. You should never include personal information of any kind in a submission. This means:
- Don’t speak your own name, address, phone number, or any other personal details while recording.
- Don’t speak about your health, your family, your finances, or any other private matter while recording.
- Don’t record other people’s faces, voices, conversations, or license plates.
- Don’t include any text or imagery in the recording that isn’t the poll tape itself.
If you stick to silently recording only the poll tape, the vetting process will almost certainly approve the submission and there will be nothing in it that compromises your privacy. If you don’t, even our best efforts at vetting may not catch the problem.
5.4 What happens when a submission is rejected
If our vetting process catches something problematic in a submission, the submission is rejected. What happens next depends on the nature of the problem.
For submissions containing seriously inappropriate content, we delete the submission from our servers. This includes submissions containing content that is grossly offensive, that has no plausible relationship to the Actual Vote methodology, or that we determine should not be retained at all. An honest technical note: once the video file is deleted from our live storage it is immediately and permanently gone from the live system, because our storage is not configured with a soft-delete or versioning tier. Database backups, however, may retain references to the submission record for up to one year (Section 7).
For submissions that contain transcribable poll tape data but are not suitable for public display (for example, because they contain a snippet of background conversation that includes personal information), we keep the submission in our internal records but do not publish it to the public archive. We can still incorporate the transcribable poll tape data into our analyses, which means the submission still contributes to the methodology — but the transparency benefit of public availability is lost for that particular submission.
For other rejected submissions that may still have value (for example, recordings that show context around a polling place but are not themselves transcribable), we retain them in our internal records in case they become relevant later.
If a rejected submission ever becomes relevant to a legal proceeding, and if there is a way to process the submission to remove the personal information while preserving the poll tape data, we would do so. This is not guaranteed and depends on the nature of the submission and the technical feasibility of the redaction.
5.5 Removing a submission from the archive
The public archive is designed to be permanent. Approved submissions are part of the historical record and are retained indefinitely (Section 7.1). We do not honor ordinary change-of-mind requests to remove submissions from the archive; doing so would compromise the integrity of the record and the evidentiary posture of the work.
We will, however, remove a submission from the archive in two specific circumstances:
- Vetting error. If a submission was approved that should have been rejected — for example, a submission that inadvertently captured a person’s face, voice, or other personal information that our vetters missed — we will take it down and re-handle it under the rejection process described in Section 5.4.
- Credible safety or harassment risk. If you, as the submitter, demonstrate a credible, specific safety or harassment risk that continued public availability of a submission you made would create or amplify, we will remove the submission. The bar is deliberately high: a generic concern is not enough; we are looking for a specific, plausible, articulable risk.
To request a takedown under either of these grounds, contact us using the information in Section 13. We will review the request, weigh it against the integrity of the archive, and respond.
One honest fact you should understand before relying on this: removal from our archive does not retrieve copies that already exist outside our control. While a submission was publicly available, anyone could have downloaded it, and search engines and archive services may have cached it. We can take the submission off our site, but we cannot take it off the internet.
6. Your Submissions as Legal Evidence
This section describes a feature of our operations that is unusual among online services and that you should understand before you submit a recording to us.
6.1 What we mean by “evidence”
The recordings you submit through Actual Vote are forensic evidence about how votes were locally reported in your election. They are contemporaneous (captured while the poll tape was visible to you), GPS-tagged with the location of the polling place, timestamped with the time the recording was made, and chain-of-custody-documented (we keep a record of every step the recording takes from your device through our backend to the public archive). These features give the recording evidentiary value that goes beyond ordinary user-generated content on a typical online service.
If a submission becomes the basis for a legal proceeding — a regulatory complaint, a state election contest, a public records lawsuit, a federal civil rights case, a criminal investigation, or another kind of proceeding — the recording itself, the chain-of-custody documentation around it, and the methodology by which we processed it can be offered as evidence in that proceeding.
We have written a detailed analytical article about how Actual Vote evidence could be used in legal proceedings, Legal Pathways for Actual Vote Evidence: An Analytical Framework. The article is written for lawyers and is the underlying analytical framework for our institutional posture on legal use. A shorter, user-accessible version is available as Section 13 of the Actual Vote Technical User’s Manual.
6.2 What this means for you
For most users, the practical implications of the evidentiary use are minor. The overwhelming majority of submissions will never be involved in any legal proceeding. The methodology produces value at several levels (transparency, quality control, escalation) long before the legal level becomes relevant, and most users will never be contacted about a submission they made.
In the rare case that a submission you made becomes the subject of a legal proceeding, however, the practical implications include:
- Your identity as the submitter may be disclosed in the proceeding. Your name and email are not on the public archive, but they are in our internal records. The chain of custody for a recording typically includes the identity of the person who made the recording, because authentication of the recording often depends on having a witness who can confirm that the recording is what it claims to be.
- You could be asked to testify briefly about the recording. If a court or other forum needs to authenticate the recording, you could be subpoenaed to confirm under oath that you took the video, when you took it, and where you took it. The questioning would typically be brief and would not put you at any legal risk. Complying with a subpoena would, however, cost you some time and inconvenience.
- The submission and its associated records would be retained for as long as the proceeding requires. Even if our normal retention policy would otherwise allow earlier deletion, an active legal proceeding can require us (and you) to preserve the relevant records until the proceeding concludes.
6.3 Our position on requests for user information
Our institutional posture on legal requests for user information is straightforward:
- We require formal legal process. We do not respond to informal inquiries or voluntary requests for information about a specific user or submission. To obtain user information from us, a requester must serve a subpoena, court order, search warrant, or comparable formal instrument under applicable law.
- We comply with valid orders. When we receive formal legal process that is valid on its face, that we cannot in good faith resist, and that calls for information we hold, we will produce that information.
- We challenge improper requests. When a request appears overbroad, irrelevant to the proceeding it cites, pretextual, or otherwise improper, we will object, move to quash, or seek to narrow the request through the available legal channels before producing anything. The fact that a request is dressed up as formal process does not, by itself, make it valid.
This posture is consistent with our evidentiary work. The Actual Vote methodology assumes that courts have a legitimate role in evaluating election evidence. What we push back on is not courts — it is misuse of process: fishing expeditions, harassment-through-discovery, and overbroad administrative subpoenas that have nothing to do with the actual issues in a proceeding.
Notice to affected users. When we receive a request for information about a specific user or submission, we will make reasonable efforts to notify the affected user before producing the information, so that the user has an opportunity to seek their own counsel and respond. We will not provide such notice in three circumstances:
- Legal prohibition. If a court order or applicable law prohibits us from notifying the user (for example, a non-disclosure or “gag” order accompanying the request).
- Immediate safety risk. If providing notice would create an immediate risk of harm to a person.
- Genuine emergency. If the request is from a law-enforcement agency investigating a credible, time-sensitive emergency such as a threat to life, and providing notice would impede the response.
In all other cases we will notify you, with enough time to act if you choose to.
6.4 What happens to a submission during active legal proceedings
If we become aware that a submission is the subject of an active legal proceeding, we will preserve the submission and all associated records for the duration of the proceeding. This may extend beyond the retention periods described in Section 7 below. The preservation is a legal obligation, not a discretionary choice on our part.
An honest technical note about our current ability to implement legal holds: Azure Blob Storage, our video storage platform, supports container-level legal holds, but no legal holds are currently configured on our containers. If we needed to place a hold on a specific submission today, an administrator would have to apply a hold to the entire container housing that submission, manually, through our cloud administration tools. This would work, but it is a manual and coarse-grained process. (Azure does offer version-level immutability, which supports legal holds on individual blobs, but it has to be enabled on a container before any per-blob hold can be set, and that is not in place today.) We are planning to rebuild the upload portion of our infrastructure, and one of the design goals for the rebuild is a proper, per-submission legal-hold and immutability capability.
7. How Long We Keep Your Data
We keep different categories of data for different periods. This section describes our retention practices in detail.
7.1 Approved submissions and the public archive
Submissions that pass vetting and are published to the public archive at av.democracycounts.org are retained indefinitely. The public archive is intended to be a permanent record. Approved submissions, their metadata, the vetting record, the transcription, the comparison output, and the investigation history are all retained as part of the archive and the methodological record.
7.2 Rejected submissions
Submissions rejected during vetting are handled differently depending on the reason for rejection.
- Submissions rejected for grossly inappropriate content (content that we determine should not be retained at all) are deleted from our live servers. See Section 7.6 for how backups are affected.
- Submissions rejected because they are unsuitable for public display but contain transcribable poll tape data are retained indefinitely in our internal records. The transcribable data is incorporated into our analyses, but the submission itself is not published.
- Submissions rejected for other reasons that may still have analytical value (such as context recordings of a polling place that are not themselves transcribable) are retained indefinitely in our internal records.
We retain non-public submissions because we may discover later that they have value for an analysis, an investigation, or a legal proceeding. We do not have a good way to predict in advance which submissions will become relevant, so the safest course is to retain them.
7.3 Account information for active accounts
Account information for active users is retained for the duration of the account.
7.4 Account information after account closure
Closing your Actual Vote account ends your ability to sign in but does not delete the submissions you have previously made and does not erase the record of your having made them from our internal chain-of-custody system.
Specifically:
- Your sign-in is disabled.
- Your previously submitted recordings remain in their existing state — published submissions stay in the public archive (as in Section 7.1); rejected or unpublished submissions remain in our internal records (as in Section 7.2).
- Our internal record of who submitted each recording is retained, because the submitter’s identity is part of the chain of custody supporting any future evidentiary use.
If you also want a previously published submission removed from the archive, that is a separate request, evaluated under the takedown criteria in Section 5.5. Closing your account is not, by itself, a takedown request.
7.5 Server logs and operational telemetry
Azure Application Insights telemetry for our website and upload service — which includes your IP address, User-Agent, and the URLs and timestamps of the requests we received from you — is retained for ninety days. After ninety days, this data is aged out automatically by Azure and cannot be recovered. There is no separate long-term log retention.
Azure Activity Log, which records infrastructure-level operations on our cloud resources, is also retained for ninety days.
7.6 Database backups
Our production SQL database uses short-term point-in-time backups covering the prior thirty days, and long-term retention backups configured as follows: one week of weekly backups kept for one month, one monthly backup kept for one month, and one yearly backup kept for one year. Backups use Azure’s geo-redundant storage, meaning a copy exists in a paired Azure region for disaster-recovery purposes; all regions are within the United States.
Because backups are, by design, a historical record, deletions from the live database do not immediately propagate to backups. If you make a deletion request, the record is deleted from the live system, but a copy may persist in SQL backups for up to one year before the backup in which it appears ages out. We cannot selectively purge individual records from backups; doing so would compromise the integrity of the backup as a recovery point. We discuss this limitation further in Section 9.2.
7.7 Donation records
Donation records are retained for at least seven years to comply with IRS recordkeeping requirements for tax-deductible charitable contributions, and for any longer period required by applicable state charitable-solicitation registration laws.
7.8 Communications with us
Email correspondence, phone correspondence, and other communications between you and America Counts staff are retained indefinitely. We retain communications because they often contain context that becomes relevant later — for example, when a user asks about a submission and we need to refer back to the conversation when reviewing the submission, or when an apparent discrepancy is investigated and earlier communications contain relevant background.
7.9 Data subject to legal hold
Any data that is subject to a legal hold (because it is the subject of an active legal proceeding, a regulatory investigation, or a similar matter) is retained for the duration of the hold, regardless of the retention periods that would otherwise apply.
8. How We Share Your Data
We share user data only in the limited circumstances described below.
8.1 Service providers and infrastructure vendors
We rely on three third-party service providers — “subprocessors” in data-protection terminology — to operate our services. These providers process data on our behalf, and our relationships with them are governed by standard data-protection agreements.
Microsoft, through its Microsoft Azure cloud platform, hosts all of our infrastructure. Specifically:
- Azure App Service hosts the av.democracycounts.org website.
- Azure Functions hosts the service that receives and processes uploads from the mobile app.
- Azure SQL Database stores our structured records (accounts, submission metadata, vetting decisions, transcriptions, comparisons, investigations).
- Azure Blob Storage stores video files, thumbnails, and the original upload packages sent from the app.
- Azure Key Vault stores our server-side secrets (connection strings, API credentials).
- Azure Application Insights collects server-side request telemetry (see Section 3.4).
- Azure Maps is used in a separate internal tool for loading polling-place data; it does not process user submissions.
Our Azure resources are hosted in three United States regions: West US, Central US, and East US 2. SQL database backups use Azure’s geo-redundant storage, which keeps a backup copy in a paired United States region for disaster-recovery purposes. No user data is hosted outside the United States.
Google processes user data in two ways. First, Google Sign-In (OAuth 2.0) authenticates our users; Google receives the standard OAuth data — primarily your email address and profile name — when you sign in. Second, the service that receives uploads sends a notification email to America Counts administrators through Google’s Gmail SMTP service when a new submission arrives. These notifications go to our internal distribution list, not to end users; the content includes a link to the submission and any text (such as a precinct identifier or a comment) the submitter attached to it.
PayPal processes donations through its hosted checkout, as described in Section 3.5. PayPal handles your payment details directly; we do not see or store them. PayPal returns to us only the donation notification and the donor information PayPal forwards to merchants.
We do not use any other subprocessors. We do not use SendGrid, Mailgun, Twilio, Stripe, Sentry, Firebase, Crashlytics, a content-delivery network, a mapping provider other than Azure Maps for the separate internal tool described above, or any other third-party service to process user data. If we add a subprocessor, we will update this section of the policy.
8.2 Legal and law enforcement requests
We may share user information in response to lawful legal process, such as subpoenas, court orders, search warrants, or formal regulatory requests. Our institutional posture on these requests, and our practice on user notification, is described in Section 6.3 above.
8.3 Public disclosure through the archive
Submissions that pass vetting are published to the public archive, as described in Section 5. Once a submission is in the archive, it is publicly accessible to anyone, including journalists, researchers, opposing counsel in any legal proceeding, and members of the general public. As noted in Section 5.2, the submitter’s identity is not displayed in the archive; but the recording and its associated location, precinct, and time information are. This is not a “sharing” in the conventional sense — it is the central purpose of the methodology — but it has the same practical effect as sharing the recording with the world, and we want to be explicit about it.
8.4 Aggregated and de-identified disclosures
We may publish aggregate statistics about our operations — total submissions received, total videos analyzed, total comparisons performed, total elections covered, and so on. Aggregate statistics do not identify any individual user.
8.5 Business transfers
In the unlikely event that Democracy Counts is merged into another nonprofit organization, dissolved, or otherwise restructured, user information may be transferred to the successor organization. Any successor organization would be bound by this Privacy Policy or a substantially equivalent one.
8.6 We do not sell your data
We do not sell user data. We do not share user data with data brokers, advertising networks, marketing companies, or any other party that would use it for commercial purposes unrelated to the Actual Vote methodology. We are funded by donations and we have no business model that involves monetizing user data. We do not show advertising on our services, and we have no plans to do so. If this ever changes, we will update this Privacy Policy and notify affected users before implementing any change.
9. Your Rights and Choices
Depending on where you live, you may have legal rights regarding the information we collect about you. This section describes those rights and how to exercise them.
9.1 The rights you have
The specific rights depend on the law that applies to you:
- Under the California Consumer Privacy Act (CCPA) and similar state laws, you have the right to know what information we collect about you, to request deletion of your information, to correct inaccurate information, and to opt out of any sale or sharing of your personal information. (We do not sell or share user data, as described in Section 8.6.)
- Under the European General Data Protection Regulation (GDPR), if you are in the European Economic Area or the United Kingdom, you have the right to access your personal data, to request correction or deletion, to object to or restrict processing, to request portability of your data, and to file a complaint with a supervisory authority.
9.2 Important limitations
There are practical limits on how we can honor some of these rights, given the nature of our work and the current configuration of our infrastructure.
- Deletion from the live system does not remove copies that already exist outside our control. If you submitted a recording that was published to the public archive, anyone could have downloaded a copy during the time the submission was public. Removing the submission from our archive does not retrieve those copies, and we cannot guarantee that the submission no longer exists anywhere on the internet.
- Deletion from the live system does not immediately propagate to backups. As described in Section 7.6, our database backups can retain a copy of a deleted record for up to one year before that backup ages out. We cannot selectively purge individual records from backups without compromising the backups’ integrity as recovery points. The data in backups is not actively used and is not accessible through the running application; it exists only to support disaster recovery.
- Video files, once deleted from our live storage, are deleted permanently. Our blob storage is not configured with soft delete or versioning, so once a video file is deleted from our live storage we cannot recover it. For deletion requests this cuts both ways: the live copy is genuinely gone, but if we had mirrored the file into a separate backup storage account, that copy would have to be deleted separately.
- Submissions subject to legal hold cannot be deleted. If a submission is the subject of an active legal proceeding, we may not be able to delete it until the proceeding concludes, regardless of any deletion request you make.
- Some data is required for the integrity of our methodology and the public archive. The chain-of-custody records around an approved submission cannot be deleted without compromising the evidentiary value of the submission. We will work with you in good faith on any deletion request, but the integrity of our public-interest work places some limits on what we can delete.
- Our Google Sign-In relationship is outside our control. We can delete the account record and the data we hold, but the fact that you authenticated to us with your Google account lives in Google’s own systems under Google’s own retention rules. You can revoke Actual Vote’s access to your Google account in your Google account settings.
9.3 How to exercise your rights
We are honest that we do not yet operate a dedicated, formal subject-access mechanism — a documented request form, an automated identity-verification step, a fixed response-timeline tracker, and a standardized data-export format. Building one is on our roadmap, and a future revision of this policy will describe it.
In the meantime, you can exercise your rights by contacting us using the information in Section 13. We will work with you in good faith and within the legally required timelines (forty-five days under CCPA, extendable once for another forty-five days where necessary; one month under GDPR, extendable by two months for complex requests).
Some requests we can serve today without a formal workflow:
- Access to your submissions. You can see the recordings you have submitted, with their metadata and analytical records, by signing in to your user area at av.democracycounts.org. This is not a complete access-to-data response under CCPA or GDPR (it does not include, for example, server-level request logs), but it gives you direct visibility into the substantive content we hold about your participation.
- Deletion and correction requests. Handled today by email. An administrator will verify your identity through the email address tied to your account and then act on the request, subject to the limitations described in Section 9.2.
9.4 Opting out of communications
You can opt out of optional communications (newsletters, updates, requests for support) at any time by using the unsubscribe link in any communication or by contacting us. We will continue to send essential communications about your submissions even if you opt out of optional ones.
9.5 Closing your account
You may close your account at any time by contacting us using the information in Section 13.
Closing your account ends your ability to sign in but does not, by itself, remove your previously submitted recordings from the public archive (if they were approved) or from our internal records. The full handling is described in Section 7.4. If you also want a previously published submission removed from the archive, please tell us so explicitly when you request closure; we will evaluate the takedown request under the criteria in Section 5.5.
10. Children and Minors
Actual Vote is intended for adults and for high school students aged fourteen and older. Some of our outreach is specifically directed at high school civic-education programs, where students aged fourteen and older participate alongside adult volunteers.
Actual Vote is not directed at children under the age of thirteen, and we do not knowingly collect personal information from children under thirteen. As a practical matter, the only way to sign in to Actual Vote is through Google Sign-In, and Google requires users to be at least thirteen years old (or the applicable age in their country) to hold a Google account. We do not ask you for your age or date of birth. We rely on Google’s age requirement as the operative age gate; we do not perform independent age verification beyond that.
If you are a parent or guardian and believe that your child under thirteen has provided personal information to us (for example, by using your Google account to submit a recording), please contact us and we will delete the information from our records.
We treat user accounts the same regardless of the age of the user, but we encourage younger users to use Actual Vote with the awareness and support of a parent, guardian, or teacher.
11. Security
We work to protect the information we collect against unauthorized access, use, alteration, and destruction. No online service is perfectly secure, but we take the security of user data seriously and apply the safeguards described below. We are also honest, in this section, about the places where our current infrastructure has gaps that we intend to close.
11.1 Encryption in transit
All communication between the Actual Vote mobile app, the av.democracycounts.org website, and our backend uses HTTPS with industry-standard TLS. The minimum supported TLS version is 1.2 across our website and our current Azure infrastructure. The exception is one older upload service, which still accepts TLS 1.1 and is scheduled to be rebuilt; the rebuild will bring this up to current standards. No part of the app or the website falls back to unencrypted HTTP under any circumstance.
The mobile app relies on the operating system’s built-in certificate validation — it does not implement certificate pinning. Our upload endpoints are protected by the Azure-standard TLS certificate chain.
11.2 Encryption at rest
All of our cloud storage is encrypted at rest using AES-256:
- Azure Blob Storage (where videos and thumbnails are stored) is encrypted using Microsoft-managed keys, enforcing HTTPS-only access and TLS 1.2 or higher.
- Azure SQL Database is encrypted using Transparent Data Encryption with a service-managed key, covering both the live database and its backups.
- Azure Key Vault (where our server-side secrets are stored) encrypts its contents using the vault infrastructure’s managed keys, with soft delete enabled and a ninety-day recovery window.
On the mobile device, authentication tokens are stored in the platform’s secure storage — Keychain on iOS and Keystore on Android — which is encrypted by the operating system. Video files and submission metadata on the device are stored inside the app’s private sandbox directory; they are protected by the OS sandbox but are not separately encrypted at the app level.
11.3 Authentication
Authentication is delegated entirely to Google Sign-In (OAuth 2.0). We do not operate a password database. Your Actual Vote identity is tied to your Google identity through your email address. Access tokens issued by Google are stored securely on your device (Keychain or Keystore) and are refreshed automatically as they near expiration.
11.4 Access controls
Access to our backend data is restricted to a small group of America Counts staff and trusted contractors. Access to the website and the upload service is controlled by an application-level role system (Volunteer, Auditor, Recorder, DataAdmin, UserAdmin, Admin), with administrator-level visibility limited to people who need it for vetting, support, and operations.
We are honest about a current limitation: our database-level access controls and our infrastructure-level access controls are not fully role-separated. Staff and contractors who have been granted broad Azure access can, in principle, reach the live database and storage directly. This is not how administrative work is normally done — admin work goes through the website’s role-controlled interface — but the capability exists at the infrastructure level. This is one of the items we plan to tighten in the rebuild of the upload infrastructure.
11.5 Logging and audit
Azure Application Insights captures every request our website and upload service handle, retaining ninety days of that telemetry. Azure Activity Log retains ninety days of infrastructure-level operations (who changed what configuration, when). SQL Server’s built-in auditing is not currently enabled; we are aware of this gap and it is on our list to address. Our logs are not stored in write-once, immutable storage, so in principle an engineer with sufficient Azure permissions could alter or delete them. We do not consider this an acceptable long-term posture for a system whose outputs may be used as evidence, and improvements to audit-log immutability are part of the planned rebuild of the upload infrastructure.
11.6 Platform and infrastructure protections
Microsoft’s Azure platform provides baseline protections against common network threats, including basic firewalling and denial-of-service protections. Our site-specific TLS certificates are managed through Azure’s managed-certificate service.
11.7 Forensic-grade infrastructure (work in progress)
Some of the features that would be required to treat Actual Vote submissions as true forensic-grade evidence — cryptographic hashing of each upload at the moment of receipt, tamper-evident (write-once) audit trails, immutable storage tiers with per-submission legal-hold capability, and full chain-of-custody tracking of post-upload access — are not yet in place. The current infrastructure is conventional. We are planning a rebuild of the upload service that will add these features, and this Privacy Policy will be updated when they ship.
11.8 Reporting security issues
If you become aware of a security issue with Actual Vote or any of our services, please report it to us using the contact information in Section 13. We treat security reports seriously and respond as quickly as we can.
12. International Users
America Counts is based in the United States and is focused on US elections. Our infrastructure is hosted in three United States regions (West US, Central US, and East US 2), our staff is in the United States, and our methodology is designed around US election administration. Backups use Azure’s geo-redundant storage, which keeps a backup copy in a paired United States region. No user data is hosted outside the United States.
We do not currently have a meaningful international user base, but there is nothing in our system that prevents users outside the United States from using Actual Vote. We would welcome international users, and the value of Actual Vote — the video recording infrastructure, the public archive, the documented chain of custody, the evidentiary integrity — is available to anyone who wants to use it. We may not be able to perform the comparison analysis against official results for elections outside the United States (the comparison work requires per-jurisdiction setup that we have only done for US jurisdictions), but the underlying data collection and preservation infrastructure works internationally without modification.
If you are using Actual Vote from outside the United States, you should be aware that:
- Your data is processed in the United States. When you upload a submission, the recording and its metadata are transmitted to our US-hosted backend and processed there. By using our services from outside the United States, you consent to this transfer of your data to the United States.
- US privacy law applies. The legal framework governing our data practices is United States federal and state law. If you are in the European Economic Area or the United Kingdom, the rights described in Section 9.1 (under the GDPR) still apply to the extent the GDPR reaches our processing of your data, but the practical legal context is shaped by US law.
- Microsoft’s cross-border transfer mechanisms apply to our use of Azure. Microsoft maintains Standard Contractual Clauses and related transfer mechanisms under its data-protection addendum, which cover the use of Azure by organizations whose users are in the European Economic Area or the United Kingdom. We rely on Microsoft’s framework for transfers that the GDPR would treat as cross-border transfers to the United States.
- We will respond to GDPR rights requests. If you are in a GDPR-covered jurisdiction and want to exercise your rights under that framework, contact us using the information in Section 13 and we will respond in good faith, subject to the limitations described in Section 9.2.
If our international user base grows substantially, we will revisit this section and update it to reflect any additional legal mechanisms that become appropriate.
13. Changes to This Policy and How to Reach Us
13.1 Changes to this policy
We may update this Privacy Policy from time to time. When we make changes, we will:
- Update the version date at the top of this document.
- Maintain a change log describing what was updated.
- For material changes, notify users through the Actual Vote app, through email, or through a notice on our websites, depending on the nature of the change.
Your continued use of our services after a change to this policy constitutes acceptance of the updated policy. If you do not agree with a change, you can stop using our services and close your account.
13.2 How to reach us
For questions about this Privacy Policy, to exercise any of the rights described in Section 9, or to report a privacy or security concern, please contact us through our contact form at:
The contact form is currently the primary way to reach us. We do not yet publish a postal mailing address; when one is established for public-facing legal notices, it will be added to this section and to the User Agreement.
This Privacy Policy, and any matter relating to it, is governed by the laws of the State of California.
We aim to respond to privacy requests promptly and in any case within the time required by applicable law (forty-five days under CCPA, one month under GDPR).
Acknowledgment
This Privacy Policy was developed for America Counts and Democracy Counts, Inc., taking into account the specific operational practices of the Actual Vote methodology, the evidentiary use of submitted recordings, and the public-archive nature of approved submissions. It replaces an earlier version (dated November 4, 2024) that was adapted from the privacy policy of Automattic, Inc. and that did not adequately reflect the specific nature of our operations.
We take user privacy seriously and we welcome feedback on this policy. If you think we have left something out, gotten something wrong, or could explain something more clearly, please let us know using the contact information above.