Privacy Policy

This policy applies to all users of the MobilityLens platform, including individuals accessing the platform directly, caseworkers and supervisors at nonprofit or government organizations, and researchers granted API access.

If you access MobilityLens through a nonprofit or government organization, that organization is the data controller for your case records. Xiente processes that data as a data processor under a signed data processing agreement (DPA).

Each nonprofit or government organization operates in a fully isolated tenant. PostgreSQL Row Level Security (RLS) enforces this isolation at the database layer — not just in application code. No organization can access another organization's client records, case notes, or analytics data.

Tenant isolation is validated on every deployment. Xiente engineers can access production infrastructure only through a break-glass process that generates an audit log entry — not through regular application access.

When a case is closed, the following de-identification steps are applied before any data enters the research pool:

• Name, contact information, and all directly identifying fields are permanently deleted from research records.
• Case notes, free-text fields, and document content are excluded entirely.
• Income is converted to a categorical band (e.g., $25,000–$35,000), not a raw figure.
• Age is converted to an age band (e.g., 25–34).
• ZIP code is retained but combined with no more than two other categorical fields per query.
• Household size is capped at "6+" to prevent re-identification of very large households.

No metric is surfaced in any research view unless the underlying cohort contains at least 50 distinct individuals. This threshold is enforced at the query layer and cannot be bypassed by API clients.

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Right of access: Request a copy of all personal data we hold about you.
• Right to rectification: Request correction of inaccurate data.
• Right to erasure: Request deletion of your account and associated data.
• Right to data portability: Request your data in a machine-readable format (JSON or CSV).
• Right to restrict processing: Request that we limit how we use your data while a dispute is resolved.
• Right to object: Object to processing based on legitimate interests or direct marketing.

To exercise any of these rights, email privacy@xiente.org. We will respond within 30 days.

Active individual accounts: Retained for the life of the account. You may delete your account at any time through account settings.

Case records (NGO tenants): Retained for 90 days after case closure, then permanently deleted unless the organization has a legal obligation to retain longer. Organizations may configure shorter retention periods.

De-identified research records: Retained indefinitely for longitudinal research. These records contain no PII and cannot be linked back to individuals.

Audit logs: Access and change logs are retained for 365 days to support compliance and security investigations.

MobilityLens uses the following third-party infrastructure services:

• DigitalOcean — cloud infrastructure (US-region droplets)
• Keycloak — self-hosted authentication (no data leaves our infrastructure)
• Qdrant — self-hosted vector database for RAG (no data leaves our infrastructure)
• Anthropic Claude API — AI overflow processing (non-PII context only; see AI disclaimer below)

We do not sell personal data to any third party. We do not use personal data for advertising purposes.

For privacy questions, data subject requests, or complaints, contact us at privacy@xiente.org.

If you are in the European Union and believe your rights have been violated, you may lodge a complaint with your national data protection authority. We are committed to resolving all concerns within 30 days.