This Privacy Policy explains how CrimeScore (operated by OopsLab LLC, "we", "us") handles information collected from customers of the CrimeScore API and visitors to crimescore.io and any embed widget served from our domain.
Account information. When you register, we collect your email address, hashed password (via AWS Cognito), the organization name you create, and any team-member email addresses you invite.
Billing information. Payments are processed by Stripe. We never see or store full card numbers. We store the Stripe customer ID, subscription status, plan tier, billing-cycle dates, and the email address associated with the Stripe customer record.
API usage data. When your API key is used to call the CrimeScore API, we record the request count, endpoint, response code, timestamp, and request/response metadata needed for quota enforcement, abuse prevention, debugging, and billing. For score requests this may include the returned geographic identifier (for example, a Census block group GEOID). For recent-incident requests this may include the requested coordinates, radius, hour window, and returned result count. We do not store the originating IP address of end users beyond what is required for short-term abuse detection and rate limiting.
Embed widget telemetry. When the CrimeScore embed widget is loaded on a third-party site, we record the publishable key used, the origin domain, the timestamp, and an aggregate load count. We do not set tracking cookies on end users of the embedding site.
Recent incident data. CrimeScore may collect and store normalized recent public or third-party incident activity for the 24-hour incident API and public activity-pulse visuals. We store only product-safe normalized fields such as a stable incident ID, sanitized label/category, approximate coordinates, timestamps, severity/rank signals, and aggregate cluster counts.
Operational logs. Standard server logs (request paths, status codes, error traces) are retained for up to 30 days for security and reliability purposes.
We do not collect end-user demographic information, personally identifying information about end users of your platform, browsing history, location history outside of the single-coordinate API requests you send, or any data class that would trigger HIPAA, FERPA, or GLBA obligations on our side.
For recent incident features, we do not expose or store raw upstream payloads for customer use, media URLs, livestream details, user/comment data, radio clips, or raw update text in public feeds or customer API responses.
The CrimeScore machine-learning model itself is trained exclusively on public Census-derived rate features and public geocoded incident data. Race is not a feature.
We use the information we collect to operate the CrimeScore API and dashboard, send transactional emails (invitations, billing notifications, security alerts), enforce quotas and abuse policies, improve product performance, and respond to support inquiries. We do not sell personal information. We do not run third-party advertising trackers on the dashboard or the embed.
We use the following third-party services to operate the product:
Each subprocessor receives only the data strictly necessary to perform its function.
The CrimeScore API is intended as one input among many in legitimate location-risk-intelligence workflows. As stated in our published model card, the following uses are explicitly out of scope and not licensed:
Account data is retained for the lifetime of the account plus 90 days after deletion to allow recovery. Billing records are retained for 7 years to satisfy tax-record obligations. Operational logs are retained for up to 30 days. Aggregated, non-identifying analytics may be retained indefinitely for model and product improvement.
If you are a customer, you can access, correct, export, or delete your account data at any time via the dashboard. To request deletion of your Stripe customer record and associated billing history, contact support@crimescore.io.
If you are an EU/UK resident, you have additional rights under GDPR/UK-GDPR including the right to lodge a complaint with your supervisory authority. If you are a California resident, you have rights under the CCPA/CPRA. We honor verifiable requests under both regimes.
All traffic is served over HTTPS. Passwords are hashed by AWS Cognito. API keys are stored only as SHA-256 hashes; the original key is shown to you exactly once at creation time. Database access is limited to least-privileged service roles. Ongoing security review is the responsibility of the engineering team.
CrimeScore is a B2B product not directed at children under 13. We do not knowingly collect information from children.
We will post material changes to this policy on this page and update the "Last updated" date above. For significant changes affecting how we use information, we will notify account holders by email.
Questions about this policy? Email support@crimescore.io.