CrimeScore Live Nationwide
API Docs Map Comparisons Blog Contact Login Register

Legal

Privacy Policy

Last updated: July 2026

This Privacy Policy explains how CrimeScore (operated by OopsLab LLC, "we", "us") handles information collected from customers of the CrimeScore API and visitors to crimescore.io and any embed widget served from our domain.

1. What we collect

Account information. When you register, we collect your email address, hashed password (via AWS Cognito), the organization name you create, and any team-member email addresses you invite.

Billing information. Payments are processed by Stripe. We never see or store full card numbers. We store the Stripe customer ID, subscription status, plan tier, billing-cycle dates, and the email address associated with the Stripe customer record.

API usage data. When your API key is used to call the CrimeScore API, we record the request count, endpoint, response code, timestamp, and request/response metadata needed for quota enforcement, abuse prevention, debugging, and billing. For score requests this may include the returned geographic identifier (for example, a Census block group GEOID). For recent-incident requests this may include the requested coordinates, radius, hour window, and returned result count. We do not store the originating IP address of end users beyond what is required for short-term abuse detection and rate limiting.

Embed widget telemetry. When the CrimeScore embed widget is loaded on a third-party site, we record the publishable key used, the origin domain, the timestamp, and an aggregate load count. We do not set tracking cookies on end users of the embedding site.

Email lifecycle data. We process your email address, marketing subscription status, optional first name, account activation stage, and email delivery or engagement events to send account onboarding, product lifecycle, and subscribed marketing messages. We never include API keys or other authentication secrets in lifecycle email data.

Website and product analytics. Google Analytics and PostHog process page URLs, referring domains, campaign parameters such as UTM source, medium, and campaign, and a limited set of product-funnel events. Authenticated product activity may be associated with an internal account identifier so we can understand registration, activation, and subscription outcomes. We do not place email addresses, organization names, API keys, requested locations, or other personal information in campaign URL parameters or Google Analytics events.

Advertising attribution. When a CrimeScore visit includes a Google Ads click identifier (GCLID, GBRAID, or WBRAID), we may retain the first valid identifier for up to 90 days in your browser together with associated UTM parameters, the landing-page path, and the capture time. If you create or access an account during that period, we associate that first-touch record with your account until account deletion. We also create limited conversion records for events such as account creation, API activation, demo requests, trial starts, and the first paid subscription invoice.

Recent incident data. CrimeScore may collect and store normalized recent public or third-party incident activity for the 24-hour incident API and public activity-pulse visuals. We store only product-safe normalized fields such as a stable incident ID, sanitized label/category, approximate coordinates, timestamps, severity/rank signals, and aggregate cluster counts.

Operational logs. Standard server logs (request paths, status codes, error traces) are retained for up to 30 days for security and reliability purposes.

2. What we don't collect

We do not collect end-user demographic information, personally identifying information about end users of your platform, browsing history, location history outside of the single-coordinate API requests you send, or any data class that would trigger HIPAA, FERPA, or GLBA obligations on our side.

For recent incident features, we do not expose or store raw upstream payloads for customer use, media URLs, livestream details, user/comment data, radio clips, or raw update text in public feeds or customer API responses.

The CrimeScore machine-learning model itself is trained exclusively on public Census-derived rate features and public geocoded incident data. Race is not a feature.

3. How we use information

To operate the CrimeScore API and dashboard, send transactional emails (invitations, billing notifications, security alerts), provide account onboarding and product lifecycle messages, send marketing messages when subscribed, enforce quotas and abuse policies, attribute advertising outcomes, measure acquisition and product activation, improve product performance, and respond to support inquiries. We do not sell personal information or use dashboard and embed activity to serve third-party advertising.

4. Subprocessors

We use the following third-party services to operate the product:

  • Amazon Web Services — hosting, databases (DynamoDB), private conversion-file storage (S3), authentication (Cognito), email delivery (SES).
  • Plunk — lifecycle email workflows, contact subscription preferences, and email delivery analytics.
  • Google Analytics — aggregate website and product-funnel measurement.
  • Google Ads Data Manager — import and matching of advertising click identifiers to measure conversion outcomes.
  • PostHog — product analytics, campaign attribution, and privacy-masked session diagnostics.
  • Stripe — payment processing and subscription management.
  • Google reCAPTCHA / form-handling provider — for protecting the demo-request form.

Each subprocessor receives only the data strictly necessary to perform its function.

5. Out-of-scope uses

The CrimeScore API is intended as one input among many in legitimate location-risk-intelligence workflows. As stated in our published model card, the following uses are explicitly out of scope and not licensed:

  • Individual-level decisions in fair-housing-protected contexts (rental approval, mortgage approval, loan underwriting).
  • Predictive policing or any operational law-enforcement decision-making.
  • Any decision that would have a legally adverse effect on a specific identified person on the basis of their address.

6. Data retention

Account-linked Google Ads attribution is retained while the account remains active and is removed when account deletion completes. Limited Google Ads conversion rows expire after 120 days and are also removed during account deletion when associated with that account. Billing records are retained for 7 years to satisfy tax-record obligations. Operational logs are retained for up to 30 days. Aggregated, non-identifying analytics may be retained indefinitely for model and product improvement.

Google Ads conversion exports contain click identifiers, event names and times, deterministic order identifiers, and subscription revenue and currency when applicable. They do not contain email addresses, internal user IDs, UTM parameters, or landing paths. CrimeScore does not use hashed-email matching for this process.

7. Your rights

If you are a customer, you can access, correct, export, or delete your account data at any time via the dashboard. To request deletion of your Stripe customer record and associated billing history, contact support@crimescore.io.

If you are an EU/UK resident, you have additional rights under GDPR/UK-GDPR including the right to lodge a complaint with your supervisory authority. If you are a California resident, you have rights under the CCPA/CPRA. We honor verifiable requests under both regimes.

8. Security

All traffic is served over HTTPS. Passwords are hashed by AWS Cognito. API keys are stored only as SHA-256 hashes; the original key is shown to you exactly once at creation time. Database access is limited to least-privileged service roles. Ongoing security review is the responsibility of the engineering team.

9. Children

CrimeScore is a B2B product not directed at children under 13. We do not knowingly collect information from children.

10. Changes

We will post material changes to this policy on this page and update the "Last updated" date above. For significant changes affecting how we use information, we will notify account holders by email.

11. Contact

Questions about this policy? Email support@crimescore.io.

CrimeScore
Map · ZIP Lookup · Embedded Maps · Blog · Research · Comparisons · Data Quality · API Docs · Privacy · Terms · support@crimescore.io · © 2026 CrimeScore by OopsLab LLC