Every Iowan

Privacy Policy

Effective date: March 29, 2026

1. Who We Are

Theito Tech LLC, doing business as Every Iowan Iowa ("we," "us," "our"), operates the website everyiowan.com and related services (collectively, the "Service"). We are based in Urbandale, Iowa, United States.

For privacy inquiries, contact us at [email protected] or through our contact form.

2. Information We Collect

We collect only what is necessary to provide the Service:

2.1 Account Data (when you sign in)

We offer sign-in through Google, X.com (Twitter), and email magic links. When you authenticate, we receive and store:

  • Name and email address — to identify your account
  • Profile picture URL — to display your avatar (we store the URL, not the image)
  • OAuth provider and account ID — to link your sign-in method

We do not receive or store your password from any provider. Authentication is handled entirely by the third-party provider.

2.2 Contact Form Submissions

When you submit our contact form, we collect:

  • Your name and email address
  • Business name (optional)
  • Your message

2.3 Business Claim Data

When you claim a business listing, we collect your account information (already collected during sign-in), the entity you are claiming, your verification method (email domain match or manual review), and any notes you provide. This data is used solely to verify business ownership and grant portal access.

2.4 Automatically Collected Data

When you use the Service, our server automatically records basic technical information: pages visited, device type, and browser. This data is used only to operate and improve the platform. We aggregate anonymous interaction data (page views, click types, device categories) to provide business owners with cohort-level analytics about their listing's performance. This data is presented only in aggregate form — individual visitors are never identified to business owners. We classify visitors into anonymous groups (e.g., "consumers," "business users," "anonymous") based on account type, never by individual identity. We do not use third-party tracking cookies, analytics trackers, advertising pixels, or fingerprinting scripts.

2.5 Public Business Directory Data

Our directory contains publicly available information about Iowa businesses and organizations gathered from public websites, government databases, and directories. This data is not personal data — it relates to businesses, not individuals. If you represent a listed entity and wish to correct or remove information, please contact us.

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), UK, or Switzerland, we process your data under the following legal bases:

  • Performance of a contract (Article 6(1)(b) GDPR) — to provide the Service when you create an account or use our client portal.
  • Consent (Article 6(1)(a) GDPR) — when you submit our contact form or sign in voluntarily.
  • Legitimate interests (Article 6(1)(f) GDPR) — to maintain security, prevent fraud, and improve the Service. Our legitimate interest does not override your rights; we do not use your data for profiling or targeted advertising.

4. How We Use Your Information

  • To operate, maintain, and improve the platform
  • To authenticate your identity and manage your session
  • To communicate with you about services you requested
  • To send transactional messages (account verification, service updates)
  • To respond to your contact form submissions
  • To provide client portal access (for business customers)
  • To verify business ownership claims and grant portal access
  • To provide aggregated, anonymous visitor analytics to verified business owners
  • To maintain security and prevent abuse
  • To comply with legal obligations

We do not sell your personal data. We do not use personal data for targeted advertising, profiling, or automated decision-making.

5. Information Sharing and Third-Party Services

We do not sell, rent, or trade your personal information. We share data only with the following service providers, who act as data processors on our behalf:

Provider | Purpose | Data Shared
Google (OAuth) | Authentication | OAuth tokens (no passwords)
X.com (OAuth) | Authentication | OAuth tokens (no passwords)
Resend | Transactional email | Email address
Cloudflare | DNS and security | IP address, request metadata
DigitalOcean | Infrastructure hosting | All data at rest (encrypted)

Each provider maintains their own privacy policy and data processing agreements. We do not transfer data to any provider that lacks adequate data protection. We do not share your personal data with third parties for their marketing purposes.

6. Cookies and Session Management

We use only strictly necessary cookies:

Cookie | Purpose | Duration
authjs.session-token | Keeps you signed in | 30 days
authjs.csrf-token | Prevents cross-site request forgery | Session
authjs.callback-url | Remembers where to redirect after sign-in | Session

We do not use analytics cookies, advertising cookies, or any third-party tracking cookies. Because our cookies are strictly necessary for the Service to function, they are exempt from consent requirements under the ePrivacy Directive.

7. Data Retention

  • Account data — retained while your account is active. You may request deletion at any time.
  • Contact form submissions — retained for business operations. You may request deletion at any time.
  • Session data — automatically deleted 30 days after last activity.
  • Server logs — rotated every 30 days.
  • Database backups — overwritten after 7 days.
  • Claim request data — retained for the life of the business listing for audit purposes. Rejected claims are retained for 1 year.

To request deletion of any data we hold about you, email [email protected] or use our contact form.

8. Your Rights

Regardless of where you are located, we honor the following rights:

  • Access — Request a copy of the personal data we hold about you.
  • Correction — Request that we correct inaccurate data.
  • Deletion — Request that we delete your account and all associated data. You can do this from your account menu or by contacting us.
  • Data portability — Request a machine-readable export of your data.
  • Withdraw consent — You may withdraw consent at any time by deleting your account or contacting us. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
  • Restrict processing — Request that we limit how we use your data.
  • Object — Object to processing based on legitimate interests.

To exercise any of these rights, email [email protected] or use our contact form. We will respond within 30 days.

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

  • Right to know what personal information we collect, use, and disclose.
  • Right to delete your personal information.
  • Right to correct inaccurate personal information.
  • Right to opt-out of the sale or sharing of personal information.
  • Right to non-discrimination for exercising your privacy rights.

We do not sell or share your personal information as defined by the CCPA/CPRA. We do not use personal information for targeted advertising or cross-context behavioral advertising.

10. Your Rights Under Iowa Law (SF 262)

Iowa Senate File 262 provides Iowa residents with specific data privacy rights, effective January 1, 2025. As an Iowa-based company, we take these rights seriously:

  • Right to know — You can request confirmation of whether we hold personal data about you and access that data.
  • Right to delete — You can request that we delete your personal data.
  • Right to opt out of targeted advertising — We do not currently engage in targeted advertising, but you have the right to opt out if we ever do.
  • Right to opt out of sale of personal data — We do not sell your personal data.

To exercise any of these rights, email [email protected]. We will respond within 90 days as required by Iowa law. If we decline a request, you may appeal by contacting us at the same address.

11. Children's Privacy

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected data from a child under 13, please contact us immediately and we will delete it.

12. Data Security

We protect your data through:

  • TLS encryption for all data in transit (HTTPS enforced with HSTS)
  • Encrypted database connections
  • HTTP-only, secure session cookies (not accessible to JavaScript)
  • Firewall-restricted database access (not exposed to the public internet)
  • Automated daily encrypted backups with 7-day retention
  • Fail2ban intrusion prevention
  • SSH key-only authentication (no password login)

No system is 100% secure. If we discover a data breach affecting your personal information, we will notify you and any applicable regulatory authority within 72 hours as required by GDPR Article 33.

13. International Data Transfers

Our servers are located in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US. By using the Service, you consent to this transfer. For EEA/UK users, this transfer is necessary for the performance of our contract with you (Article 49(1)(b) GDPR).

14. Automated Processing

Our business directory uses automated tools to gather and organize publicly available business information. All automated enrichments are reviewed by a human before publication. We do not make automated decisions about individuals that produce legal or similarly significant effects.

15. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will post the updated policy on this page with a new effective date. For material changes, we will notify users by email if possible.

16. Contact and Complaints

For privacy questions, data requests, or complaints, contact:

Theito Tech LLC

d/b/a Every Iowan Iowa

Urbandale, Iowa, United States

Email: [email protected]

If you are in the EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority.