Privacy Policy.
What data we collect, what we do with it, who we share it with, and how to exercise your rights.
Effective 2026-04-18 · Last reviewed 2026-04-18
Who we are
1water, Inc. (“1water.ai,” “we”) is a Delaware corporation operating the agent-native water compliance platform at 1water.ai. For privacy inquiries, email privacy@1water.ai.
What we collect
- Account data: email, name, role, utility name, PWSID, population served.
- Content: CCRs you draft, lab PDFs you upload, compliance reports, distribution lists.
- Usage data: page views, feature interactions, agent events. Collected via Vercel Analytics (cookieless).
- Support data: emails and chat messages you send us.
What we don’t collect
- We don’t use third-party analytics like GA4 or Meta Pixel.
- We don’t set advertising cookies.
- We don’t share your uploaded content with anyone outside our service providers.
How we use it
- Operate the service (draft your CCR, run compliance checks, publish).
- Bill you (Stripe processes payments on our behalf).
- Notify you of regulatory changes that affect your reporting.
- Improve the platform (aggregate usage patterns, with personally identifying info removed).
Who we share it with
Only processors we need to operate the service:
- Supabase — database, storage
- Vercel — hosting, functions, CDN
- SendGrid — transactional email
- Stripe — billing
- Cloudflare R2 — file storage
See our full subprocessor list.
How long we keep it
Per 40 CFR § 141.155, we retain your published CCRs and distribution logs for a minimum of 5 years. Account metadata is retained for the life of your account plus 90 days after cancellation.
Your rights
You can access, correct, export, or delete your personal data at any time. Under GDPR you may also object to processing and request data portability. Under CCPA you may opt out of “sale” of personal information (we don’t sell it, but the right applies). Email privacy@1water.ai to exercise any of these rights.
Security
We follow the practices described on our security page — encryption in transit and at rest, tenant isolation, least-privilege access, annual penetration testing, SOC 2 audit in progress.
Children
The service is not directed at children under 13. We don’t knowingly collect data from children.
Changes
We’ll update this policy as our practices evolve. Material changes will be emailed to account holders at least 30 days before taking effect.