Privacy Policy

Effective Date: September 18, 2020

This Privacy Policy describes our practices regarding the collection, use and disclosure of information collected by FirstRoot, Inc. (together with its subsidiaries and affiliates, “FirstRoot”) through the its websites and mobile applications (collectively, the “Service”). Please review this Privacy Policy carefully. In addition, please review the Terms of Use which govern your use of the Service.


  • Information You Provide Us Directly
  • Information We Collect Automatically


  • When You Request That We Share Your Information
  • Third Parties Providing Services on Our Behalf
  • Administrative and Legal Reasons
  • Business Transfers


We may collect information from you directly, automatically when you visit the Service, and sometimes from third parties. Some of this information may be considered “personal information” under various applicable laws. We consider information that identifies you as a specific, identified individual to be personal information (such as your name, phone number, e-mail address), and we treat additional information, including IP addresses and cookie identifiers, as “personal information” where required by applicable law. And, if we combine information we consider to be non-personal with personal information, we will treat that combined information as personal information under this Privacy Policy and as required by law. Note that we may de-identify personal information so that it is non-personal, such as by aggregating it or converting it to a code, sometimes using mathematic functions commonly known as “hashing” or a “hash.” We will treat de-identified information as non-personal to the fullest extent allowed by applicable law.

Information You Provide Us Directly
We may ask you to provide information directly, such as contact information (such as your name, phone number, or e-mail address), banking and other financial information, and other information about you, including your school or job title. You may also choose to provide photographs to the Service.

The Service is not intended for use by anyone younger than the age of 13 and we do not knowingly collect personal information from users younger than age 13. If we learn that we have inadvertently collected personal information from a user who is younger than age 13, we will delete the information from our active databases.

Information We Collect Automatically
We and our service providers and third party business partners may use a variety of technologies that automatically or passively collect certain information whenever you visit any Service or otherwise interact with us or our content (“Usage Information”). Usage Information may include the hardware model, browser, and operating system you are using, all of the areas within the Service that you visit, your time zone, location information, and mobile network (if applicable), among other information. In addition, we automatically collect your IP address or other unique identifier (“Device Identifier”) for any device you use to access our Service. In some cases, we may directly collect location information through your device. You may be able to turn off the collection of location information through the settings on your device.

The methods that may be used to collect Usage Information include the following:

Application Programming Interfaces (APIs)
APIs are programming codes that collect information about your interactions with websites and applications.

Cookies and Local Storage
Cookies and local storage are data files placed within a browser on a device when it is used to visit the Service. Certain web browsers and browser add-ons may provide additional local data storage mechanisms. Cookies and local storage can be used for a variety of purposes, including to store a unique identifier for your device that recognizes your device as you visit the Service or other web sites or online services and to remember your preferences. Most browsers provide you with the ability to disable or decline cookies and local storage. You will need to check your browser’s settings for further information. If you choose to disable cookies, some features of the Service may not function properly.

Web Beacons
Small graphic images or other web programming code called web beacons (also known as “1×1 GIFs” or “clear GIFs”), may be included in our Service and e-mail messages. Web beacons or similar technologies may be used for a number of purposes, including, without limitation, to count visitors to the Service, to monitor how users navigate a Service, to count how many e-mails that were sent were actually opened or to count how many particular links were actually viewed.

FirstRoot may use information collected through the Service, including Usage Information and personal information, to: (1) allow you to participate in features we offer, including to submit and review budget proposals, or to provide related customer service; (2) recognize you across the Service and across devices; (5) provide you with information, products, or services that you have requested or that we think may interest you; (6) investigate and prevent illegal activities or activities that violate our policies; (7) process your registration, including verifying your information is active and valid; (8) improve the Service and for internal business purposes; (9) contact you with regard to your use of the Service or any FirstRoot service and, in our discretion, changes to the Services’ policies; and (10) for purposes disclosed at the time you provide your personal information or otherwise with your consent.

We may also use and share non-personal information in our discretion.


To the fullest extent allowed by law, FirstRoot may share certain information with third parties in our discretion, including non-personal information, such as information that has been de-identified and aggregated user statistics.

We may share the information we have collected about you, including personal information, as disclosed at the time you provide your information or otherwise with your consent, and as described below or elsewhere in this Privacy Policy.

When You Request That We Share Your Information
We may share information when you request that we do so. Please note that we are not responsible for the privacy practices of third parties. If you later decide that you no longer want to receive communications from a third party, you will need to contact that third party directly.

Third Parties Providing Services on Our Behalf
We may share information about you, including personal information, with third party vendors to enable them to perform services on our behalf. Additionally, we may share various information relating to our users and fraudulent or potentially fraudulent activities with our fraud prevention and similar vendors, and they will use this information to help us and their other clients prevent fraudulent and illegal transactions.

Administrative and Legal Reasons
We may also transfer and disclose user information, including personal information, to third parties: (i) in the event we are required to respond to subpoenas or other legal process or if in our opinion such disclosure is required by law; (ii) at the request of governmental authorities conducting an investigation; or (iii) to protect and/or defend the Terms of Use or other policies applicable to the Service or our services or to protect the personal safety, rights, property or security of FirstRoot, our customers, or a third party. We may also use Device Identifiers, including IP addresses, to identify users, and may do so in cooperation with copyright owners, Internet service providers, wireless service providers or law enforcement agencies in our discretion.

Business Transfers
FirstRoot may share personal information with its parent, or its subsidiaries and affiliates, primarily for business and operational purposes. FirstRoot reserves the right to disclose and transfer all information related to the Service, including personal information: (i) to a subsequent owner, co-owner or operator of the Service or applicable database; or (ii) in connection with a corporate merger, consolidation, restructuring, bankruptcy, the sale of certain of FirstRoot’s ownership interests, assets, or both, or other company change, including, without limitation, during the course of any due diligence process.

Note that your browser settings may allow you to automatically transmit a “Do Not Track” signal to websites and online services you visit. Like many websites and online services, the Service does not alter its practices when they receive a “Do Not Track” from a visitor’s browser except as specifically required by law. To find out more about “Do Not Track,” please visit

You are responsible for maintaining the accuracy of the information you submit to us, such as your contact information provided as part of registration. The Service may allow you to update certain personal information you have provided. You may also contact us at if you have questions about or wish to modify certain information that we have collected from or about you. Note that when you modify your personal information or change your preferences on the Service, information that you remove may persist internally for FirstRoot’s administrative purposes or within backup media.

We will retain your information for as long as your account is not deleted or as needed to provide you services.

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information whether we can achieve those purposes through other means, and the applicable legal requirements.

When we no longer require the personal information we have collected about you, we will either delete or anonymize it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

If we anonymize your personal information so that it can no longer be associated with you, we may use the anonymized information indefinitely without further notice to you.

You have the right to delete your information and account. You can do this directly. We will retain and use only that portion of your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

You may opt out of receiving marketing e-mails by following the opt-out instructions provided to you in those e-mails. Please note that we reserve the right to send you certain communications relating to your account or use of the Service or other FirstRoot services, such as administrative and services announcements. These transactional account messages may be unaffected if you choose to opt out from marketing e-mails.

If you sign up to receive SMS or MMS messages from FirstRoot, you may unsubscribe from any SMS or MMS messages received by replying “STOP”.

The Service may contain content that is served by someone else or links to third party content or web sites that FirstRoot does not control. You may also be able to access the Service through third party devices and platforms, such as a set-top box, internet-connected TV, or similar device. The third party operators and content providers may send their own cookies to your device, they may independently collect data or solicit personal information, and may have their own published privacy policies. FirstRoot is not responsible for the privacy practices employed by any third party.

FirstRoot takes commercially reasonable steps to protect and secure personal information. However, no data transmission over the Internet, by wireless transmission or any electronic storage of information can be guaranteed to be 100% secure. Please note that we cannot ensure or warrant the security of any information we collect, and you use the Service and provide us with your information at your own risk.

FirstRoot is based in the United States and the information we collect is governed by United States law. By accessing or using the Service or providing us with any information, you consent to the transfer, processing and storage of your information in and to the United States and other countries, jurisdictions in which the privacy laws may not be as comprehensive as those in the country where you reside and/or are a citizen.

To the extent permitted by applicable law, FirstRoot reserves the right to change this Privacy Policy at any time without prior notice and will notify you of material changes by posting the changed or modified Privacy Policy on the Service. We may also provide notice to you in other ways in our discretion, such as through contact information you have provided. Any changes will be effective immediately upon the posting of the revised Privacy Policy unless otherwise specified and your continued use of any of the Service after the effective date of the revised Privacy Policy will constitute your consent to those changes to the extent allowed by applicable law. However, FirstRoot will not make material changes to how it treats previously collected personal information about you without providing notice and giving you the chance to consent (opt-in or opt-out), as required. Note, however, that you may need to consent to our new policies in order to continue to use the Service.

The information provided in this section applies only to individuals in the EEA and United Kingdom.

Personal information. References to “personal information” in this Privacy Policy are equivalent to “personal data” governed by European data protection legislation.

Controller and Data Protection Officer. FirstRoot, Inc. is the controller of your personal information covered by this Privacy Policy for purposes of European data protection legislation. We have appointed a Data Protection Officer, whose contact information is:

a. Legal bases for processing personal information. We use your personal information only as permitted by law. Our legal bases for processing the personal information described in this Privacy Policy appear in the table below.

Processing purpose Legal basis
Provide you goods and services

Maintain records regarding individuals’ participation in our offerings (such as information about the participatory budgeting programs an individual has participated within)

Processing is necessary to perform the contract governing our provision of a service or to take steps that you request prior to signing up for a service. If we have not entered into a contract with you, we process your personal information based on our legitimate interest in providing the service you access and request.
Operate, evaluate, develop, administer, support, and improve our business, our websites, mobile application, and other products and services we offer (including to research and develop new products and services)

Communicate about the products and services we offer, and respond to requests, inquiries, comments, and suggestions

Analyze and enhance our communications and strategies (including by identifying when emails were sent to you and how you interact with them)

Tailor the content we display in our communications, on our websites and mobile application

Administer surveys and other market research

To manage our recruiting and process employment applications

Protect against, identify, investigate, and respond to fraud, illegal activity (such as incidents of hacking or misuse of our websites or mobile application), and claims and other liabilities, including by enforcing the terms and conditions that govern the services we provide

Create anonymous data and/or aggregate data that has been de-identified

Facilitate a sale of assets or merge or acquisition

These activities constitute our legitimate interests. We do not use your personal information for these activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
To comply with law Processing is necessary to comply with our legal obligations.
With your consent Processing is based on your consent. Where we rely on your consent you have the right to withdraw it any time in the manner indicated when you consent or within the service we provide.

b. Use for new purposes.
We may use your personal information for reasons not described in this Privacy Policy where permitted by law and the reason is compatible with the purpose for which we collected it. If we need to use your personal information for an unrelated purpose, we will notify you and explain the applicable legal basis.

c. No sensitive personal information. We do not request, and we ask that you not provide us with, any sensitive personal information (e.g., information related to racial or ethnic origin, political opinions, religion or other beliefs, health, biometrics or genetic characteristics, criminal background or trade union membership) on or through any service we provide, or otherwise to us. If you provide us with any sensitive personal information to us when you use our service, you must consent to our processing and use of such sensitive personal information in accordance with this Privacy Policy. If you do not consent to our processing and use of such sensitive personal information, you must not submit such sensitive personal information through our service.

d. Your privacy rights
European data protection laws give you certain rights regarding your personal information. If you are located within the European Economic Area and United Kingdom, you may ask us to take the following actions in relation to your personal information that we hold:

  • Access. Provide you with information about our processing of your personal information and give you access to your personal information.
  • Correct. Update or correct inaccuracies in your personal information.
  • Delete. Delete your personal information.
  • Transfer. Transfer a machine-readable copy of your personal information to you or a third party of your choice.
  • Restrict. Restrict the processing of your personal information.
  • Object. Object to our reliance on our legitimate interests as the basis of our processing of your personal information that impacts your rights.

You may submit these requests by email to We may request specific information from you to help us confirm your identity and process your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions. If you would like to submit a complaint about our use of your personal information or our response to your requests regarding your personal information, you may contact or submit a complaint to the data protection regulator in your jurisdiction.

e. Cross-border data transfer
If we transfer your personal information out of Europe to a country not deemed by the European Commission to provide an adequate level of personal information protection, the transfer will be performed:

  • Pursuant to the recipient’s compliance with standard contractual clauses or Binding Corporate Rules
  • Pursuant to the consent of the individual to whom the personal information pertains
  • As otherwise permitted by applicable European requirements