QRF Radar

Privacy Policy

Last updated: 2026-06-17

1. Who we are

QRF Radar ("the Service") is an accident-news monitoring and ad geo-targeting platform operated by DJC Law PLLC ("we," "us," or "our"). We are the data controller for the limited categories of personal data described below. Contact: marketing@teamjustice.com.

2. Scope of this policy

This policy applies to QRF Radar itself — the application served at qrfradar.com and its administrative interfaces. It does not cover (a) any operator's or user's separate public website or marketing properties, (b) Google Alerts, Google Ads, or Meta's ad platforms, or (c) any law-firm client representation, which is governed by the firm's engagement agreement and applicable rules of professional conduct.

3. Information we collect

3.1 Public news content

We ingest publicly available news articles via Google Alerts RSS feeds. Each article's URL, title, summary, source outlet, and publication timestamp are stored. We do not subscribe to or scrape paywalled content. Article text is processed by Google Vertex AI (Gemini) to extract structured facts about the underlying incident — for example, accident type, location, casualty counts where reported by the source.

3.2 Names of public figures and victims

Where a news source has publicly named a victim or other person involved in an incident, that name may be retained in the structured extraction. We do not attempt to identify unnamed individuals. We honor takedown requests promptly — see Section 9.

3.3 Authentication and access data

For Service operators (firm staff): email address, hashed password (or OAuth identifier if signing in via Google), session tokens, MFA factors if enrolled, last-seen timestamp, and an audit log of administrative actions (who connected which ad platform, who toggled which feed). We do not use this data for any purpose outside operating the Service.

3.4 Ad-platform credentials

When a firm administrator connects the Service to Meta Marketing API or Google Ads API, the OAuth access and refresh tokens are encrypted at rest (AES-256-GCM) and used solely to add and remove geographic targeting criteria on the campaigns the administrator selects — and, as a side-effect of that lifecycle, to enable or pause one of those selected campaigns when its first or last geographic criterion is added or removed. We do not read ad spend, audience composition, conversion data, or modify budgets, bids, creative, or any other field. See Section 12 for Google-specific detail.

3.5 Diagnostic logs

Operational logs (request paths, error stacks, cron-tick statistics) are retained in Vercel's logging infrastructure for up to 30 days. These may contain IP addresses of operators and IDs of feeds or incidents but do not contain names of victims or other content from articles.

4. How we use the information

  • Surface incident alerts to authorized firm staff via the Service's inbox, Slack channels they have configured, and email recipients they have configured.
  • Push geographic ad-targeting criteria (radius around airports or ZIP lists for severe weather alerts) to ad campaigns the firm operates on Meta and Google Ads.
  • Maintain the integrity of the Service: rate limiting, audit logging, intrusion detection.

We do not use any of the information collected for advertising directed at the people named in news articles, profiling of individuals, training of machine-learning models for our own benefit, or any other purpose outside the Service's accident-news monitoring and ad-targeting workflow.

5. Sharing and third parties

The Service relies on these third-party processors:

  • Vercel — application hosting and logging. Operator requests and content transit Vercel's infrastructure.
  • Supabase — Postgres database hosting + authentication. Stores all persistent data described in Section 3.
  • Google Cloud — Vertex AI — runs Gemini extraction on article text. Per Google's Vertex AI terms, customer data is not used to train Google's foundation models.
  • Resend — transactional email (sign-in links, member invitations, alert emails).
  • Slack — only when an operator configures a Slack webhook for a given feed. The Service sends incident summaries to that webhook.
  • Meta Marketing API — only when an administrator connects a Meta ad account. The Service pushes geographic criteria; it does not read campaign-level performance data.
  • Google Ads API — only when an administrator connects a Google Ads account. The Service pushes geographic criteria, reads campaign status, and may enable or pause a campaign as a side-effect of adding the first or removing the last geographic criterion (so a campaign never runs untargeted). It does not read campaign performance data and does not change budgets, bids, or creative.

We do not sell, rent, or trade information with any party for marketing or any other purpose.

6. Data retention

  • Articles + incidents: retained indefinitely for case research and historical pattern analysis. Operators may delete individual records on request.
  • Ad targets: the active geo-target row is removed when the target's TTL expires (typically 7 days). The audit row documenting the add and removal is retained for forensic purposes.
  • Audit log: retained for the operational life of the Service.
  • OAuth tokens: stored only while the connection is active. Disconnecting a platform deletes the token row.
  • Diagnostic logs: up to 30 days (Vercel retention).

7. Security

Operational security measures include AES-256-GCM encryption of OAuth tokens at rest, HMAC-signed OAuth state cookies, periodic 90-day forced re-authentication of platform connections, row-level security on the database, role-based access control inside the application, audit logging of all administrative actions, and a hard request allowlist on every outgoing ad-platform API call (so the Service is physically incapable of modifying budgets, bids, or creative — it can only manage geographic targeting criteria and enable or pause a campaign as a side-effect of adding the first or removing the last such criterion). No security regime is perfect; we take commercially reasonable measures appropriate to the sensitivity of the data.

8. International transfers

The Service is operated from the United States and most of our processors store data in the United States. If you access the Service from another country, your information will be transferred to and processed in the United States.

9. Your rights

If you believe an article we have ingested references you by name and you would like the record removed or amended, email marketing@teamjustice.com with a description of the record. We aim to respond within 14 days. If you are in a jurisdiction that grants statutory data-subject rights (GDPR, CCPA/CPRA, etc.), we will honor those rights to the extent they apply to data we hold.

10. Children

The Service is not directed to children. We do not knowingly collect information from people under 13. If a news article we have ingested names a minor and you are that person's parent or guardian, please contact us per Section 9 and we will remove the name.

11. Changes to this policy

We may revise this policy from time to time. The current version's last-updated date is shown at the top. Material changes will be communicated to firm administrators through the Service's notification channels.

12. Google API Services — data access, use, and Limited Use

This section describes specifically how QRF Radar accesses and uses data obtained through Google APIs. It applies in addition to the rest of this policy.

12.1 Google sign-in

If you sign in with Google, the Service receives only your basic profile and email address, used solely to authenticate you and grant access to the application. The Service does not request or access Gmail, Drive, Calendar, Contacts, or any other Google user data for sign-in.

12.2 Google Ads API

When an administrator connects a Google Ads account, the Service uses the Google Ads API scope (https://www.googleapis.com/auth/adwords) for a single purpose: to add and remove geographic location-targeting criteria on the specific campaigns the administrator selects, to read those campaigns' status, and to enable or pause those same campaigns only as part of that targeting lifecycle — enabling a campaign when its first location target is added and pausing it before its last is removed, so a campaign never runs untargeted. The Service does not read ad spend, performance, conversion, or audience data, and does not modify budgets, bids, creative, or any other campaign field. The Google Ads API offers only this single scope for the functionality; we request it but use only the minimal subset described here.

12.3 Storage, retention, and revocation

Google OAuth tokens are encrypted at rest (AES-256-GCM) and stored only while the connection is active; disconnecting the platform within the Service deletes them. You may revoke the Service's access at any time from the Service's connections page or from your Google Account at myaccount.google.com/permissions.

12.4 Limited Use

QRF Radar's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not sell Google user data, do not use it for advertising, and do not use it to train generalized or third-party machine-learning models.

13. Contact

DJC Law PLLC
Marketing & Intake — QRF Radar
marketing@teamjustice.com