Privacy Policy
Effective Date: 2026-04-26
Applies to: NotchField Track (mobile app) and NotchField (web)
NotchField Inc. ("we," "us," "our") provides field operations and project management software for the construction industry. This policy explains what data we collect, how we use it, and your rights. We comply with the EU GDPR, the California CCPA, and Apple's App Store and Google Play privacy requirements.
1. Information We Collect
1.1 Account information you provide
- Name, email, role, company, and project assignments — when you sign up or are invited by an administrator.
- Worker certifications (e.g., OSHA SST card number and expiration date) when entered into the Manpower module.
- Digital signatures captured for safety documents (PTPs, JHAs, Toolbox Talks, Work Tickets, NODs).
1.2 Data you generate while using the app
- Production reports, area progress, surface completion status, blocked statuses with optional reasons, and field notes.
- Work tickets, RFIs, and time entries.
- Photos you take or attach: progress photos, QC photos, blocked-area evidence, delivery confirmation photos, safety documentation, and signatures. Photos may include EXIF metadata such as timestamp, camera model, and (when permitted) GPS coordinates.
1.3 Sensor and device data (NotchField Track mobile only)
- Camera: with your permission, the app accesses the camera to capture photos for field documentation.
- Photo Library: with your permission, the app reads photos you select to attach to reports.
- Precise location (GPS):
  - Foreground: GPS coordinates when you check in, take a photo, or report production progress.
  - Background: low-frequency location updates while the app is in the background, used solely to detect when you enter or leave a job-site geofence and auto-stamp your check-in. Background location stops when you sign out.
- Push notification token: an opaque device identifier (Apple Push Notification service or Firebase Cloud Messaging token) so we can deliver delivery alerts, assignment changes, and certification expiry warnings.
1.4 Technical and diagnostic data
- Device type, OS version, app version, language, time zone, and crash logs.
- IP address and connection metadata when communicating with our backend.
- Error reports submitted via the in-app feedback module, which may include screenshots you choose to attach.
We do not collect: contacts, calendar, social-media posts, web browsing history, IDFA or advertising identifiers, or biometric data.
2. How We Use Information
- Provide the service — show you the right projects, areas, schedules, photos, and documents based on your role and organization.
- Operate field functionality — GPS-stamp photos, geofence check-in, sync your offline edits to our database, deliver push notifications.
- Compliance and audit — generate, store, and verify safety documents with cryptographic SHA-256 hashes for tamper evidence.
- Improve the product — analyze aggregated usage patterns and crash logs (no individual targeting).
- Communicate with you — respond to support requests, send transactional emails (account creation, document distribution, delivery confirmation).
We do not use your data for advertising, profiling, or sale to third parties.
3. How We Share Information
We share data only with the service providers we use to operate the platform, under strict data-processing agreements. None of these providers use your data for their own purposes:
| Provider | Purpose | Data shared |
|---|---|---|
| Supabase | Primary database, authentication, file storage | All app data |
| PowerSync (JourneyApps) | Offline sync between mobile devices and Supabase | Database rows scoped to your user |
| Sentry | Crash reporting and error monitoring | Stack traces, device metadata, anonymized user ID |
| Apple Push Notification service | iOS push notifications | Push token and notification payload |
| Google Firebase Cloud Messaging | Android push notifications | Push token and notification payload |
| Vercel | Hosting our web application | Web traffic logs |
| Zoho Mail | Sending transactional emails | Recipient address, email content |
| Expo / EAS | Mobile build and OTA update | App metadata and build telemetry |
We may also disclose information when required by law, to protect rights and safety, or in connection with a corporate transaction (merger, acquisition).
We do not sell your personal information. We do not share your information with advertisers.
4. Data Security
- All data in transit is encrypted using TLS 1.2 or higher.
- All data at rest in Supabase is encrypted using AES-256.
- Supabase Row-Level Security (RLS) policies enforce that you can only access data scoped to your organization and role.
- Safety documents and legal correspondence are immutably hashed using SHA-256 at the moment of signature; the hash is stored alongside the document for tamper-evidence audits.
- Password storage uses bcrypt; we never see your plaintext password.
- Production access to our database is restricted to a small number of authorized engineers and is logged.
No system is 100% secure. We notify affected users and authorities promptly if we discover a breach involving personal data, in line with applicable law.
5. Data Retention
- Active accounts: retained while your account or organization is active.
- After account deletion: personal identifiers purged within 30 days.
- Safety and legal documents: retained for 7 years (or longer where required by OSHA, state law, or contract) for compliance with workplace safety record-keeping rules. SHA-256 hashes retained indefinitely as proof of authenticity.
- Crash and telemetry data: retained 90 days, then aggregated.
- Audit logs: retained 2 years.
6. Your Rights
You have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Export your data in machine-readable form.
- Delete your account and associated personal data.
- Withdraw consent for camera, location, photos, or push notifications at any time via your device's system settings.
EU residents may lodge a complaint with their local Data Protection Authority. California residents may exercise their CCPA rights.
To exercise any of these rights, email privacy@notchfield.com from the address associated with your account. We respond within 30 days.
7. Children's Privacy
NotchField is intended for adult professional use in the construction industry. We do not knowingly collect data from anyone under 18.
8. International Transfers
Our servers are operated in the United States. By using NotchField from outside the U.S., you consent to the transfer of your data to the U.S. We rely on Standard Contractual Clauses for transfers from the EU.
9. Tracking and Advertising
NotchField Track does not track you across other apps or websites. We do not use the IDFA, AAID, or any cross-app tracking identifiers. We do not display advertising. We do not sell your personal information.
10. Changes to this Policy
We will post any changes here and update the Effective Date. Material changes will be communicated via email and an in-app notice.
11. Contact
NotchField Inc.
Privacy: privacy@notchfield.com
General: support@notchfield.com
Web: https://notchfield.com