Privacy Policy
Effective Date: 2026-05-10
Last Updated: 2026-06-05
Fieldspect ("we," "us," or "our") provides a mobile-first checklist and inspection platform (the "Service"). This Privacy Policy explains what information we collect, how we use and share it, and the rights available to you.
This policy is written to comply with the California Consumer Privacy Act as amended by the CPRA ("CCPA/CPRA"), Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA"), and Quebec's Act respecting the protection of personal information in the private sector, as modernized by Law 25 ("Law 25").
This policy does not describe the practices of our Customers. Where a Customer collects information from Inspectors, clients, or other end-users through the Service, the Customer is responsible for providing its own notices and obtaining any required consents.
1. Definitions
- Customer. The organization that signs up for and pays for the Service.
- Account Holder. The individual who creates the Customer's account (typically an owner or admin).
- Inspector. A user authorized by a Customer to perform inspections through the Service. Inspectors are often Customer employees or contractors.
- Account Data. Information about the Customer and its users — names, emails, organization name, branding assets, payment metadata, subscription state.
- Inspection Data. Content produced by an Inspector while using the Service — completed checklists, responses, photos, GPS coordinates, scores, and timestamps.
- Personal Information or PI. Information that identifies, relates to, or could reasonably be linked with an identified or identifiable person. "Personal information" under PIPEDA and Law 25 has substantially the same meaning.
2. Our Roles
Different parts of the data flow place us in different roles:
- Account Data — we act as the business (CCPA/CPRA), organization (PIPEDA/Law 25), or controller of this information. Section 5 rights apply directly.
- Inspection Data — we act as a service provider (CCPA/CPRA) or processor (PIPEDA/Law 25) on behalf of the Customer. The Customer is responsible for the lawful basis and notices that apply to Inspection Data. Requests from Inspectors or other Customer end-users regarding Inspection Data should be directed to the Customer; we will assist the Customer in responding.
A Data Processing Addendum ("DPA") is available on request for Customers that require one.
3. Information We Collect
A. Account Data
Collected directly from you when you register, configure your organization, or pay:
- Name, work email, and password hash
- Organization name and branding assets (logos, colors)
- Subscription tier and billing metadata (we do not store card numbers; Stripe handles all card data)
B. Inspection Data
Captured by Inspectors using the Service:
- Completed checklist responses
- Photos taken during inspections, including embedded EXIF metadata where present
- Geolocation — GPS coordinates recorded at the time of inspection or photo capture
- Scores, timestamps, and inspection status
C. Device and Usage Data
Collected automatically when you use the Service:
- Device identifier, operating system version, hardware model, and app version
- IP address (used for security, abuse prevention, and approximate geographic context)
- Product analytics events (collected via PostHog) — page/screen views, feature usage, and button clicks. On our marketing site and web app, PostHog also captures session recordings; all text input fields are masked so the values you type are not recorded.
- Error and crash reports (collected via Sentry)
We do not use the Service to track users across unrelated websites or for cross-context behavioral advertising.
D. Sensitive Personal Information (CCPA/CPRA)
Some of the data above is classified as Sensitive Personal Information under CPRA:
- Precise geolocation (GPS coordinates from Inspection Data)
- Account credentials (password hash combined with email)
We use Sensitive PI only to provide the Service and for the purposes described in Section 4 — we do not infer characteristics about you, and we do not use Sensitive PI for any purpose that would trigger a right to limit under §1798.121. If we ever expand our use of Sensitive PI beyond this scope, we will update this policy and provide a "Limit the Use of My Sensitive Personal Information" mechanism.
E. CCPA category mapping
For California residents, the categories of PI we collect, sources, business purposes, and the third parties we share each category with:
| CCPA Category | Examples | Source | Purpose | Shared With |
|---|---|---|---|---|
| Identifiers | name, email, IP, device ID | You; your device | Account, security | Supabase, Sentry, PostHog |
| Customer records | billing contact, organization | You | Account, billing | Supabase, Stripe |
| Commercial information | subscription plan, transaction history | You; Stripe | Billing | Stripe, Supabase |
| Internet/network activity | event logs, page views, masked session recordings, error reports | Your device | Product analytics, debugging | PostHog, Sentry |
| Geolocation (precise) | GPS coordinates in Inspection Data | Inspector's device | Service functionality | Supabase |
| Sensory data | photos uploaded with inspections | Inspector's device | Service functionality | Supabase |
| Professional/employment | Inspector role within Customer | You | Access control | Supabase |
We do not knowingly collect the following CCPA categories: biometric information (we do not perform facial recognition on photos), education information, characteristics of protected classifications, geolocation outside of inspections, or inferences drawn from PI.
4. How We Use Information
- Provide the Service — authenticate users, sync inspections, render branded PDF reports, deliver email.
- Secure the Service — detect abuse, prevent fraud, enforce rate limits, investigate incidents.
- Support and communicate — respond to questions, send service-related emails (subscription, security, billing), notify of material policy changes.
- Improve the Service — analyze aggregated usage to prioritize features and fix defects.
- Comply with law — respond to lawful requests, enforce our agreements, defend our rights.
We do not collect, use, retain, sell, or share your Personal Information — including Inspection Data, Account Data, or Device and Usage Data — to develop, train, or fine-tune any large language model (LLM), generative artificial intelligence system, or other machine learning model, and we do not permit our subprocessors to do so on their own behalf. If we introduce AI-based features in the future, we will update this policy before doing so and provide an opt-out where required.
5. How We Share Information
We do not sell Personal Information, and we do not share Personal Information for cross-context behavioral advertising as those terms are defined under CPRA.
We share information with:
- Subprocessors. A current list is maintained at fieldspect.com/legal/subprocessors. At the time of this policy: Supabase (database, authentication, file storage; US; runs on AWS infrastructure), Stripe (payments; US), Vercel (web hosting and CDN; US), Cloudflare (DNS and inbound email forwarding; US), PostHog (product analytics and masked session recording; US/EU), Sentry (error monitoring; US), Resend (transactional email; US). Some of these subprocessors rely on their own infrastructure providers (for example, Supabase hosts data on Amazon Web Services); we are not a direct customer of those underlying providers.
- Legal compliance. When required by law, subpoena, court order, or where necessary to protect the rights, safety, or property of Fieldspect, our Customers, or the public.
- Business transfers. In connection with a merger, acquisition, financing, reorganization, or sale of assets — we will require successors to honor the commitments in this policy.
- At your direction. Where you authorize an integration (for example, a future QuickBooks connection), we share only the data necessary to operate that integration.
- Public Template Library. If a Customer marks a template as Public, the template's structure and questions become publicly visible at fieldspect.com/templates/[slug]. Inspection responses against a public template are never made public. Customers are responsible for ensuring no Personal Information is embedded in templates they choose to publish.
- Public API (future). When a Customer enables API access, third parties holding a Customer-issued API key may receive Inspection Data scoped to that key. API access is opt-in.
We require subprocessors to commit, by contract, to handling Personal Information consistently with this policy and with applicable law.
6. Data Storage, Transfers, and Device Storage
Server-side storage. Inspection Data and Account Data are stored on Supabase infrastructure in the United States. If you are located outside the United States, your information will be transferred to and processed in the United States. By using the Service you consent to this transfer.
Storage on your device. The mobile app stores Inspection Data locally on the device so that inspections can be completed offline. Local data is removed when you sign out of the app or uninstall it. Local storage is protected by the operating system's standard application-data isolation; it is not separately encrypted at rest. If you require encrypted device storage for regulatory reasons, contact us before deploying the Service to your team.
Photos. Photos are compressed on-device before upload and stored in Supabase Storage with access controlled by per-organization signed URLs.
7. Data Retention
We retain Personal Information for the periods below. After the retention period expires, data is deleted or anonymized.
| Category | Retention |
|---|---|
| Account Data | While the account is active, plus 90 days after termination. |
| Inspection Data | While the account is active. After termination, Inspection Data is deleted within 30 days unless the Customer has exported it or requested an extension. |
| Audit log entries | 18 months from the date of the event. |
| Product analytics events (PostHog) | 12 months from the event date. |
| Error reports (Sentry) | 90 days from the event date. |
| Billing records (Stripe and our internal records) | 7 years from the transaction date, to satisfy tax and accounting obligations. |
| Marketing-site cookies and analytics | As described in our cookie disclosure. |
A Customer may request earlier deletion at any time, subject to legal-retention exceptions.
8. Your Rights and Choices
The following rights are available depending on where you live:
| Right | California (CCPA/CPRA) | Other US states with comprehensive laws | Canada (PIPEDA) | Quebec (Law 25) |
|---|---|---|---|---|
| Know / access | ✓ | ✓ | ✓ | ✓ |
| Correct inaccurate PI | ✓ | ✓ | ✓ | ✓ |
| Delete | ✓ | ✓ | ✓ (with limits) | ✓ |
| Portability | ✓ | ✓ | ✓ | ✓ |
| Opt-out of sale / sharing | ✓ (we do not sell or share) | ✓ | n/a | n/a |
| Limit use of Sensitive PI | ✓ (we limit use by default) | n/a | n/a | n/a |
| Non-discrimination | ✓ | ✓ | ✓ | ✓ |
| Withdraw consent | n/a | n/a | ✓ | ✓ |
| Object to automated decision-making | n/a | varies | n/a | ✓ |
How to exercise these rights. Email privacy@fieldspect.com. We will acknowledge requests within 10 business days and respond substantively within 45 days (extendable by 45 additional days where permitted by law). We will not discriminate against you for exercising any of these rights.
Verification. We verify requests by confirming control of the email address on file. For requests that affect Sensitive PI or Inspection Data, we may request additional verification.
Authorized agents. California residents may use an authorized agent. The agent must provide written permission from the consumer and we may verify the consumer's identity directly.
Inspection Data requests. Where a request concerns Inspection Data, we will refer the requester to the relevant Customer (the controller of that data) and will support the Customer in responding.
9. Children
The Service is not directed to children under 13, and we do not knowingly collect Personal Information from anyone under 13. If you believe a child has provided us Personal Information, contact us at privacy@fieldspect.com and we will delete it.
10. Security
We maintain administrative, technical, and physical safeguards designed to protect Personal Information, including:
- TLS 1.2+ for all data in transit.
- AES-256 encryption at rest for data stored in Supabase managed services.
- Row-Level Security policies to enforce tenant isolation between Customer organizations.
- Scoped API keys for integration access; least-privilege access for staff.
- An audit log of mutations to sensitive entities.
- Multi-factor authentication for administrator accounts.
No security control is infallible. We cannot guarantee absolute security and you are responsible for keeping your account credentials confidential.
Breach notification. If we discover a breach of security involving Personal Information, we will notify affected Customers without undue delay and, where required by law, the appropriate regulators — consistent with the notification timelines required by CCPA, PIPEDA, and Law 25.
11. Cookies and Similar Technologies
Our marketing site uses cookies and similar technologies to operate the site, remember preferences, and measure aggregate usage. We do not use advertising cookies. A cookie disclosure with controls is available on the marketing site footer. Within the authenticated app, we use only cookies and storage strictly necessary to operate the Service.
12. Automated Decision-Making
We do not currently use automated decision-making in a way that produces legal or similarly significant effects about you. If this changes, we will update this policy and, where required by Law 25 or other applicable law, provide notice and meaningful information about the logic involved.
13. Quebec (Law 25)
In addition to the rights described in Section 8:
- Privacy Officer. Our designated Person Responsible for the Protection of Personal Information is named in Section 15.
- Data residency. Personal Information of Quebec residents is currently stored in the United States. Contact us if your organization requires Canadian data residency.
- Confidentiality settings. Our defaults are designed to provide the highest level of confidentiality without further action from you.
14. Changes to This Policy
We will update this policy when our practices change. Material changes will be notified by email to Account Holders and posted on the marketing site at least 10 days before they take effect. The "Last Updated" date at the top of this policy reflects the most recent revision.
15. Contact Us
Fieldspect
Privacy contact: privacy@fieldspect.com
General contact: hello@fieldspect.com
Website: fieldspect.com
Person Responsible for the Protection of Personal Information (Law 25 / Privacy Officer): Fieldspect Privacy Officer — reachable at privacy@fieldspect.com.