Privacy Policy

Effective July 12, 2026

1. What This Policy Covers

This Privacy Policy explains how Bow Construction ("we," "us," "our") collects, uses, and protects information when you use BowtieOS — a field operations platform for construction and trade contractors. It applies to all users: administrators, office staff, field crew, subcontractors, and viewers.

BowtieOS is business software. Your account is created and managed by your company, and your company decides what data it enters, which features it enables, and which integrations it connects. For most purposes your company is the controller of the data in its workspace and we process it on your company's behalf. This policy is written to tell you everything the platform collects and everywhere data can go — including paths that only exist when your company turns a feature on.

2. Information We Collect

Account information

Name, email address, and (if your company records it) phone number, collected when your administrator creates your account.

Job and project data

Site visit records, field measurements, dimensions, photos and videos, voice notes, client names and contact details, job addresses (including their map coordinates), project documents and drawings, estimates, invoices, schedules, tasks, time and check-in records, and comments — all entered by your company's users or imported by your company.

Location data

If your company enables location features, we collect employee and vehicle position data. Because location data is sensitive, it has its own section — see Section 3 below.

Electronic-signature records

When someone signs a document through the platform (for example approving a proposal), we record the signer's name, the typed or drawn signature, the date and time, the exact consent text they agreed to, and technical details of the submission including IP address and browser. These records are kept as evidence for as long as the signed document exists.

Device and usage data

When you submit a support ticket, we collect your browser type, screen size, and the page you were on. If you enable push notifications, we store a push token for your device. We do not use analytics trackers, tracking pixels, session recording, or behavioral advertising.

Integration credentials

If your company connects an integration (payroll, vehicle tracking, accounting), we store the credentials needed to run it. Provider secrets are encrypted (AES-256-GCM) before storage.

Error logs

If crash monitoring is enabled, error reports (including stack traces and device context) are sent to Sentry after passing through a filter that removes emails, tokens, and keys. No personally identifiable information is intentionally included in error payloads.

3. Location Data (Employee & Vehicle Tracking)

BowtieOS includes an optional location module. It is off by default. If your company enables it, the platform can collect position data in three ways:

  • A tracking app on a phone(OsmAnd/Traccar-compatible) that your company sets up on a work device. While the app is running and reporting, it sends the device's latitude/longitude, speed, heading, accuracy, and battery level to us.
  • Vehicle trackersyour company connects through Samsara or Bouncie. We pull vehicle positions from those providers using your company's credentials.
  • Payroll punch locations, where a connected payroll provider supplies a clock-in/out position.

Who can see it:only your company's office staff and administrators. Positions linked to an employee are shown only during that employee's scheduled working hours — this limit is enforced in the database itself, not just in the interface. Positions of unassigned company vehicles are visible to office staff at any time. Field users cannot see anyone's location.

What we want you to understand plainly: a tracking app or vehicle device may record and transmit positions whenever it is powered on and reporting — including outside working hours — even though the platform only displays employee positions within working hours. If you carry a tracked device, treat it as reporting whenever it is on. Raw position reports are automatically deleted after 90 days. Daily summaries (miles driven, time at job sites) are kept longer, but they are built only from working-hours positions and never encode where a device was outside working hours. Your company can request earlier deletion at any time.

Your employer's responsibility: the decision to enable location tracking belongs to your company. Laws in several U.S. states require an employer to give notice of — and in some cases obtain written consent for — employee location tracking. Your company is responsible for providing any legally required notice and obtaining any legally required consent before enabling this module, and our Terms of Service require this. If you have questions about why you are being tracked, ask your administrator.

4. How We Use Information

  • To provide the Service — storing and displaying your company's operational data
  • To send notifications relevant to your work (new assignments, comments, reminders)
  • To diagnose bugs and improve the platform using error reports and support tickets
  • To contact your administrator about billing, updates, or policy changes
  • To keep evidence records for electronic signatures and document approvals

AI assistance:when you submit a support ticket, its text and the page you were on are analyzed by an AI service (Anthropic Claude) to triage the issue; our help-center articles are also drafted with AI from our own documentation. We do not use your company's operational data to train AI models.

We do not sell your data. We do not use your data for advertising. We do not share data with third parties for their own commercial purposes.

5. How Data Is Stored

All data is stored in Supabase (PostgreSQL database + object storage) hosted on Amazon Web Services in the us-west-2 (Oregon) region. Access is controlled by Row Level Security policies — each user sees only the data their role permits within their company. Data is encrypted in transit (TLS) and at rest.

Photos, videos, documents, and voice notes are stored in private storage buckets, isolated by company, and accessed through short-lived signed URLs. Two deliberate exceptions: (a) images in our shared help center are publicly readable — they are product documentation, never customer data; and (b) when your company shares a document by link (a proposal, an RFI, a signature request), anyone who has that link can open that document — the link itself is the credential, so treat shared links as confidential.

Backups. So that your data can be recovered after an outage or accidental deletion, our backup process copies the database and stored files off-site: each backup is encrypted (AES-256) before it leaves our systems and is written to Cloudflare R2 object storage; the backup job itself runs on GitHub Actions. Backups are retained for 30 days and then deleted. This means an encrypted copy of your data is held outside the us-west-2 region described above.

6. Who Can See Your Data

Within your company, access is role-based: administrators and office staff see operational and financial data; field crew and subcontractors see only their own assigned work and related job documents — never estimates, pricing, or billing. No user can see another company's data.

Our team may access data in limited circumstances: to investigate a reported bug, respond to a support ticket your company opened, operate and secure the platform, or meet a legal obligation. We may disclose data if required by law, subpoena, or court order, and where lawful we will tell your administrator before we do.

If something goes wrong:if we learn of a security breach affecting your company's data, we will notify your company's administrator without undue delay, tell them what we know about what was affected, and cooperate with their own notification obligations.

7. Third-Party Services (Subprocessors)

We list below everyservice that can receive data when you use the platform — including services that only activate when your company enables the related feature (noted as "optional"). We would rather over-list than have you discover a recipient we didn't name.

ServicePurposeData shared
SupabaseDatabase, storage & authenticationAll Customer Data
VercelApp hostingRequest metadata (IP, headers)
Cloudflare (R2)Encrypted off-site backup storageAn AES-256-encrypted copy of the database and stored files (retained 30 days)
GitHub (Actions)Runs the scheduled backup jobProcesses the encrypted backup in transit; does not retain it
ResendTransactional email (proposals, invoices, RFIs, notifications)Recipient email, message content, and attached documents (may include client names, addresses, amounts)
Email delivery (SMTP)Account & password-setup emailRecipient email address and initial sign-in credentials for a new account
StripeSubscription billing (optional)Company name, billing email, subscription & payment metadata
Intuit QuickBooksAccounting sync (optional — when your company connects it)Clients, projects, vendors, and invoice/bill/payment amounts and line descriptions
Fingercheck / FridayPayroll hours import (optional — when your company connects a provider)API credentials, date ranges, and your company's job/task codes and descriptions (employee pay and SSN are never sent out, and are stripped from what comes in)
Samsara / BouncieVehicle tracking (optional — when your company connects a provider)Your company's provider credentials and position queries; vehicle/driver positions flow in to us (see Section 3)
Calendar providers (Google / Apple / Microsoft)Work-schedule calendar subscription or Google Calendar sync (optional — per employee)The subscribing employee's schedule: job titles, site addresses, and notes — fetched periodically by their calendar service, or pushed to Google Calendar if the employee connects it (never pricing or financials)
Anthropic ClaudeSupport-ticket analysis & help-content draftingSupport-ticket text, the page URL, and device context; help-article source content
DropboxImporting files you choose from your Dropbox (optional)The selected file and a temporary download link
OpenStreetMap & Photon (komoot)Maps & address autocomplete (the default map stack)Typed job/client addresses (as you type); map viewport (from your browser, revealing your IP)
Google Maps PlatformMaps, geocoding & routing (optional — when your company enables Google Maps)Typed and stored job/client addresses (geocoding and per-keystroke autocomplete, proxied through our servers), place details, origin→destination routes between the day's jobs, and map display from your browser. Without this enabled, Google receives only an address in an "open in maps" link you click.
jsdelivr & unpkg (CDNs)Load in-browser OCR and PDF-viewing code on the screens that use themNo customer data — your files are processed inside your browser and never uploaded to the CDN; your browser does reveal its IP address and the page it is on when fetching the code
Web push (Apple / Google / Mozilla)Delivering notifications to your subscribed devices (optional)Notification title/body and a device push token
SentryError monitoring (when enabled)Error details and browser context, after scrubbing of emails/tokens/keys

What your company cannot switch off: hosting (Supabase, Vercel), the default map/address stack (OpenStreetMap, Photon), the two code CDNs, and AI-assisted support-ticket triage (Anthropic) operate for every company. Everything else in the table is optional and inactive until your company enables the feature.

Transfers your company directs: the platform also lets your company send data to recipients itchooses — registering a webhook endpoint, authorizing a third-party app through our API, connecting an accounting or payroll provider, or an employee subscribing a calendar. Those recipients act on your company's instruction, and your company is responsible for them. Where the data includes financial records, our systems strip internal cost and margin fields before anything leaves.

8. Data Retention

  • Customer Data:retained for as long as your company's subscription is active. After cancellation, retained for 90 days to allow export, then deleted. Your company can request earlier deletion.
  • Location history: raw position reports are automatically deleted after 90 days; working-hours-only daily summaries are retained like other Customer Data (see Section 3).
  • Signature evidence: retained for as long as the signed document exists, since it is the proof of signing.
  • Backups: encrypted copies age out after 30 days. Deleted data can persist inside a backup for up to 30 days after deletion, then disappears with the backup.

9. Your Rights

You may request access to, correction of, deletion of, or a copy of your personal data. Because your company controls its workspace, requests from individual users go through your company administrator; if that isn't possible, contact us directly and we will coordinate with your company. We respond within 30 days. Where your state's law grants you specific rights over personal information — including precise-location data — we will honor requests to the extent the law requires, and we do not discriminate against anyone for exercising them.

10. Changes to This Policy

We may update this policy periodically — including whenever a new service is added to the table above, which we treat as a material change. We will notify your company administrator by email before material changes take effect. The effective date above reflects the most recent revision.

11. Contact

Privacy questions or data requests: support@bowtie.app