Privacy Policy
Effective June 19, 2026
1. What This Policy Covers
This Privacy Policy explains how Bow Construction ("we," "us," "our") collects, uses, and protects information when you use BowtieOS — a field operations platform for glazing and glass contractors. It applies to all users: administrators, office staff, field technicians, and viewers.
2. Information We Collect
Account information
Name and email address, collected when your administrator creates your account.
Job and project data
Site visit records, field measurements, dimensions, photos and videos, voice notes, client names, job addresses, project documents, estimates, and schedules — all entered by your company's users.
Device and usage data
When you submit a support ticket, we collect your browser type, screen size, and the page you were on. We do not use tracking pixels or behavioral advertising.
Error logs
If crash monitoring is enabled, error reports (including stack traces and device context) are sent to Sentry. No personally identifiable information is intentionally included in error payloads.
3. How We Use Information
- To provide the Service — storing and displaying your company's operational data
- To send notifications relevant to your work (new assignments, comments, reminders)
- To diagnose bugs and improve the platform using error reports and support tickets
- To contact your administrator about billing, updates, or policy changes
We do not sell your data. We do not use your data for advertising.
4. How Data Is Stored
All data is stored in Supabase (PostgreSQL database + object storage) hosted on Amazon Web Services in the us-west-2 (Oregon) region. Access is controlled by Row Level Security policies — each user sees only the data their role permits within their company. Data is encrypted in transit (TLS) and at rest.
Photos, videos, documents, and voice notes are stored in private Supabase Storage buckets, isolated by company. Signed URLs with short expiry times are used for access — files are never publicly accessible.
Backups. So that your data can be recovered after an outage or accidental deletion, we take encrypted backups of the database and of stored files. Each backup is encrypted (AES-256) before it leaves our systems and is copied to Cloudflare R2 object storage; the backup job itself runs on GitHub Actions. Backups are retained for 30 days and then deleted. This means an encrypted copy of your data is held outside the us-west-2 region described above.
5. Who Can See Your Data
Within your company, access is role-based: administrators and office staff see operational and financial data; field technicians see only their own assigned visits and related job documents. No user can see another company's data.
Our team may access data in limited circumstances to investigate a reported bug, respond to a support ticket, or fulfill a legal obligation. We do not share data with third parties for commercial purposes.
6. Third-Party Services (Subprocessors)
We use the service providers below to operate the platform. Some are used only when your company enables the related feature or integration (noted as "optional").
| Service | Purpose | Data shared |
|---|---|---|
| Supabase | Database, storage & authentication | All Customer Data |
| Vercel | App hosting | Request metadata (IP, headers) |
| Resend | Transactional email (proposals, invoices, RFIs, notifications) | Recipient email, message content, and attached documents (may include client names, addresses, amounts) |
| Email delivery (SMTP) | Account & password-setup email | Recipient email address |
| Stripe | Subscription billing (optional) | Company name, billing email, subscription & payment metadata |
| Intuit QuickBooks | Accounting sync (optional — when you connect it) | Clients, projects, vendors, and invoice/bill/payment amounts |
| Fingercheck / Friday | Payroll hours import (optional — when you connect a provider) | API credentials & date ranges (employee pay/SSN is not sent out) |
| Anthropic Claude | Support-ticket analysis & help-content drafting | Ticket description & page URL; help-article source content |
| Dropbox | Importing files you choose from your Dropbox (optional) | The selected file and a temporary download link |
| OpenStreetMap & Photon (komoot) | Maps & address autocomplete | Typed job/client addresses; map viewport |
| Google Maps | "Open in maps" links (only when you click one) | The job address |
| Web push (Apple / Google / Mozilla) | Delivering notifications to your subscribed devices (optional) | Notification title/body and a device push token |
| Sentry | Error monitoring (when enabled) | Error details, browser context |
| Cloudflare (R2) | Encrypted off-site backup storage | An AES-256-encrypted copy of the database and stored files (retained 30 days) |
| GitHub (Actions) | Runs the scheduled backup job | Processes the encrypted backup in transit; does not retain it |
7. Data Retention
We retain Customer Data for as long as your subscription is active. After cancellation, data is retained for 90 days to allow export, then deleted. Contact us to request earlier deletion.
8. Your Rights
You may request access to, correction of, or deletion of your personal data by contacting us. Requests from individual users should go through your company administrator. We will respond within 30 days.
9. Changes to This Policy
We may update this policy periodically. We will notify your company administrator by email before material changes take effect. The effective date above reflects the most recent revision.
10. Contact
Privacy questions or data requests: support@bowtie.app