Privacy Policy

Effective June 19, 2026

1. What This Policy Covers

This Privacy Policy explains how Bow Construction ("we," "us," "our") collects, uses, and protects information when you use BowtieOS — a field operations platform for glazing and glass contractors. It applies to all users: administrators, office staff, field technicians, and viewers.

2. Information We Collect

Account information

Name and email address, collected when your administrator creates your account.

Job and project data

Site visit records, field measurements, dimensions, photos and videos, voice notes, client names, job addresses, project documents, estimates, and schedules — all entered by your company's users.

Device and usage data

When you submit a support ticket, we collect your browser type, screen size, and the page you were on. We do not use tracking pixels or behavioral advertising.

Error logs

If crash monitoring is enabled, error reports (including stack traces and device context) are sent to Sentry. No personally identifiable information is intentionally included in error payloads.

3. How We Use Information

  • To provide the Service — storing and displaying your company's operational data
  • To send notifications relevant to your work (new assignments, comments, reminders)
  • To diagnose bugs and improve the platform using error reports and support tickets
  • To contact your administrator about billing, updates, or policy changes

We do not sell your data. We do not use your data for advertising.

4. How Data Is Stored

All data is stored in Supabase (PostgreSQL database + object storage) hosted on Amazon Web Services in the us-west-2 (Oregon) region. Access is controlled by Row Level Security policies — each user sees only the data their role permits within their company. Data is encrypted in transit (TLS) and at rest.

Photos, videos, documents, and voice notes are stored in private Supabase Storage buckets, isolated by company. Signed URLs with short expiry times are used for access — files are never publicly accessible.

Backups. So that your data can be recovered after an outage or accidental deletion, we take encrypted backups of the database and of stored files. Each backup is encrypted (AES-256) before it leaves our systems and is copied to Cloudflare R2 object storage; the backup job itself runs on GitHub Actions. Backups are retained for 30 days and then deleted. This means an encrypted copy of your data is held outside the us-west-2 region described above.

5. Who Can See Your Data

Within your company, access is role-based: administrators and office staff see operational and financial data; field technicians see only their own assigned visits and related job documents. No user can see another company's data.

Our team may access data in limited circumstances to investigate a reported bug, respond to a support ticket, or fulfill a legal obligation. We do not share data with third parties for commercial purposes.

6. Third-Party Services (Subprocessors)

We use the service providers below to operate the platform. Some are used only when your company enables the related feature or integration (noted as "optional").

ServicePurposeData shared
SupabaseDatabase, storage & authenticationAll Customer Data
VercelApp hostingRequest metadata (IP, headers)
ResendTransactional email (proposals, invoices, RFIs, notifications)Recipient email, message content, and attached documents (may include client names, addresses, amounts)
Email delivery (SMTP)Account & password-setup emailRecipient email address
StripeSubscription billing (optional)Company name, billing email, subscription & payment metadata
Intuit QuickBooksAccounting sync (optional — when you connect it)Clients, projects, vendors, and invoice/bill/payment amounts
Fingercheck / FridayPayroll hours import (optional — when you connect a provider)API credentials & date ranges (employee pay/SSN is not sent out)
Anthropic ClaudeSupport-ticket analysis & help-content draftingTicket description & page URL; help-article source content
DropboxImporting files you choose from your Dropbox (optional)The selected file and a temporary download link
OpenStreetMap & Photon (komoot)Maps & address autocompleteTyped job/client addresses; map viewport
Google Maps"Open in maps" links (only when you click one)The job address
Web push (Apple / Google / Mozilla)Delivering notifications to your subscribed devices (optional)Notification title/body and a device push token
SentryError monitoring (when enabled)Error details, browser context
Cloudflare (R2)Encrypted off-site backup storageAn AES-256-encrypted copy of the database and stored files (retained 30 days)
GitHub (Actions)Runs the scheduled backup jobProcesses the encrypted backup in transit; does not retain it

7. Data Retention

We retain Customer Data for as long as your subscription is active. After cancellation, data is retained for 90 days to allow export, then deleted. Contact us to request earlier deletion.

8. Your Rights

You may request access to, correction of, or deletion of your personal data by contacting us. Requests from individual users should go through your company administrator. We will respond within 30 days.

9. Changes to This Policy

We may update this policy periodically. We will notify your company administrator by email before material changes take effect. The effective date above reflects the most recent revision.

10. Contact

Privacy questions or data requests: support@bowtie.app