Privacy & Data Policy

Field Service Compliance ("FSC", "we", "us", or "our") is operated by Jason Brooks (Individual). This Privacy & Data Policy explains what information we collect when you use the FSC mobile application and web reporting portal, how we use it, how we protect it, and what rights you have over it. Effective Date: March 10, 2026 By using FSC you agree to the practices described in this policy. If you do not agree, please discontinue use of the application.

When you register, we collect your full name, email address, role, and organization affiliation. This information is required to provide access to FSC and enforce role-based permissions.

Audits you perform are stored and include: job address, GPS coordinates at time of audit, audit type (Satellite, Fiber, Cable, Vehicle), pass/fail status, technician notes, repair descriptions, and timestamps.

Every submitted audit is assigned a tamper-evident digital attestation block containing: your full name, GPS coordinates at time of submission, a precise timestamp, and a unique FSC-XXXXXXXX document ID (a SHA-256 hash derived from the audit ID, creation timestamp, and organization ID). This block is stored permanently with the audit record as a compliance and dispute-resolution record. The FSC document number is visible to administrators, super users, and developers in the portal audit tables.

Photos captured during audits are uploaded to secure cloud storage and associated with audit records. These images may be reviewed by your supervisors and processed by our AI validation system. Photos flagged as containing visible individuals are rejected and not retained.

If your organization has enabled the Inventory Tracker feature, photos designated as equipment label slots (model label, network identifier) are processed by Google Gemini AI to extract device identifiers — specifically: model number, serial number, MAC address, IMEI, and access card number. These identifiers are stored in our database linked to your audit record and your organization. This data is accessible to users within your organization who have manager-level or higher portal access. Organization administrators can export inventory records as a CSV file; all such exports are logged in the security audit log. Extracted identifiers are never shared outside your organization and are subject to your organization's data retention policies. If Inventory Tracker is not enabled for your organization, no equipment identifiers are extracted or stored from your photos.

If your organization has enabled the Safety Survey feature, safety surveys you complete are stored and include: a unique FSS-XXXXXXXX Survey Number (a SHA-256 hash derived from the survey's internal ID and submission timestamp, used as a tamper-evident document identifier), job type, all question responses (Pass/Fail), point values, critical failure flags, correction photo results, survey score, GPS coordinates at time of submission, timestamp, and the digital attestation block identifying both the technician and supervisor who co-signed the survey. Safety survey data is accessible to Supervisor and above roles within your organization. Surveys that trigger a stand-down create a linked stand-down record that is retained until cleared by a supervisor and archived thereafter. Organization admins and authorized supervisors can download bilingual PDF Safety Survey Reports for any survey; all such downloads are logged in the security audit log. Safety survey data is never shared outside your organization.

When a stand-down is issued to you, and you complete the required OSHA training flow, the following data is stored on the stand-down record: your selected answer for each quiz question (A, B, or C), the calculated quiz score (0–100), the timestamp at which you completed the quiz, and a snapshot of the assigned quiz questions (question text, answer choices, correct answer, and OSHA citation). If the stand-down was issued with a training video URL, that URL is stored on the stand-down record. This data is retained as part of the stand-down compliance record and is accessible to the issuing supervisor, your organization admins, and authorized management roles. Quiz response data is used solely for safety compliance training verification purposes.

If your organization has enabled the Safety Survey feature, organization admins may create named OSHA training quizzes in the Quiz Library (Safety portal → Quiz Library sub-tab). Each quiz record stores: the quiz name, an optional description, the creating admin's user ID, and the organization ID. Each quiz question stores: question text, three answer choices (A, B, C), the designated correct answer, an optional OSHA citation, a critical-failure flag, and sort order. Quiz Library data is scoped to your organization and is never shared outside it. Individual named quizzes may be linked to checklist questions, causing them to be automatically dispatched when a technician fails the linked item. Quiz Library data is accessible to Admin and above roles within your organization.

When you use the voice-to-text feature for repair notes, audio is captured and sent to our AI transcription service (Google Gemini). Audio is processed in real time and is not stored after transcription. Only the resulting text transcript is retained as part of the audit record.

Actions taken within the FSC platform that affect security or user management are recorded in a persistent, write-only security audit log. Logged events include: portal logins and logouts, user account approvals and role changes, supervisor assignments, join code regeneration, account deletions, data exports, and password changes. Each entry captures the actor's user ID, their role, the target of the action, relevant metadata, a timestamp, and the originating IP address. This log is accessible to organization administrators and authorized super users.

If you enable Phone MFA (multi-factor authentication), your phone number is stored in association with your account solely for the purpose of delivering one-time verification codes via email to your registered address. Your phone number is never sold, shared with third parties, or used for marketing purposes.

We collect basic device information including operating system type, version, and device model for debugging, compatibility, and legal compliance purposes. When you sign a legal agreement (NDA or Terms & Conditions), we also collect a device identifier — a hardware-bound ID on Android, an app-scoped vendor ID on iOS, or a persistent anonymous ID on web — solely to satisfy E-SIGN Act audit log requirements. We do not collect IMEI numbers or advertising IDs.

When you sign the NDA or Terms & Conditions, we permanently store the following as required by the E-SIGN Act: your typed electronic signature, the full text of the document at the time of signing, your name and email, the agreement version, the exact timestamp, your IP address (captured server-side at the moment of submission), a device identifier (hardware-bound on Android, app-scoped vendor ID on iOS, or persistent anonymous ID on web), your device model and operating system, your platform (iOS, Android, or web), and your browser or app user agent string. These records are retained even after account deletion to satisfy legal and compliance obligations.

We maintain server-side logs for security and debugging. All logs are automatically scrubbed of personally identifiable information (PII) — emails, names, and addresses are redacted before logging.

We use collected information solely to operate and improve FSC. Specifically: • Deliver audit workflow features and compliance tracking • Enforce role-based access control across your organization • AI-validate audit photos against quality standards • Transcribe voice repair notes to text • Send email notifications and audit receipts • Detect and prevent fraud or unauthorized access • Maintain legal records of agreement signatures • Provide executive analytics to authorized supervisors and management • Digital attestation data is used solely to provide a tamper-evident record for regulatory and dispute-resolution purposes; it is never used for profiling or marketing • Security audit log data is used for internal security monitoring and is made available to organization administrators and authorized super users for compliance review • Voice transcripts are used exclusively to populate the technician's repair notes field and are not used to train AI models or for any other purpose • Safety survey data is used to support occupational safety compliance — scoring technicians against OSHA-linked criteria, assigning tamper-evident FSS-XXXXXXXX Survey Numbers for compliance documentation, enabling supervisors to identify hazards and issue or clear stand-downs, and generating bilingual PDF Safety Survey Reports • Stand-down quiz response data (answers, score, completion timestamp, and question snapshot) is used solely to verify that technicians have completed the required OSHA safety training before returning to work after a stand-down • Quiz Library data (named quizzes and their A/B/C questions) is used solely to construct training quizzes for stand-downs — either auto-dispatched when a checklist item fails or manually assigned by a supervisor; quiz content is never used for profiling or any purpose outside stand-down training compliance • Training video URLs stored on stand-down records are used solely to direct technicians to the relevant OSHA training resource during the mandatory stand-down training flow • Safety correction photos are submitted to AI solely to evaluate whether a specific flagged hazard has been corrected; they are not used for any other purpose and are not used to train AI models • Phone numbers collected for MFA are used only to route one-time verification notifications to the user's registered email address We do not sell, rent, or trade your personal information to any third party for marketing purposes.

All data transmitted between the FSC app and our servers is encrypted using TLS 1.2 or higher. This includes API calls, photo uploads, and authentication tokens.

All data is stored in Supabase-managed PostgreSQL databases with AES-256 encryption at rest. Database credentials are never exposed client-side and are rotated regularly.

The FSC web portal and API enforce the following HTTP security headers on all responses: Content Security Policy (CSP) restricting script execution to approved sources, HTTP Strict Transport Security (HSTS) requiring HTTPS at all times, X-Frame-Options preventing clickjacking, X-Content-Type-Options preventing MIME sniffing, and Referrer-Policy controlling referrer information sent to third parties.

Your data is stored in Supabase-hosted PostgreSQL databases protected by Row Level Security (RLS) policies. Each user can only access records they are authorized to view based on their organization and role.

FSC uses JWT-based authentication with server-side token validation. Failed login attempts trigger progressive lockouts. Passwords are hashed and never stored in plain text. Optional biometric authentication (Face ID / Fingerprint) is supported.

Web portal sessions automatically time out after 10 minutes of idle activity, displaying a 2-minute countdown warning before logout. After 12 minutes total idle time, the session is cleared and the user is redirected to the login page. Any keyboard, mouse, or scroll activity resets the idle timer.

AI processing endpoints (photo validation, voice transcription, vehicle damage comparison) and authentication endpoints are rate-limited per user to prevent abuse and protect against credential stuffing attacks.

An eight-level role hierarchy (Super User, Developer, Admin, VP, Director, Manager, Supervisor, Technician) ensures users can only access data appropriate to their position. New accounts default to a "pending" status and require explicit approval by a Super User before gaining active access.

Audit photos may be submitted to Google Gemini 2.5 Flash for automated quality validation. This checks whether photos meet audit-specific standards (e.g., drip loops present, connectors weatherproofed). Image data is transmitted securely and subject to Google's enterprise data processing terms. FSC does not use customer photos to train AI models.

Before compliance analysis, each photo submitted for validation is scanned for the presence of visible individuals. Photos containing people are automatically rejected and not retained on FSC servers. No image data is stored after a rejection event. This pre-scan occurs before any compliance analysis takes place.

Voice repair notes are transcribed using Google Gemini. Audio data is sent to Google's API for real-time processing. Audio recordings are not stored by FSC after transcription is complete. Only the resulting text transcript is retained as part of the audit record and is not used for any purpose other than populating the technician's notes field.

For vehicle audits, current vehicle photos are compared against previous inspection photos using AI to flag new damage. Both the current and prior inspection photos are processed by Google Gemini and are subject to the same security controls as other audit photos. Both sets of photos are stored as part of the respective audit records.

AI extracts and analyzes address text from address photos for GPS cross-reference to confirm the technician is at the correct job site. Raw extracted text is not stored independently — it is used only for real-time verification during audit submission.

If your organization has enabled Safety Survey, technicians may voluntarily submit a correction photo alongside a failed safety survey question. This photo is submitted to Google Gemini AI to determine whether the identified hazard has been addressed. If the AI confirms correction, 50% of the question's point value is restored toward the final score. Correction photos are subject to the same privacy pre-scan as audit photos — images containing visible individuals are rejected before any safety analysis takes place. Correction photos are stored as part of the safety survey record and are not used for any purpose other than the specific survey correction evaluation. The AI analysis result (confirmed corrected / not confirmed) is stored with the survey record; no raw prompt or AI reasoning text is retained beyond what appears in the PDF report.

We send only the minimum data necessary to AI services — photos and contextual metadata required for the specific validation task. We do not transmit account credentials, GPS coordinates, or personal information to AI services.

We retain data for the minimum period necessary to fulfill its purpose: • Audit records — retained indefinitely for compliance history. Linked to your organization even after account deletion. • Digital attestation blocks — retained indefinitely as part of the audit record, even if the associated audit is otherwise archived or the account deleted. These blocks serve as the tamper-evident compliance record. • Security audit log entries — retained for a minimum of 2 years for compliance, security monitoring, and dispute-resolution purposes. Log entries are write-only and cannot be edited or deleted. • Voice transcripts — retained as long as the associated audit record exists. Audio recordings are not retained after transcription. • Account data — deleted upon account deletion request, except where retention is legally required. • Legal agreement records (NDA / T&C signatures) — retained permanently. These records have no foreign key cascade and survive account deletion to satisfy legal obligations. • AI-processed audio — not retained after transcription. • Server logs — retained for 30 days for security auditing, then purged. • Photos — retained as long as the associated audit record exists. • Safety survey records — retained as long as the associated organization account exists. Survey data (responses, scores, attestations, correction photo results) is retained to support compliance history and supervisor oversight. • Safety stand-down records — retained permanently after clearance as a compliance trail. Stand-down quiz responses, scores, question snapshots, and training video URLs stored on stand-down records are retained as part of that permanent compliance record. Open stand-downs are retained until explicitly cleared by an authorized supervisor. • Quiz Library records (named quizzes and their questions) — retained until deleted by an organization admin. Deleting a quiz removes the quiz definition but does not affect historical stand-down records, which retain a snapshot of the questions at the time of issuance. • Safety correction photos — retained as long as the associated safety survey record exists. These are stored as part of the survey and follow the same retention schedule as other audit photos.

You can export a copy of your personal data at any time from Settings → Privacy & Data → Export My Data. The export includes your account information, audit history, digital attestation records, and notification history in JSON format.

You can permanently delete your account from Settings → Privacy & Data → Delete My Account. This will remove your personal profile and account data. Audit records are preserved for organizational compliance. Legal agreement records (E-SIGN) and security audit log entries are retained permanently — deletion of your account does not remove these records, as they are required for legal compliance and tamper-evidence purposes.

If you believe any of your information is inaccurate, contact your organization's administrator or reach us directly at FieldServiceCompliance@gmail.com to request a correction or full data review.

In accordance with the Electronic Signatures in Global and National Commerce Act (E-SIGN Act, 15 U.S.C. § 7001 et seq.) and applicable state laws, your typed name constitutes your legally binding electronic signature. When you type your name and accept an agreement in FSC: • Your typed signature carries the same legal weight as a handwritten signature • The full agreement text at the time of signing is archived permanently • The exact date and time of signing are recorded in UTC • An E-SIGN audit log is permanently attached to your record, capturing: your IP address, device identifier, device model and OS, platform, and user agent string — as required for legally enforceable electronic signatures • Records are retained even if your account is later deleted • Records are accessible to authorized super users of your organization for compliance auditing You may request a copy of any agreement you have signed by contacting FieldServiceCompliance@gmail.com.

Database and authentication services. Your data is stored in Supabase-managed PostgreSQL instances with AES-256 encryption at rest and TLS 1.2+ in transit. Supabase Privacy Policy

AI photo validation (privacy pre-scan + compliance analysis), voice-to-text transcription, and vehicle damage comparison. Data sent to Google's API is governed by Google's enterprise API Terms of Service. FSC does not use customer data to train AI models. All AI processing is subject to the minimum data principle — only the necessary photo or audio data for the specific task is transmitted. Google Privacy Policy

Payment processing for subscription management. FSC does not store payment card data. All payment information is handled directly by Stripe. Stripe Privacy Policy

Transactional email delivery for audit receipts, account notifications, bulk onboarding invitations, and system alerts. Your email address is shared with Resend solely for the purpose of delivering messages to you. Resend Privacy Policy

We may update this policy periodically to reflect changes in our practices or legal requirements. When we make material changes, we will notify you within the app. Continued use of FSC after notification constitutes acceptance of the updated policy. The current effective date is always displayed at the top of this page.