1. Introduction
FirmBase ("we," "our," or "us") is a multi-tenant construction operations platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website at firmbase.build, our iOS mobile application, and all related services (collectively, the "Service"). By using the Service, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
We collect information that you provide directly to us and information collected automatically:
Information You Provide
- Account Information: Name, email address, phone number, company name, job title, and role
- Project Data: Project details, proposals, estimates, invoices, change orders, contracts, and related documents
- Photos & Media: Project site photos including before, during, and after images captured through your device camera or uploaded from your photo library
- Communication Data: Messages, notes, daily field reports, safety reports, and comments within the platform
- Subcontractor Data: Company information, W-9 forms, certificates of insurance, NDA acceptance, and bid submissions provided through the subcontractor portal
- Client Data: Company details, contact information, service requests, and proposal approvals provided through the client portal
- Signature Data: Electronic signatures captured for proposal and change order approvals
Information Collected Automatically
- Location Data: GPS coordinates when using field mode features, the GPS time clock, or photo geotagging (only with your explicit permission)
- Device Information: Device type, operating system, browser type, and screen size for optimizing your experience
- Usage Data: Pages visited, features used, and interaction patterns to improve the Service
- Time Clock Data: Clock-in/out timestamps and associated GPS coordinates for crew management and payroll
3. Device Permissions
Our mobile application may request the following device permissions:
- Camera: To capture project site photos, document conditions, scan business cards, and record progress. Photos are uploaded to our secure cloud storage. You can deny camera access and manually upload photos instead.
- Photo Library: To select existing photos from your device for upload to projects. We only access photos you explicitly select.
- Location (GPS): To geotag photos, enable the GPS time clock, and provide field navigation. Location is only accessed when actively using these features and can be disabled at any time in your device settings.
- Push Notifications: To send you alerts about bid requests, project updates, proposal approvals, and other time-sensitive information. You can manage notification preferences in your account settings or disable them in your device settings.
All permissions are optional. The app will function with reduced features if any permission is denied.
4. How We Use Your Information
- To provide, operate, maintain, and improve the Service
- To process and manage construction projects, proposals, estimates, and invoices
- To facilitate communication between contractors, clients, and subcontractors
- To send notifications about project updates, bid requests, and account activity
- To generate reports, analytics, and AI-powered insights for authorized users within your organization
- To track crew time and location for payroll and field management purposes
- To process electronic signatures on proposals and change orders
- To comply with legal obligations and enforce our terms of service
5. Data Sharing & Disclosure
We do not sell, rent, or trade your personal information to third parties. We may share information in the following circumstances:
- Within Your Organization: Data is shared with members of your organization based on role-based access controls configured by your administrator
- Clients & Subcontractors: Project-related information shared through portal access that your organization configures and controls
- Service Providers: We use trusted third-party services for:
  - Cloud hosting and deployment (Vercel)
  - Database services (Neon PostgreSQL)
  - File and photo storage (Vercel Blob Storage)
  - Transactional email delivery (Resend)
  - AI text generation (Anthropic)
- Legal Requirements: When required by law, subpoena, court order, or to protect our rights, safety, or property
6. Data Security
We implement industry-standard security measures to protect your data, including:
- HTTPS/TLS encryption for all data in transit
- Secure authentication using JWT tokens with httpOnly cookies
- Role-based access controls (RBAC) to restrict data visibility
- Password hashing using bcrypt
- Encrypted database connections with SSL
- Multi-tenant data isolation between organizations
While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
7. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. Project data, photos, and documents are retained for the duration of your subscription. Upon account deletion, we will remove your personal data within 30 days, except where retention is required by law or for legitimate business purposes (such as maintaining financial records).
8. Your Rights
You have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Delete your account and associated personal data
- Object to or restrict certain processing of your data
- Export your data in a portable format
- Withdraw consent for optional data collection (location, notifications, camera) at any time through your device settings
To exercise any of these rights, contact us at the email address below.
9. Children's Privacy
The Service is designed for business use and is not intended for children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
10. Third-Party Links
The Service may contain links to third-party websites or services that are not owned or controlled by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last Updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: