Privacy Policy

Version 2.0 · Effective April 21, 2026 · Last updated April 21, 2026

At a glance

  • We do not sell or share your personal data for advertising.
  • Your Customer Data is not used to train third-party AI models (including Anthropic).
  • All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • We notify affected customers of confirmed security breaches within 72 hours.
  • You can export or delete your data at any time from Settings → Account.

1. Who We Are

Struxcor Inc. ("Struxcor," "we," or "us") is a Delaware corporation operating the Struxcor platform (the "Service"). This Privacy Policy describes how we collect, use, disclose, and safeguard personal data when you use the Service or our websites.

For purposes of the EU/UK General Data Protection Regulation ("GDPR") and the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), Struxcor is a "data controller" or "business" with respect to personal data about our website visitors and individual account holders, and a "data processor" or "service provider" with respect to Customer Data handled on behalf of our business customers. Our Data Processing Addendum governs that relationship.

2. Personal Data We Collect

2.1 Account information

When you create an account, we collect your name, email address, organization name, job role, and password (hashed). If you sign up with Google OAuth, we receive your name, email, and a Google user identifier.

2.2 Customer Data

You may upload or create project data including daily reports, pay applications, submittals, RFIs, change orders, force account records, labor compliance records, photos, voice recordings, and related documents (collectively, "Customer Data"). Customer Data may include personal data about your employees, contractors, inspectors, and other project participants (names, email addresses, phone numbers, signatures, wage rates, hours worked, worker classifications, and employee ID numbers).

2.3 Usage and device data

We automatically collect IP address, browser type, device identifiers, operating system, referring URL, pages viewed, features used, timestamps, and crash diagnostics. This data is used for security, troubleshooting, and service improvement.

2.4 Location data

If you enable GPS-tagged photos or weather auto-fill, we collect geographic coordinates from your device (with your permission at the OS level). Coordinates are stored as part of your project data and are not used for advertising or profiling.

2.5 Payment data

Payment card processing is handled by Stripe, Inc. We do not store full card numbers, CVV, or bank-account details on our servers. We receive a tokenized identifier, last four digits, card brand, expiration, and billing metadata.

2.6 Communications

If you contact support, submit feedback, or interact with our marketing, we retain your messages and metadata.

2.7 Sensitive data

We do not intentionally collect Social Security numbers, government-ID numbers, biometric identifiers, health data, precise geolocation outside of tagged photos, sexual orientation, religious beliefs, or other "sensitive" categories under GDPR Art. 9 or CPRA. Please do not upload such data to Customer Data. We treat any such data that is nonetheless uploaded with the same protections as Customer Data.

3. How We Use Personal Data

  • Provide the Service: authentication, project management, report generation, PDF export, file storage, search, and collaboration.
  • AI features: at your request, send prompts and selected Customer Data to Anthropic's Claude API to generate narratives, summaries, extractions, translations, and analyses. See the AI Disclosure.
  • Security: detect, prevent, and respond to fraud, abuse, and security incidents.
  • Billing: process subscriptions, prevent chargebacks, and comply with tax and financial-reporting obligations.
  • Support: respond to your questions and requests.
  • Communications: send transactional emails (receipts, password resets, security alerts). You may opt out of non-transactional marketing emails at any time.
  • Improvement and analytics: analyze aggregated, de-identified usage to improve the Service. We do not profile individuals for advertising.
  • Legal compliance: meet legal, regulatory, and audit requirements and respond to lawful requests.

4. Legal Bases (GDPR/UK GDPR)

We process personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b)): to provide the Service you signed up for.
  • Legitimate interests (Art. 6(1)(f)): to secure the Service, prevent fraud, improve features, and operate our business, balanced against your rights.
  • Legal obligation (Art. 6(1)(c)): tax, accounting, and regulatory compliance.
  • Consent (Art. 6(1)(a)): where required, for non-essential cookies, marketing emails, and optional features. You can withdraw consent at any time.

5. Sub-processors

We engage the following sub-processors to help deliver the Service. Each is contractually bound to confidentiality, security, and data protection obligations equivalent to ours.

Sub-processor            | Purpose                                            | Location
-------------------------|----------------------------------------------------|-------------------
Supabase, Inc.           | Database (Postgres), authentication, file storage  | USA (AWS us-east)
Vercel, Inc.             | Application hosting, edge CDN, serverless runtime  | USA (global edge)
Anthropic, PBC           | Large-language-model inference (Claude API)        | USA
Stripe, Inc.             | Payment processing, subscription billing           | USA
Resend, Inc.             | Transactional email delivery                       | USA
Mapbox, Inc.             | Map tile rendering                                 | USA
Sentry Software, Inc.    | Error monitoring and performance tracing           | USA
Google LLC (OAuth only)  | Optional sign-in via Google                        | USA

We will provide customers with at least 30 days' advance notice before adding a new sub-processor that has access to Customer Data. Customers under our DPA may object to a new sub-processor on reasonable data-protection grounds.

6. Data Sharing

We share personal data only in these circumstances:

  • Within your organization: as configured by your administrator.
  • Sub-processors: as listed above.
  • Legal requirements: when required by subpoena, court order, or other lawful process, or to protect the rights, property, or safety of Struxcor, our users, or the public. We will notify affected customers of government access requests unless prohibited by law.
  • Business transfers: in connection with a merger, acquisition, financing, or sale of assets, subject to equivalent privacy commitments.
  • With your consent: for any other disclosure.

We do not sell personal data and we do not share personal data for cross-context behavioral advertising, as those terms are defined under CCPA/CPRA.

7. International Data Transfers

Struxcor is headquartered in the United States, and the Service is hosted in the U.S. If you access the Service from outside the U.S., your personal data will be transferred to, stored, and processed in the U.S.

For transfers of personal data out of the European Economic Area, the United Kingdom, or Switzerland, we rely on:

  • the European Commission's Standard Contractual Clauses (Module 2, Controller-to-Processor; or Module 3, Processor-to-Processor) incorporated by reference in our DPA;
  • the UK International Data Transfer Addendum to the EU SCCs; and
  • the EU-U.S. Data Privacy Framework and its UK and Swiss extensions where applicable.

We conduct transfer impact assessments for onward transfers to sub-processors and implement supplementary measures (encryption, pseudonymization, access controls) where appropriate.

8. Data Security

We implement technical and organizational measures designed to protect personal data, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256 for database and object storage).
  • Postgres row-level security (RLS) enforced at the database layer, scoped by organization.
  • Short-lived signed URLs for file access; least-privilege service roles.
  • MFA-capable authentication, bcrypt-hashed passwords, and session management with rotating tokens.
  • Audit logs for privileged and destructive actions.
  • Principle-of-least-privilege access for employees, with access reviews and mandatory training.
  • Security monitoring via Sentry and Vercel observability; vulnerability scanning; periodic penetration testing.

No system is perfectly secure. You are responsible for keeping credentials confidential and promptly reporting suspected unauthorized access to security@struxcor.com.

9. Breach Notification

If we confirm a personal-data breach affecting Customer Data, we will notify the affected customer administrator without undue delay and in any event within 72 hours of confirmation, providing (where known) the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and remediation measures taken or proposed.

10. Cookies and Similar Technologies

We use a limited set of cookies and similar technologies. We do not use third-party advertising cookies or cross-site tracking pixels.

Cookie / Key                        | Type                | Purpose                                | Duration
------------------------------------|---------------------|----------------------------------------|------------------
sb-access-token / sb-refresh-token  | Strictly necessary  | Authentication session                 | Session + 7 days
sc-csrf                             | Strictly necessary  | CSRF protection                        | Session
sc-prefs                            | Functional          | UI preferences (sidebar state, theme)  | 1 year
_vercel_jwt / _vercel_no_cache      | Strictly necessary  | Hosting platform session               | Session

Strictly necessary cookies are set without consent because they are required to deliver the Service. You may refuse or delete cookies via your browser, but the Service may not function correctly without authentication cookies.

11. Your Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal data:

  • Access / Know: request a copy and categories of personal data we hold about you.
  • Correction / Rectification: ask us to correct inaccurate data.
  • Deletion / Erasure: ask us to delete your personal data, subject to legal retention obligations.
  • Portability: receive your data in a structured, machine-readable format (PDF, CSV).
  • Objection / Restriction: object to or restrict processing based on legitimate interests.
  • Withdraw consent: at any time where we rely on consent.
  • Opt-out of automated decision-making: we do not use personal data for automated decisions producing legal or similarly significant effects.
  • Appeal: where we deny a request, you have the right to appeal under state laws such as Virginia VCDPA, Colorado CPA, Connecticut CTDPA, and similar.
  • Complaint: lodge a complaint with a supervisory authority (your local data protection authority in the EU/UK, or the California Privacy Protection Agency).

To exercise any of these rights, email privacy@struxcor.com from the address associated with your account. We will respond within the time frame required by applicable law (generally 30–45 days). We will not discriminate against you for exercising your rights.

If personal data about you is stored as part of a business customer's Customer Data, please direct your request to that customer (the controller). We will assist them in responding.

12. California Privacy Rights (CCPA/CPRA)

California residents have rights under the CCPA/CPRA, including the rights listed in Section 11. In the preceding 12 months, we have collected the categories of personal information listed in Section 2. We disclose personal information to the sub-processors listed in Section 5 for business purposes. We do not sell or share personal information for cross-context behavioral advertising, and we have not done so in the preceding 12 months. We do not knowingly sell or share the personal information of consumers under 16.

You may designate an authorized agent to make a request on your behalf. We may require the agent to provide proof of your written permission and verify your identity.

13. Data Retention

  • Active accounts: Customer Data is retained for the duration of your subscription.
  • After termination: Customer Data is retained for 90 days to permit export, then deleted, except where longer retention is required by law (e.g., payroll records, public-works records) or by a signed order form.
  • Billing records: retained for 7 years to comply with U.S. tax and accounting requirements.
  • Security logs: retained for up to 13 months.
  • Aggregated / de-identified data: may be retained indefinitely for analytics and service improvement.
  • AI prompts and outputs: retained according to Section 3 of the AI Disclosure.

14. Children's Privacy

The Service is not directed to children under 18. We do not knowingly collect personal data from children under 18. If you believe a child has provided us personal data, contact us and we will delete it.

15. Do-Not-Track and Global Privacy Control

We honor the Global Privacy Control (GPC) signal as an opt-out of sale and sharing under CCPA/CPRA where required. Because we do not sell or share personal data, GPC signals generally have no additional effect. We do not respond to legacy Do-Not-Track browser signals at this time because there is no industry standard for how to respond.

16. Changes to This Policy

We may update this Policy from time to time. We will notify account holders of material changes by email or in-product notice at least 30 days before the change takes effect. The "Last updated" and "Version" fields at the top of this page reflect the current version. Prior versions are available on request.

17. Contact and Data Protection Contacts

Struxcor Inc.

Privacy inquiries: privacy@struxcor.com

Security incidents: security@struxcor.com

Legal: legal@struxcor.com

Website: struxcor.com

We have not appointed a Data Protection Officer (DPO) because our processing activities do not meet the mandatory appointment thresholds under GDPR Art. 37. If your jurisdiction requires an EU or UK representative, contact us and we will provide current information.