Privacy Policy
Effective Date: February 11, 2026
Last Updated: February 11, 2026
This Privacy Policy explains how PermitTracker ("Company," "we," "us," "our") collects, uses, discloses, and protects information when you access or use the PermitTracker website, web application, and related services (collectively, the "Service").
The Service is intended for business and commercial use (e.g., contractors and construction-related professionals). If you do not agree to this Privacy Policy, do not use the Service.
1) Scope and Roles
1.1 Who This Applies To
This Privacy Policy applies to:
- website visitors;
- individuals who create accounts or use the Service ("Users"); and
- individuals whose personal information may appear in data or documents uploaded to the Service ("Customer Content").
1.2 Controller vs. Processor
When an organization ("Customer") uses the Service, the Customer generally acts as the "controller" (or equivalent under applicable law) of personal information contained in Customer Content, and the Company acts as a "processor" or "service provider" processing that data on the Customer's behalf and according to the Customer's instructions.
For information we collect directly (such as account registration data, usage analytics, and support communications), the Company acts as the controller.
1.3 Workspace Administration
If you access the Service through a Customer's workspace, the Customer's administrators may access and manage workspace data, User accounts, and permissions. Please refer to your organization's privacy practices for information about how your employer or organization handles your information.
2) Information We Collect
2.1 Information You Provide
- Account Information: Name, work email address, login credentials (stored in hashed form via our authentication provider), role, and permissions.
- Organization Information: Organization name, team member information, workspace settings, and billing contact information.
- Project and Permit Data: Project names, addresses, jurisdictions, permit identifiers, statuses, dates, inspection schedules, reminder configurations, notes, and related metadata.
- Customer Content: Documents and files you upload (e.g., PDFs, images of permits) and associated metadata. These documents may contain personal information such as names, addresses, and contact information of third parties (e.g., inspectors, property owners, subcontractors).
- Payment Information: If you subscribe to a paid plan, payment information is collected and processed by our third-party payment processor (currently Stripe). We receive limited payment details (e.g., last four digits of card number, billing address, transaction confirmations) but do not store full payment card numbers.
- Support Communications: Messages, emails, and attachments you send to us when requesting support or providing feedback.
2.2 Information Collected Automatically
- Usage and Log Data: IP address, timestamps, pages viewed, features used, actions taken, error logs, referring URLs, and session duration.
- Device Information: Browser type and version, operating system, language settings, screen resolution, and device identifiers (where available).
- Cookies and Similar Technologies: We use cookies and similar technologies for authentication, security, user preferences, and analytics. See Section 8 for details.
2.3 Information from Third Parties
- Payment Processor: Transaction confirmations, billing status, and limited payment details from Stripe.
- Email Delivery Signals: Delivery confirmations, bounce notices, and engagement metrics (open/click) from our email service provider, used to ensure reliable notification delivery.
- Authentication Providers: If single sign-on (SSO) or third-party authentication is enabled, identity assertions and basic profile information from the identity provider.
3) How We Use Information
We use information for the following purposes:
| Purpose | Lawful Basis (where applicable) |
|---|---|
| Provide, operate, and maintain the Service (including authentication, storage, organization of Customer Content, collaboration, and notifications) | Performance of contract; legitimate interest |
| Send transactional communications (account verification, security alerts, configured reminders, service notices) | Performance of contract |
| Process and scan documents, including AI-assisted extraction of fields (dates, permit numbers, conditions, etc.) | Performance of contract |
| Provide customer support and respond to inquiries | Performance of contract; legitimate interest |
| Monitor, analyze, and improve the Service (including debugging, performance optimization, and feature development) | Legitimate interest |
| Detect, prevent, and address security incidents, fraud, and abuse | Legitimate interest; legal obligation |
| Enforce our Terms of Service and other policies | Legitimate interest; legal obligation |
| Comply with legal obligations (including responding to lawful requests and legal process) | Legal obligation |
| Process payments and manage billing | Performance of contract |
We may also use aggregated, de-identified, or anonymized data for analytics, benchmarking, and product improvement. Such data is not personal information.
4) AI and Automated Processing
4.1 How We Use AI
The Service may use AI and automated processing to:
- Extract structured data (dates, permit numbers, addresses, conditions, inspection requirements) from uploaded documents;
- Suggest field values based on document content;
- Generate reminder text for notifications; and
- Categorize and organize documents.
4.2 Accuracy Disclaimer
Automated and AI-generated outputs may be inaccurate, incomplete, or incorrect. The Service is intended to assist your workflows, not to replace official verification, professional judgment, or independent review. You are responsible for reviewing and confirming all AI-extracted information before relying on it.
4.3 No Model Training with Customer Content
We do not use Customer Content to train public, general-purpose, or third-party AI/machine learning models. Customer Content is processed only to provide the Service to you (e.g., to extract fields from a document you upload). We will not use Customer Content for model training unless you provide explicit, affirmative, opt-in consent via a separate written agreement or an in-product setting.
4.4 Third-Party AI Providers
We may use third-party AI services (currently Anthropic's Claude API) to process documents. When we do: (a) we transmit document content to the provider solely for processing; (b) the provider is contractually prohibited from using your data to train its models (per our agreement and Anthropic's data usage policies); and (c) document content is not retained by the provider after processing is complete (subject to the provider's data handling terms, which are available upon request).
5) Communications
5.1 Transactional and Operational Messages
We send transactional and operational communications, including: account verification emails, security notices, configured deadline reminders and alerts, trial expiration notices, billing confirmations, and Service change announcements. These messages are part of the Service, and you cannot opt out of them while you maintain an active account.
5.2 Marketing Communications
We will not send marketing or promotional emails unless you have opted in. You may opt out of marketing communications at any time by clicking the "unsubscribe" link in any marketing email or by contacting us at privacy@permittracker.app.
5.3 Product Update Communications
We may send periodic notifications about new features, improvements, or changes to the Service. These may be sent to current users and, infrequently, to former users whose accounts are no longer active. All such communications include an unsubscribe option; if you opt out, we will stop sending product update communications promptly (within 10 business days).
5.4 Future Communication Channels
If we add SMS, push notifications, or other messaging channels in the future: (a) message frequency will vary based on your configuration; (b) standard message and data rates may apply; (c) opt-out will be available via in-app settings and/or channel-specific controls (e.g., reply STOP for SMS).
5.5 Customer Responsibility for Third-Party Contact Information
If you upload or enter contact information for employees, subcontractors, clients, inspectors, or other third parties, you represent and warrant that you have provided appropriate notices and obtained any required consents to contact them via the Service. You are solely responsible for the lawfulness of such communications.
6) How We Share Information
We may share information in the following circumstances:
6.1 Service Providers (Subprocessors)
We share information with third-party service providers who assist in operating the Service. These providers process information solely on our behalf and under our instructions, and are contractually obligated to protect it. Our current subprocessors include:
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase | Database, authentication, file storage | All Customer Content and account data | United States |
| Vercel | Application hosting | Usage data, IP addresses | United States / Global CDN |
| Anthropic | AI document processing | Document content (for extraction) | United States |
| Resend | Email delivery | Email addresses, notification content | United States |
| Stripe | Payment processing | Billing and payment data | United States |
A current list of subprocessors is maintained at permittracker.app/subprocessors. We will provide notice of material changes to this list.
6.2 Within a Customer Workspace
Information is shared with authorized Users and administrators within a Customer's workspace, subject to the permissions configured by the Customer.
6.3 Legal and Safety
We may disclose information if we believe in good faith that disclosure is necessary to: (a) comply with applicable law, regulation, or legal process (e.g., a subpoena, court order, or government request); (b) protect the rights, safety, or property of the Company, our Users, or the public; (c) investigate or address fraud, security issues, or technical problems; or (d) enforce our Terms of Service.
6.4 Business Transfers
In connection with a merger, acquisition, corporate reorganization, financing, or sale of all or substantially all of our assets, information may be transferred to the successor entity. We will provide notice of any such transfer that materially changes the handling of your information.
6.5 With Your Consent
We may share information with your explicit consent or at your direction.
6.6 No Sale of Personal Information
We do not sell personal information as defined under the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), or any other applicable US privacy law. We do not share personal information for cross-context behavioral advertising.
7) Data Retention
7.1 Active Accounts
We retain information for as long as your account is active and as needed to provide the Service.
7.2 After Account Closure
Upon account termination or cancellation:
| Data Type | Retention Period | Reason |
|---|---|---|
| Customer Content | Deleted within 30 days of export period expiration (typically 60 days total post-cancellation) | Customer data ownership |
| Account information | Deleted or anonymized within 90 days | Administrative purposes |
| Billing records | Retained for up to 7 years | Tax and legal compliance |
| Security and audit logs | Retained for up to 1 year | Security, fraud prevention, legal compliance |
| Backup copies | Purged within 90 days of active deletion | Standard backup rotation |
7.3 Legal Holds
We may retain information beyond the periods above if required by law, legal process, or to protect our legal rights.
7.4 Deletion Requests
You may request deletion of your personal information by contacting privacy@permittracker.app. We will process requests in accordance with applicable law. Note that deletion of Customer Content within a workspace may need to be initiated by the Customer's administrator.
8) Cookies and Similar Technologies
8.1 Types of Cookies We Use
| Type | Purpose | Examples |
|---|---|---|
| Essential | Required for authentication, session management, security, and core functionality | Session cookies, CSRF tokens, authentication tokens |
| Functional | Save your preferences and settings | Language, theme, sidebar state |
| Analytics | Help us understand how the Service is used and improve performance | Page views, feature usage, error tracking |
8.2 No Advertising Cookies
We do not use advertising or tracking cookies. We do not engage in cross-site tracking or behavioral advertising.
8.3 Your Choices
You can control cookies through your browser settings. Disabling essential cookies may prevent the Service from functioning properly. Most browsers allow you to view cookies, delete cookies, and block cookies from specific or all sites.
8.4 Do Not Track
We do not currently respond to "Do Not Track" browser signals, as there is no industry-standard interpretation. We do not engage in cross-site tracking.
9) Security
9.1 Security Measures
We implement reasonable administrative, technical, and organizational safeguards designed to protect information from unauthorized access, disclosure, alteration, and destruction. These measures include:
- Encryption: Data is encrypted in transit (TLS 1.2+) and at rest (AES-256 or equivalent, provided by our infrastructure providers).
- Authentication: Secure password hashing, session management, and support for multi-factor authentication.
- Access Controls: Role-based access controls within the application; least-privilege access for Company personnel to production systems.
- Infrastructure: Hosted on industry-standard cloud infrastructure with built-in security controls.
- Monitoring: Application error monitoring and security logging.
9.2 No Absolute Guarantee
No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
9.3 Incident Response
In the event of a security incident involving unauthorized access to personal information, we will: (a) investigate and take steps to contain the incident; (b) notify affected Customers without unreasonable delay (and within any timeframe required by applicable law); and (c) cooperate with Customers in their notification obligations.
9.4 Your Responsibilities
You are responsible for maintaining the security of your account credentials and for all activity under your account. Please notify us immediately at security@permittracker.app if you believe your account has been compromised.
10) International Data Transfers
10.1 Processing Locations
We operate using infrastructure and service providers that process and store data primarily in the United States. Our personnel and contractors may access systems from locations outside the United States, including Israel.
10.2 Transfer Safeguards
If you access the Service from the European Economic Area (EEA), United Kingdom (UK), Switzerland, or other regions with data transfer restrictions, your data may be transferred to jurisdictions that may not provide equivalent data protection. Where required by applicable law, we rely on appropriate safeguards for such transfers, including contractual protections with our service providers (e.g., Standard Contractual Clauses or equivalent mechanisms).
10.3 Data Processing Addendum
If your organization requires a Data Processing Addendum ("DPA") to comply with GDPR or similar legislation, please contact privacy@permittracker.app.
11) Your Rights
11.1 General Rights
Depending on your location and applicable law, you may have the right to:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete personal information.
- Deletion: Request deletion of your personal information, subject to certain exceptions.
- Portability: Request a copy of your personal information in a structured, machine-readable format.
- Restriction: Request that we restrict processing of your personal information in certain circumstances.
- Objection: Object to our processing of your personal information on grounds relating to your particular situation.
- Withdrawal of Consent: Where processing is based on consent, withdraw consent at any time.
11.2 California Residents (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, and disclose.
- Delete your personal information (subject to exceptions).
- Correct inaccurate personal information.
- Not be discriminated against for exercising your privacy rights.
We do not sell personal information or share it for cross-context behavioral advertising. In the preceding 12 months, we have collected the categories of information described in Section 2. For details on the categories of personal information collected, the purposes of collection, and the categories of third parties with whom information is shared, please refer to Sections 2, 3, and 6 of this Privacy Policy.
11.3 How to Exercise Your Rights
To submit a privacy rights request, contact us at:
- Email: privacy@permittracker.app
- Subject Line: "Privacy Rights Request — [Your Name]"
We will verify your identity before processing requests. We aim to respond within 30 days (or within the timeframe required by applicable law). If we need additional time, we will notify you.
11.4 Workspace-Level Requests
If you use the Service through a Customer's workspace, certain requests (such as deletion of Customer Content) may need to be directed to and initiated by the Customer's administrator. We will assist as appropriate.
12) Children's Privacy
The Service is not intended for individuals under 16 years of age (or the minimum age required by applicable local law). We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child, we will take steps to delete it promptly. If you believe a child has provided information to us, please contact privacy@permittracker.app.
13) Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will provide notice by: (a) posting the updated Privacy Policy with a new "Last Updated" date; and (b) sending an email notification to the address associated with your account or providing a notice within the Service. Your continued use of the Service after the effective date of changes constitutes your acceptance of the updated Privacy Policy.
14) Contact Us
If you have questions about this Privacy Policy or our privacy practices, please contact us at:
PermitTracker
Email: privacy@permittracker.app
Support: support@permittracker.app
For data protection inquiries or to submit a privacy rights request:
Email: privacy@permittracker.app