PRIVACY POLICY
LAST UPDATED: JUNE 19, 2026
This Privacy Policy explains how [Legal Entity Name] (“Spotter,” “we,” “us”) collects, uses, shares, and protects information in connection with the Spotter web application and related services (the “Service”). Spotter lets construction safety professionals author Internal Traffic Control Plans (ITCPs), deliver them as multilingual visual briefings to field crews, and maintain an acknowledgment log for OSHA compliance.
For most personal data about field workers, Spotter acts as a processor on behalf of the customer (the employer), who is the controller of that data. For account-holder data, Spotter is the controller. Where this distinction matters, it is called out below.
1. Information We Collect
ACCOUNT HOLDERS
When you create or use a Spotter account, we collect your name and email address. If you sign in with Google or Microsoft (Entra) OAuth, we receive your name and email from that provider. If you sign up with email and password, we store your email and a securely hashed password. We also collect your organization name and your role within it.
FIELD WORKERS
When a worker acknowledges a safety briefing through a tokenized link, we collect the name they provide and acknowledgment metadata: the timestamp, the language the briefing was viewed in, the tokenized link used, and any optional fields the employer requests (such as trade or crew). This data is collected on behalf of the customer who published the briefing, to document that the briefing was delivered and acknowledged.
SITE IMAGERY & PLAN CONTENT
We store the site imagery you upload and the plan content you author (zones, equipment placements, waypoints, annotations, notes, and exports). When you use “Start from location,” we send the location you enter to Mapbox to retrieve satellite imagery and geocoding results, which we then store as the base image for your plan.
2. Sub-processors
We rely on the following third parties to process data on our behalf. Each is bound by contractual data-protection obligations.
- Vercel: Application hosting and delivery
- Neon: PostgreSQL database storage
- Supabase: Storage of uploaded site imagery and generated exports
- Mapbox: Satellite imagery and geocoding for “Start from location”
- Resend: Transactional email delivery
- Google and Microsoft: Authentication (OAuth sign-in)
3. How We Use Information & Legal Basis
We use the information above to deliver and operate the Service: to authenticate accounts, author and render traffic-control plans, deliver multilingual briefings, capture acknowledgments, and generate the compliance documentation our customers rely on for OSHA recordkeeping. We also use it to secure the Service, prevent abuse, provide support, and improve reliability.
Our legal bases for processing are: performance of our contract with the customer; our legitimate interests in operating and securing the Service; compliance with legal obligations; and, where applicable, consent. For field-worker data, the customer (employer) determines the legal basis for collecting acknowledgments.
4. Data Retention
We retain account data for as long as the account is active and as needed to provide the Service. Plan content, imagery, and acknowledgment records are retained for the customer's account so that compliance documentation remains available; the customer controls how long worker acknowledgment records are kept and may request deletion. We delete or anonymize data when it is no longer needed for the purposes above or when required by law.
5. Security
Data is encrypted in transit (TLS). We restrict access to personal data to personnel and systems that need it, use authentication and access controls, and rely on reputable infrastructure providers (listed above) for encryption at rest and operational security. No method of transmission or storage is perfectly secure, but we work to protect your information.
6. Your Rights
Depending on your jurisdiction, you may have rights to access, correct, export, or delete your personal data, and to object to or restrict certain processing. Account holders can exercise these rights by contacting us at [privacy contact email].
Because Spotter is a processor for field-worker acknowledgment data, workers who want to access, correct, or delete that data should direct their request to their employer (the customer that published the briefing). We will assist our customers in responding to such requests.
7. Cookies
We use a small number of cookies that are necessary for the Service: session and authentication cookies to keep you signed in, and a locale-preference cookie that remembers the language a worker selects for a briefing. We do not use third-party advertising or cross-site tracking cookies.
8. Children
The Service is a workplace tool intended for use by professionals. It is not directed at children under 16, and we do not knowingly collect personal data from them.
9. International Transfers
Our sub-processors may process data in the United States and other countries. Where required, we rely on appropriate safeguards for cross-border transfers of personal data.
10. Changes to This Policy
We may update this Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify account holders.
11. Contact
Questions about this Policy or our data practices can be directed to [privacy contact email], or by mail to [Company mailing address].
This document is a working draft pending review by legal counsel.