PRIVACY POLICY

Effective Date: April 5, 2026

Last Updated: April 5, 2026

Procured LLC ("Procured," "Company," "we," "us," or "our") respects your privacy and is committed to protecting it through this Privacy Policy. This Privacy Policy describes how we collect, use, disclose, store, and protect information when you access or use our website, web application, mobile applications (iOS and Android), and related services (collectively, the "Services").

This Privacy Policy applies to all users of the Services, including contractors and their employees who use the Procured mobile app in the field, and clients who interact with Procured-powered portals, proposals, and invoices.

1. INFORMATION WE COLLECT

We collect the following categories of information when you interact with the Services:

A. Account & Personal Information

  • Name, email address, phone number, and password
  • Profile photo (optional)
  • Business name, role, and company information
  • Mailing and service addresses
  • Authentication identifiers from Sign in with Apple or Sign in with Google, if you choose those sign-in methods

B. Financial Information

  • Payment card and bank account information, collected and processed directly by our payment processor, Stripe. Procured does not store full card numbers or bank credentials on its servers.
  • Invoices, quotes, payment history, payouts, and transaction metadata generated by your use of the Services.
  • For contractors using Procured Payments (Stripe Connect): business tax identifiers, beneficial owner information, and other data required by Stripe for identity verification and anti-money-laundering compliance.

C. Location Information

If you use the Procured mobile app and grant location permissions, we collect:

  • Precise (GPS) location while the app is in use, to show your position on the map and associate photos and notes with job sites.
  • Background precise location, only if you explicitly grant "Always" (iOS) or "Allow all the time" (Android) location permission. Background location is used solely to automatically detect arrival at and departure from scheduled job sites, to track visit duration for time and billing, and to enable dispatch and routing features for contractor administrators. It is not used for advertising and is not sold to any third party.
  • Device motion data, used to reduce GPS polling and conserve battery during location tracking.

You may revoke location permissions at any time in your device settings. Doing so will disable automatic visit detection and related features but will not prevent you from using the rest of the app.

D. Photos, Files, and Media

  • Photos and videos you capture with the in-app camera or select from your photo library to attach to jobs, quotes, invoices, or service requests.
  • Documents you upload (e.g., PDFs, spreadsheets) for attachment to records in the Services.
  • Image metadata (such as capture timestamp and, where available, embedded location) associated with uploaded photos.

E. Contacts & Calendar (Optional)

If you choose to import clients from your device address book or sync scheduled visits to your device calendar, we access your contacts or calendar only with your explicit permission and only to perform the specific import or sync you requested. Contact and calendar data is not used for advertising and is not shared with third parties beyond the infrastructure providers described in Section 4.

F. Device & Usage Information

  • Device identifiers, device model, operating system and version, app version, language, and timezone
  • IP address and approximate (IP-based) location
  • Log data, including pages or screens viewed, features used, actions performed, timestamps, and crash and performance diagnostics
  • Push notification tokens (issued by Apple Push Notification Service and Firebase Cloud Messaging) used solely to deliver notifications from the Services

G. Content You Create

Information you enter into the Services in the course of running your business, including client records, job details, schedules, quotes, invoices, notes, time and labor entries, expenses, and similar operational data. This content belongs to you and your organization; we process it on your behalf to provide the Services.

2. HOW WE USE YOUR INFORMATION

We use the information we collect to:

  • Provide, operate, maintain, and improve the Services
  • Create and manage your account and authenticate your sessions
  • Process payments, payouts, refunds, and related financial operations through Stripe
  • Enable core field-service features such as scheduling, route planning, visit tracking, dispatch, time and labor tracking, and invoicing
  • Send transactional communications (e.g., appointment confirmations, invoices, password resets) by email, SMS, and push notification
  • Send marketing communications, but only where you have provided explicit, optional consent (see Section 6)
  • Monitor, diagnose, and fix crashes, errors, and performance issues
  • Detect, investigate, and prevent fraud, abuse, and security incidents
  • Comply with legal obligations and enforce our Terms of Service and other agreements

We do not use your personal information, photos, contacts, calendar data, or location data for advertising, and we do not sell your personal information.

3. LEGAL BASES FOR PROCESSING (EEA / UK USERS)

If you are located in the European Economic Area or the United Kingdom, we process your personal data on the following legal bases:

  • Contract: to provide the Services you or your employer have signed up for
  • Legitimate interests: to secure, improve, and promote the Services, where our interests are not overridden by your rights
  • Consent: for marketing communications, optional device permissions (location, camera, photos, contacts, calendar, notifications), and any other processing that requires consent under applicable law
  • Legal obligation: to comply with tax, accounting, anti-money-laundering, and other legal requirements

4. HOW WE SHARE INFORMATION; THIRD-PARTY SERVICES AND SDKs

We do not sell or rent your personal information. We share information only in the following circumstances, and only to the extent necessary:

  • Within your organization: Information you enter into the Services is visible to other authorized users within your Procured organization in accordance with their assigned roles and permissions.
  • With your clients: Quotes, proposals, invoices, and related records you send to your clients through the Services are visible to those clients.
  • With service providers and sub-processors that help us operate the Services, as listed below. Each provider is contractually required to protect your data and use it only to provide services to us.
  • For legal and safety reasons, where required by law, subpoena, court order, or to protect the rights, property, or safety of Procured, our users, or the public.
  • In connection with a business transaction such as a merger, acquisition, financing, or sale of assets, subject to customary confidentiality protections.

The Services use the following third-party providers and software development kits (SDKs). Some of these providers may receive personal information (including device identifiers, IP address, diagnostic data, or, where applicable, the content you submit to them) in the course of providing their services to us:

| Provider | Purpose | Data Received |
|---|---|---|
| Supabase, Inc. (hosted on Amazon Web Services) | Primary application database, authentication, and file storage. SOC 2 Type 2 certified. | Account credentials, all business content you create, uploaded files, device and IP metadata |
| Stripe, Inc. | Payment processing and Stripe Connect payouts | Name, email, payment instruments, business and tax identifiers (EIN, SSN for sole proprietors), transaction data |
| Mapbox, Inc. | Maps, geocoding, directions, and route optimization. Anonymous telemetry disabled. | Approximate and precise location, search queries, device identifiers |
| Transistor Software (react-native-background-geolocation) | On-device background location engine used for visit detection. HTTP upload feature is disabled; location data does not leave the device except to our Supabase database. | Precise location and motion data processed on-device only |
| Sentry (Functional Software, Inc.) | Crash reporting, error monitoring, and performance diagnostics. We configure Sentry with sendDefaultPii: false and a scrubber that strips emails, phone numbers, tax IDs, and other PII from events before transmission. | Stack traces, device model, OS version, app version, and an internal user UUID (not an email or name) |
| Google Firebase Cloud Messaging (FCM) | Android push notification delivery | FCM registration token and notification payload metadata |
| Apple Push Notification Service (APNs) | iOS push notification delivery | APNs device token and notification payload metadata |
| Expo (648 LLC) | Mobile app build and over-the-air update infrastructure (EAS Build). Processes source code during builds. | Application source code and build artifacts; no runtime user data |
| Google Sign-In and Sign in with Apple | Optional third-party authentication | Name, email, and authentication identifier provided by the identity provider when you choose to sign in |
| Twilio, Inc. | SMS delivery for transactional and (with consent) marketing messages | Phone number and message content |
| Resend, Inc. | Transactional and (with consent) marketing email delivery | Email address and message content |
| Cloudflare, Inc. | Content delivery, DNS, and DDoS protection for our websites | IP address, request metadata, and content served through the CDN |
| Amazon Web Services and Google Cloud Platform | Underlying compute, storage, and network infrastructure (through Supabase and our own usage) | All data transmitted to and from the Services in the course of normal operation |

This list is representative and may change as we improve the Services. We will update this Privacy Policy when material changes occur.

5. GOOGLE PLAY DATA SAFETY SUMMARY

The following summary is provided to help Android users understand what data the Procured mobile app collects and shares. This summary is informational and does not replace the more detailed disclosures in Sections 1 and 4.

  • Data collected: name, email, phone number, user ID, photos, files and documents, precise location (including in the background, if you grant permission), app activity, app info and performance, device or other identifiers, and payment information (handled by Stripe).
  • Data shared with third parties: the minimum data necessary is shared with the service providers listed in Section 4 to operate the Services (for example, payment data with Stripe, diagnostic data with Sentry, map queries with Mapbox).
  • Data is encrypted in transit using TLS 1.2 or higher, and encrypted at rest in our Supabase database using AES-256 (provided by Amazon RDS).
  • You can request deletion of your data at any time (see Section 7).
  • We do not sell or share your personal data, do not use your data for third-party advertising, and do not use any cross-app tracking identifiers.

6. MARKETING COMMUNICATIONS

We may send marketing communications, including email newsletters, product updates, promotional offers, and SMS notifications, only to users who have provided explicit, optional consent.

  • Consent: Marketing consent is collected during account creation or in account settings, and is entirely optional. You can use the Services without consenting to marketing. For SMS marketing, consent is captured as TCPA-compliant express written consent with a timestamp, IP address, and the exact language you agreed to.
  • Frequency and rates: Marketing emails and SMS are sent periodically (typically no more than a few messages per month). Msg & data rates may apply for SMS.
  • Unsubscribe: You can opt out at any time by clicking the unsubscribe link in any marketing email, replying STOP to any marketing SMS, replying HELP to any marketing SMS for help information, or contacting us at privacy@procured.us.
  • Transactional messages: Regardless of marketing preferences, we may send you operational messages (password resets, invoices, appointment reminders, security alerts) because they are necessary to provide the Services. You may reply STOP to any SMS (including transactional) to stop further messages on that phone number under carrier rules.

7. YOUR RIGHTS AND CHOICES

Depending on where you live, you may have some or all of the following rights regarding your personal information:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Ask us to correct inaccurate or incomplete data.
  • Deletion: Request that we delete your personal data, subject to legal or contractual retention obligations.
  • Portability: Request your data in a portable, machine-readable format.
  • Objection and restriction: Object to or restrict certain processing of your data.
  • Withdraw consent: Withdraw any consent you previously provided (for example, for marketing or for device permissions).
  • Non-discrimination: We will not discriminate against you for exercising your privacy rights.

California residents (CCPA/CPRA): You have the right to (a) know what personal information we collect, (b) delete it, (c) correct it, (d) limit our use of Sensitive Personal Information, (e) opt out of any sale or sharing of personal information, and (f) designate an authorized agent to make requests on your behalf. Procured does not sell or share personal information as those terms are defined under the CCPA/CPRA, and we do not use data for cross-context behavioral advertising. If you designate an authorized agent, we may require proof of the agent's authority before processing the request.

Sensitive Personal Information (CPRA). The following categories we collect are considered Sensitive Personal Information: precise geolocation (background location for visit detection), account login credentials, date of birth (when an employer chooses to enter one for an employee), and government identification numbers such as Social Security Number or Employer Identification Number (collected by our payment processor Stripe for sole-proprietor Stripe Connect accounts). We use this information only as necessary to provide the Services, and California residents may request that we limit its use to that purpose.

Do Not Sell or Share My Personal Information. Procured does not sell or share personal information as those terms are defined under the CCPA/CPRA and similar state laws. If that ever changes we will publish a dedicated opt-out mechanism on this page and in our applications before any sale or share begins.

Residents of Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Delaware, New Hampshire, New Jersey, Maryland, Minnesota, Rhode Island, Nebraska, and Kentucky have substantially similar rights under their state privacy laws, and may exercise them by contacting us at the email below. We will respond within the timeframe required by your state's law (typically 45 days) and will provide an appeal mechanism where required.

To exercise any of these rights, contact us at privacy@procured.us. We will respond within the timeframes required by applicable law.

Account and data deletion. You may request deletion of your individual user account at any time from within the Procured mobile or web app, or by submitting a request at procured.us/delete-account. If you are the owner of a Procured organization (company), you may also request deletion of the entire organization and all associated business records. Because a Procured organization may contain financial records, invoices, payroll data, tax information, and other records that the organization or its owner is legally required to retain, full organization deletion may involve identity verification, a confirmation waiting period, and the opportunity to export data before deletion. Certain records may be retained after deletion only to the extent required by law (for example, financial, tax, and anti-money-laundering records) or to protect our legal rights. We will inform you of the expected timeline and confirm when deletion is complete.

8. DATA RETENTION

We retain personal information for as long as your account is active or as needed to provide the Services, and longer where required by law. The table below describes how long we retain each category after an account or company is deleted.

| Category | Retention after deletion | Reason |
|---|---|---|
| Account PII (name, email, phone, photo, DOB, home address) | Immediate anonymization on request | GDPR erasure / CCPA deletion |
| Push tokens, device records, active sessions | Immediate hard-delete | No legal retention need |
| Operational business data (clients, jobs, quotes, notes) | Purged within 30 days of company deletion | Minimization |
| Financial records (invoices, payments, refunds, ledger entries) | 7 years in secure cold storage, then purged | IRS, state tax, NY 6-year wage law |
| Payroll records (timesheets, pay runs, expenses) | 7 years in secure cold storage | FLSA + state payroll retention |
| Stripe Connect account metadata | 7 years in secure cold storage | Bank Secrecy Act (5-year floor) |
| Audit trail (anonymized) | 7 years in secure cold storage | Compliance proof |
| Sentry diagnostic events | Up to 90 days at Sentry | Operational debugging |
| Database backups (Supabase) | Up to 30 days | Disaster recovery |
| Marketing consent audit trail | 6 years | GDPR Article 7 proof of consent |

Cold storage records are stored in a separate, access-restricted location that cannot be read through the application itself, and are purged automatically when the retention period expires. Access to cold storage requires a documented break-glass process with two-person approval and audit logging.

9. DATA SECURITY

We implement administrative, technical, and physical safeguards to protect your data, including:

  • TLS 1.2 or higher for all network communication
  • AES-256 encryption at rest for all database content (provided by Supabase on Amazon RDS)
  • Row-Level Security policies in our database that enforce tenant isolation at the SQL layer
  • Hardware-backed secure storage for authentication tokens on mobile devices (iOS Keychain / Android Keystore)
  • A minimum password length of 12 characters, combined with Supabase Auth's built-in rate limiting and brute-force protection
  • Role-based access controls, audit logging, and least-privilege access for our personnel
  • SOC 2 Type 2 certified infrastructure (inherited from Supabase and Stripe)

PCI DSS scope. Payment card data is handled exclusively by Stripe and never touches Procured's servers. This places Procured in PCI DSS SAQ-A scope. You can review Stripe's current PCI attestation at stripe.com/docs/security.

No system can be guaranteed to be completely secure, and we cannot guarantee absolute security of information transmitted to or stored in the Services.

10. INTERNATIONAL DATA TRANSFERS

Procured is based in the United States, and the Services and most of our service providers operate in the United States. If you access the Services from outside the United States, your information will be transferred to, stored in, and processed in the United States and other countries where we or our service providers operate.

For personal data transferred from the European Economic Area, United Kingdom, or Switzerland, we rely on the following lawful transfer mechanisms:

  • The European Commission's Standard Contractual Clauses (SCCs), using Module 2 (controller-to-processor) for our own vendors and Module 3 (processor-to-processor) where we act as a processor for our customers;
  • The UK International Data Transfer Addendum (UK IDTA) for UK data subjects;
  • The Swiss FDPIC-recognized SCC variant for Swiss data subjects;
  • Our own Transfer Impact Assessment (available on request);
  • Where available, adequacy decisions under the EU-US Data Privacy Framework for certified providers.

By using the Services you acknowledge these transfers. If you have questions about a specific transfer mechanism, contact us at the email below and we will provide the relevant details.

11. COOKIES AND TRACKING TECHNOLOGIES

Our website and web application use cookies and similar technologies to keep you signed in, remember your preferences, and measure aggregate usage. You can manage cookie preferences through your browser settings.

The Procured mobile app does not use cookies (mobile apps generally do not), does not use any advertising identifiers (no IDFA, no Android Advertising ID), does not use cross-app tracking SDKs, and does not participate in any ad network or data broker program.

12. CHILDREN'S PRIVACY AND MINOR EMPLOYEES

The Services are intended for business use by adults and are not directed to children under the age of 13. We do not knowingly collect personal information from children under 13, and we do not permit accounts to be created on behalf of children under 13. If we learn that we have collected personal information from a child under 13, we will delete it promptly. If you believe a child has provided personal information to us, please contact us at privacy@procured.us.

The Services are not intended for minors under 14 in any capacity. Minors aged 14 to 17 may only be added by their employer as employees, subject to applicable child labor laws.

Contractors who use the Services as an employer are solely responsible for complying with all applicable federal, state, and local labor laws when adding minor employees, including the Fair Labor Standards Act Hazardous Occupation Orders (which prohibit workers under 18 from roofing, excavation, operating certain power tools, and driving company vehicles outside narrow exemptions), the hour restrictions for 14-15 year olds, any required parental consent, and state work permits. Procured does not independently verify the age of employees added to a contractor's account.

13. THIRD-PARTY LINKS

The Services may contain links to third-party websites or services not operated by Procured. We are not responsible for the privacy practices of those third parties, and we encourage you to review their privacy policies before providing any information.

14. NO TRACKING, NO ADVERTISING, NO DATA BROKERS

Procured does not display third-party advertising in the Services. We do not use advertising SDKs, cross-app tracking identifiers, or the iOS Identifier for Advertisers (IDFA). We do not share personal information with data brokers. We do not link your data with third-party data for targeted advertising or advertising measurement. In Apple App Store terms, your data is not "used to track you." We verify this on each iOS release using the iOS App Privacy Report.

14A. OUR ROLE AS CONTROLLER AND PROCESSOR

Under the GDPR and similar laws that distinguish between data controllers and data processors, Procured plays two distinct roles:

  • For personal data of your business's clients and employees that you enter into Procured, you (the contractor) are the data controller and Procured is a data processor acting on your instructions. We will execute a Data Processing Agreement (DPA) with any customer that requests one -- email privacy@procured.us.
  • For personal data we collect directly -- your account credentials, billing information, marketing preferences, usage analytics, crash diagnostics -- we are the controller.

14B. AUTOMATED DECISIONS AND PROFILING

Procured includes an automated scheduling engine that assists contractor administrators in assigning visits and jobs to employees based on location, skills, availability, and estimated drive time. The engine's output is always reviewed and approved by a human administrator before any employee is dispatched, and employees may raise concerns about any assignment directly with their employer. For the purposes of GDPR Article 22, Procured does not use solely automated decision-making that produces legal or similarly significant effects on individuals.

14C. ARTIFICIAL INTELLIGENCE AND MODEL TRAINING

Procured may use third-party large language model (LLM) and machine learning services to power optional features such as voice-to-text intake, document summarization, or automated categorization of expenses. When these features are used:

  • Content you submit to an AI feature is sent to our AI provider under a data processing agreement that prohibits the provider from retaining or using your content to train their general-purpose models.
  • We do not use your business content or personal data to train our own models or any third party's models.
  • AI features are always optional and can be disabled in Settings.

14D. HOW WE OBTAIN CONSENT

Where we rely on your consent (for marketing communications, optional device permissions, or processing that requires consent under applicable law), we present the request clearly at the point of collection, record your affirmative response along with a timestamp and the exact text you agreed to, and retain that record for the period described in the retention table in Section 8 so we can demonstrate compliance. You can withdraw consent at any time without affecting the lawfulness of processing that happened before withdrawal.

15. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time, for example when we add new features, change service providers, or respond to changes in the law. We review this Privacy Policy at least once every 12 months as required by California law.

When we make material changes, we will provide affirmative notice by email to the email address on your account and by an in-app notice the next time you open the Services, and we will not apply the changes to data we already hold until you have had a reasonable opportunity to review them. We will update the "Last Updated" date at the top of this page on any change.

If we introduce new categories of data collection (for example, additional financial or accounting features, bank account linking, or new AI features), we will update this Privacy Policy, our Google Play Data Safety form, and our Apple App Privacy Details before those features are released.

16. CONTACT US

If you have any questions or requests regarding this Privacy Policy or our data practices, please contact us at:

Procured LLC

Email: privacy@procured.us

BY USING THE SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREED TO THIS PRIVACY POLICY.