Privacy Policy

Effective: May 4, 2026

This Privacy Policy explains how CoastalOps (“we”, “us”) collects, uses, and protects information when you use the CoastalOps platform (the “Service”).

1. Information We Collect

You provide

  • Account info: name, email, phone number, role (admin / overseer / technician / maintenance), company name, and billing address.
  • Operational data: service points (customer property addresses), routes, jobs, photos, chemical readings, technician notes, and timestamps.
  • Customer contact info: name, email, and phone for your end-customers (the property owners you serve), used to send repair updates and invoices on your behalf.
  • Payment info: billing details are collected and stored by Stripe; we do not store full card numbers.

Collected automatically

  • Device + usage data: IP address, browser, device type, pages viewed, action timestamps. Used for security, debugging, and product analytics.
  • GPS: if you enable location services in the technician app, we record approximate coordinates at job check-in for proof of service. You can disable this in your device settings; jobs will still complete without GPS.
  • Cookies: session cookies for authentication and role preview, plus first-party cookies from Supabase and Stripe. We do not use third-party advertising or tracking cookies.

2. How We Use Information

  • To provide and operate the Service.
  • To process billing and send transactional emails (invoices, repair notifications, account alerts).
  • To detect and prevent fraud, abuse, and security incidents.
  • To improve the Service — feature analytics, performance monitoring, and aggregate usage metrics.
  • With your permission, to power AI features (e.g. voice command, email parsing) by sending the relevant input to our model providers under their data-processing terms.

We do not sell your personal information or your customers' contact information.

3. Sharing

We share data only with:

  • Subprocessors who help us run the Service: Supabase (database, auth, storage), Vercel (hosting), Stripe (billing), Resend (transactional email), Twilio (SMS), Anthropic (AI inference), Sentry (error monitoring), and QuickBooks Online (only if you connect it). Each is contractually bound to use your data only to provide their service to us.
  • Your team within your CoastalOps tenant, scoped by role. Cross-tenant data is isolated via row-level security.
  • Legal authorities when required by law or valid legal process. We will challenge overbroad requests and notify you when permitted.
  • Acquirers in the event of a merger, sale, or asset transfer, subject to this Privacy Policy.

4. Data Retention

  • Account data: kept while your subscription is active and for 30 days after termination.
  • Job photos — cleaning: we purge routine pool-cleaning photos each January (a year-end retention cycle designed for the seasonal nature of pool service).
  • Job photos — evidence: repair, equipment, chemical, and filter photos are retained as part of the audit trail for as long as your subscription is active.
  • Logs + analytics: operational logs are kept for 90 days; aggregated metrics are retained longer.
  • Billing records: retained for 7 years to satisfy tax and accounting requirements.

5. Your Rights

Depending on your location, you may have rights to access, correct, export, or delete your personal information. To exercise these rights, email support@coastalops.io from the email associated with your account. We will respond within 30 days.

California residents have additional rights under the CCPA/CPRA, including the right to know what we collect and the right to delete.

EU/UK residents have rights under GDPR/UK-GDPR. We rely on legitimate-interest and contract bases to process your data; you may object or withdraw consent at any time.

6. Security

We use industry-standard measures including TLS in transit, encryption at rest (Supabase / Vercel managed), row-level security for tenant isolation, signed webhook verification, and Sentry-based anomaly detection. No system is perfectly secure; if a breach affects your data, we will notify you within 72 hours of confirmation.

7. Children

The Service is not directed to children under 16 and we do not knowingly collect data from them. If you believe a child has provided us data, contact us and we will delete it.

8. International Transfers

Our infrastructure is hosted primarily in the United States. If you access the Service from outside the US, you understand your data will be transferred to and processed in the US. For EU/UK transfers we rely on standard contractual clauses with our subprocessors.

9. Changes

We may update this Privacy Policy from time to time. Material changes will be posted here and emailed at least 14 days before they take effect.

10. Contact

Questions or requests about your data? Email support@coastalops.io.