Privacy Policy

1. Introduction

ConductorIQ ("we," "our," or "us") is operated by ConductorIQ, Inc., a Delaware corporation. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our property management platform at app.conductoriq.com and any associated mobile applications (collectively, the "Service").

By using the Service, you consent to the data practices described in this policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• Full name and email address
• Phone number (optional, for SMS notifications)
• Authentication credentials managed via Google OAuth or email/password through Supabase Auth
• Organization name and role (for B2B accounts)

2.2 Property & Asset Data

Information you provide about your properties, assets, vehicles, maintenance tasks, insurance policies, bills, contractor relationships, and related documents.

2.3 Documents & Files

Files you upload to the document vault, including images, PDFs, receipts, and other documents. Sensitive files are stored with AES-256 encryption at rest.

2.4 Google Account Data

If you connect your Google account, we may access the following data depending on which features you enable. See Section 5 for full details on our Google API usage.

• Google Profile: Name, email address, and profile picture (via Google Sign-In)
• Gmail (read-only): Email content for the Vault auto-scan feature to extract receipts, warranties, gift cards, and financial documents
• Google Calendar: Event creation for service booking calendar sync

2.5 Usage Data

We automatically collect device information, browser type, IP address, pages visited, and usage patterns. We use LogRocket for session replay and Sentry for error tracking to improve the Service.

2.6 Contractor & Service Provider Data

When you search for service providers, we query Google Places API using your property location to find local contractors. Contractor business information (name, phone, address, ratings) is sourced from Google's public business directory.

3. How We Use Your Information

We use the information we collect for the following specific purposes:

• Account management: To create and authenticate your account, manage your subscription, and verify your identity
• Core service delivery: To manage your properties, assets, vehicles, maintenance tasks, insurance policies, bills, and documents
• Contractor services: To search for and recommend service providers, send quote requests, track bookings, and facilitate service completion
• Vault auto-scan: To scan your connected Gmail account (read-only) for receipts, warranties, gift cards, insurance documents, and other financial items, and present them for your review before adding to your vault
• Calendar sync: To create calendar events in your connected Google Calendar for scheduled service appointments
• Notifications: To send service-related notifications including maintenance reminders, bill due dates, approval requests, service booking confirmations, and contractor quote responses via email, SMS, and in-app notifications
• Payments: To process subscription payments and manage billing through Stripe
• Service improvement: To analyze usage patterns, diagnose errors, and improve the Service using aggregated, anonymized data
• Security: To detect and prevent fraud, abuse, and unauthorized access
• Support: To respond to your support requests and provide customer assistance
• Legal compliance: To comply with applicable laws, regulations, and legal processes

4. Data Security

We implement industry-standard security measures including:

• Encryption at rest: AES-256 encryption for sensitive data including vault redemption codes, API credentials, and OAuth tokens
• Encryption in transit: TLS 1.2+ encryption for all data transmitted between your browser and our servers
• Data isolation: Row-level security (RLS) in PostgreSQL ensuring complete data isolation between organizations
• Access control: Role-based access control (RBAC) with six permission levels (owner, admin, manager, member, contractor, guest)
• Authentication: OAuth 2.0 with PKCE flow for secure authentication; session tokens with automatic expiry
• Infrastructure: Hosted on Railway (application) and Supabase (database), both SOC 2 compliant platforms, with AWS S3 for encrypted file storage

5. Google API Data Usage

ConductorIQ's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

5.1 Google Scopes We Request

• Google Sign-In (profile, email): Used to authenticate your identity and create your account. We access your name, email address, and profile picture.
• Gmail Read-Only (gmail.readonly): Used exclusively for the Vault auto-scan feature. We scan your inbox to identify and extract receipts, warranties, gift cards, insurance policies, and vehicle documents. You must explicitly authorize this access, and all extracted items require your manual review and approval before being added to your vault.
• Google Calendar: Used to sync service booking appointments to your Google Calendar. Calendar events are created only when you explicitly click "Add to Google Calendar."

5.2 How We Use Google Data

• Google profile information is used solely for account authentication and display
• Gmail content is scanned server-side to extract structured data (amounts, dates, merchant names) and is not stored in raw form after processing
• Calendar access is used only to create events at your explicit request

5.3 What We Do NOT Do with Google Data

• We do not sell Google user data to any third party
• We do not use Google user data for advertising, ad targeting, or ad personalization
• We do not use Google user data for AI/ML model training, fine-tuning, or any machine learning purposes beyond providing the Service to you
• We do not share Google user data with third parties except as necessary to provide the Service (e.g., storing extracted vault items in our database hosted on Supabase)
• We do not retain raw Gmail content after processing; only the structured data you approve is stored

5.4 Revoking Google Access

You can revoke ConductorIQ's access to your Google account at any time:

1. Go to your Google Account Permissions page
2. Find "ConductorIQ" in the list of connected apps
3. Click "Remove Access"

Revoking access will disable the Vault auto-scan and Calendar sync features but will not affect your existing account or previously saved vault items.

6. Data Sharing & Third-Party Processors

We do not sell your personal information. We share data only with the following categories of service providers who process data on our behalf:

We may also disclose your data:

• Legal requirements: When required by law, subpoena, or court order
• Business transfers: In connection with a merger, acquisition, or sale of assets, with prior notice to affected users
• Safety: To protect the rights, property, or safety of ConductorIQ, our users, or the public

7. Data Retention

• Active accounts: We retain your data for as long as your account is active and as needed to provide the Service
• Account deletion: Upon account deletion request, we remove your personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., billing records)
• Google data: Raw Gmail content is not stored after processing. Extracted vault items are retained until you delete them or your account
• Backups: Encrypted database backups may retain data for up to 90 days after deletion
• Anonymized data: Aggregated, anonymized analytics data may be retained indefinitely for service improvement

8. Data Deletion & Revoking Access

You can request deletion of your data or revoke access at any time:

8.1 Delete Your Account

1. Log in to your ConductorIQ account
2. Navigate to Settings > Account > Delete Account
3. Confirm deletion (this action is irreversible)

All personal data, properties, assets, documents, and vault items will be permanently deleted within 30 days.

8.2 Request Data Deletion via Email

Send a deletion request to privacy@conductoriq.com from the email associated with your account. We will process your request within 30 days and send confirmation.

8.3 Revoke Google Access

Visit Google Account Permissions and remove ConductorIQ. This immediately disables Gmail scanning and Calendar sync.

8.4 Export Your Data

Before deleting your account, you can export your data in portable formats (CSV, PDF) from Settings > Account > Export Data.

9. Your Rights

9.1 Rights for All Users

Regardless of your location, you have the right to:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your personal data
• Portability: Export your data in a machine-readable format
• Opt-out: Opt out of marketing communications at any time
• Withdraw consent: Revoke consent for optional data processing (e.g., Gmail scanning)

9.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to know: What personal information we collect, use, and disclose
• Right to delete: Request deletion of your personal information
• Right to opt-out of sale: We do not sell personal information
• Right to non-discrimination: We will not discriminate against you for exercising your rights
• Right to correct: Request correction of inaccurate personal information
• Right to limit use of sensitive data: Limit use and disclosure of sensitive personal information

To exercise these rights, contact us at privacy@conductoriq.com. We will respond within 45 days.

9.3 European Residents (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

• Legal basis: We process your data based on contractual necessity (providing the Service), legitimate interest (improving the Service), and consent (optional features like Gmail scanning)
• Right to restrict processing: You may request that we restrict processing of your data in certain circumstances
• Right to object: You may object to processing based on legitimate interests
• Right to lodge a complaint: You may file a complaint with your local data protection authority
• Data transfers: Your data is processed in the United States. We rely on Standard Contractual Clauses (SCCs) for international data transfers where required

To exercise these rights, contact us at privacy@conductoriq.com. We will respond within 30 days.

10. Cookies

We use the following types of cookies:

• Essential cookies: Required for authentication, session management, and CSRF protection. These cannot be disabled.
• Analytics cookies: Used by LogRocket for session replay to improve the Service. You can opt out via browser settings.

We do not use third-party advertising cookies or tracking pixels for ad targeting.

11. Children's Privacy

The Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 18, we will delete it promptly. Contact us at privacy@conductoriq.com if you believe a child has provided us with personal information.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting the updated policy on this page with a new "Last updated" date
• Sending an email notification for significant changes
• Displaying an in-app notification upon your next login

Continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy, wish to exercise your data rights, or have a privacy concern, contact us at: