Privacy Policy

1. Who we are, and the scope of this policy

Epitaph LLC operates the Service. This policy applies to personal information we handle as a business/controller — primarily account, billing, support, and usage data.

Much of the content created in the Service (inspections, notes, and photos) is submitted by our business customers and their personnel. For that content, the customer organization decides what is collected and why; we process it as a service provider / processoron the organization’s behalf and under its instructions, and the organization’s own privacy notice governs. If an organization gave you access to the Service (for example, your employer), please direct privacy requests about inspection content to that organization — we will assist them as their processor.

2. Information we collect

We collect the following categories of information:

• Account & profile data — name, email address, role (inspector, manager, or admin), the organization you belong to, and your password (stored only in hashed form by our authentication provider).
• Information from your organization — an administrator may create your account, set your role, and assign your manager.
• Inspection content — checklists, pass/fail verdicts, notes, findings, sign-off names, and photos or document attachments uploaded during an inspection.
• Billing data — your plan, seat counts, and billing contact. Card details are collected and stored directly by our payment processor (Stripe); we never receive or store full card numbers.
• Usage, device & log data — IP address, browser and device information, pages and features used, timestamps, and actions taken in the Service.
• Communications — messages you send us (for example, support or sales inquiries) and your contact details.

3. How we use information

We use personal information to:

• provide, operate, maintain, and secure the Service;
• authenticate users and enforce role-based access within an organization;
• generate inspection reports and, where an organization enables it, deliver them to integrations;
• process subscriptions and send transactional email (invitations, password resets, overdue notices, and service messages);
• monitor reliability, diagnose and debug errors, and detect, prevent, and address fraud, abuse, or security issues;
• analyze usage to understand and improve the Service;
• comply with legal obligations and enforce our agreements; and
• communicate with you, and (only where permitted) send product updates you can opt out of.

4. Legal bases for processing (EEA/UK)

If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases: performance of a contract (to provide the Service you or your organization signed up for); our legitimate interests (to secure, support, and improve the Service and prevent abuse, balanced against your rights); consent (where we ask for it, such as certain optional communications — you may withdraw it at any time); and compliance with legal obligations. Where we act as a processor for a customer organization, that organization is responsible for the legal basis of its processing.

5. Photos and location data

Inspection photos are an important part of the record. To protect privacy, when a photo is uploaded we generate an optimized copy and strip embedded metadata, including EXIF GPS location, before the image is stored. We do not use your device’s precise geolocation, and the Service requests no location permission.

6. How we disclose information

We do not sell your personal information. We disclose it only as described here:

• Service providers (subprocessors) who process data on our behalf to run the Service — hosting, database and file storage, email delivery, payments, and error monitoring. See our Subprocessors list.
• At your direction — when an organization enables an integration (for example, Procore or a webhook it configures), we send the data it specifies to that destination.
• Legal, safety, and rights — when required by law or legal process, or to protect the rights, property, or safety of our users, the public, or us.
• Business transfers — in connection with a merger, acquisition, financing, or sale of assets, subject to this policy.
• With your consent, or as otherwise disclosed at the time of collection.

We do not sell personal information, and we do not share it for cross-context behavioral advertising.

7. On-device and offline storage

Artifact works offline. Inspection data and photos you capture in the field are stored locally in your browser (IndexedDB) until they sync to our servers. This local data — along with cached templates and your offline session — is erased when you sign out or switch users on a shared device.

8. Cookies and similar technologies

We use strictly necessary cookies to keep you signed in and to secure requests; the Service does not function without them. We also use a privacy-conscious error-monitoring tool (Sentry) to capture diagnostics when something breaks. We do not use third-party advertising or cross-site tracking cookies. Because we do not sell or share personal information or use cross-context advertising, browser signals such as Global Privacy Control have nothing to opt out of for that purpose.

9. Data retention

We keep account and inspection records for as long as your organization’s account is active. Inspection photos and attachments are retained for a configurable window — one year by default — measured from when an inspection is completed, after which the underlying files are deleted to bound storage; the inspection record itself (results, notes, statuses) is preserved. When an account is closed, we delete or de-identify personal information within a reasonable period, except where we must retain it to meet legal, accounting, security, or dispute-resolution obligations; residual copies may persist in backups for a limited time before they cycle out. We keep security and audit logs for a limited period to protect the Service.

10. Security

We protect data with encryption in transit (HTTPS/HSTS), database row-level security that isolates each organization’s data, role-based access controls, EXIF/GPS stripping on uploaded photos, and audit logging of sensitive actions. No method of transmission or storage is perfectly secure, but we work to safeguard your information and to limit access to those who need it. If we become aware of a security breach affecting your personal information, we will notify you and the appropriate authorities as required by applicable law.

11. Your privacy rights

Depending on where you live, you may have the right to access, correct, delete, or receive a portable copy of your personal information; to restrict or object to certain processing; and to withdraw consent where processing is based on consent. To exercise a right, contact us at epitaphlabs@outlook.com.

We will verify your request (typically by confirming control of the email on file) and respond within the time required by applicable law. An authorized agent may submit a request on your behalf with proof of authorization. We will not discriminate against you for exercising your rights. If we decline a request, you may appeal by replying to our response, and you may also lodge a complaint with your data-protection supervisory authority or applicable state regulator. If your personal information was provided to us by an organization using the Service, please direct your request to that organization.

12. California privacy rights (CCPA/CPRA)

If you are a California resident, you have additional rights. In the past 12 months we have collected these categories of personal information: identifiers (such as name, email, and IP address); commercial information (such as subscription and billing details); internet or network activity (such as usage and log data); general geolocation inferred from IP address (precise photo geolocation is stripped, as described above); professional or employment information (such as your role and organization); and visual information (inspection photos). We collect this information from you, your organization, your devices, and our service providers, and we use and disclose it for the business purposes described in this policy.

You have the right to know/access, delete, and correct your personal information, to opt out of the sale or sharing of personal information, and to limit the use of sensitive personal information. We do not sell or share personal information, and we do not use sensitive personal information for purposes that require a right-to-limit option. We will not discriminate against you for exercising these rights. Under California’s “Shine the Light” law, we do not disclose personal information to third parties for their own direct-marketing purposes. To exercise a right, contact us using the details above; an authorized agent may act on your behalf with valid authorization.

13. International users and data transfers

The Service is operated from, and your information is processed and stored in, the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States, where data-protection laws may differ from those in your country. Where required for transfers from the EEA, UK, or Switzerland, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses.

14. Children’s privacy

Artifact is a workplace tool not directed to children, and we do not knowingly collect personal information from anyone under 16. If you believe a child has provided us personal information, contact us and we will delete it.

15. Changes to this policy

We may update this Privacy Policy from time to time. We will revise the “last updated” date above and, for material changes, take additional steps as required by law. Your continued use of the Service after an update means you accept the revised policy.

16. Contact us

Questions about this policy or our data practices? Contact Epitaph LLC at epitaphlabs@outlook.com, 203 Pitt St, Leechburg, PA 15656.