This Privacy Policy describes how Fieldmark (“we,” “us,” or “our”) collects, uses, stores, and discloses information when you use the Fieldmark platform (“Service”). We are committed to protecting your privacy in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Personal Information Protection Act (Alberta PIPA).
1. Who This Policy Applies To
This policy applies to:
- Organization administrators and users who create accounts on the Service
- Individuals whose personal information is submitted through the Service by their organization (e.g. named auditors, assignees)
If you are using Fieldmark as an employee of a customer organization, your organization is the primary party responsible for how your information is used within the Service. Please refer to your organization's own policies as well.
2. Information We Collect
2.1 Account information. When you create an account or are invited to the Service, we collect: name, email address, username, password (hashed, never stored in plain text), and role within your organization.
2.2 Usage data. We collect information about how you use the Service, including: pages visited, features used, timestamps, device type, and browser/app version. This is used to operate, maintain, and improve the Service.
2.3 Operational data. As part of using the Service, you and your organization submit: observation notes, audit scores, photos, corrective action records, and related operational data. This data belongs to your organization (see Terms of Service, Section 4).
2.4 Payment information. Payment is processed by Lemon Squeezy, our merchant of record. We do not store credit card numbers or full payment details. We receive and store: subscription status, billing customer ID, and subscription ID for account management purposes.
2.5 Communications. If you contact us for support or otherwise communicate with us, we retain those communications.
2.6 Device tokens. If you use the mobile app and enable push notifications, we store your device push token to deliver notifications.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Process subscription payments and manage your account
- Send transactional emails (account invitations, password resets, payment notifications)
- Send push notifications related to your assigned audits and activities
- Respond to support requests
- Monitor Service health and diagnose technical issues
- Improve the Service based on usage patterns
- Comply with legal obligations
We do not sell your personal information. We do not use your information to serve third-party advertising.
4. AI Features and Your Data
If you are on an AI-tier subscription, operational data (observation notes, audit records) may be sent to our AI provider (Anthropic) to generate summaries, recommendations, and insights. This data is processed solely to provide the AI features to your organization and is not used to train AI models. See Section 6 for details on Anthropic's data handling.
5. Data Location and Storage
Your data is stored on servers located in AWS us-east-2 (Ohio, United States) via our database provider, Supabase. Photos and file attachments are stored on Cloudflare R2, which is distributed globally via Cloudflare's network.
By using the Service, you acknowledge that your data may be stored and processed in the United States. We ensure that appropriate safeguards are in place with our service providers.
6. Third-Party Service Providers
We share data with the following third-party providers solely to operate the Service:
| Provider | Purpose | Data shared | Privacy information |
|---|---|---|---|
| Supabase (AWS us-east-2) | Database hosting | All structured data | supabase.com/privacy |
| Cloudflare R2 | Photo/file storage | Uploaded photos and files | cloudflare.com/privacypolicy |
| Lemon Squeezy | Payment processing (merchant of record) | Email, subscription data | lemonsqueezy.com/privacy |
| Anthropic | AI features (AI tiers only) | Observation notes, audit data | anthropic.com/privacy |
| Resend | Transactional email | Email address, email content | resend.com/privacy |
| Expo | Mobile push notifications | Device push token, notification content | expo.dev/privacy |
| Render | API hosting | Processed in transit | render.com/privacy |
| Vercel | Web frontend hosting | Processed in transit | vercel.com/legal/privacy-policy |
We do not share your data with any other third parties except as required by law.
7. Data Retention
Active accounts. We retain your data for as long as your account is active.
Cancelled accounts. When you cancel your subscription, your data is retained indefinitely. This is intentional — audit and compliance records may be needed for regulatory, legal, or insurance purposes after cancellation. Access to the Service is gated upon cancellation, but the data is preserved.
Deletion requests. You have the right to request deletion of your personal information at any time by contacting support@fieldmark.works. We will process deletion requests within 30 days, subject to any legal obligation to retain certain records (e.g. records relevant to ongoing legal proceedings or regulatory requirements).
Operational data. Operational data submitted by your organization (observations, audit records) is owned by your organization. Deletion of such data upon request will be handled in coordination with your organization's administrator.
8. Your Rights (PIPEDA / Alberta PIPA)
Under Canadian privacy law, you have the right to:
- Access the personal information we hold about you
- Correct inaccurate personal information
- Withdraw consent to the collection or use of your personal information (subject to legal or contractual obligations — note that withdrawing consent may affect your ability to use the Service)
- Request deletion of your personal information (subject to Section 7)
- Know what personal information we have collected, why, and with whom it has been shared
To exercise any of these rights, contact us at support@fieldmark.works. We will respond within 30 days.
9. Security
We take reasonable technical and organizational measures to protect your information, including:
- Passwords stored as bcrypt hashes (never plain text)
- All data transmitted over TLS/HTTPS
- Photos served via short-lived authenticated URLs (presigned URLs), not public links
- JWT-based authentication with per-request token validation
- Organization-level data isolation enforced at the application layer
No method of transmission or storage is 100% secure. We cannot guarantee absolute security. If you believe your account has been compromised, contact us immediately at support@fieldmark.works.
10. Cookies and Tracking
The web application uses an httpOnly session cookie (fieldmark_token) to maintain your authenticated session. This cookie is not accessible to JavaScript and is not used for advertising or cross-site tracking.
We do not use third-party advertising cookies or tracking pixels.
11. Children's Privacy
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, contact us at support@fieldmark.works.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or in-app notice at least 14 days before the changes take effect. The “Last updated” date at the top of this policy reflects the most recent revision.
13. Contact Us
For privacy questions, access requests, or deletion requests:
Email: support@fieldmark.works
Subject line: Privacy Request
For complaints about our privacy practices, you may also contact the Office of the Privacy Commissioner of Canada (priv.gc.ca) or the Office of the Information and Privacy Commissioner of Alberta (oipc.ab.ca).
This Privacy Policy was last updated in June 2026. Have a lawyer review before first paid customer.