Privacy policy

We respect your inspection data.

This policy explains what we collect, how we use it, and the choices you have about your information.

Scope and role

This Privacy Policy describes how insp.ac (“we,” “us,” or “our”) collects, uses, and discloses information when you access our websites, applications, and related services (collectively, the “Services”). It applies to all visitors, users, and others who access the Services. For business accounts, the account owner or employer is generally the controller of inspection data and we act as a processor or service provider on their behalf. If you are using the Services through an organization, your organization’s privacy practices and data processing agreement with us may supplement or override portions of this policy with respect to customer content.

Information we collect

We collect information you provide directly, information collected automatically from your use of the Services, and information from integrations or third-party services you connect.

  • Account and profile data: name, email address, phone number, organization name, role, and authentication credentials.
  • Customer content: inspection templates, inspection run records, answers, notes, scores, sections, questions, variables, and associated metadata.
  • Media and attachments: photographs, videos, audio recordings, signatures, and other files uploaded during inspections or through issue intake forms.
  • Site and geolocation data: site names, addresses, geographic coordinates (latitude and longitude), bounding boxes, and Google Place identifiers you provide or associate with inspections.
  • Issue and intake data: issue descriptions, status, resolution notes, and contact information (name, email, phone) submitted through authenticated or public issue intake forms.
  • Integration data: OAuth tokens, configuration details, and data exchanged with connected third-party services such as Google Sheets, Dropbox, and automation platforms.
  • Payment and billing data: subscription plan, entitlements, and usage counters; payment card details are collected and processed directly by our payment provider and are not stored on our servers.
  • Usage, device, and log data: IP address, browser type and version, operating system, device identifiers, referring URLs, page interactions, feature usage, session duration, and error diagnostics.
  • Cookies and similar technologies: session identifiers, security tokens, preference flags, and analytics tags used for security, functionality, and performance measurement.
  • Locally stored data: when you use offline mode, the Services cache templates, inspection drafts, and pending sync queues in your browser’s local storage (IndexedDB or similar) on your device.

AI and machine learning features

Certain optional features use artificial intelligence to help you create or refine inspection templates. When you use these features, the prompts and relevant template content you provide are sent to our third-party AI service provider for processing. We do not use your customer content to train general-purpose AI or machine learning models. AI-generated outputs are provided for convenience only and may contain errors; you are solely responsible for reviewing and validating any content generated through AI features before use. Our AI provider processes data pursuant to its own data processing terms, and we select providers that commit to not using customer inputs for model training.

How we use information

We use personal information to provide and maintain the Services, protect users and systems, and improve product performance. We do not sell personal information and do not share personal information for cross-context behavioral advertising.

  • Provide, operate, secure, support, and troubleshoot the Services, including offline sync, data export, and report generation.
  • Process transactions, manage subscriptions, and send transactional and service-related communications.
  • Deliver AI-assisted features when you opt to use them.
  • Develop and improve features using aggregate, de-identified analytics; we do not use identifiable customer content for product development without consent.
  • Detect, investigate, and prevent abuse, fraud, unauthorized access, or security incidents, including rate limiting and bot detection on public-facing forms.
  • Enforce our Terms of Service, Acceptable Use Policy, and other contractual rights.
  • Comply with legal obligations, respond to lawful requests, and protect the rights, property, and safety of insp.ac, our users, and the public.

Legal bases for processing

Where required by applicable law (for example, under the GDPR), we process personal information on one or more of the following legal bases:

  • Performance of a contract: processing necessary to provide the Services you have requested.
  • Legitimate interests: processing for our or a third party’s legitimate interests, such as fraud prevention, security, and service improvement, except where those interests are overridden by your data protection rights.
  • Legal obligation: processing necessary to comply with laws, regulations, or court orders.
  • Consent: processing based on your freely given, informed consent, which you may withdraw at any time (withdrawal does not affect the lawfulness of prior processing).

How we share information

We share information only as needed to operate the Services and comply with law. We do not sell your personal information.

  • Service providers and subprocessors: hosting and infrastructure (Vercel, Neon), authentication (Clerk), file storage (Vercel Blob), AI processing (OpenAI), rate limiting and caching (Upstash), event delivery (Svix), analytics, and payment processing. Each provider is contractually obligated to use data only for the purposes we specify.
  • Your organization administrators: organization owners and admins may access and manage account data, templates, inspection records, and user activity within the organization.
  • Connected integrations: when you authorize a third-party integration (e.g., Google Sheets, Dropbox, Zapier), data is shared with that service in accordance with the integration’s configuration and the third party’s own terms.
  • Public issue intake respondents: if you enable public issue intake forms, information submitted through those forms is accessible to your organization. Access codes, when configured, can be used to restrict who can submit.
  • Professional advisors: attorneys, auditors, insurers, and consultants who need access in connection with professional services.
  • Legal and safety: law enforcement, regulators, courts, or other governmental authorities when required by law, subpoena, or court order, or when we reasonably believe disclosure is necessary to protect rights, property, or safety.
  • Business transfers: a successor entity in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of our assets, in accordance with applicable law.

Data retention and deletion

We retain information for as long as reasonably necessary for the purposes described in this policy, including contractual, legal, tax, accounting, and security obligations. Customer content is generally retained while the account remains active and then deleted or anonymized according to our retention schedules and backup cycles. Specific retention details:

  • Active accounts: customer content is retained for the duration of the subscription plus a short grace period to allow for reactivation or data export.
  • Terminated accounts: customer content is queued for deletion and removed from active systems and backups within commercially reasonable timeframes, unless longer retention is required by law, contract, or legitimate security needs.
  • Locally cached data: offline data stored on your device (IndexedDB) persists until you clear your browser storage or uninstall the application. We do not have direct access to locally stored data.
  • Aggregated data: de-identified, aggregated data that cannot reasonably be used to identify you may be retained indefinitely for analytics and product improvement.

Security

We use commercially reasonable technical and organizational safeguards designed to protect information. These include:

  • Encryption of data in transit (TLS 1.2+) and sensitive data at rest (e.g., integration secrets are encrypted before storage).
  • Role-based access controls and least-privilege principles for internal systems.
  • Monitoring, logging, and alerting for suspicious activity.
  • Regular review of third-party provider security practices.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and for any activity under your account.

International data transfers

The Services are operated from the United States. Your information may be processed in countries other than your own, including the United States, where data protection laws may differ. Where required by applicable law, we implement appropriate safeguards for cross-border transfers, such as Standard Contractual Clauses (SCCs) approved by the European Commission, data processing agreements, or reliance on an adequacy decision. By using the Services, you acknowledge that your information may be transferred to and processed in jurisdictions outside your country of residence.

Your privacy choices and rights

Depending on your location and applicable law, you may have the following rights with respect to your personal information:

  • Access: request a copy of the personal information we hold about you.
  • Correction: request that we correct inaccurate or incomplete personal information.
  • Deletion: request that we delete your personal information, subject to legal retention requirements.
  • Restriction: request that we restrict certain processing of your personal information.
  • Objection: object to processing based on legitimate interests or for direct marketing purposes.
  • Portability: request a machine-readable copy of your personal information for transfer to another service.
  • Withdraw consent: where processing is based on consent, withdraw consent at any time without affecting the lawfulness of prior processing.
  • Non-discrimination: we will not discriminate against you for exercising your privacy rights.

If you are an end user of a business account, please contact your organization administrator first, as they control your inspection data.

To submit a rights request, email privacy@insp.ac. We will verify your identity before processing your request and respond within the timeframe required by applicable law.

U.S. state privacy disclosures

If you are a resident of California, Colorado, Connecticut, Virginia, Utah, or another U.S. state with a comprehensive privacy law, the following additional disclosures apply:

  • Categories of personal information collected: identifiers, commercial information, internet/electronic activity, geolocation data, professional information, and inferences. See “Information we collect” above for details.
  • We do not “sell” personal information as defined under the CCPA/CPRA or other state laws, and we do not “share” personal information for cross-context behavioral advertising.
  • We do not process personal information for profiling in furtherance of decisions that produce legal or similarly significant effects.
  • Sensitive personal information: we may collect precise geolocation data (when you provide site coordinates) and account login credentials. We do not use sensitive personal information for purposes beyond those permitted by applicable law.
  • You may designate an authorized agent to make a request on your behalf, subject to identity verification.
  • If we deny your request, you may appeal by emailing privacy@insp.ac with the subject line “Privacy Appeal.”

Cookies, tracking, and Do Not Track

We use cookies and similar technologies for security, authentication, preferences, and analytics. We do not respond to Do Not Track (DNT) browser signals because there is no industry-accepted standard for DNT compliance. You can control cookies through your browser settings; however, disabling certain cookies may impair the functionality of the Services.

  • Essential cookies: required for authentication, security, and core functionality. These cannot be disabled while using the Services.
  • Analytics cookies: used to understand aggregate usage patterns and improve performance. These can be disabled via your browser.
  • We do not use advertising or behavioral tracking cookies.

Automated decision-making

The Services may use automated processing to calculate inspection scores, flag issues based on template rules, and apply rate limiting or bot detection. These automated processes do not make decisions that produce legal or similarly significant effects on individuals. Where AI features are used, they provide suggestions that require human review and approval before taking effect.

Children’s privacy

The Services are not directed to children under 16 (or the applicable minimum age in your jurisdiction), and we do not knowingly collect personal information from children. If we learn that we have collected personal information from a child without parental consent, we will take steps to delete the information promptly. If you believe a child has provided us with personal information, please contact us at privacy@insp.ac.

Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. When required by law, we will provide notice of material changes. The ‘Last updated’ date at the bottom indicates when this version became effective. Your continued use of the Services after the effective date constitutes acceptance of the updated policy.

Contact

Questions, concerns, or complaints about this Privacy Policy or our data practices can be sent to privacy@insp.ac. If you are located in the European Economic Area and believe we have not adequately addressed your concern, you have the right to lodge a complaint with your local data protection supervisory authority.

Last updated: February 10, 2026.