Privacy Policy
Last updated: May 3, 2026
Privacy First, Always
FastPunch is built for construction professionals who value privacy. We don't sell your data, we strip GPS from every photo, we serve images through expiring secure links, and we give you full control over your information. This policy explains what we collect and why — nothing more.
1. Information We Collect
Account Information
- Email address (for login and notifications)
- Company name (optional)
- Role/title (optional, for onboarding customization)
Project Data
- Punch list items and descriptions
- Photos you attach to items
- Trade and lot assignments
- Status updates and completion timestamps
- Voice recordings (only if you use voice capture; processed immediately and not stored)
Usage Data
- App feature usage (anonymized, for product improvement)
- Crash reports and error logs
- Device type and OS version (for compatibility)
2. What We DON'T Collect
- GPS location data (automatically stripped from photos on upload)
- Device identifiers from photos (camera model, serial numbers stripped)
- Contacts from your device
- Personal identification numbers (SSN, EIN, etc.)
- Browsing history or data from other apps
3. How We Use Your Data
- To provide the service: Syncing your punch lists across devices, generating reports, and enabling sharing
- To improve the product: Analyzing feature usage to make FastPunch better
- To train AI (optional): If you opt in, anonymized voice patterns help improve transcription accuracy. You can opt out anytime in Settings.
- To communicate: Sending important updates, maintenance notices, or responding to support requests
4. Data Storage & Security
Your data is stored securely using Firebase (Google Cloud Platform) with industry-standard encryption:
- Data encrypted in transit (TLS 1.3)
- Data encrypted at rest (AES-256)
- Access limited to authorized personnel only
Photo & Sensitive Data Protection
Construction job site photos can contain sensitive information — defect documentation, work quality evidence, and private property interiors. We treat all photos as confidential:
- Metadata stripped on upload: GPS coordinates, device model, camera serial numbers, and original timestamps are automatically removed from every photo before storage. Only the image itself is retained.
- Signed URLs with 5-minute expiry: Photos are never directly accessible via public URLs. Every photo access generates a temporary, cryptographically signed URL that expires after 5 minutes. No permanent photo links exist.
- No direct storage access: Our storage rules deny all direct access to photo files. Photos can only be retrieved through our API, which verifies your identity and permissions on every request.
- Access audit logging: Every photo view is logged with user identity, timestamp, and item context. You can request your access log at any time.
- Data retention: Photos are retained only while your project is active. After project completion, photos are automatically deleted within 90 days (configurable by enterprise administrators).
- Photo resolution limits: Uploaded photos are optimized to a maximum of 2048 pixels on the longest edge, balancing quality with security.
Authentication & Access Control
- JWT-based authentication with 24-hour token expiry
- Rate limiting on all authentication endpoints (20 attempts per 15 minutes)
- Role-based access control — trade partners can only view items assigned to their company
- Security headers (Helmet) on all API responses
- Restricted CORS policy — only FastPunch domains can access the API
5. Data Sharing
We do not sell, trade, or rent your personal information. We only share data in these limited circumstances:
- With your consent: When you explicitly share a project via web link or assign items to trade partners
- Trade partners: When you assign a punch item to a trade contractor, they can view only that item's description, location, trade type, and photos — limited to what's necessary to complete the work
- Service providers: Firebase (hosting, storage), RevenueCat (subscription management) — all under strict data processing agreements
- Legal requirements: If required by law or to protect our rights
6. Your Rights
You have full control over your data:
- Access: Download all your data anytime from the app
- Delete: Permanently delete your account and all associated data
- Opt out: Disable AI training data contribution in Settings
- Export: Export your projects to PDF or CSV format
7. AI Training & Anonymization
Our AI features use a two-tier approach:
- On-device AI: Voice processing happens on your device. No audio leaves your phone.
- Cloud AI (opt-in): If enabled, voice transcripts are anonymized (no names, locations, or project details) and used to improve the AI model. You control this in Settings.
8. Children's Privacy
FastPunch is not intended for children under 13. We do not knowingly collect data from children under 13. If you believe we have inadvertently collected such data, please contact us immediately.
9. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date. For significant changes, we will notify you via email.
10. Contact Us
If you have any questions about this Privacy Policy, please contact us:
- Email: privacy@getfastpunch.app
- Mail: APRJ Development LLC, Attn: Privacy, [Your Business Address]