Guspora™ Privacy Policy

Ferguson Fire Protection LLC ("Company," "we," "us," or "our") operates Guspora (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our Service, including our three-party compliance ecosystem connecting AHJ Inspectors, Customers, and Service Providers.

1. Information We Collect

1.1 Information You Provide

Account Information (All Users):

• Name, Email address, Phone number
• Company or agency name
• Role (AHJ Inspector, Customer, or Service Provider)

AHJ Inspector Information:

• Jurisdiction (department, county, city, district)
• Badge or credential number
• Department affiliation
• Supervisor or department head contact

Customer Information:

• Property addresses and details
• Business name and type
• Billing address (if applicable)
• Property management authority documentation

Service Provider Company Information:

• State fire protection contractor license number(s)
• General liability insurance Certificate of Insurance (COI)
• Workers compensation insurance certificate
• Business license documentation
• Billing address
• Payment information (processed by Stripe)

Service Provider Technician Information:

• Individual state technician license number(s)
• Manufacturer-specific certifications (CaptiveAire, Buckeye, Ansul, Kidde, Amerex, and others)
• Factory training completion records
• ICC certification numbers
• Certification expiration dates

Business Data:

• Inspection records and reports
• Deficiency records (descriptions, photographs, code citations, severity classifications)
• Equipment inventories and manufacturer identification
• Repair documentation and progress notes
• Service histories
• Documents and files you upload

Communications:

• Support requests
• Feedback and surveys
• Correspondence with us
• In-platform messages between authorized parties

1.2 Information Collected Automatically

Usage Data:

• Pages visited and features used
• Time spent on the Service
• Actions taken within the application

Device Information:

• Browser type and version
• Operating system
• Device identifiers
• IP address

Log Data:

• Access times
• Error logs
• Referring URLs

1.3 Information from Third Parties

Payment Processor (Stripe):

• Transaction history
• Payment method details (we do not store full card numbers)

Authentication Providers:

• If you sign in via Google or other providers, we receive basic profile information

State Licensing Databases:

• License status, expiration dates, and disciplinary actions for credential verification

Manufacturer Technician Databases:

• Authorized technician status, certification dates, and authorization scope for manufacturer-specific credential verification

Insurance Verification:

• COI validation and expiration data

2. How We Use Your Information

We use your information to:

Provide the Service:

• Create and manage your account
• Process transactions (Service Providers)
• Conduct credential verification and monitoring
• Manage the deficiency lifecycle and dual-approval workflow
• Generate inspection reports
• Store and organize your business data
• Send notifications via email, SMS (Twilio), and in-app alerts

Credential Verification:

• Verify state licenses against licensing databases
• Cross-reference technician certifications against manufacturer-authorized technician databases
• Monitor insurance certificate expiration dates
• Implement automatic suspension upon credential lapse
• Display verification badges to authorized parties

Three-Party Compliance Ecosystem:

• Share deficiency information between authorized AHJ Inspectors, Customers, and Service Providers as described in Section 3
• Process dual-approval access requests
• Maintain permanent audit trails of deficiency lifecycles
• Provide compliance analytics to authorized parties

Improve the Service:

• Analyze usage patterns
• Develop new features
• Fix bugs and improve performance
• Train and improve AI features (using anonymized/aggregated data only)

Communicate with You:

• Send service notifications (deficiency alerts, approval requests, credential expiration warnings)
• Respond to support requests
• Provide product updates
• Send marketing communications (with your consent)

Legal and Security:

• Comply with legal obligations
• Enforce our Terms of Service including anti-bid-board provisions
• Protect against fraud and abuse
• Maintain security of the Service

3. Three-Party Data Sharing

The core function of Guspora's compliance ecosystem requires controlled data sharing between AHJ Inspectors, Customers, and Service Providers.

3.1 Data Visible to AHJ Inspectors

AHJ Inspectors can view, within their verified jurisdiction:

• Deficiency records they created (full details)
• Customer property information related to their inspections
• Service Provider company credentials (license, insurance, business status)
• Individual technician credentials and verification badges
• Repair progress and status updates on deficiencies in their jurisdiction
• Completion documentation submitted by Service Providers
• Jurisdiction-wide compliance analytics (aggregated)

3.2 Data Visible to Customers

Customers can view, for their properties:

• Full deficiency details including descriptions, photographs, and code citations
• Service Provider company profiles and credential status
• Individual technician verification badges and certification status
• Real-time repair progress on their deficiencies
• Complete compliance history and audit trails
• List of verified Service Providers qualified for specific equipment types

3.3 Data Visible to Service Providers

Before Dual Approval: Service Providers can only see general location (city/county), equipment category, and requesting Customer name for pending access requests.

After Dual Approval: Service Providers can view full deficiency details, AHJ Inspector notes and requirements, Customer contact information, and equipment specifications for approved deficiencies only.

3.4 Deficiency Data Gating

3.5 Credential Data Sharing

Service Provider company credentials and individual technician certifications are visible to:

• AHJ Inspectors (as a compliance verification tool)
• Customers (when evaluating or selecting Service Providers)
• The Service Provider themselves (for management purposes)

Credential information is NOT shared with other Service Providers or any unauthorized parties.

4. AI and Data Processing

4.1 AI Features

Guspora uses artificial intelligence to assist with report generation. When you use AI features:

• Your input (voice recordings, text) is processed by AI services
• AI-generated content is stored in your account
• We use OpenAI and Anthropic APIs for AI processing

4.2 AI Training

• We do NOT use your individual customer data, deficiency records, or credential information to train AI models
• We may use anonymized, aggregated data to improve our AI prompts and features
• You may opt out of anonymized data usage by contacting us

4.3 Voice and Video

If you use voice or video inspection features:

• Recordings are stored securely in AWS S3
• Transcriptions are generated using AI services
• You control retention and deletion of recordings

5. How We Share Your Information

5.1 Between Platform Parties

As described in Section 3, information is shared between AHJ Inspectors, Customers, and Service Providers through the controlled three-party compliance ecosystem.

5.2 Service Providers (Third-Party Technology)

These providers are contractually obligated to protect your data.

5.3 Legal Requirements

We may disclose information if required by law, regulation, legal process, government requests, protection of our rights or safety, or investigation of fraud or security issues.

5.4 Business Transfers

If we merge with or are acquired by another company, your information may be transferred. We will notify you.

5.5 With Your Consent

We may share information with your explicit consent.

6. Data Security

Technical Safeguards:

• Encryption in transit (TLS/SSL)
• Encryption at rest (AES-256)
• Secure cloud infrastructure (AWS)
• Regular security updates

Access Controls:

• Role-based access controls enforcing three-party data boundaries
• Dual-approval gating for Service Provider deficiency access
• Multi-factor authentication available
• Regular access reviews

Credential Data Protection:

• Credential verification data stored in encrypted databases
• License and certificate numbers protected with access controls
• Insurance documentation stored securely with limited access
• Manufacturer database connections secured with API authentication

Operational Security:

• Employee security training
• Incident response procedures
• Regular security assessments

7. Data Retention

After account termination, you have 30 days to export your data before deletion. Deficiency audit trail data may be retained longer as required for legal compliance.

8. Your Rights and Choices

8.1 Access and Export

• You can access your data through the Service dashboard
• Export in standard formats (CSV, PDF)
• Request a copy of all data we hold about you

8.2 Correction

You can update your account information at any time through settings. Credential information updates are subject to re-verification.

8.3 Deletion

• You can delete individual records (subject to audit trail requirements)
• Request account deletion by contacting support@guspora.com
• Data will be deleted within 30 days

8.4 Marketing Opt-Out

• Unsubscribe from marketing emails
• Adjust notification preferences

Service notifications (deficiency alerts, credential warnings, approval requests) cannot be disabled as they are essential to platform function.

8.5 Do Not Track

We do not currently respond to "Do Not Track" browser signals.

9. Cookies and Tracking

9.1 Cookies We Use

Essential Cookies:

• Authentication and session management
• Security features
• Required for Service functionality

Analytics Cookies:

• Usage patterns and performance
• Feature adoption
• May be disabled in settings

9.2 Managing Cookies

You can control cookies through your browser settings. Disabling essential cookies may affect Service functionality.

10. Children's Privacy

Guspora is not intended for children under 18. We do not knowingly collect information from children. If you believe a child has provided us information, contact us immediately.

11. International Data Transfers

Your data is processed and stored in the United States (AWS us-east-1 region). By using the Service, you consent to the transfer of data to the United States.

For users in the European Economic Area (EEA), we rely on Standard Contractual Clauses and your consent.

12. California Privacy Rights

California residents have additional rights under the CCPA:

• Right to Know: Request disclosure of data collected about you
• Right to Delete: Request deletion of your personal information (subject to audit trail retention requirements)
• Right to Opt-Out: We do not sell personal information
• Non-Discrimination: We will not discriminate against you for exercising these rights

To exercise these rights, contact privacy@guspora.com.

13. Changes to This Policy

We may update this Privacy Policy periodically. Changes will be posted with an updated "Last Updated" date. Material changes communicated via email, in-app notification, and prominent website notice. Continued use after changes constitutes acceptance.

14. Contact Us

15. Additional Disclosures

15.1 Government and Enterprise Users

AHJ Inspectors and other government users may be subject to additional requirements regarding data handling, public records laws, and ethics regulations. The Service does not replace official government inspection processes, records systems, or legal authority.

15.2 HIPAA

15.3 Industry Compliance

While we implement strong security practices, you are responsible for ensuring your use of Guspora complies with industry-specific regulations applicable to your business.

15.4 Credential Data Accuracy

Guspora relies on state licensing databases, manufacturer technician databases, and user-provided documentation for credential verification. While we make reasonable efforts to verify accuracy, we cannot guarantee that all credential data is complete, current, or error-free. Users should not rely solely on Guspora's verification system for critical hiring or contracting decisions.

15.5 Audit Trail Permanence

Deficiency lifecycle data, including creation, access approvals, status updates, and clearance records, is maintained as a permanent audit trail. This data may persist after individual account deletion to maintain the integrity of compliance records shared across the three-party ecosystem.