Guspora^™

This Privacy Policy describes how Ferguson Fire Protection, LLC, doing business as Guspora™ ("Company," "we," "us," or "our"), collects, uses, stores, and protects personal information in connection with the Guspora™ platform ("Platform").

1. Scope

This Privacy Policy applies to all users of the Guspora™ Platform including:

• Service Providers (Inspectors/Technicians)
• Customers (Property Owners/Managers)
• Authorities Having Jurisdiction (AHJs)
• Insurers

2. Information We Collect

2.1 Information You Provide

• Account registration information (name, email, phone, company)
• Service company profile (business address, license numbers, certifications)
• Customer and property records
• Inspection data, reports, photos, videos, and audio notes
• Equipment inventories and service histories
• Billing and payment information
• Communications with support

2.2 Information Collected Automatically

• Device information (browser, OS, device identifiers)
• Usage data (pages viewed, features used, session duration)
• IP address and approximate location
• Authentication logs and access timestamps

2.3 Information We Do NOT Collect

• Social Security numbers
• Full credit card numbers (handled by Stripe)
• Biometric data
• Data from minors under 16

3. Three-Party Data Sharing Framework

The Guspora™ Platform facilitates data sharing between three key parties: Authorities Having Jurisdiction (AHJs), Customers, and Service Providers (SPs). Each party has different visibility into platform data:

4. Credential Data Collection

For service providers, we collect and verify professional credentials:

4.1 Data Collected

• State license numbers and types
• License issue and expiration dates
• NICET certification levels
• Manufacturer certifications (CaptiveAire, Buckeye, Ansul, etc.)
• Insurance and bonding information

4.2 Verification Sources

• Kentucky Department of Housing, Buildings and Construction (DHBC)
• Other state licensing databases as applicable
• NICET verification system
• Manufacturer certification databases

4.3 Visibility

Credential status is publicly visible to customers and AHJs. This transparency allows all parties to verify that work is being performed by qualified, licensed individuals.

5. Evidence and Audit Data

5.1 Metadata Embedded in Evidence

Photos, videos, and audio recordings captured through the Platform include:

• GPS coordinates (latitude/longitude)
• Timestamp (UTC)
• Device identifier
• Technician ID
• Inspection/deficiency reference

5.2 Integrity Verification

Files are hashed using SHA-256 at upload. This hash is stored separately and can be used to verify that evidence has not been modified since capture.

5.3 Access Logs

All access to inspection evidence is logged, including who accessed it, when, and for what purpose. These logs are maintained for the duration of the data retention period.

6. Third-Party Service Providers

We share limited data with the following categories of service providers:

• Cloud Infrastructure: Amazon Web Services (AWS) for hosting and storage
• Payment Processing: Stripe for secure payment handling
• Email Services: Transactional email for notifications
• AI Processing: AI providers for inspection analysis (data not used for training)

All third-party providers are bound by data processing agreements that prohibit using data for their own purposes.

7. Data Retention

Data is retained for periods aligned with legal requirements and business necessity:

7.1 Post-Termination

• Data export available for 30 days after account termination
• Active data deleted within 45 days of termination
• Retention periods above may extend beyond account termination as required by law

8. Audit Trail Permanence

8.1 What is Retained. The audit trail includes:

• Deficiency identification (date, inspector, code citation)
• Status changes (acknowledged, in progress, resolved, verified)
• Approval records (customer approval, AHJ approval)
• Evidence hashes (SHA-256 of photos/videos)
• Credential verification at time of work

8.2 Purpose. This permanent audit trail maintains compliance record integrity and provides legal defensibility for all parties.

8.3 Persistence After Deletion. Audit trail data may persist after individual account deletion to maintain the integrity of the compliance record. This is necessary to ensure that historical deficiency records remain verifiable.

9. GPS and Location Data

The Platform collects GPS location data for the following purposes:

• Evidence Verification: GPS coordinates are embedded in inspection photos and videos
• Technician Check-In/Out: Location is recorded when technicians check into job sites
• Route Optimization: Location data is used to optimize dispatching and routing

9.1 Collection Period. Location is collected only when technicians are actively working (checked in to a job). Tracking stops when they check out.

9.2 Retention. Location history is retained for 90 days for service verification, then anonymized or deleted.

10. Recording Practices

10.1 Inspection Recordings

Technicians may capture photos, videos, and voice memos during inspections for documentation. These recordings are stored securely with AES-256 encryption.

10.2 AI Processing

Recordings may be processed by AI for transcription, deficiency detection, and report generation. AI providers are prohibited from using this data for training.

10.3 Call Recording

Support calls may be recorded for quality assurance. An automated message announces recording at the start of calls. Standard calls are retained for 12 months; emergency service calls for 7 years.

11. Your Rights

All users have the following rights regarding their personal data:

12. California Privacy Rights (CCPA/CPRA)

California residents have additional rights under the CCPA and CPRA:

• Right to Know: What data we collect and how it's used
• Right to Delete: Request deletion (subject to exceptions)
• Right to Opt-Out of Sale: We do not sell personal information
• Right to Non-Discrimination: Equal service regardless of rights exercised

To exercise these rights, contact our Privacy Officer at the address below. We respond to verified requests within 45 days.

13. European Privacy Rights (GDPR)

For users in the EEA, UK, or Switzerland, we process data in compliance with GDPR.

Legal Bases: Contract performance, legitimate interest, legal obligation, and consent.

International Transfers: Data is stored in AWS US-East-1. We rely on Standard Contractual Clauses (SCCs) for EEA transfers.

14. Cookies and Tracking

We use only essential cookies:

• Session Cookies: Required for authentication
• Security Cookies: CSRF protection and fraud prevention
• Preference Cookies: Your display settings

We do not use advertising cookies, third-party tracking, or behavioral advertising.

15. Security

We implement industry-standard security measures:

• TLS 1.3 encryption for data in transit
• AES-256 encryption for data at rest
• AWS infrastructure with SOC 2 compliance
• Regular security audits and penetration testing
• Multi-factor authentication support
• Role-based access controls

16. Children's Privacy

The Platform is not intended for use by individuals under 16. We do not knowingly collect personal information from children. If we become aware of such collection, we will delete the information promptly.

17. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 30 days before taking effect. The "Last Updated" date at the top indicates when the most recent changes were made.