Guspora^™

This Privacy Policy describes how Ferguson Fire Protection, LLC, which operates the Guspora™ platform ("Company," "we," "us," or "our"), collects, uses, stores, and protects personal information in connection with the Guspora™ platform ("Platform").

1. Scope

This Privacy Policy applies to all users of the Guspora™ Platform including:

• Service Providers (Inspectors/Technicians)
• Customers (Property Owners/Managers)
• Authorities Having Jurisdiction (AHJs)
• Insurers
• Users of the Guspora™ mobile application (com.guspora.app)
• Purchasers and users of Guspora Track™ hardware devices

2. Information We Collect

2.1 Information You Provide

• Account registration information (name, email, phone, company)
• Service company profile (business address, license numbers, certifications)
• Customer and property records
• Inspection data, reports, photos, videos, and audio notes
• Equipment inventories and service histories
• Billing and payment information
• Communications with support

2.2 Information Collected Automatically

• Device information (browser, OS, device identifiers)
• Usage data (pages viewed, features used, session duration)
• IP address and approximate location
• Authentication logs and access timestamps

2.3 Mobile Application Data

The Guspora™ Android application (com.guspora.app) requests the following device permissions and collects data accordingly:

• Camera: Photos and videos captured during inspections. Used for inspection documentation, barcode scanning, and evidence capture. Photos and videos include embedded metadata (GPS, timestamp, device ID).
• Fine Location (GPS): Precise location data collected during active inspection workflows (check-in/check-out). Used for evidence geolocation, technician dispatch, and route optimization. Location is NOT collected when the app is in the background or when the technician is not actively checked into a job.
• Microphone: Audio recordings captured during inspections for voice notes and AI-powered inspection reporting features. Audio is processed by AI providers (OpenAI Whisper) for transcription and is not retained by AI providers beyond the processing window.
• Storage: Read/write access to device storage for offline data caching (SQLite), photo/document access, and file uploads.

2.4 Guspora Track™ Data

If you purchase and activate Guspora Track™ GPS/BLE tracking devices, we collect:

• Continuous GPS location data from tracked vehicles/assets
• Device battery status and connectivity information
• Movement history, speed, and route data
• Geofence entry/exit events

This data is collected continuously while the tracking device is active and powered. Guspora Track™ location data is stored for 90 days, then archived for an additional 12 months before deletion. You may request deletion of tracking data at any time. Guspora Track™ data is only visible to the account holder who registered the device.

2.6 SMS Data

When you opt in to SMS notifications, we collect your phone number, consent status, consent method (web form, verbal, or text keyword), timestamp of consent, and IP address at the time of consent. This information is used exclusively for delivering service-related messages in accordance with our SMS Terms & Conditions.

2.7 Information We Do NOT Collect

• Social Security numbers
• Full credit card numbers (handled by Stripe)
• Biometric data (fingerprints, facial recognition)
• Data from minors under 16
• Background location data when not actively checked into a job (inspection GPS)

3. Three-Party Data Sharing Framework

The Guspora™ Platform facilitates data sharing between three key parties: Authorities Having Jurisdiction (AHJs), Customers, and Service Providers (SPs). Each party has different visibility into platform data:

4. Credential Data Collection

For service providers, we collect and verify professional credentials including state license numbers and types, license issue and expiration dates, NICET certification levels, manufacturer certifications, and insurance and bonding information.

Verification sources include Kentucky DHBC, other state licensing databases, NICET verification system, and manufacturer certification databases. Credential status is publicly visible to customers and AHJs.

5. Evidence and Audit Data

All inspection evidence includes embedded metadata (GPS, timestamp, device ID, technician ID, inspection reference). Files are hashed using SHA-256 at upload. All access to evidence is logged.

6. Third-Party Service Providers (Subprocessors)

All third-party providers are bound by data processing agreements. AI providers (OpenAI and Anthropic) are contractually prohibited from retaining inspection data beyond the immediate processing window or using it for model training.

For the complete list, see /legal/subprocessors.

6A. SMS / Phone Numbers

• Phone numbers are shared with Twilio for SMS delivery.
• Used for customer care SMS (scheduling, updates, invoices, support).
• Service providers may deliver SMS through the Platform on behalf of their business.
• Message frequency varies. Msg & data rates may apply.
• Reply STOP to opt out. Reply HELP for help.
• Consent to receive SMS is not a condition of purchase.

See /legal/sms.

7. Data Retention

Data export available for 30 days after termination. Active data deleted within 45 days. Legal retention periods may extend beyond termination.

8. Audit Trail Permanence

Deficiency lifecycle data is maintained permanently including identification, status changes, approval records, evidence hashes, and credential verification. Audit trail data may persist after account deletion to maintain compliance record integrity.

9. GPS and Location Data

• Inspection GPS: Collected only when technicians are actively checked in. Not collected in background.
• Guspora Track™: Continuous collection while device is active. Separate from inspection GPS.
• Retention: Inspection location: 90 days then anonymized. Track™ data per Section 7.

10. Recording Practices

Inspection recordings stored with AES-256 encryption. AI processing via OpenAI Whisper (transcription) and Anthropic Claude (reports) with no data retention by AI providers. Support calls recorded with notice; standard 12 months, emergency 7 years.

11. Your Rights

12. California Privacy Rights (CCPA/CPRA)

Right to Know, Right to Delete, Right to Opt-Out of Sale (we do not sell data), Right to Non-Discrimination. Contact support@guspora.com. Response within 45 days.

13. European Privacy Rights (GDPR)

Legal bases: contract performance, legitimate interest, legal obligation, consent. Data stored in AWS US-East-1. Standard Contractual Clauses for EEA transfers.

14. Cookies and Tracking

Essential cookies only (session, security, preference). No advertising cookies, third-party tracking, or behavioral advertising. If we add analytics tools in the future, we will update this policy and provide notice.

15. Security

TLS 1.2+ in transit, AES-256 at rest, AWS SOC 2 infrastructure, regular security audits, MFA support, role-based access controls, SHA-256 evidence hashing.

16. Children's Privacy

Not intended for individuals under 16. No knowing collection from children.

17. Changes to This Policy

Material changes communicated via email 30 days before taking effect.