Fielded Privacy Policy

The short version. Fielded is built by Recordo for professional inspectors. Inspection reports often contain client names, property addresses, photos of private homes, voice notes, and written findings. We use that content to run Fielded for you: capture the inspection, draft report updates, store report assets, generate PDFs, and serve report links you choose to share. We use OpenAI and Google Gemini through commercial API services to help draft reports, and we do not permit AI providers to use your content to train general-purpose models. We do not sell your personal data, we do not show advertising, and we do not share inspection content with data brokers. Read on for the details, and please contact privacy@recordo.app if anything is unclear.

1. Who We Are
2. Scope of This Policy
3. Information We Collect
4. How We Use Information
5. Legal Basis for Processing (GDPR / UK GDPR)
6. AI Processing and AI Providers
7. Other Service Providers and Subprocessors
8. Sharing and Disclosure
9. Data Retention
10. International Data Transfers
11. Data Storage and Security
12. Your Rights
13. Notice for California Residents
14. When You Capture Other People's Data
15. Children
16. Changes to This Policy
17. Contact and Complaints

1. Who We Are

This Privacy Policy describes how Recordo, a limited liability company organized under the laws of the Republic of Armenia ("Recordo," "we," "us," or "our"), collects, uses, shares, and protects personal data in connection with the Fielded mobile application, the getfielded.app website, the publicly shareable inspection-report links generated by the application, and related services (together, the "Service"). This policy is part of, and incorporated into, our Terms of Service.

For matters subject to the General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR"), Recordo is the controller of personal data described below, unless the policy says otherwise (in particular, see Section 14).

2. Scope of This Policy

This policy covers personal data we collect from or about people who:

Download, install, or use the Fielded mobile application;
Visit our website at getfielded.app;
Receive a publicly shareable Fielded report link from a Fielded user and open it; or
Contact us by email, social media, or any other channel.

This policy does not cover websites, products, or services operated by anyone other than us, even if we link to them.

3. Information We Collect

3.1 Information you provide

Account information

Email address (required to create an account).
Authentication credentials (passwords are stored as cryptographic hashes by our authentication provider; OAuth tokens if you sign in with Apple or Google).
Display name, profile picture, and other profile fields you choose to add.

Inspection content

Voice recordings you capture while using the Service, and transcriptions derived from those recordings.
Photos you take, upload, annotate, or attach to inspection details or report sections.
Text observations, notes, status pills (Repair or Replace, Monitor, Inspected, Not Present), and other report content.
Property details you enter (address, weather, occupancy, who was present, scope and limitations).
Client or counterparty contact information you choose to enter into a report.

Support and communications

The contents of any email, message, or in-application support request you send us, and our replies.

3.2 Information collected automatically

Device and technical

Device identifier, operating system, app version, language, timezone.
IP address and approximate location derived from it.
Push-notification tokens (if you have enabled notifications).
Crash logs and diagnostic information when the application encounters an error.

Usage and analytics

Screens viewed, actions taken, and feature interactions within the Service.
Session duration, frequency of use, performance metrics.
Authentication events (sign-in, sign-out).

Location (when you allow it)

Current device location, used to autofill property addresses and to power place search. You can grant or revoke location permission at any time in your device settings.

Subscription state

Information about your subscription (plan, status, renewal date, trial state) received from RevenueCat, our subscription-management provider, which in turn receives it from the Apple App Store or Google Play. We do not see your full payment-card number or your bank-account details.

3.3 Information from public report links

When you generate a public web link to share a report, recipients who open the link generate the following data: their IP address, the time they accessed the link, the User-Agent string of their browser, and the report they viewed. We use this in aggregate for security, anti-abuse, and to detect that links have been accessed.

4. How We Use Information

We use the personal data described in Section 3 for the following purposes:

Run the Service for you. Create your account; sync your content across your devices; store inspection report assets; transcribe voice notes; structure observations into reports; render PDFs; generate and serve public report links.
AI processing. Send voice recordings, photos, and text observations to our AI providers (Section 6) so they can transcribe, classify, route, and help draft your reports.
Account and security. Authenticate you; protect against unauthorized access, fraud, and abuse; investigate suspected violations of our Terms of Service.
Customer support. Respond to your messages, debug problems you report, and provide explanations of how a feature works.
Service improvement. Understand which features are used; identify bugs and performance issues; develop and test new features.
Subscription administration. Confirm your subscription status with the platform you purchased through, deliver receipts where required, and remind you of upcoming renewals where the platform allows us to.
Communications. Send transactional emails (account confirmation, password reset, subscription changes, security alerts), in-product notifications, and, only with your consent or where otherwise permitted by law, product updates and marketing.
Legal and regulatory. Comply with applicable laws and regulations; respond to lawful requests from public authorities; enforce our agreements; protect our rights, the rights of users, and the rights of third parties.

5. Legal Basis for Processing (GDPR / UK GDPR)

If you are in the European Economic Area, the United Kingdom, or another jurisdiction whose data-protection law requires us to identify a legal basis for each purpose, we rely on:

Purpose	Legal basis
Provide the Service (account, sync, report asset storage, AI-assisted drafting, exports)	Performance of a contract (GDPR Art. 6(1)(b))
Subscription administration and billing communications	Performance of a contract (Art. 6(1)(b))
Security, abuse prevention, fraud detection	Legitimate interests (Art. 6(1)(f)): keeping the Service secure
Analytics and Service improvement	Legitimate interests (Art. 6(1)(f)): improving the Service. You can object to this processing; see Section 12.
Marketing communications (if any)	Consent (Art. 6(1)(a)), withdrawable at any time
Legal compliance, response to lawful requests	Legal obligation (Art. 6(1)(c)) and/or legitimate interests (Art. 6(1)(f))

6. AI Processing and AI Providers

The Service uses artificial intelligence to transcribe voice, inspect photos you submit for report drafting, classify observations, route findings to report sections, draft report text, structure punch lists, and answer in-product questions. AI requests may be routed through Vercel AI Gateway. We use the following AI providers, acting as our subprocessors:

OpenAI, L.L.C., providing GPT-family models, under the OpenAI API terms.
Google LLC, providing the Gemini family of models, under the Google Cloud / Generative AI terms.

Our commitments to you about AI processing:

We do not permit AI providers to use your inspection content to train general-purpose AI models offered to the public.
We send AI providers the minimum content needed to perform the requested task.
We do not let our AI providers serve advertising based on your content.
We do not sell content to our AI providers.

AI providers operate on infrastructure they control (primarily in the United States). Your content is transmitted to them under transport-layer encryption. Their data-processing and retention practices are governed by their agreements with us and by the product terms for the API services we use; provider safety and abuse monitoring may still apply.

7. Other Service Providers and Subprocessors

To run the Service we engage the following service providers (called "processors" or "subprocessors" under data-protection law). Each has a contract with us that limits how they may use your data.

Provider	Role	Primary region
Vercel, Inc.	API hosting, serverless compute, and AI Gateway routing	United States
Supabase, Inc.	Database, authentication, file storage	United States
Google LLC (Firebase)	Push notifications, mobile analytics, crash reporting	United States
PostHog Inc.	Product analytics	United States
RevenueCat, Inc.	Subscription management	United States
Apple Inc.	App distribution and in-app purchase (iOS users)	United States
Google LLC (Play)	App distribution and in-app purchase (Android users)	United States
OpenAI, L.L.C. and Google LLC (Gemini)	AI processing - see Section 6	United States

We may add or change processors from time to time. Material changes will be reflected in a revised version of this policy.

We share personal data only in the limited circumstances described below.

With service providers (Sections 6 and 7)

Under contracts that require them to process the data only on our instructions and to protect it.

With recipients of report links you share

When you generate a public report link and share it, anyone with the link can view the report contents until you revoke or rotate the link. You decide whom to send a link to; we have no control over what a recipient does with the link or its contents.

For legal reasons

We may disclose personal data when we believe in good faith that disclosure is required to comply with a law, regulation, legal process, or governmental request; to enforce our Terms of Service; to detect, prevent, or address fraud, security, or technical issues; or to protect against harm to our rights, property, or safety, or that of our users or the public.

In connection with a corporate transaction

If we are involved in a merger, acquisition, reorganization, financing, or sale of all or substantially all of our assets, personal data may be transferred as part of that transaction. We will require the recipient to honor this policy or give you notice and a chance to opt out of further processing.

What we do not do.

We do not sell or rent your personal data.
We do not show advertising in the Service, and we do not share personal data with advertisers or ad networks.
We do not let our AI providers use your content to train their general-purpose models.
We do not share inspection content with data brokers or aggregators.

9. Data Retention

We keep personal data only for as long as we need it for the purposes described in this policy, or as required by law.

Data category	Retention
Inspection photos and annotated images	Retained as private report assets while your account is active, unless you delete the photo, delete the inspection, or close your account. Public report pages use short-lived signed image URLs generated when a report is viewed.
Voice recordings	Processed in memory or short-term storage and deleted after transcription where technically feasible; the transcribed text is retained as part of your report content.
Structured report content (text, observations, status pills, property details)	Retained while your account is active. You can delete an inspection from the app.
Public report links	Remain active until you revoke or rotate the link, delete the inspection, or close your account.
Account profile and credentials	Retained while your account is active. On account closure, deleted within 30 days, except where we are required to retain it for legal, accounting, tax, or fraud-prevention purposes.
Usage analytics in identifiable form	Up to 24 months from collection. After that, aggregated or anonymized.
Crash and security logs	Up to 12 months.
Subscription / billing records	As required by applicable tax, accounting, and consumer-protection law (typically up to 7 years).
Support communications	Up to 24 months after the matter is closed.
Backups	Cycled out as part of normal backup rotation, typically within 30-60 days.

10. International Data Transfers

Recordo is based in the Republic of Armenia. Our service providers (Section 7) operate primarily in the United States. When you use the Service, your personal data is transferred to, stored in, and processed in the United States, and may be accessed by us from Armenia.

Where required by applicable law, we put in place safeguards for these transfers. In particular:

For transfers of EU/EEA and UK personal data to the United States, we rely on the Standard Contractual Clauses approved by the European Commission (Decision 2021/914) and the equivalent UK International Data Transfer Agreement or UK Addendum, as applicable. To the extent that one of our US providers is certified under the EU-U.S. Data Privacy Framework or the UK Extension to it, we additionally rely on that certification.
For transfers of personal data to Armenia, we rely on the safeguards available under the GDPR (e.g., the Standard Contractual Clauses signed with our processors and onward-transfer provisions) and on the Armenian Law on the Protection of Personal Data of 2015, which provides protections recognized as broadly compatible with European standards.

You can request a copy of the safeguards we rely on by writing to privacy@recordo.app.

11. Data Storage and Security

We use technical and organizational measures intended to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These include:

Encryption of personal data in transit (HTTPS / TLS) between the application and our servers, and between our servers and our service providers.
Encryption of personal data at rest at the database and storage layer of our cloud providers.
Authentication of users with industry-standard mechanisms; role-based access controls inside our infrastructure.
Row-level security policies in our database so that users can only access their own content.
Logging and monitoring of administrative access.
Private storage for inspection photos, plus short-lived signed URLs for report images.

No system is perfectly secure. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify you and, where required, the relevant supervisory authority, in line with applicable law.

12. Your Rights

Depending on where you live, you may have some or all of the following rights with respect to personal data we hold about you:

Access: request a copy of your personal data and information about how we process it.
Rectification: ask us to correct inaccurate or incomplete personal data.
Deletion: ask us to delete your personal data, subject to lawful retention obligations.
Restriction: ask us to restrict our processing in specific circumstances.
Portability: receive certain personal data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible.
Objection: object to processing that we carry out on the basis of legitimate interests (including analytics) or for direct marketing.
Withdraw consent: where we rely on your consent, withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Complain to a supervisory authority: lodge a complaint with the data-protection authority in your country of residence or workplace if you believe our processing of your data is unlawful.

To exercise any of these rights, write to privacy@recordo.app. We will respond within the time limits required by applicable law (typically within one month for GDPR / UK GDPR requests, 45 days for CCPA requests). We may need to verify your identity before acting on your request; we will use reasonable methods proportionate to the sensitivity of the request.

13. Notice for California Residents

This section provides additional information for California residents under the California Consumer Privacy Act / California Privacy Rights Act ("CCPA").

Categories of personal information we collect, the sources, and the purposes

In the past 12 months, and on a going-forward basis, we collect the categories of personal information described in Section 3 of this policy. We collect these categories directly from you, automatically from your device when you use the Service, and from our service providers (Section 7). We use this information for the business and commercial purposes described in Section 4.

Disclosure

In the past 12 months, and on a going-forward basis, we have disclosed each category of personal information described in Section 3 to the service providers listed in Sections 6 and 7, for the business purposes described in Section 4.

Sale or sharing of personal information

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the CCPA.

Sensitive personal information

We do not use or disclose sensitive personal information for purposes other than those permitted by Cal. Civ. Code §1798.121(a) (e.g., to provide the Service that you requested).

Your CCPA rights

Right to know what personal information we have collected, used, disclosed, or sold/shared (which is "none" for sale/share).
Right to delete personal information, subject to exceptions in the CCPA.
Right to correct inaccurate personal information.
Right to opt out of sale or sharing of personal information, although, as stated, we do not sell or share.
Right to limit the use of sensitive personal information, although, as stated, we do not use sensitive personal information for purposes that would trigger this right.
Right to non-discrimination for exercising your CCPA rights.

To exercise these rights, contact privacy@recordo.app. If your request is denied, you can appeal by replying to our response.

14. When You Capture Other People's Data Through the Service

The Service is designed for inspectors and similar professionals who capture content about real property, and sometimes about people present on the property, in the course of their work. Where you use the Service to collect or process personal data about other people (e.g., voice recordings that capture a homeowner, photos that show a third party, names of contractors you list in a punch list), you are the controller of that personal data under European data-protection law and any equivalent regime.

In that scenario:

You are responsible for having a lawful basis to collect and process that personal data, and for complying with any local laws on recording, photography, and consent (including U.S. state two-party-consent statutes, where applicable). See Section 7 of our Terms of Service.
We act as your processor in respect of that personal data, processing it on your instructions only to provide the Service to you.
If you require a written data-processing agreement (for example, because your customer has asked you for one or your local law requires it), please contact legal@recordo.app.
If a data subject contacts us directly about personal data you captured through the Service, we will normally refer them to you to handle, and assist you as required by law.

15. Children

The Service is intended for adults engaged in professional or commercial activity. You must be at least 18 years old to use the Service. We do not knowingly collect personal data from anyone under 18. If you believe we have collected personal data from a child, please contact us at privacy@recordo.app and we will take appropriate steps to delete it.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to our practices, to the Service, or to applicable law. When we make material changes, we will:

Update the "Last Updated" date at the top of this policy;
Notify you in the application or by email to the address associated with your account; and
Where required by law, request your consent before the change applies to you.

We encourage you to review this policy from time to time.

17. Contact and Complaints

If you have questions, requests, or complaints about this Privacy Policy or our handling of your personal data, please contact us:

Privacy: privacy@recordo.app
Legal: legal@recordo.app
Support: support@recordo.app
Postal: Recordo, Artsruni Yeghbayrneri St. 14, Gavar 1201, Gegharkunik Province, Republic of Armenia

We aim to respond to privacy requests within 30 days.

If you are in the EEA, you can also lodge a complaint with the data-protection authority in the EU member state where you live or work, or where you believe the alleged infringement occurred.

If you are in the UK, you can lodge a complaint with the Information Commissioner's Office (ico.org.uk).

If you are in Canada, you can contact the Office of the Privacy Commissioner of Canada.

If you are in Australia, you can contact the Office of the Australian Information Commissioner.

Table of Contents