Effective date: 2026-01-15

This Privacy Policy describes how we collect, use, disclose, and protect personal information in connection with the Scaffold Insite platform (the "Service"). We are committed to safeguarding privacy and complying with applicable laws, including Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), substantially similar provincial laws, and relevant U.S. laws such as the California Consumer Privacy Act (CCPA) as amended by CPRA, where applicable.

1. Who we are

We provide a cloud-hosted application for scaffold lifecycle and asset management. Our Service is hosted on cloud based infrastructure located primarily in Canada. Contact details are provided in the "How to contact us" section below.

2. Scope

This Policy applies to personal information we collect about platform users and individuals whose data is processed within the Service (e.g., employees, contractors). Where we act as a service provider/processor on behalf of a customer, we process personal information according to our customer agreements and their instructions.

3. Information we collect

• Account and profile data: name, email, role, company, project affiliation, and preferences.
• Authentication and security data: passwords (hashed), multifactor tokens, session identifiers, audit logs.
• Usage and device data: IP address, browser/OS metadata, log files, page views, feature usage, time and date of access.
• Project/operations data: records relevant to scaffolding activities, inspections, photos, documents, and related metadata uploaded or generated by users.
• Support/feedback data: tickets, survey responses, and communications you submit.

4. How we use information

• Provide, operate, and improve the Service, including personalization and feature development.
• Authenticate users, secure accounts, detect and prevent fraud or misuse.
• Provide support, respond to requests, and communicate about updates and changes.
• Comply with legal obligations, enforce terms, and protect the rights, property, and safety of users and the public.
• Generate aggregated, de-identified analytics to improve performance and reliability.

5. Legal bases (PIPEDA & applicable U.S. laws)

We process personal information with consent (including implied consent by using the Service) and as necessary for legitimate interests such as security, fraud prevention, and product improvement. Where required, we seek express consent. You may withdraw consent at any time, subject to legal and contractual restrictions.

6. International transfers & data residency

Primary hosting is in Canada on AWS. Limited sub-processor services (e.g., email delivery, error monitoring) may process data outside Canada and the U.S. where necessary and subject to appropriate safeguards and agreements.

7. Disclosure of information

• Service providers: cloud hosting, support, analytics, and communications vendors bound by confidentiality and data protection obligations.
• Customers: administrators may access information within their organization’s workspace.
• Legal compliance: to courts, regulators, or law enforcement when required by law or to protect rights and safety.
• Business transfers: in connection with a merger, acquisition, or asset sale, subject to ongoing protections.

8. Security

We employ administrative, technical, and physical safeguards aligned with industry best practices, including encryption in transit and at rest, role-based access controls, audit logging, least privilege, secure software development practices, and regular vulnerability management.

9. Retention

We retain personal information for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. Customers may define retention periods for certain data sets; we provide tools to export or delete data where feasible.

10. Your rights

Subject to applicable law, you may have rights to access, correct, update, port, or delete personal information, and to object to or restrict certain processing. Requests can be submitted via the contact methods below. We will verify your identity before fulfilling requests and may require assistance from your organization’s administrator.

11. Children

The Service is not directed to children under 13 (U.S.) or under the age of consent in your jurisdiction. We do not knowingly collect personal information from children without appropriate consent.

12. Cookies and similar technologies

We use cookies and similar technologies to keep you signed in, remember preferences, and analyze usage. You can control cookies via browser settings. Essential cookies are required for the Service to function.

13. Sub-processors

We rely on select sub-processors to deliver the Service (e.g., AWS, email/SMS providers). All sub-processors are subject to written agreements imposing data protection obligations.

14. Cross-border compliance (PIPEDA/CCPA/CPRA)

• PIPEDA: We are accountable for personal information in our possession and under our control. We implement appropriate safeguards and ensure equivalent protection when information is processed by service providers.
• CCPA/CPRA: Where we are a “service provider,” we process personal information on behalf of customers and do not sell or share personal information for cross-context behavioral advertising. We honor consumer rights requests directed to us by customers where applicable.

15. Changes to this Policy

We may update this Policy periodically. Material changes will be communicated through the Service or by other appropriate means. Your continued use of the Service after changes take effect constitutes acceptance.

16. How to contact us

For questions or requests regarding this Policy or your personal information, contact: privacy@scaffoldinsite.com. You may also have the right to contact your provincial/territorial privacy commissioner or the Office of the Privacy Commissioner of Canada.