EmoryMfg
Get Pricing

Privacy Policy

Version 2026-04-30

# Privacy Policy

**Effective:** 2026-04-30

This Privacy Policy explains what information EmoryMfg collects, how we use it, who we share it with, how long we keep it, and the rights you have. By using the Services you consent to the practices described here.

## 1. Categories of data we collect

* **Account data:** name, email, phone, password hash, OAuth identifiers, role, biometric/WebAuthn key handles (we never store raw biometrics).
* **Order and quote data:** RFQs, drawings, materials, quantities, lead times, prices, payment outcomes.
* **Communications:** chat messages, AI assistant transcripts, escalated tickets, email and SMS exchanges, call notes you log in CRM.
* **Workforce data (team only):** time entries with GPS, geofence transitions, piece-rate logs, payroll calculations, safety incidents.
* **Media:** photos, videos, livestreams, recordings, OCR text and AI captions extracted from them.
* **Device and usage data:** IP address, user agent, device identifiers, push token, telemetry, crash logs.
* **Payment data:** stored only by our PCI-DSS-certified processors. We retain non-sensitive references and last-4 digits.
* **Location data:** real-time GPS while clocked in or while using location-aware features in the mobile app, vehicle GPS pings, geofence calculations.
* **AI processing artifacts:** prompts, model output, intermediate enrichment (caption, OCR, transcript, drawing parse).

## 2. How we use data

* Provide, secure, and improve the Services.
* Match orders to capacity, schedule jobs, route deliveries, calculate payroll.
* Authenticate users, prevent fraud, and investigate abuse.
* Operate AI assistants and pricing drafts.
* Communicate about your account, orders, payments, support, and platform updates.
* Comply with law, resolve disputes, enforce our agreements.
* Analyze usage and produce aggregated/anonymized statistics.

We do **not** sell personal information. We do not use customer drawings or chat to train third-party generative models.

## 3. How we share data

* **Subprocessors that operate our infrastructure:** hosting (Cloudflare, Vercel), database (Neon Postgres), object storage (Cloudflare R2 or AWS S3), email (Resend), SMS (Twilio), shipping carriers (Shippo, EasyPost, FedEx, UPS, USPS, DHL), payment processors (Stripe, Adyen, PayPal, Plaid, Coinbase Commerce, Circle, BitPay), real-time media (LiveKit), maps (Mapbox), AI assistant infrastructure, and similar service providers under written confidentiality terms.
* **At your direction:** when you send a share link, post to the public feed, or invite a teammate.
* **Legal:** when required by valid legal process, lawful request, or to protect rights, safety, or security.
* **Corporate transactions:** in connection with a merger, acquisition, financing, or sale of assets, with continuity of these protections.

## 4. Cookies and similar technologies

We use first-party session cookies (`emorymfg_session`, `emorymfg_team_session`) for authentication. We use minimal analytics cookies for performance. We do not use cross-site advertising trackers.

## 5. International transfers

Data may be processed in the United States and other countries. We use standard contractual clauses or equivalent safeguards where required.

## 6. Retention

* Account and order records: duration of the relationship plus seven (7) years for tax and audit.
* Payment references: as required by financial regulations.
* GPS pings: 90 days for shift validation; aggregated indefinitely for analytics.
* Media: until you or the team removes it; approved public posts may persist longer.
* AI conversation history: 12 months by default; you can request deletion sooner.
* Backups roll off within 35 days.

## 7. Your rights

Depending on jurisdiction (including under GDPR, CCPA/CPRA, PIPEDA), you may have rights to access, correct, delete, port, restrict, or object to processing of your personal data, and to withdraw consent. Submit requests to privacy@emorymfg.com. We will respond within statutory timelines and may require identity verification.

## 8. Children

The Services are not directed to children under 16. We do not knowingly collect personal data from children.

## 9. Security

We use TLS, encryption at rest, principle of least privilege, role-based access, audit logging, MFA on privileged accounts, and continuous monitoring. No system is perfectly secure; we encourage you to use strong unique passwords and enable MFA.

## 10. AI processing notice

Photos, videos, audio, and documents you upload may be processed by our internal computer-vision (BLIP captioning, EasyOCR text detection) and speech (Whisper) services to make them searchable and to assist with quality and quoting. We do not transmit your content to external generative-model providers without your explicit instruction (e.g., when you start a chat that uses an external LLM).

## 11. Changes

Material changes will be communicated and require re-acceptance.

## 12. Contact

privacy@emorymfg.com or 100 Industrial Way, Jacksonville, FL 32256.