Privacy Policy

Last updated: 2026-05-05 · Effective: 2026-04-26

1. Who we are

ArcDocs (the "Service", "we", "our") is a documentation tool that helps electrical contractors generate NFPA 70E 130.2(B)(1) Energized Electrical Work Permits. This policy explains what personal data we collect, how we use it, and the rights you have over it.

ArcDocs is operated as a registered sole proprietorship in Israel. The data controller can be reached at info@arcdocs.app.

2. Information we collect

We collect only what is necessary to provide the Service:

  • Email address — when you sign in (magic link)
  • Permit content — circuit descriptions, locations, voltages, worker names, and other fields you enter or speak when generating a permit
  • Voice recordings — when you record audio for permit extraction (held briefly during processing, then deleted; see §5)
  • Payment metadata — when you subscribe or purchase, PayPal sends us a transaction ID and subscription status. We do not collect or store your card details — those are handled entirely by PayPal.
  • Billing country and US state — derived from the address you supply to PayPal at checkout. We store the country (ISO code, e.g., US, IL, GB) and, for US customers, the state code (e.g., CA, NY) — nothing else from the billing address. We do not store street, city, ZIP, or phone. Used solely for sales-tax compliance (the US state economic-nexus rules that followed the Supreme Court's South Dakota v. Wayfair decision). Lawful basis under GDPR: legal obligation (Art. 6(1)(c)).
  • Usage data — IP address, browser type, request timestamps, and pages visited (for security, abuse prevention, and aggregate analytics via Umami, which is self-hosted and does not use cookies)
  • AI extraction telemetry — for each voice or text extraction we run for you, we record processing statistics (whether the call succeeded, how long it took, how many fields were populated, which model version was used). This does not include transcript text, audio, or any permit field values — only metadata about the processing. Used to detect service-quality regressions.
  • Email delivery events — when a transactional email (e.g. a magic-link login) is delivered, bounces, fails, or is marked as spam, we record the recipient email, event type, and a short server response excerpt. We do not store the email body. Used to detect when login emails fail to reach you so we can investigate.
  • Browser error telemetry — when an unhandled JavaScript error or Promise rejection occurs in your browser while using the Service, our error-capture script POSTs the error message, the source script URL and line number, a stack trace, the page URL, and your browser's user-agent string to our server. We do not capture form values, the contents of any document you are viewing, cookies, keystrokes, screenshots, or session replays. Used to detect bugs that affect users (e.g. a recorder failure on a particular browser version) so we can fix them.
  • Content-Security-Policy violation reports — your browser sends our server a small JSON report when a script, image, or other resource on one of our pages is blocked by our security policy (typically a sign of a misconfiguration on our side, a tampered page, or a browser extension injecting content into the page). The report body contains: the directive that blocked the load, the URL that was attempted, the page URL, and your browser's user-agent string. It does not contain form values, document content, cookies, or your IP address (the request that delivers the report is logged like any other request under "Usage data" above). Used to detect security policy regressions and possible attempted attacks.
  • Audit log — security-relevant events (logins, account changes, payment events) with hashed identifiers for incident response

3. Why we use it

  • Provide the Service (generate, store, and display your permits)
  • Bill you accurately and process payments through PayPal
  • Detect and prevent abuse, fraud, and unauthorized access
  • Improve the Service through aggregate, non-identifying usage analysis
  • Comply with legal obligations (e.g., tax records of payments)

4. Third-party processors

We use the following providers to deliver the Service. Each is bound by its own privacy commitments:

We do not sell your personal information. We do not share it for advertising purposes.

5. Data retention

  • Voice recordings — uploaded to Google Gemini for transcription; we delete our copy within minutes of completion and do not retain it on our servers. Google's handling of the uploaded audio is governed by its own API terms.
  • Permit PDFs — kept for 30 days after generation, then automatically deleted. Permit metadata in our database persists until you delete your account.
  • Account data — retained while your account is active. When you request deletion, the account is scheduled for permanent removal in 30 days. During those 30 days you can sign in to restore the account with all permits and quota intact. After 30 days the user record, permits, magic-link tokens, and PDFs on disk are irreversibly deleted.
  • Payment records — anonymized when your account is permanently deleted but retained for 7 years to comply with US tax and accounting law. The billing-country and (US-only) state code captured per payment are part of these records and persist alongside the rest of the financial trail.
  • Audit logs — retained for security purposes (e.g., investigating account compromise) for up to 1 year.
  • AI extraction telemetry — retained for up to 90 days for service-quality monitoring. When your account is permanently deleted, the link between these rows and your user identifier is severed immediately (the rows persist as anonymous aggregate statistics until the 90-day window passes).
  • Email delivery events — retained for up to 365 days for delivery-trend analysis. When your account is permanently deleted, your email address and user identifier are removed immediately from these rows (they persist as anonymous aggregate statistics until the 365-day window passes).
  • Browser error telemetry — retained for up to 90 days for bug investigation. When your account is permanently deleted, the link between these rows and your user identifier is severed immediately (the rows persist as anonymous aggregate error-frequency statistics until the 90-day window passes).
  • Content-Security-Policy violation reports — retained for up to 90 days. These reports are anonymous (not linked to a user account); no further action is needed on hard delete.

6. Where the data lives

Our servers are hosted in the United States (Oracle Cloud, Phoenix region). Application performance telemetry is processed by New Relic in the EU (Frankfurt). Email and AI processing providers may store data in the US or EU; see their policies above. By using the Service you consent to these transfers.

7. Your rights

Whether you live in California, the EU, or elsewhere, you have these rights:

  • Deletion — delete your account and personal data yourself at /account. See §5 for the deletion timeline.
  • Correction — edit your permits directly in the app at any time.
  • Access / Portability — download a ZIP of all the personal data we hold yourself at /account. The export is generated immediately and includes a README explaining what is and isn't included.
  • Opt out of sale/sharing — we don't sell or share data, so this is automatic.
  • Non-discrimination — exercising these rights does not affect your service or pricing.

EU residents may also lodge a complaint with their local data protection authority.

8. Security

We use TLS 1.2+ for all traffic, encrypted server storage, role-restricted database access, audit logging, rate limiting, and CSRF/CSP protection. Despite our best efforts, no system is perfectly secure. If you suspect a vulnerability, please report it using the contact details published at /.well-known/security.txt (RFC 9116).

9. Children

The Service is not directed at children under 16. We do not knowingly collect personal information from children. If you believe we have, please email us and we will delete it.

10. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top tells you when. If the change is material, we will notify you via email or an in-app notice.

11. Contact

Questions, requests, or complaints: info@arcdocs.app.