Legal

Privacy Policy

Last Updated: March 26, 2026

1. Scope

This Privacy Policy explains how Ontario Engineering Solutions Inc., doing business as FieldWorks ("FieldWorks," "we," "us," or "our"), collects, uses, discloses, stores, and protects personal information in connection with the FieldWorks websites, authenticated application, external share-link workflows, communications, and related services (collectively, the "Service").

FieldWorks is a multi-tenant construction management platform designed to help organizations manage project workflows, deficiencies, submittals, files, team access, billing, and external collaboration. This Privacy Policy applies globally, but some rights, disclosures, and legal standards vary by jurisdiction.

2. Roles and Responsibilities

If you use FieldWorks on behalf of an organization, that organization may control certain project data, files, comments, and workflow records submitted to the Service. In those situations:

  • your organization may be the data controller, business, or equivalent decision-maker for that customer data; and
  • FieldWorks generally processes that customer data on the organization's behalf in order to provide the Service.

If your request relates to customer-controlled project data, we may direct you to the relevant organization administrator or coordinate with that organization as required by law and contract. Additional processing terms for business customers may be addressed in our Data Processing Addendum.

3. Information We Collect

We collect information directly from users, automatically through the Service, from organizations that use FieldWorks, and from service providers or integrations used to deliver the Service.

A. Account and Profile Information

We may collect:

  • name
  • email address
  • account credentials and password hashes
  • profile image
  • username
  • locale and language preferences
  • timezone information
  • account verification status
  • authentication settings such as passkeys or multi-factor authentication data

B. Organization and Team Information

We may collect:

  • organization name
  • membership and role information
  • invitations, acceptances, and team administration records
  • organization billing ownership and account administration details
  • tool assignments, staged access assignments, and related entitlement records

C. Project and Workflow Information

Organizations and users may submit or generate:

  • project names, numbers, descriptions, addresses, dates, and statuses
  • deficiency records, descriptions, locations, due dates, statuses, priorities, comments, reminders, and assignee information
  • submittal records, specification references, review statuses, timestamps, notes, and attachments
  • photos, documents, files, and related metadata
  • activity logs, audit trails, and user action history
  • external dashboard or share-link configuration data

This information may contain personal information if users include personal details in project records, comments, attachments, or free-form text.

D. Billing and Commercial Information

If your organization purchases paid subscriptions, we may collect or receive:

  • customer and billing identifiers
  • plan, pricing, interval, and seat information
  • purchase history and invoice history
  • transaction and refund status
  • Stripe customer IDs, subscription IDs, portal activity, and related commercial records

We do not store full payment card numbers in FieldWorks. Payment card data is collected and processed by Stripe or its affiliated payment processors.

E. External Share Link Information

FieldWorks allows organizations to create password-protected and time-bounded external share links. In connection with those links, we may collect:

  • share-link tokens and associated access scopes
  • hashed link passwords
  • expiration, revocation, and access status data
  • IP address, access timestamps, and user agent information for external visitors
  • information submitted by external collaborators, including uploads, comments, and status updates

F. Technical, Usage, Device, and Support Information

We automatically collect limited technical and operational information, such as:

  • IP address
  • browser type and version
  • device and operating system information
  • session identifiers and authentication tokens
  • user agent strings
  • access timestamps
  • referrer information
  • security and audit event records
  • error, crash, and performance telemetry
  • support and troubleshooting information you provide to us

G. Information from Other Sources

We may receive limited information from third-party sources, including:

  • identity and authentication data from Microsoft if you choose to use social sign-in
  • payment status and transaction confirmations from Stripe
  • email delivery metadata from Resend
  • hosting, performance, analytics, and observability data from infrastructure providers such as Vercel and Sentry

4. How We Use Information

We use personal information and customer data to:

  • provide, operate, maintain, and improve FieldWorks
  • authenticate users and secure accounts
  • create and manage organizations, memberships, permissions, and access controls
  • deliver core product functionality, including project coordination, file handling, external sharing, dashboards, and audit trails
  • process subscriptions, manage billing, administer trials and renewals, and support refunds or cancellations
  • send transactional communications such as invitations, password resets, verification emails, billing notices, and service messages
  • monitor performance, investigate incidents, prevent fraud, detect abuse, and enforce our agreements
  • comply with legal obligations and respond to lawful requests
  • generate aggregated or de-identified analytics to understand product usage and service performance

We do not sell personal information for money. We do not use customer project data for unrelated advertising purposes or cross-context behavioral advertising.

5. Legal Bases for Processing

Where laws such as the GDPR or UK GDPR apply, we rely on one or more of the following legal bases:

  • Contract performance to provide the Service, maintain accounts, process subscriptions, and support customer use of FieldWorks
  • Legitimate interests to secure the Service, prevent misuse, improve reliability, analyze performance, administer our business, and maintain support records where those interests are not overridden by your fundamental rights
  • Consent where required by law, including for optional analytics or certain communications
  • Legal obligation to comply with laws, court orders, tax obligations, accounting requirements, and lawful governmental requests

If we rely on consent, you may withdraw that consent where permitted by law. Withdrawal does not affect processing already carried out lawfully before withdrawal.

6. When We Disclose Information

We may disclose personal information or customer data in the following circumstances:

  • Service providers and subprocessors. To vendors, contractors, and service providers who process information on our behalf and need access in order to provide infrastructure, email delivery, billing, storage, analytics, security monitoring, or support services.
  • Organization administrators. To organization administrators who manage your team's FieldWorks account, including for account, billing, membership, export, support, and content-administration purposes.
  • External share-link recipients. When an organization creates an external share link, project data associated with that link may be disclosed to the external recipient in accordance with the link's configured scope.
  • Legal obligations and proceedings. When we believe disclosure is reasonably necessary to comply with applicable law, regulation, legal process, governmental request, court order, or enforceable administrative or regulatory request.
  • Protection of rights and safety. To investigate, prevent, or respond to suspected fraud, security incidents, violations of our terms, threats to safety, or other situations involving potential violations of law or risk to the rights, property, or safety of any person or entity.
  • Business transfers. In connection with a merger, acquisition, financing, restructuring, asset sale, bankruptcy, or similar transaction involving all or part of our business.
  • With consent or instruction. Where you, your organization, or another authorized party instructs us or consents to a specific disclosure.
  • Aggregated or de-identified information. We may share information that has been aggregated or de-identified so that it can no longer reasonably identify an individual.

7. Service Providers, Subprocessors, and Integrations

We use third-party service providers to operate FieldWorks. Depending on your configuration and use of the Service, these may include:

  • Supabase for hosted PostgreSQL database infrastructure and related services
  • Stripe for billing, subscriptions, checkout, invoicing, refunds, and customer portal services
  • S3-compatible storage providers, including AWS-based storage services, for file and document storage
  • Resend for transactional email delivery
  • Vercel for hosting, deployment infrastructure, and limited analytics and performance tooling
  • Sentry for error monitoring and application observability
  • Microsoft for optional OAuth-based authentication

We share only the information reasonably necessary for these providers to perform services for us. We maintain a public Subprocessor List describing key subprocessors and their functions.

8. International Data Transfers

FieldWorks may be accessed globally, and personal information may be processed in Canada, the United States, or other jurisdictions where we or our service providers operate.

Our preview Supabase environment is currently hosted in Canada, but some hosting, support, storage, billing, observability, or service-provider operations may occur outside your province, state, or country. Data protection laws in those jurisdictions may differ from those in your home jurisdiction.

When required by applicable law, we use appropriate safeguards for international data transfers, which may include contractual protections, standard contractual clauses, adequacy-based transfer mechanisms, and vendor commitments designed to protect personal information.

9. Data Retention

We retain personal information and customer data for as long as reasonably necessary to:

  • provide the Service
  • maintain account history and security logs
  • support billing, accounting, and tax compliance
  • resolve disputes
  • enforce agreements
  • satisfy legal or regulatory requirements

Retention periods vary depending on the type of information, customer relationship, support history, legal obligations, and security needs. We maintain an internal retention schedule for key data categories and use a combination of product workflows, administrative controls, and scheduled cleanup processes to remove or de-identify certain records when they are no longer needed.

We may retain limited records after account closure or service termination where necessary for fraud prevention, legal compliance, backup integrity, dispute resolution, or the establishment, exercise, or defense of legal claims. Backup and disaster recovery systems may retain deleted information for a limited period consistent with the provider's backup lifecycle.

10. Cookies and Similar Technologies

FieldWorks uses cookies and similar technologies that are necessary to operate the Service and, if you permit them, to measure usage and performance.

These technologies may include:

  • authentication and session cookies
  • security-related cookies
  • locale and language preference cookies
  • cookie consent records
  • analytics and performance tooling used to understand service usage and reliability

We currently present a consent choice between necessary cookies and broader analytics/performance tooling. You can usually control cookies through your browser settings, but disabling essential cookies may prevent the Service from functioning correctly. For more detail, see our Cookie Policy.

Do Not Track Signals. Some browsers transmit "Do Not Track" signals. There is currently no universally accepted standard for how online services should respond to them. At this time, FieldWorks does not respond differently to DNT signals, but limits tracking as described in this Privacy Policy and our Cookie Policy.

11. Data Security

We use administrative, technical, and organizational safeguards designed to protect personal information and customer data, including measures such as:

  • encryption in transit
  • access controls and role-based permissions
  • hashed passwords and credential protections
  • audit logging and monitoring
  • customer data segregation within our multi-tenant architecture
  • controlled service-provider access

No method of transmission over the Internet or method of storage is completely secure. For that reason, we cannot guarantee absolute security.

If a security incident involving personal information triggers notification obligations under applicable law, we will provide the required notices to affected individuals, customers, and regulators within the timeframes required by law.

12. Automated Decision-Making

FieldWorks does not currently use automated decision-making or profiling that produces legal effects or similarly significant effects on users. If that changes, we will update this Privacy Policy and provide any required notice and rights.

13. Your Rights and Choices

Depending on your location and applicable law, you may have rights relating to your personal information.

Canada

You may have the right to request access to, correction of, or information about our handling of your personal information, subject to legal limitations and identity verification requirements. You may also withdraw consent to certain uses of your personal information, subject to legal and contractual restrictions.

European Economic Area, United Kingdom, and Similar Jurisdictions

You may have the right to:

  • access your personal information
  • request correction of inaccurate information
  • request deletion of certain information
  • request restriction of processing
  • object to certain processing
  • request data portability where applicable
  • withdraw consent where processing is based on consent

You may also have the right to lodge a complaint with a competent supervisory authority.

California and Certain United States State Privacy Laws

Subject to applicable law, you may have rights to:

  • know the categories of personal information we collect and the categories of sources from which that information is collected
  • know the categories of personal information disclosed for business purposes
  • request access to certain personal information
  • request deletion of certain personal information
  • request correction of inaccurate personal information
  • request a portable copy of certain information where required by law
  • not be discriminated against for exercising applicable privacy rights

The categories of personal information described in Section 3 are the categories we may collect. We collect those categories from users, organizations, devices and browsers, integrated service providers, and other parties described in this Privacy Policy. We disclose those categories to the recipients described in Sections 6 and 7 for business purposes.

FieldWorks does not sell personal information and does not share personal information for cross-context behavioral advertising as those terms are defined by applicable US state privacy laws. We do not use or disclose sensitive personal information for purposes other than those permitted by law.

How To Exercise Rights

To submit a privacy request, contact us at support@fieldworkshq.com. We may need to verify your identity and authority before fulfilling a request. If your request relates to organization-controlled project data, we may direct you to the relevant organization administrator or coordinate with that organization as required.

We aim to respond to verifiable privacy requests within the timeframes required by applicable law. Many requests can be addressed within 30 days, but some jurisdictions permit extensions when reasonably necessary.

14. Children's Privacy

FieldWorks is intended for business and professional use in the construction industry. It is not directed to children under 16, and we do not knowingly collect personal information from children under 16 through the Service.

If you believe a child has provided personal information to us, contact us at support@fieldworkshq.com, and we will take appropriate steps consistent with applicable law.

15. Third-Party Services

FieldWorks may contain links to third-party websites, applications, or services that we do not own or control. This Privacy Policy does not apply to those third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party service before providing personal information to them.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we may provide notice through the website, within the application, by email, or by other appropriate means. The updated version becomes effective when posted unless otherwise stated.

17. Contact

For privacy questions or requests, contact:

Ontario Engineering Solutions Inc.
FieldWorks Privacy
21 Duke Street
St. Catharines, Ontario
Canada
support@fieldworkshq.com