Privacy

What StrikeLeap collects, why, and what you can do about it.

Last updated 2026-05-08

Important. This policy is a starter draft. Before you launch, have a privacy attorney review for your jurisdictions of operation (US states, EU, UK, etc.). Nothing on this page is legal advice.

1. Who controls the data

For Customer Data submitted into your workspace (sites, posts, guards, crowd updates, incident reports, supervisor requests, post visits, exports), your organization is the data controller; StrikeLeap (Workbird LLC) is the processor and acts on your instructions per these terms and any DPA we sign with you.

For account data (your email address, your name, billing data), StrikeLeap (Workbird LLC) is the controller.

2. What we collect

  • Account data — name, work email, organization name. Required to use the service.
  • Operational data you create — sites, posts, guards (name, phone, email, vehicle make/color/plate/mileage, gender, role, pay rate), digital IDs with selfie photos, drug-test results, uniform issuances, state-license records, hotel room assignments, Day-1 paperwork signatures, crowd updates, incident reports (title, narrative, severity, photos, witnesses, chain-of-custody), supervisor requests, post visits, shift logs, daily situation reports, clock-in / clock-out records with hours and per-diem accrual, hotel folios, expense receipts (including officer-submitted reimbursement receipts).
  • Location at submission — when an officer, supervisor, or visitor opts in via the browser, we record GPS coordinates at the moment a report or visit is filed. This is recorded with the row, not as continuous tracking.
  • Audit log — every meaningful action with actor, timestamp, and (where relevant) IP address.
  • Billing data — name, email, payment method last-4 + brand, ZIP, billing history. The full card number lives only with our payment processor (Stripe), not on our servers.
  • Usage logs — application logs (route, status code, error), retained 30 days, used for debugging and abuse prevention.
  • Cookies — strictly necessary cookies for authentication (HTTP-only, SameSite=Lax). No third-party tracking pixels.

3. What we do not collect

  • Continuous location tracking. We have no background geolocation.
  • Microphone, camera, or contacts on the officer's or supervisor's phone — the camera is only used when the officer affirmatively chooses to attach a photo to a record (incident, receipt, selfie ID, badge scan).
  • Third-party tracking pixels, ad networks, or marketing analytics on the dashboard or marketing page.
  • Health, biometric, or precise demographic data.

4. Why we use it (lawful bases)

  • To deliver the service. Hosting your data, displaying it back to your team, generating exports. Lawful basis: performance of contract.
  • To bill and collect payment. Lawful basis: performance of contract; legitimate interests in billing.
  • To secure and improve the platform. Audit logs, abuse detection, debugging. Lawful basis: legitimate interests.
  • To comply with law. Tax records, lawful subpoenas, etc.
  • For consented marketing (if any). Opt-in only. You can withdraw consent any time.

5. Where it lives

  • Customer Data — Supabase (Postgres + Storage), hosted in the United States.
  • Email delivery — Resend (US).
  • Payment processing — Stripe (US, PCI DSS Level 1).
  • Hosting / edge — Vercel (US), with regional edge nodes for static assets.
  • Map tiles — Mapbox (US).

We do not sell or rent personal data. We do not enable cross-context behavioral advertising.

6. Sub-processors

We use third-party sub-processors to deliver the service. Current list:

  • Supabase, Inc. — database, authentication, file storage
  • Vercel, Inc. — application hosting
  • Stripe, Inc. — payment processing (when billing is enabled)
  • Resend, Inc. — transactional email
  • Mapbox, Inc. — map tiles (when the live map view is enabled)

We require sub-processors to commit to data-protection terms at least as protective as these. Material changes to this list will be posted with at least 30 days' advance notice for active customers.

7. International transfers

If you or your Authorized Users access the service from outside the United States, your data will be transferred to and processed in the United States. We rely on Standard Contractual Clauses (or successor mechanisms) where required. Customers in regions with data-residency requirements should contact privacy@strikeleap.com before purchasing.

8. Retention

  • Active workspace data — retained while your workspace exists.
  • After termination — exportable on request for 30 days, then deleted from production within 30 additional days. Encrypted backups are aged out within 90 days.
  • Audit logs — 24 months.
  • Application logs — 30 days.
  • Billing records — 7 years (US tax requirement).

9. Your rights

Depending on jurisdiction, you may have the right to access, correct, delete, port, restrict, or object to processing of your personal data, and to withdraw consent or complain to a supervisory authority. Specifically:

  • EU / UK (GDPR / UK GDPR). Access, rectification, erasure, restriction, portability, objection, automated-decision rights.
  • California (CCPA / CPRA). Right to know, delete, correct, opt out of sale or share (we do neither), limit use of sensitive personal information, and non-discrimination.
  • Other US states with comprehensive privacy laws (VA, CO, CT, UT, etc.) — comparable rights as applicable.

To exercise any right, email privacy@strikeleap.com. We will respond within 30 days (or sooner if required by your jurisdiction). For Customer Data, we will route requests to the controlling organization where appropriate.

10. Security

Detailed architecture is on the security page. Highlights:

  • Row-level security on every per-tenant table.
  • Magic-link authentication for managers; SHA-256-hashed access tokens + bcrypt PINs for guards.
  • HMAC-signed cookies bound to specific token rows; no cookie-only access to data.
  • TLS in transit; encryption at rest at the database layer.
  • Service-role keys never run in the browser.

11. Breach notification

If we determine that a breach affecting your personal data has occurred, we will notify affected customers without undue delay and within 72 hours of confirmation, with the nature of the incident, categories of data involved, the steps taken, and our recommended actions. We may delay notice on lawful instruction from law enforcement.

12. Children

StrikeLeap is a B2B service not directed to anyone under 18. We do not knowingly collect data from children. If you believe a child's data is in our service, contact privacy@strikeleap.com for prompt deletion.

13. Changes

Material changes will be posted with a new "Last updated" date and, where required, announced to active customers by email. Continued use after the effective date constitutes acceptance of non-material changes.

Contact

Privacy questions, rights requests, or breach reports: privacy@strikeleap.com