Privacy Policy
Version 2026-05-20 · Effective 2026-05-20
1. Overview
This Privacy Policy explains how the Damage Assessment Tool ("DAT," "we," "us") collects, uses, shares, and protects information when you use our Service.
DAT is a B2B SaaS tool. The majority of personal data we process is on behalf of our customers (workspace owners), who act as the data controllers for that data; we act as the processor. This Policy describes both our direct collection (when you sign up, pay for the Service, contact support, etc.) and our processor role on behalf of our customers.
2. Information We Collect Directly
Account information. Name, email, password (hashed via argon2id; we never store plaintext), phone (optional), and workspace name when you create an account.
Payment information. Processed entirely by Stripe. We receive limited tokens and metadata (e.g., last 4 digits of card, expiration, billing address) but never full card numbers or CVCs.
Usage information. IP address, device/browser fingerprint, session timestamps, and inspection-volume counts. Used to detect credential sharing, enforce plan limits, and improve the Service.
Communications. Records of support tickets, email logs (template + recipient + send status; we intentionally do not store email body content), and audit logs of administrative actions.
3. Information You Upload (Customer Data)
When you create inspections, the Service stores the data you upload on your behalf, including:
- Customer name, address, phone, and email (information about your customer, not you)
- Storm date, peril type, insurance carrier, claim number
- Photos and their EXIF metadata (camera make, GPS, timestamps)
- Damage descriptions, measurements, and pricing
- Voice memos and their transcriptions
- Generated PDF reports
This data is governed by your workspace owner. We process it solely to provide the Service.
4. How We Use Information
We use the information described above to:
- Provide and operate the Service
- Authenticate users and protect against unauthorized access
- Process subscriptions and overage charges
- Send transactional emails (signup confirmation, invites, password resets, billing notices)
- Detect and prevent abuse, including credential sharing across multiple individuals
- Analyze aggregate usage patterns to improve the Service
- Respond to support inquiries
- Comply with legal obligations
We do not sell personal information or use Customer Data to train AI models.
5. AI-Assisted Features
The Service offers optional AI-assisted features (damage description suggestions, voice-memo transcription). When you use these features:
- Photos and audio are transmitted to our AI providers (currently Google for vision and OpenAI for transcription) for processing.
- We have data processing agreements with these providers that prohibit them from using your data to train their models.
- If you prefer not to use AI features, simply do not invoke them; the Service is fully functional without them.
6. Sharing of Information
We share information only as follows:
- Within your workspace. Members of your workspace see Customer Data per the role-based permissions set by the workspace owner.
- Service providers. Stripe (billing), Resend (email), Cloudflare R2 (file storage), Railway (hosting), Google + OpenAI (AI features only when used). All bound by contractual confidentiality obligations.
- When you share externally. Adjuster share links and customer-portal links expose only the data you choose to share.
- Legal requirements. If required by law, court order, or to protect the Service's integrity.
- Business transfers. In the event of a merger or sale, your information may transfer to the acquiring entity, subject to this Policy.
7. Data Security
We protect your data with industry-standard measures, including encryption in transit (TLS 1.2+) and at rest, argon2id password hashing, AES-256-GCM encryption for two-factor secrets, short-lived JWT access tokens, and refresh-token rotation. We maintain audit logs of administrative actions and monitor for unusual access patterns.
No system is perfectly secure. If we become aware of a data breach affecting your information, we will notify you in accordance with applicable law.
8. Data Retention
We retain account and Customer Data for the lifetime of your subscription. Upon cancellation, we retain data for 30 days for potential reactivation, then permanently delete it from production systems within 60 days. Backups containing your data are purged within 90 days of cancellation.
Audit logs, email logs, and aggregate usage statistics may be retained longer for security, fraud prevention, and compliance purposes.
9. Your Rights
Depending on your jurisdiction, you may have rights to:
- Access the personal information we hold about you
- Correct inaccurate information
- Delete your account and associated data
- Export your data in a portable format
- Object to certain processing
- Withdraw consent where consent is the basis for processing
Workspace data export is self-serve from workspace settings. For other requests, email privacy@damageassessmenttool.com. We will respond within 30 days.
10. Cookies and Tracking
The Service uses essential cookies and similar technologies (e.g., localStorage, sessionStorage) for authentication, session management, and security. We do not use third-party advertising cookies. We may use first-party analytics to understand usage patterns; if so, the analytics provider will be listed in this Policy.
11. Children
The Service is not directed to individuals under 18. We do not knowingly collect personal information from children. If you believe a child has provided us information, please contact us immediately so we can delete it.
12. International Transfers
Our infrastructure is primarily based in the United States. If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S. We rely on appropriate safeguards (e.g., Standard Contractual Clauses) for transfers from jurisdictions with cross-border restrictions.
13. Changes to This Policy
We may update this Policy from time to time. Material changes will be communicated by email to workspace owners and announced in the application. The version string and effective date at the top of this page indicate when it was last updated.
14. Contact
Email privacy@damageassessmenttool.com for privacy-related questions or to request a Data Processing Agreement (DPA).